OAuth Developer Verification Form FAQ
This article answers frequently asked questions about the OAuth Developer Verification form.
Why am I being asked to fill out this form?
To protect users and their data from deceptive applications, your new or updated web application or Apps Script may show an Unverified App screen prior to displaying the consent screen. This warning precedes the permissions consent screen and informs the user that the app has not yet passed the verification process.
You need to go through the verification process before you launch your application. Upon successful completion of the process, the Unverified App screen will be removed from your client. The verification process typically takes between 3 and 7 business days, but in some cases it may take longer.
Note: subsequent modifications of your client or the usage of new scopes after verification may require you to go through verification again.
See our earlier blog post on accessing user data, which outlines your responsibilities when requesting access to user data from your application. Our teams will continue our constant efforts to support a powerful, useful developer ecosystem that keeps users and their data safe. For more details on the verification process, see the article Unverified App.
Make sure you complete the steps below before submitting the verification request:
- Identify who requires the OAuth access tokens. If they will be used only to access accounts you or your development team own, you do not need to fill out a verification request. If they will be used to access accounts owned by others, you do.
- Your OAuth Consent Screen is created.
- Your authorized redirect URI or origin URL is linked to the OAuth web client.
- Only request scopes that your app needs. Ensure that you are not asking for permissions that your app does not use. Each scope that you're requesting in the form must have an explanation of its use or need for the project.
- Verify your domain ownership with Google through Search Console by using an account that is either a Project Owner or a Project Editor on your OAuth Project.
The Developer verification process must be completed to remove the Unverified App screen from your app. The Unverified App screen informs the user that the app has not yet passed the verification process. You do not need to submit the developer verification form if your app is going to be used in any of the following scenarios:
- My app is not shared with anyone else
- This app is for me and my family/friends
- I am using this for sending emails through WordPress or similar single-account SMTP plug-ins
- My app is trying to access data from my users’ Google Cloud Platform Project
- I am using this app to allow users to sign in to my platform using their basic profile information
However, if any of the above applies and you still want to remove the Unverified App screen, you will need to go through the verification process. To ensure your submission is complete, refer to the answer to the question below, How do I ensure my verification request is approved at the earliest time possible?
If your app will only be used by users within your domain, you will need to associate your project with a Cloud Organization.
To do so, you will need to:
- Create an Organization (if you don't already have one) as instructed in Quickstart Using Organizations.
- Migrate the project into the organization you created, as described in Migrating Existing Projects into the Organization.
For support related questions, see Get Support.
Please note that any subsequent modifications of your client or the usage of new scopes after verification may require you to go through verification again. For more information, see the Unverified App help article.
For help deciding which scopes to use for your app, refer to the following support pages.
As a general rule, choose the most restrictive scope possible, and avoid requesting scopes that your app does not actually need. Users more readily grant access to limited, clearly described scopes. Conversely, users may hesitate to grant broad access to their files unless they truly trust your app and understand why it needs the information.
The scope https://www.googleapis.com/auth/drive.file strikes this balance in a practical way. Presumably, users only open or create a file with an app that they trust, for reasons they understand.
For more information, see What scope or scopes does my app need?, a guide on Google Drive API scopes.
You can access data from your users' Google Cloud Platform project by creating a service account to represent your service, and then having your customers grant that service account appropriate access to their Cloud data via IAM policies. Note that you may want to create a service account per customer if you must avoid confused deputy problems: a single service account that several customers have granted access to cannot tell, at the IAM level, which customer a given request is being made for. Please take a look at the articles below to familiarize yourself with, and educate your users on, using service accounts and updating Cloud IAM policies.
Service Account Creation:
If any of your users are having issues creating a service account or granting your project the appropriate permissions via the IAM Policies, please direct them to Google Cloud Support.
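The following is an added example, not Google's code or part of this article: it models the "one service account per customer" advice above to show the confused-deputy problem it avoids. The customer ids, project name, service-account e-mails and IAM policies are all constructed here; the policy dicts only mimic the shape of a Cloud IAM policy (a list of bindings, each with a role and its members) so the script runs offline. The role name is a real Cloud IAM role used only as a sample grant.

```python
"""
Added example (not Google's code): per-customer service accounts versus a
single shared service account, modelled against constructed IAM policies.
"""
SERVICE_PROJECT = "integrator-project-example"   # constructed: the integrator's own project
ROLE = "roles/storage.objectViewer"              # real role name, used here as a sample grant
SHARED_SA = f"serviceAccount:shared-sa@{SERVICE_PROJECT}.iam.gserviceaccount.com"


def service_account_for(customer_id: str) -> str:
    """Dedicated identity per customer (constructed naming scheme)."""
    return f"serviceAccount:sa-{customer_id}@{SERVICE_PROJECT}.iam.gserviceaccount.com"


def policy_grants(policy: dict, member: str, role: str) -> bool:
    """True if the customer's IAM policy binds `member` to `role`."""
    return any(
        b.get("role") == role and member in b.get("members", ())
        for b in policy.get("bindings", ())
    )


def customer_policy(members: list) -> dict:
    """Constructed stand-in for the policy a customer attaches to their project."""
    return {"bindings": [{"role": ROLE, "members": list(members)}]}


def may_act(requesting_customer: str, target_customer: str,
            policies: dict, per_customer_sa: bool) -> bool:
    """
    Does the integrator's backend, handling a request on behalf of
    `requesting_customer`, get IAM access to `target_customer`'s project?

    With one shared service account, IAM cannot tell customers apart: any
    project that granted the shared account is reachable on behalf of any
    other customer (the confused deputy). With a dedicated account per
    customer, the identity used carries the requesting customer's name, so
    only that customer's own grant applies.
    """
    member = service_account_for(requesting_customer) if per_customer_sa else SHARED_SA
    return policy_grants(policies[target_customer], member, ROLE)


def demo() -> dict:
    """Two customers, each granting whichever identity the integrator uses."""
    shared = {
        "customer-a": customer_policy([SHARED_SA]),
        "customer-b": customer_policy([SHARED_SA]),
    }
    dedicated = {
        "customer-a": customer_policy([service_account_for("customer-a")]),
        "customer-b": customer_policy([service_account_for("customer-b")]),
    }
    return {
        # legitimate: A's request against A's own project
        "shared_a_to_a": may_act("customer-a", "customer-a", shared, per_customer_sa=False),
        # confused deputy: A's request pointed at B's project still passes IAM
        "shared_a_to_b": may_act("customer-a", "customer-b", shared, per_customer_sa=False),
        "dedicated_a_to_a": may_act("customer-a", "customer-a", dedicated, per_customer_sa=True),
        # blocked: B never granted A's dedicated account
        "dedicated_a_to_b": may_act("customer-a", "customer-b", dedicated, per_customer_sa=True),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

With the shared account, the only thing standing between customer A and customer B's data is the integrator's own application logic; with a dedicated account per customer, the IAM policy itself refuses the cross-customer request, which is the defense in depth the note above recommends.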
Unfortunately, you are unable to see which scopes have been approved at this time. For now, you can create a number of OAuth requests, each with one of the scopes, to verify them individually. We are working on a number of improvements, and those will be rolling out through the rest of the year. Thank you for your patience.
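The following is an added example, not Google's code or part of this article. It serves two points above: the advice to choose the most restrictive scope (drive.file where it suffices), and the workaround of issuing one OAuth request per scope to check scopes individually. It maps what a hypothetical app actually does to the narrowest Drive scope, flags requests that ask for broader access than those capabilities justify, builds one authorization URL per scope, and compares the scopes a token response reports as granted with what was requested. The client id, redirect URI, capability names and token response are constructed placeholders; the authorization endpoint and the scope strings are Google's public ones.

```python
"""
Added example (not Google's code): least-privilege Drive scope selection and
one-scope-per-request authorization URLs.
"""
from urllib.parse import urlencode, urlparse, parse_qs

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
DRIVE = "https://www.googleapis.com/auth/"

# Narrowest scope covering each capability this hypothetical app could need.
CAPABILITY_SCOPE = {
    "open_or_create_files_via_app": DRIVE + "drive.file",
    "list_file_names": DRIVE + "drive.metadata.readonly",
    "read_any_file": DRIVE + "drive.readonly",
    "modify_any_file": DRIVE + "drive",
}

# Which narrower scopes each broad scope subsumes.
BROADER_THAN = {
    DRIVE + "drive": {DRIVE + "drive.file", DRIVE + "drive.readonly",
                      DRIVE + "drive.metadata.readonly"},
    DRIVE + "drive.readonly": {DRIVE + "drive.metadata.readonly"},
}


def minimal_scopes(capabilities) -> list:
    """Smallest scope set covering the capabilities, dropping scopes a needed broader one subsumes."""
    needed = {CAPABILITY_SCOPE[c] for c in capabilities}
    for broad, narrower in BROADER_THAN.items():
        if broad in needed:
            needed -= narrower
    return sorted(needed)


def overbroad_scopes(requested, capabilities) -> list:
    """Requested scopes that grant more than the capabilities justify."""
    needed = set(minimal_scopes(capabilities))
    justified = set(needed)
    for broad, narrower in BROADER_THAN.items():
        if broad in needed:
            justified |= narrower  # anything narrower than a needed scope is fine
    return sorted(s for s in requested if s not in justified)


def per_scope_auth_urls(client_id, redirect_uri, scopes, state="constructed-state") -> list:
    """One authorization URL per scope, as the FAQ suggests for checking scopes one at a time."""
    urls = []
    for scope in scopes:
        params = {
            "client_id": client_id,
            "redirect_uri": redirect_uri,
            "response_type": "code",
            "scope": scope,           # exactly one scope in this request
            "access_type": "offline",
            "state": state,           # a real app uses an unguessable per-session value
        }
        urls.append(AUTH_ENDPOINT + "?" + urlencode(params))
    return urls


def scopes_in_url(url: str) -> list:
    """Scopes carried by an authorization URL (space-separated in the `scope` parameter)."""
    return parse_qs(urlparse(url).query)["scope"][0].split()


def not_granted(requested, token_response: dict) -> list:
    """Requested scopes missing from the space-separated `scope` field of a token response."""
    granted = set(token_response.get("scope", "").split())
    return sorted(set(requested) - granted)


def demo() -> dict:
    caps = ["open_or_create_files_via_app", "list_file_names"]
    minimal = minimal_scopes(caps)
    flagged = overbroad_scopes([DRIVE + "drive", DRIVE + "drive.file"], caps)
    urls = per_scope_auth_urls("1234-example.apps.googleusercontent.com",
                               "https://app.example/oauth2cb", minimal)
    # constructed token response: the user granted only drive.file
    token = {"access_token": "ya29.constructed", "token_type": "Bearer",
             "scope": DRIVE + "drive.file"}
    return {"minimal": minimal, "overbroad": flagged, "urls": urls,
            "missing": not_granted(minimal, token)}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Because each URL carries a single scope, a declined or still-unverified scope shows up on its own consent screen instead of being hidden inside one combined request, and `not_granted` tells the app which scopes it must not assume it holds.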