Otherwise, before you add OAuth 2.0 authorization to your service, prepare the
following information and contact your developer relations or business
development representative:
Authorization endpoint URL.
This is the URL for the
authorization endpoint
which you host and that Google makes calls to. Traffic should be accepted
over HTTPS only. For example, https://myservice.example.com/auth.
Oftentimes an existing sign-in page can be adapted to serve as the
authorization endpoint.
The redirect_uri sent as a parameter to your authorization endpoint will have the following form:
Theredirect_uri should be allowlisted for the client_id you assign to Google.
Token endpoint URL.
This is the URL for the
token endpoint
which you host and Google makes calls to. Traffic should be accepted over
HTTPS and only from other known services (such as Google's).
For example, https://oauth2.example.com/token.
The authorization and token endpoints may be hosted on different domains.
Optional token revocation endpoint URL.
This is the URL for the
revocation endpoint
which you host and Google makes calls to. Traffic should be accepted over
HTTPS and only from other known services (such as Google's).
For example, https://oauth2.example.com/revoke.
Your authorization, token and revocation endpoints may be hosted on different
domains.
Optional Cross-Account Protection (RISC) URL.
This is a URL you host and Google makes calls to. You may chose the value.
Client ID and client secret for Google.
You must assign Google a client ID, which is used in OAuth 2.0 requests to
identify the request's origin, and a client secret, which is used to prevent
request forgery. The Google client ID and client secret can be any URL-safe
string values of your choice. You must ensure that the client secret is
visible to only Google and your service.
Optional scope strings.
Depending on how much and what kind of user data your API makes available,
you might want to define scopes that represent different categories of user
data. By doing so, parties can ask permission from your users to access only
certain kinds of data, and restrict the data available to clients to only the
authorized scopes. In particular, if your service makes more data available
than necessary for integration with Google, you might use scopes to grant
access to only some of the data.
[null,null,["Last updated 2025-08-26 UTC."],[[["\u003cp\u003eBefore integrating with Google services (excluding Google Assistant), gather necessary information like authorization and token endpoint URLs and contact your developer relations representative.\u003c/p\u003e\n"],["\u003cp\u003eYou need to provide Google with a client ID and secret, which can be any URL-safe string, and ensure the client secret remains confidential.\u003c/p\u003e\n"],["\u003cp\u003eWhen setting up your authorization endpoint, allowlist the provided \u003ccode\u003eredirect_uri\u003c/code\u003e for Google's client ID.\u003c/p\u003e\n"],["\u003cp\u003eOptionally, you can enhance security by implementing a token revocation endpoint, Cross-Account Protection, and defining scopes to limit data access for Google.\u003c/p\u003e\n"],["\u003cp\u003eTo initiate the process, locate your Google API Project ID within the Google API Console.\u003c/p\u003e\n"]]],[],null,["If you plan to integrate with the Google Assistant, see\n[Actions on Google Console](https://console.actions.google.com/).\n\nOtherwise, before you add OAuth 2.0 authorization to your service, prepare the\nfollowing information and contact your developer relations or business\ndevelopment representative:\n\n- **Authorization endpoint URL** .\n This is the URL for the\n [authorization endpoint](https://tools.ietf.org/html/rfc6749#section-3.1)\n which you host and that Google makes calls to. Traffic should be accepted\n over HTTPS only. For example, `https://myservice.example.com/auth`.\n Oftentimes an existing sign-in page can be adapted to serve as the\n authorization endpoint.\n\n The `redirect_uri` sent as a parameter to your authorization endpoint will have the following form: \n\n ```\n https://oauth-redirect.googleusercontent.com/r/YOUR_PROJECT_ID\n https://oauth-redirect-sandbox.googleusercontent.com/r/YOUR_PROJECT_ID\n ```\n\n \u003cbr /\u003e\n\n The`redirect_uri` should be allowlisted for the `client_id` you assign to Google.\n- **Token endpoint URL** .\n This is the URL for the\n [token endpoint](https://tools.ietf.org/html/rfc6749#section-3.2)\n which you host and Google makes calls to. Traffic should be accepted over\n HTTPS and only from other known services (such as Google's).\n For example, `https://oauth2.example.com/token`.\n The authorization and token endpoints may be hosted on different domains.\n\n- **Optional token revocation endpoint URL** .\n This is the URL for the\n [revocation endpoint](https://tools.ietf.org/html/rfc7009)\n which you host and Google makes calls to. Traffic should be accepted over\n HTTPS and only from other known services (such as Google's).\n For example, `https://oauth2.example.com/revoke`.\n Your authorization, token and revocation endpoints may be hosted on different\n domains.\n\n- **Optional Cross-Account Protection (RISC) URL**.\n This is a URL you host and Google makes calls to. You may chose the value.\n\n- **Client ID and client secret for Google**.\n You must assign Google a client ID, which is used in OAuth 2.0 requests to\n identify the request's origin, and a client secret, which is used to prevent\n request forgery. The Google client ID and client secret can be any URL-safe\n string values of your choice. You must ensure that the client secret is\n visible to only Google and your service.\n\n- **Optional scope strings**.\n Depending on how much and what kind of user data your API makes available,\n you might want to define scopes that represent different categories of user\n data. By doing so, parties can ask permission from your users to access only\n certain kinds of data, and restrict the data available to clients to only the\n authorized scopes. In particular, if your service makes more data available\n than necessary for integration with Google, you might use scopes to grant\n access to only some of the data.\n\n\u003c!-- --\u003e\n\n- **Your Google API Project ID**\n\n To view your project ID:\n 1. Go to the [Google API Console](https://console.developers.google.com/project).\n 2. Find your project in the table on the landing page. The project ID appears in the **ID** column.\n\n| **Note:** Requests to your OAuth endpoints can come from any number of Google IP Address. We do not recommend maintaining a list of allowed IPs and Google does not publish such a list. This is because the list is dynamic and subject to change at any time. Such a list will become outdated and lead to outages and a poor experience for users. Instead, a reverse lookup to confirm requests originate from Google can be used. See [Verifying Googlebot](https://developers.google.com/search/docs/advanced/crawling/verifying-googlebot?visit_id=637552176006795991-2252054900&rd=1) for details on how to identify Google requests."]]