Additional considerations for Google Workspace
Stay organized with collections
Save and categorize content based on your preferences.
If your app targets an
external user
type, you might want to address the widest possible audience of Google Accounts, which
includes Google Accounts administered by a Google Workspace organization.
Google Workspace administrators can use API
access controls to enable or restrict access to Google Workspace APIs for customer-owned and
third-party applications and service accounts. This feature lets Google Workspace administrators
restrict access to only OAuth client IDs that are trusted by the organization, which reduces the
risk associated with third-party access to Google Services.
To reach the widest possible audience of Google Accounts and to foster trust, we recommend the
following:
- Submit your app for verification by Google. If applicable, you must submit your app for
brand
verification, as well as
sensitive and
restricted scopes verification. Google Workspace admins can view your app's verified
status, and they might trust apps that Google verifies more than apps with an
unverified or unknown status.
- Google Workspace admins can give your app's OAuth client IDs access to restricted services and
the high-risk scopes within. If you include your app's OAuth client ID in your help documents,
you can provide Google Workspace admins, and advocates for your app within their organizations,
the information needed to give access to your app. It can also help them understand what
configuration changes might be needed before your app can access an organization's data.
- Routinely monitor your user support email address that you provide when you configure your
OAuth Consent Screen page. Google Workspace admins can view
this email address when they review your app's access, and they might reach out to you with
possible questions and concerns.
Associate your project with an organization
If you are a Google Workspace user, it is strongly recommended that your developer project is
created inside a organization resource within your Google Workspace
or Cloud Identity account. This allows you to
use enterprise management features, such as
important notifications, access control and project lifecycle management, without tying it
to an individual developer account. Otherwise, it might be difficult (or impossible) to transfer
to a new owner in the future.
When setting up your developer project,
create it in
an organization or
migrate your
existing projects into an organization.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2025-08-28 UTC.
[null,null,["Last updated 2025-08-28 UTC."],[[["\u003cp\u003eApps targeting external Google Accounts should consider Google Workspace admin controls and aim for wide accessibility.\u003c/p\u003e\n"],["\u003cp\u003eVerification of your app by Google, including brand and sensitive/restricted scopes, builds trust with Google Workspace admins.\u003c/p\u003e\n"],["\u003cp\u003eTo enable access, provide your app's OAuth client ID to Google Workspace admins for configuration.\u003c/p\u003e\n"],["\u003cp\u003eAssociate your developer project with a Google Workspace or Cloud Identity organization for better management and future transitions.\u003c/p\u003e\n"],["\u003cp\u003eActively monitor your support email address for inquiries from Google Workspace admins regarding your app's access.\u003c/p\u003e\n"]]],[],null,["If your app targets an\n[external user\ntype](https://support.google.com/cloud/answer/10311615#user-type-external), you might want to address the widest possible audience of Google Accounts, which\nincludes Google Accounts administered by a Google Workspace organization.\n\nGoogle Workspace administrators can use [API\naccess controls](https://support.google.com/a/answer/7281227) to enable or restrict access to Google Workspace APIs for customer-owned and\nthird-party applications and service accounts. This feature lets Google Workspace administrators\nrestrict access to only OAuth client IDs that are trusted by the organization, which reduces the\nrisk associated with third-party access to Google Services.\n\nTo reach the widest possible audience of Google Accounts and to foster trust, we recommend the\nfollowing:\n\n- Submit your app for verification by Google. If applicable, you must submit your app for [brand\n verification](/identity/protocols/oauth2/production-readiness/brand-verification), as well as [sensitive](/identity/protocols/oauth2/production-readiness/sensitive-scope-verification) and [restricted](/identity/protocols/oauth2/production-readiness/restricted-scope-verification) scopes verification. Google Workspace admins can view your app's verified status, and they might trust apps that Google verifies more than apps with an [unverified](https://support.google.com/a/answer/9352843) or unknown status.\n- Google Workspace admins can give your app's OAuth client IDs access to restricted services and the high-risk scopes within. If you include your app's OAuth client ID in your help documents, you can provide Google Workspace admins, and advocates for your app within their organizations, the information needed to give access to your app. It can also help them understand what configuration changes might be needed before your app can access an organization's data.\n- Routinely monitor your user support email address that you provide when you configure your OAuth [Consent Screen page](https://console.developers.google.com/apis/credentials/consent). Google Workspace admins can view this email address when they review your app's access, and they might reach out to you with possible questions and concerns.\n\nAssociate your project with an organization\n\nIf you are a Google Workspace user, it is strongly recommended that your developer project is\ncreated inside a [organization resource](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy#organizations) within your [Google Workspace](https://gsuite.google.com/)\nor [Cloud Identity](https://cloud.google.com/identity) account. This allows you to\nuse [enterprise management features](https://cloud.google.com/resource-manager/docs/cloud-platform-resource-hierarchy#benefits_of_the_organization_resource), such as\n[important notifications](https://cloud.google.com/resource-manager/docs/managing-notification-contacts), access control and project lifecycle management, without tying it\nto an individual developer account. Otherwise, it might be difficult (or impossible) to transfer\nto a new owner in the future.\n\nWhen setting up your developer project,\n[create it in\nan organization](https://cloud.google.com/resource-manager/docs/creating-managing-projects) or\n[migrate your\nexisting projects into an organization](https://cloud.google.com/resource-manager/docs/migrating-projects-billing)."]]