Setting up your OAuth consent screen

You must configure an OAuth consent screen before using an OAuth 2.0 client ID. This article describes OAuth consent screen settings and their impact on how your Google Cloud Platform project requests OAuth scopes from a Google Account.

App information and logo

Your application's name, support email and logo can be shown to users when signing in or authorizing account access.  In order for your app name and/or logo to be displayed, you must submit your app for verification.

App Name

Choose an app name that distinctively represents your business. Do not use names that may be confused with Google's or other organizations' brands or combine Google product names with generic terms like "app" or "mobile." Refer to the Google Brand Resource Center guidelines for naming your app/product for more information. 

Examples of unacceptable names:

  • Google
  • YouTube
  • Google+ Online
  • Google Drive for iOS
  • Mobile YouTube app
  • Gmail for Android
  • Google Photo App

Examples of acceptable names:

  • Photo Browser
  • Inbox Assistant
  • PDF Viewer for Google Drive
  • Top YouTube Videos
The app name will be displayed on the OAuth consent screen only if your app has been verified. See the OAuth App Verification Help Center page for details on the verification process.
Authorized Domains

In the consent screen, users are shown links to your app's homepage, privacy policy, and terms of service. These pages should help users learn more about your app and provide them with a clear understanding of how their data is used. To ensure successful registration of your project, any domains utilized in these links must be registered as authorized domains. Domains of your authorized redirect URIs and JavaScript origins are also automatically added as authorized domains. 

Your project can only have up to 10 authorized domains. Exceeding this limit will result in a Domain Limit Exceeded Exception. If you need more than 10 unique domains in your redirect URIs and origin URLs, review the Domain Limit Exceeded FAQ for information on how to fix this error.

Avoid using malicious links or domains. Google may flag sites suspected of hosting harmful downloads, engaging in bad practices, or being hacked. Refer to the Cloud Abuse Project History article for more information.

Note: If your application needs to go through verification, you may be required to verify your domain in the Google Search Console.

If you'd like to remove a previously uploaded logo, you can follow the steps below:
  1. Go to the Cloud Console OAuth consent screen page.

  2. On the project selection drop-down, select the project that you want to modify.

  3. Click Edit app to modify app information.

  4. To remove the current logo, click the Remove button.

If your app has previously been verified, you cannot remove the logo. However, you can change the logo by resubmitting your app for brand verification.

User Support Email
The User Support Email field requires you to specify an email address that will be displayed to users on the consent screen.  This should be an email address that you regularly monitor so that you can answer questions they have about sign-in, authorization, or your app in general. The drop-down selection box will show you the available options for the User Support Email, which must be one of the following:
  • The address of a Google Group managed by the currently logged-in user.  If you are a Google Workspace user, you can use an existing group or create a new group in your organization before selecting it as the User Support Email.
  • The email address of the currently logged-in user, which must be registered as a Google account. To use a non-Gmail address, you must
    • log in to the Google API Console with the Google Workspace account which you want to use for the User Support Email, OR
    • register an existing non-Gmail address when creating a Google account; make that account a project editor or owner, then log in with the new account so that it appears as a drop-down selection

User type

The user type setting impacts your app's potential audience.

External

Projects configured with a user type of External are available to any user with a Google Account.

A user's ability to authorize your app's requested scopes are impacted by your project's publishing status.

Internal

Projects associated with a Google Cloud Organization can configure Internal users to limit authorization requests to members of the organization. For more information about migrating a project into a Google Cloud Organization resource, see Migrating projects into an organization.

User authorization of scopes associated with restricted Google Workspace services, including high-risk Gmail and Drive scopes, might require additional configuration by your organization's administrators. For more information, see the Let Internal apps access restricted Google Workspace APIs section of the Control which third-party and internal apps access Google Workspace data article.

An org_internal authorization error is displayed when authorization is requested from users outside the Google Cloud project's parent.

Publishing status

The publishing status setting impacts the potential audience, and potential authorizations, of a project configured with a user type of External.

Testing

Projects configured with a publishing status of Testing are limited to up to 100 test users listed in the OAuth consent screen. A test user consumes a project's test user quota once added to the project.

Google will display a warning message before allowing a specified test user to authorize scopes requested by your project's OAuth clients. The warning message confirms the user has test access to your project but should consider the risks associated with granting access to their data to an unverified app.

Authorizations by a test user will expire seven days from the time of consent. If your OAuth client requests an offline access type and receives a refresh token, that token will also expire.

A Brand Account may authorize scopes requested by your project's OAuth clients if a specified test user manages the Brand Account.

The only exception to this behavior is if your app requests a subset of the following: name, email address, and user profile (through the userinfo.email, userinfo.profile, openid scopes or their OpenID Connect equivalents). For such requests, your users do not need to be in the trusted user list, they will not see a warning message, and their authorizations will not expire after 7 days. If your app uses Sign in with Google to authenticate users then this exception also applies. If your app requests any other OAuth scopes, then this exception does not apply.

A test user may be unable to authorize scopes requested by your project's OAuth clients due to the availability of Google Services for the account or configured restrictions. A Google Workspace may control which third-party apps access its data or an account enrolled in Advanced Protection may block most non-Google apps.

In production

Projects configured with a publishing status of In production are available to any user with a Google Account. A project's publishing status is considered In production after selecting the Publish app button. Your project's configuration may be subject to verification before its name and logo are displayed on an authorization screen or before it may request authorization of sensitive or restricted scopes.

Projects configured with a publishing status of In production should complete the verification process, including defining scopes actively requested by your project's OAuth clients, if it meets one or more of the OAuth verification criteria, as described in Verification status.

Google will display an Unverified apps warning message if your project's OAuth clients request authorization of scopes considered sensitive or restricted before your project has completed verification for those scopes.

Verification Status

Google verifies projects configured for a user type of External and a publishing status of In production if they meet one or more of the OAuth verification criteria:

  • You want to display an icon or display name for your project on the OAuth consent screen.
  • Your project's OAuth clients request authorization of any sensitive or restricted scopes.
  • The number of authorized domains for your project exceeds the domain count limit.
  • There are changes to your project's OAuth consent screen configuration after a previous published, verified configuration.

Your project's last verified OAuth consent screen configuration is presented to users while your project is under verification review. Your project's OAuth clients may be listed as "Not Google verified" in app access control settings available to Google Workspace administrators evaluating third-party access to their Google Workspace data while your project's OAuth consent screen configuration is under verification review.

Verification not required

Submitting for verification may not be required, based on the current configuration of your OAuth consent screen. Users may not see all of your app's information, including its name and logo, until your project has completed verification.

Review the current configuration of your OAuth consent screen by selecting the Edit App button and reviewing details within. Compare the Authorized domains and Scopes sections of the configuration with the active use by your project's OAuth clients to confirm your OAuth consent screen is properly configured. Review the OAuth verification criteria, as described in Verification status, for any possible impact to your project.

Needs verification

The current configuration of your OAuth consent screen meets one or more OAuth verification criteria, as described in Verification status. Select the Prepare for verification button to review your app's information presented on the OAuth consent screen and, if applicable, describe your app's use of sensitive and/or restricted scopes.

Select the Prepare for verification button to review your app's information presented on the OAuth consent screen and add any scopes requested by your app. Additional requirements, if applicable, will be highlighted during each step of the Prepare for verification process. Select the Submit for verification button on the Final review screen to submit your project for OAuth verification.

Verification in progress

Your project's last submitted OAuth consent screen is under review. Additional information about your app, if required, may be requested via email at the email addresses you provided in the Developer contact information section of the Prepare for verification process. Expect the first email within 3-5 days.

Your last approved OAuth consent screen configuration, if applicable, is still in use while the verification of your new configuration is pending. You may alter your OAuth consent screen configuration through the Prepare for verification screens and resubmit if your application details or scope usage has changed.

Reverification in progress

Your project's last submitted OAuth consent screen is under review to come into compliance with new OAuth consent screen requirements. Additional information about your app, if required, may be requested via email at the email addresses you provided in the Developer contact information section of the Prepare for verification process. Expect the first email within 3-5 days.

Your last approved OAuth consent screen configuration is still in use while the verification of your new configuration is pending. You may alter your OAuth consent screen configuration through the Prepare for verification screens and resubmit for verification if your application details or scope usage has changed.

Pending developer action

Your project's OAuth consent screen verification is paused and requires additional action. Review emails sent to the email addresses you provided in the Developer contact information section of the Prepare for verification process for more information shared by Google's Trust and Safety team. Respond to the email you received once you have addressed outstanding items.

Pending security assessment

Your project is subject to a third-party security assessment to demonstrate secure data handling requirements of the Google API Services User Data Policy or the policies of a specific enabled Google API. Review emails sent to the email addresses you provided in the Developer contact information section of the Prepare for verification process for more information shared by Google's Trust and Safety team, including important deadlines to obtain and present a Letter of Assessment from a Google-designated third-party.

Rejected

Your submitted request for verification of your OAuth consent screen changes was rejected. Your last approved OAuth consent screen configuration is in use.

Review emails sent to the email addresses you provided in the Developer contact information section of the Prepare for verification process for more information shared by Google's Trust and Safety team regarding the rejection and any required changes to your project's OAuth consent screen configuration.

Verified

Your currently configured OAuth consent screen has been verified by Google.

If you make changes requiring verification, such as requesting new scopes or editing the information shown on a consent screen, you must resubmit your application for review before those changes are verified and published.

Was this helpful?

How can we improve it?
Search
Clear search
Close search
Google apps
Main menu
8938835858033648940
true
Search Help Center
true
true
true
true
true
95384
false
false