The Overview page serves as a starting point for configuring your application. Clicking on the "GET STARTED" button allows you to initiate the configuration process if you haven't done so already.
The Overview page also provides insights into your application’s metrics, allowing you to monitor app requests and usage.
Metrics
Traffic
This graph shows the number of OAuth requests per day across all your clients.
Errors
This graph shows the daily count of errors encountered during OAuth requests across your clients. For common errors that may occur when accessing the Google OAuth 2.0 endpoint, refer to the error documentation.
Users
This graph shows the number of active unique users authorizing your app per day.
OAuth token grant rate
The token grant rate limit restricts how rapidly your application can acquire new users. This graph enables you to monitor your grant rate limit and notifies you if your limit is about to be exceeded.
If your limit has been reached or is about to be, you can submit a request to increase your daily token limit.
Note: The token grant rate limit only applies to non-identity scopes. If your application only uses identity scopes, this graph will not display any data.
Review the OAuth Application Rate Limits article to learn more about rate limits.
Project Checkup
The Project Checkup verifies compliance with our policies and best practices. Warning or success indicators are displayed based on the status of each individual check.
- warning - recommended action to improve the experience of users authorizing your application.
- success - your application complies with the policy / best practice.
The compliance checks are done across 5 categories: App Verification, Developer Identity, Incremental Auth, Modern Platforms, and App Security.
App Verification
OAuth App verification
Reports if your app needs verification. Learn more about verification requirements in the OAuth Verification Center.
Updated contact information
Reports if your app has out-of-date developer contact information. These are the contact emails where relevant information about your projects is sent. An error is reported if registered email addresses are not reachable. You can update your developer contact information in the Branding page.
Domain verification
Reports if one or more of the domains being used by your application has not been verified. Review your list of domains in the Authorized domains section of the Branding page and ensure all domains are verified in the Google Search Console.
Billing account verification
Some Google APIs charge for usage, and you need to enable billing before you can start using these APIs.
This check reports if your app does not have an associated Cloud billing account. It is recommended to associate your project with a billing account since some Google APIs charge for usage.
To fix this issue, associate a Cloud billing account with your project.
Project contacts
Your project should have at least one and not more than 15 human project owners or editors who can be reached.
This check will notify you if your project does not have a human project owner or editor, or if there are more than 15 registered project owners or editors.
Review the Manage project members or change project ownership article for instructions on how to add or remove a project owner/editor from your project.
Incremental authorization
It is considered a user experience best practice to request authorization for resources at the time you need them instead of requesting all scopes your app needs upfront.
This check reports whether or not your app complies with the incremental auth best practice. Learn more about incremental authorization and how to implement it in your application.
Granular permissions
Partial consent, or granular permissions, gives users more fine-grained control over what account data they choose to share with your app. When you request multiple permissions, users are given the choice to consent to some or all of the requested scopes.
This check reports if your application supports and appropriately handles granular permissions. Learn more about granular permissions and how to implement them in your application.
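One way to handle partial consent together with incremental authorization, as an added example that is not Google's own code: it reads the space-delimited scope field of a token response, enables only the features whose scopes were granted, and builds a follow-up request for just the missing scopes. The feature names, the FEATURE_SCOPES map, the client ID placeholder and the sample token response are assumptions made for illustration.

```python
from urllib.parse import urlencode

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# Hypothetical mapping of app features to the scopes each one needs.
FEATURE_SCOPES = {
    "show_calendar": {"https://www.googleapis.com/auth/calendar.readonly"},
    "save_to_drive": {"https://www.googleapis.com/auth/drive.file"},
}

# Constructed token response: the user granted calendar access but not Drive.
SAMPLE_TOKEN_RESPONSE = {
    "token_type": "Bearer",
    "scope": "openid https://www.googleapis.com/auth/calendar.readonly",
}


def granted_scopes(token_response: dict) -> set:
    """Scopes the user actually consented to, not the ones that were requested."""
    return set(token_response.get("scope", "").split())


def enabled_features(granted: set) -> set:
    """A feature is enabled only when every scope it needs was granted."""
    return {name for name, need in FEATURE_SCOPES.items() if need <= granted}


def reauthorization_url(feature, granted, client_id, redirect_uri, state):
    """Request only the scopes a feature still lacks, when the user invokes it."""
    missing = FEATURE_SCOPES[feature] - granted
    if not missing:
        return None  # nothing to ask for; the feature already works
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(sorted(missing)),
        "include_granted_scopes": "true",  # keep earlier grants on the new token
        "state": state,
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)
```
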
These checks report on whether or not your application is using modern and supported technologies.
Legacy browsers
Your application should use secure browsers and not make requests to the Google OAuth 2.0 endpoint from an embedded user-agent under the developer's control.
This check reports if your application is using an older browser or embedded webview that may be unsafe.
Legacy client libraries
Our client libraries are updated periodically to adhere to the latest security and user best practices. Your application should always use the latest version of our Google Identity Services client libraries.
This check reports if your application is using the latest and recommended Google Identity Services library to make calls to the Google OAuth 2.0 endpoints.
Legacy operating systems
Your apps should run on modern, safe operating systems. This check reports if your app is supported on a legacy, unsafe operating system with potential security vulnerabilities.
To fix this, ensure your application is only supported on modern, safe operating systems.
Send Token Securely
Your app should send tokens securely. For example, access tokens should not be sent in the authorization URL or via HTTP. The check reports if your app is sending tokens securely.
Use secure flows
To ensure the security of your application, you should avoid using insecure flows susceptible to impersonation. When making requests to the Google OAuth 2.0 endpoint, ensure that the requests originate from verified apps and incorporate appropriate security measures for added protection. This check verifies the following:
- You are using Proof Key for Code Exchange (PKCE) to make the installed app OAuth flow more secure.
- You have verified ownership of your application to reduce the risk of app impersonation.
- You have verified ownership of your Android app.
- You have verified ownership of your Chrome app.
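The PKCE item above, as an added example that is not Google's own code: it generates a code verifier, derives the S256 code challenge defined in RFC 7636, and builds an authorization request that carries only the challenge. The function names, client ID placeholder and loopback redirect URI used in testing are assumptions; the final function mirrors the comparison the authorization server makes when the code is exchanged.

```python
import base64
import hashlib
import secrets
from urllib.parse import urlencode

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def new_code_verifier(n_bytes: int = 32) -> str:
    """High-entropy verifier; 32..96 random bytes give the 43..128 chars allowed."""
    if not 32 <= n_bytes <= 96:
        raise ValueError("n_bytes must be between 32 and 96")
    return b64url(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    if not 43 <= len(verifier) <= 128:
        raise ValueError("code_verifier must be 43-128 characters")
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_auth_url(client_id, redirect_uri, scopes, verifier, state):
    """Authorization request: carries only the challenge, never the verifier."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge_s256(verifier),
        "code_challenge_method": "S256",
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def verifier_matches(verifier: str, stored_challenge: str) -> bool:
    """The comparison an authorization server applies at token exchange."""
    return secrets.compare_digest(code_challenge_s256(verifier), stored_challenge)
```

The verifier stays in the app's memory until the token request, so an authorization code intercepted on the redirect cannot be redeemed without it.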
Webviews usage
Sending requests to the Google OAuth 2.0 endpoint from an embedded webview is not supported because embedded webviews are vulnerable to "man in the middle" attacks.
This check reports if your app is using an embedded webview. Learn more about fixing errors originating from embedded webviews.
Cross-Account Protection
Cross-Account Protection enhances the security of your app by enabling you to monitor and react to security incidents involving Google Accounts linked with your apps. For instance, you may be notified through token revocation events when a user revokes a token previously granted to your app. You can take action in response to this notification, such as terminating any active sessions.
Implementing Cross-Account Protection is strongly recommended as an additional security measure for accounts using your application.
This check reports if you have Cross-Account Protection implemented for your application. Learn more about Cross-Account Protection and how to implement it in your application.