Manage App Audience

Projects configured with a user type of External are available to any user with a Google Account.

A user's ability to authorize your app's requested scopes are impacted by your project's publishing status.

Projects associated with a Google Cloud Organization can configure Internal users to limit authorization requests to members of the organization. For more information about migrating a project into a Google Cloud Organization resource, see Migrating projects into an organization.

User authorization of scopes associated with restricted Google Workspace services, including high-risk Gmail and Drive scopes, might require additional configuration by your organization's administrators. For more information, see the Let Internal apps access restricted Google Workspace APIs section of the Control which third-party and internal apps access Google Workspace data article.

An org_internal authorization error is displayed when authorization is requested from users outside the Google Cloud project's parent.

Projects configured with a publishing status of Testing are limited to up to 100 test users listed in the OAuth consent screen. A test user consumes a project's test user quota once added to the project.

Google will display a warning message before allowing a specified test user to authorize scopes requested by your project's OAuth clients. The warning message confirms the user has test access to your project but should consider the risks associated with granting access to their data to an unverified app.

Authorizations by a test user will expire seven days from the time of consent. If your OAuth client requests an offline access type and receives a refresh token, that token will also expire.

A Brand Account may authorize scopes requested by your project's OAuth clients if a specified test user manages the Brand Account.

The only exception to this behavior is if your app requests a subset of the following: name, email address, and user profile (through the userinfo.email, userinfo.profile, openid scopes or their OpenID Connect equivalents). For such requests, your users do not need to be in the trusted user list, they will not see a warning message, and their authorizations will not expire after 7 days. If your app uses Sign in with Google to authenticate users then this exception also applies. If your app requests any other OAuth scopes, then this exception does not apply.

A test user may be unable to authorize scopes requested by your project's OAuth clients due to the availability of Google Services for the account or configured restrictions. A Google Workspace may control which third-party apps access its data or an account enrolled in Advanced Protection may block most non-Google apps.

Projects configured with a publishing status of In production are available to any user with a Google Account. A project's publishing status is considered In production after selecting the Publish app button. Your project's configuration may be subject to verification before its name and logo are displayed on an authorization screen or before it may request authorization of sensitive or restricted scopes.

Projects configured with a publishing status of In production should complete the verification process, including defining scopes actively requested by your project's OAuth clients, if it meets one or more of the OAuth verification criteria, as described in Verification status.

Google will display an Unverified apps warning message if your project's OAuth clients request authorization of scopes considered sensitive or restricted before your project has completed verification for those scopes.

The OAuth user quotas are summarized in the following table. These might be adjusted for specific apps based on the app history, developer reputation, and riskiness.

For more information, see the OAuth Application Rate Limits page.