Create OAuth authorization credentials for a Looker (Google Cloud core) instance
An OAuth client must be set up and OAuth credentials must be generated as part of Looker (Google Cloud core) instance creation, even if you want to use adifferent authentication method for authenticating your users into a Looker (Google Cloud core) instance.
Required roles
To use the Google Cloud console to create and edit OAuth credentials, you need the following permissions. (To hide the list of permissions, collapse theRequired permissions section.)
Required permissions
- clientauthconfig.*
- clientauthconfig.brands.create
- clientauthconfig.brands.delete
- clientauthconfig.brands.get
- clientauthconfig.brands.list
- clientauthconfig.brands.update
- clientauthconfig.clients.create
- clientauthconfig.clients.createSecret
- clientauthconfig.clients.delete
- clientauthconfig.clients.get
- clientauthconfig.clients.getWithSecret
- clientauthconfig.clients.list
- clientauthconfig.clients.listWithSecrets
- clientauthconfig.clients.undelete
- clientauthconfig.clients.update
- oauthconfig.*
- oauthconfig.clientpolicy.get
- oauthconfig.testusers.get
- oauthconfig.testusers.update
- oauthconfig.verification.get
- oauthconfig.verification.submit
- oauthconfig.verification.update
You might also be able to get the required permissions throughcustom roles or otherpredefined roles. For more information about granting roles, see theManage access to projects, folders, and organizations page in the Identity and Access Management (IAM) documentation.
Before you create a Looker (Google Cloud core) instance
Before you create a Looker (Google Cloud core) instance, complete the steps that are described in these sections:
- Generate the OAuth client ID and client secret
- Configure the user consent screen, scopes, and test users
Generate the OAuth client ID and client secret
First, create an OAuth client and generate the client ID and client secret for that client. These values are required during creation of the Looker (Google Cloud core) instance.
You can set up the OAuth client in any Google Cloud project you want. It doesn't need to be the same project as the Looker (Google Cloud core) instance. However, the Looker (Google Cloud core) APImust be enabled in this project.
To create the client and its credentials, follow these steps:
- Navigate to the project that you want to create the OAuth client in.
- Navigate toAPIs & Services > Credentials.
- From theCredentials page, clickCreate Credentials.
- From the drop-down menu, selectOAuth client ID.
- In theApplication type drop-down, selectWeb application.
- In theName field, enter a name for your OAuth client.
- At this point, youdon't need to add URIs in theAuthorized JavaScript origins orAuthorized redirect URIs sections.
- ClickCreate.
After you clickCreate, anOAuth client created window appears. This window displays the client ID and client secret created for your OAuth client. These values will be required when youcreate the Looker (Google Cloud core) instance.
Optionally, clickDownload JSON to download the credential information in a JSON file. To close the window, clickOK.
Configure the user consent screen, scopes, and test users
Next, you may want to configure the consent screen. The consent screen is shown to a user of the Looker (Google Cloud core) instance at their first login and at any point when their authorizationexpires or isrevoked by the user.
Follow the instructions on theConfigure the OAuth consent screen and choose scopes documentation page. While configuring your screen, complete the following settings as described:
In theBranding section, underAuthorized domains, the domain must match the domain of the Looker (Google Cloud core) instance that uses the OAuth credentials. If you are going to create acustom domain for your Looker (Google Cloud core) instance and know the domain that you will assign to it, you can enter it now. Otherwise, you can leave this field empty; it will be automatically populated when youadd the authorized redirect URI after the Looker (Google Cloud core) instance is created.
In theAudience section, underUser Type, select one of the following:
- Internal: This setting is the default. Only users within yourorganization can access the instance once they areadded through IAM.
- Make external: Users with any kind ofGoogle Account can access the instance once they areadded through IAM.
During Looker (Google Cloud core) instance creation
When you arecreating the Looker (Google Cloud core) instance, add the OAuth client ID and client secret in theOAuth Application Credentials section. You cannot create an instance without OAuth credentials. Find the OAuth client ID and client secret by navigating to the OAuth client in the Google Cloud console.
After you create a Looker (Google Cloud core) instance
Complete the following instructions to finish configuration. When you add an authorized redirect URI, it will be added to your OAuth consent screen as an authorized domain.
Add the authorized redirect URI to the OAuth client
If you haven't done so already, follow these steps to enter the URL of the newly created Looker (Google Cloud core) instance into the OAuth client.
After you have created a Looker (Google Cloud core) instance, find and copy the URL for the instance. You can find the URL on theInstances page.
Note: If you are setting up acustom domain for your instance, be sure to complete that setup before copying the URL. Once you add the custom domain to the OAuth client, users will no longer be able to log in to the autogenerated instance URL that was granted when the instance was created, even if that domain is also in the OAuth client.In the Google Cloud console, navigate toAPIs & Services > Credentials.
Under theOAuth 2.0 Client IDs heading, click the name of theclient you created.
In theAuthorized redirect URIs section, clickAdd URI.
Paste the URL of the Looker (Google Cloud core) instance into theURIs field. Add
/oauth2callbackto the end of the URL. For example:https://uuid.looker.app/oauth2callback.If you are going to set upOAuth authorization for BigQuery, you can also add a second redirect URI that points to the URL of the Looker (Google Cloud core) instance followed by
/external_oauth/redirectadded to the end of the URL. For example:https://uuid.looker.app/external_oauth/redirect.ClickSave.
It may take from five minutes to a few hours for the update to take effect.
Manage users
Once the OAuth client is configured and the Looker (Google Cloud core) instance iscreated, you canchoose the authentication method for your instance.
If using OAuth as your primary authentication method, complete the steps as described on theUse Google OAuth for Looker (Google Cloud core) user authentication documentation page to complete OAuth setup for user authentication.
Once your authentication method is set up, you can add or remove users through your identity provider andmanage them within Looker.
Edit the OAuth client for a Looker (Google Cloud core) instance
If you want, you can edit or change the OAuth credentials for your Looker (Google Cloud core) instance by following these steps:
- Set up the new client or credentials.
- In the Google Cloud console, from theInstances page, click on an instance's name to open theDETAILS page.
- From theDETAILS page, clickEdit.
- On theEdit Looker (Google Cloud core) instance page, enter the new values in theOAuth Client ID andOAuth Client Secret fields.
- ClickSave.
What's next
- Create a public IP Looker (Google Cloud core) instance
- Create a private connections (private services access) Looker (Google Cloud core) instance
Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.
Last updated 2026-02-19 UTC.