Scopes

  • Add-ons require user authorization and request specific permissions called OAuth scopes to access data or act on a user's behalf.

  • Scopes are declared in the add-on's manifest and can be viewed in the script project's overview section, with explicit scope definition recommended for better control and security.

  • Certain restricted scopes, particularly for Gmail and Editor add-ons, require careful consideration and adherence to specific guidelines for add-on review and publication.

  • Google Workspace add-ons have specific scopes tailored to each service, such as temporary access to document content for Editors, access to message metadata for Gmail, and event access for Calendar, requiring developers to choose the appropriate scope for the desired functionality.

  • Using sensitive or restricted scopes might necessitate OAuth client verification, and it is crucial to always use the least permissive scopes possible to minimize security risks and ensure user privacy.

Users must authorize add-ons and other applications that access their dataor act on their behalf. When a user runs an add-on for the first time, theadd-on UI presents an authorization prompt to start the authorization flow.

During this flow, the prompt tells the user what the application wantspermission to do. For example, an add-on might want permission to read auser's email message or create events in their calendar. The add-on's scriptproject defines these individual permissions asOAuth scopes.

You declare scopes in yourmanifestusing URL strings. During the authorization flow, Apps Script presents ahuman-readable description of the scope to the user. For example, your Google Workspace add-onmight use the "Read current message" scope, which is written in your manifest ashttps://www.googleapis.com/auth/gmail.addons.current.message.readonly. Duringthe authorization flow, an add-on with this scope asks the user to allow theadd-on to:View your email messages when the add-on is running.

Note: The scopes Apps Script uses for its various services overlap with thescopes used by the related API. For example, Apps Script'sCalendar service uses many of the samescopes as theCalendar API. You can look up the scopes thatparticular Apps Script service methods require in the Apps Scriptreference documentation.

Viewing scopes

You can see the scopes your script project currently requires by doing thefollowing:

  1. Open the script project.
  2. At the left, clickOverview.
  3. View the scopes under "Project OAuth Scopes."

You can also view the script project's current scopes in the project manifest,under theoauthScopesfield, but only if you have set those scopesexplicitly.

Setting explicit scopes

Apps Script automatically determines what scopes a script needs by scanningits code for function calls that require them. For most scripts this issufficient and saves you time, but for published add-ons you should exercisemore direct control of the scopes.

For example, Apps Script might give an add-on script project the very permissivescopehttps://mail.google.com by default. When a user authorizes a scriptproject with this scope, the project is granted full access to the user's Gmailaccount. For published add-ons, youmust replace this scope with a morelimited set that cover the add-ons's needs and no more.

Warning: Always use the least permissive scope set possible. To protect userinformation, add-ons and other published applications shouldnever askfor more scope permissions then they absolutely need. The scopes your add-onrequires are examined during the publicationadd-on review process; if the add-on uses scopes that are too broad it can't pass review.

You can explicitly set the scopes your script project uses by editingitsmanifest file. The manifest fieldoauthScopes is an arrayof all scopes used by the add-on. To set your project's scopes, do thefollowing:

  1. View the scopes your add-on currently uses. Determine whatchanges need to be made, such as using a narrower scope.
  2. Open your add-on's manifest file.
  3. Locate the top-level field labeledoauthScopes. If it is not present,you can add it.

  4. TheoauthScopesfield specifies an array of strings. To set the scopesyour project uses, replace the contents of this array with the scopes youwant it to use. For example, for a Google Workspace add-on that extends Gmail you might have the following:

    {  ...  "oauthScopes": [    "https://www.googleapis.com/auth/gmail.addons.current.message.metadata",    "https://www.googleapis.com/auth/userinfo.email"  ],  ...}

  5. Save the manifest file changes.

OAuth verification

Using certain sensitive OAuth scopes may require that your add-on go throughOAuth client verificationbefore you can publish it. For more information, see the following guides:

Restricted scopes

Certain scopes arerestricted and subject to additional rules that helpprotect user data. If you intend to publish a Gmail or Editor add-on that usesone or more restricted scopes, the add-on must comply with all the specifiedrestrictions before it can be published.

Review thefull list of restricted scopesbefore you attempt to publish. If your add-on uses any of them, you must complywith theAdditional requirements for specific API scopesprior to publishing.

Note: Avoid using restricted scopes in your add-on if you can—it iseasier to pass add-on review for public publication if you don't use them. Youcan use restricted scopes freely for non-public add-ons.

TheGoogle Workspace Developer Tools extension for Visual Studio Code provides diagnostic information for all scopes including the scope's description and whether it is sensitive or restricted.

Choose scopes for Google Workspace add-ons

The following sections provide scopes that are commonly used forGoogle Workspace add-ons.

Editor scopes

Below are frequently-used scopes for Google Workspace add-ons that extend Docs, Sheets,and Slides.

Note: Thecurrentonly scope is only available within Apps Script Services. This does not include Apps ScriptAdvanced Services or direct calls to Google Workspace APIs.
Scope
Current Docs file accesshttps://www.googleapis.com/auth/documents.currentonly

Required if the add-on accesses the Apps Script Docs API. Grants temporary access to the open document's content.

Current Sheets file accesshttps://www.googleapis.com/auth/spreadsheets.currentonly

Required if the add-on accesses the Apps Script Sheets API. Grants temporary access to the open spreadsheet's content.

Current Slides file accesshttps://www.googleapis.com/auth/presentations.currentonly

Required if the add-on accesses the Apps Script Slides API. Grants temporary access to the open presentation's content.

Per-file accesshttps://www.googleapis.com/auth/drive.file

Required for the add-on to use theonFileScopeGrantedTrigger and if the add-on accesses the Docs, Sheets, Slides, or Drive API. Grants per-file access to files created or opened by the app, using the Apps ScriptAdvanced Drive Service. This doesn't allow the use of similar actions using the basicDrive service, however. File authorization is granted on a per-file basis and is revoked when the user deauthorizes the app.

Gmail

There are a few scopes that were created specifically forGoogle Workspace add-ons to help protect user Gmaildata. You mustadd these scopes explicitlyto your add-on manifest, along with any others youradd-on code requires.

Below are frequently-used scopes for Google Workspace add-ons that extend Gmail;the ones labeledRequired must be added to yourGoogle Workspace add-on manifest if your add-on extendsGmail.

Be sure to also replace the very broadhttps://mail.google.com scope in youradd-on with a narrower set of scopes that allow the interactions your add-onneeds and no more.

Scope
Create new draftshttps://www.googleapis.com/auth/gmail.addons.current.action.compose

Required if the add-on uses compose action triggers. Allows the add-on to temporarily create new drafts messages and replies. See Composing draft messages for details; this scope is also often used with compose actions. Requires an access token.

Read open message metadatahttps://www.googleapis.com/auth/gmail.addons.current.message.metadata

Grants temporary access to the open message's metadata (such as the subject or recipients). Does not allow reading of message content and requires an access token.

Required if the add-on uses metadata in compose action triggers. For compose actions, this scope is required if a compose trigger needs access to metadata. In practice, this scope lets a compose trigger access recipient lists (to:, cc:, and bcc:) of a reply email draft.

Read open message contenthttps://www.googleapis.com/auth/gmail.addons.current.message.action

Grants access to the open message's content upon a user interaction, such as when an add-on menu item is selected. Requires an access token.

Read open thread contenthttps://www.googleapis.com/auth/gmail.addons.current.message.readonly

Grants temporary access to the open message's metadata and content. Also grants access to the content of other messages in the open thread. Requires an access token.

Read any message content and metadatahttps://www.googleapis.com/auth/gmail.readonly

Read any email metadata and content, including the open message. Required if you need to read information about other messages, such as when conducting a search query or reading an entire mail thread.

Warning: This is a very broad,restricted scope. Only use it if absolutely necessary.

Google Calendar scopes

Below are frequently-used scopes for Google Workspace add-ons that extend Google Calendar.

Scope
Access event metadatahttps://www.googleapis.com/auth/calendar.addons.execute

Required if the add-on accesses Calendar event metadata. Allows the add-on to access event metadata.

Read user-generated event datahttps://www.googleapis.com/auth/calendar.addons.current.event.read

Required if the add-on needs to read user-generated event data. Allows the add-on to access user-generated event data. This data is only available if theaddOns.calendar.eventAccess manifest field is set toREAD orREAD_WRITE.

Write user-generated event datahttps://www.googleapis.com/auth/calendar.addons.current.event.write

Required if the add-on needs to write user-generated event data. Allows the add-on to edit user-generated event data. This data is only available if theaddOns.calendar.eventAccess manifest field is set toWRITE orREAD_WRITE.

Google Chat scopes

To call the Chat API, you must authenticate as theGoogle Chat user or as theChat app.Each type of authentication requires different scopes, and not allChat API methods support app authentication.

To learn more about Chat scopes and authentication types, see theChat APIAuthentication and authorization overview

The following table shows frequently-used Chat API methods and scopesbased on the supported authentication types:

MethodUser authentication supportedApp authentication supportedAuthorization scopes supported
Send a message WithUser authentication:
  • chat.messages.create
  • chat.messages
  • chat.import
WithApp authentication:
  • chat.bot
Create a space WithUser authentication:
  • chat.spaces.create
  • chat.spaces
  • chat.import
WithApp authentication andadministrator approval (available inDeveloper Preview):
  • chat.app.spaces.create
  • chat.app.spaces
Create and add members to a space WithUser authentication:
  • chat.spaces.create
  • chat.spaces
Add a user to a space WithUser authentication:
  • chat.memberships
  • chat.memberships.app
  • chat.import
WithApp authentication andadministrator approval (available inDeveloper Preview):
  • chat.app.memberships
List activities or events from a Chat space WithUser authentication, you must use a scope for each event type included in the request:
  • For events about messages:
    • chat.messages
    • chat.messages.readonly
  • For events about reactions:
    • chat.messages.reactions
    • chat.messages.reactions.readonly
    • chat.messages
    • chat.messages.readonly
  • For events about memberships:
    • chat.memberships
    • chat.memberships.readonly
  • For events about the space:
    • chat.spaces
    • chat.spaces.readonly

Google Drive scopes

Below are frequently-used scopes for Google Workspace add-ons that extend Google Drive.

Scope
Read selected item metadatahttps://www.googleapis.com/auth/drive.addons.metadata.readonly

Required if the add-on implements a contextual interface triggered when the user selects items in Drive. Allows the add-on to read limited metadata about items a user has selected in Google Drive. The metadata is limited to the item's ID, title, MIME type, icon URL and whether the add-on has permission to access the item.

Per-file accesshttps://www.googleapis.com/auth/drive.file

Recommended if the add-on needs to access individual Drive files. Grants per-file access to files created or opened by the app, using the Apps ScriptAdvanced Drive Service. This doesn't allow the use of similar actions using the basicDrive service, however. File authorization is granted on a per-file basis and is revoked when the user deauthorizes the app.

See the Request file access for selected files example.

Access tokens

To protect user data, the Gmail scopes used inGoogle Workspace add-ons only granttemporary access to user data. To enable temporary access, you must call thefunctionGmailApp.setCurrentMessageAccessToken(accessToken)using an access token as an argument. You must obtain an access token from anaction event object.

Note: The access token than enables Gmail scopes isnot the same asthe access token returned byScriptApp.getOAuthToken().You must use the token provided in the action event object.

The following shows an example of setting an access token to allow access toa message's metadata. The only scope necessary for this example ishttps://www.googleapis.com/auth/gmail.addons.current.message.metadata.

functionreadSender(e){varaccessToken=e.gmail.accessToken;varmessageId=e.gmail.messageId;//Thefollowingfunctionenablesshort-livedaccesstothecurrent//messageinGmail.AccesstootherGmailmessagesordataisn't//permitted.GmailApp.setCurrentMessageAccessToken(accessToken);varmailMessage=GmailApp.getMessageById(messageId);returnmailMessage.getFrom();}

Other Google Workspace scopes

Your add-on may require additional scopes if it uses other Google Workspace or Apps Script services.In most cases you can let Apps Script detect these scopes and update themanifest automatically. When editing your manifest's scope list, do not removeany scopes unless you are replacing them with a more appropriate alternative,such as a narrower scope.

The following table shows a list of scopes that Google Workspace add-ons often use:

Scope
Read user's email addresshttps://www.googleapis.com/auth/userinfo.email

Allows the project to read the current user's email address.

Allow calls to external serviceshttps://www.googleapis.com/auth/script.external_request

Allows the project to makeUrlFetch requests. This is also required if the project makes use of the OAuth2 for Apps Script library.

Read user's locale and timezonehttps://www.googleapis.com/auth/script.locale

Allows the project to learn the current user's locale and timezone. See Accessing user locale and timezone for details.

Create triggershttps://www.googleapis.com/auth/script.scriptapp

Allows the project to create triggers.

Preview third-party linkshttps://www.googleapis.com/auth/workspace.linkpreview

Required if the add-on previews links from a third-party service. Allows the project to see a link within a Google Workspace application while the user is interacting with it. To learn more, see Preview links with smart chips.

Create third-party resourceshttps://www.googleapis.com/auth/workspace.linkcreate

Required if the add-on creates resources in a third-party service. Allows the project to read the information that users submit to the resource creation form and insert a link to the resource within a Google Workspace application. To learn more, see Create third-party resources from the @ menu.

Except as otherwise noted, the content of this page is licensed under theCreative Commons Attribution 4.0 License, and code samples are licensed under theApache 2.0 License. For details, see theGoogle Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.

Last updated 2025-12-11 UTC.