Control API access with domain-wide delegation

As an administrator, you can use domain-wide delegation of authority to grant third-party and internal applications access to your users' data.

App developers and administrators can create service accounts with OAuth 2.0. Then, you authorize the service accounts to access your users' data without requiring each user to give consent. Typical apps granted domain-wide delegation:

  • Google Workspace migration and sync tools

  • Internal apps (for example, automation apps) that developers create for your organization. For example, you can delegate access to an application that uses the Calendar API to add events to your users' calendars.

  • Three-legged OAuth apps, which normally require individual user consent. Users activate apps without being prompted for consent, and you can specify the user data that the apps can access.

To delegate access in the Google Admin console, you add the client ID of the service account or OAuth2 client ID of the app, and then grant access to supported Google APIs (scopes).

About domain-wide delegation

Domain-wide delegation is a powerful feature that allows apps to access users' data across your organization's Google Workspace environment. For example, grant domain-wide delegation to a migration app that duplicates user content from another service to Google Workspace. For this reason, only super admins can manage domain-wide delegation, and they must specify each API scope that the app can access.

You can also manage domain-wide installation and view API scopes for Google Workspace Marketplace apps. Learn about Marketplace apps data access and installation.

Open all   |   Close all

Before you begin

  • You need super admin privileges for your Google Workspace account.

  • To add or edit an app, get the following information from the app developer:
  • The client ID of the service account.
  • The list of API scopes requested by the app. Check that the app has an appropriately small scope of access.
  • With domain-wide delegation, the app has access to the data belonging to all of your users. We recommend setting up a regular review of service accounts and deleting any accounts no longer in use.

Set up domain-wide delegation for a client

  2. On the Admin console Home page, go to Security and then API controls.

  3. Click Manage Domain Wide Delegation.

  4. Click Add new and enter your service account client ID.

    You can find the ID (also known as the Unique ID) in the JSON file that you downloaded when you created the service account or in the Google Cloud Console (click IAM & Admin and then Service accounts and thenthe name of your service account).

  5. Enter the client ID of the service account or OAuth2 client ID of the app. (Typically, the ID is provided by the developer. If you're the owner of the service account, you can look up the ID.)

  6. InOAuth Scopes, add each scope that the application can access (should be appropriately narrow). You can use any of the OAuth 2.0 Scopes for Google APIs. For example, if the application needs domain-wide access to the Google Drive API and the Google Calendar API, enter https://www.googleapis.com/auth/drive and https://www.googleapis.com/auth/calendar.
  7. Click Authorize. If you get an error, the client ID might not be registered with Google or there might be duplicate or unsupported scopes.

  8. Point to the new client ID, click View details, and make sure every scope is listed.

    If a scope is not listed, click Edit, enter the missing scope, and click Authorize. You can't edit the client ID.

The app should be available for use within an hour, but might take up to 24 hours.

View, edit, or delete clients and scopes

As a best practice, periodically check your app's scopes and remove scopes that aren't required or actively used. Also, delete clients you no longer need. For example, remove access for a migration tool after you complete your migration.

  2. On the Admin console Home page, go to Security and then API controls.

  3. Under Domain-wide delegation, click Manage domain-wide delegation.

  4. Click a client name and then choose an option:

  • View details—View the full client name and list of scopes

  • Edit—Add or remove scopes. You can't edit the client ID. Changes should be active within an hour, but might take up to 24 hours.

  • Remove—Applications that depend on the client authorization will immediately stop working.

Was this helpful?

How can we improve it?