Control API access with domain-wide delegation

Domain-wide delegation is a powerful feature that lets you grant client applications permission to access your Workspace users' data without requiring their consent. You can use domain-wide delegation in two ways:

  1. Authorize a service account to access data on behalf of a user. A service account might be used by the following types of apps:
    • Migration and sync tools that duplicate user content from another service to Google Workspace.
    • Internal apps (for example, automation apps) that developers create for your organization. For example, you can delegate access to an application that uses the Calendar API to add events to your users' calendars.
  2. Allow users to use OAuth client apps without seeing a consent screen. Users can access apps without being prompted for consent, and you can specify the user data that the apps can access.

You can also manage domain-wide installation and view API scopes for Google Workspace Marketplace apps. Learn about Marketplace apps data access and installation.

Before you begin

Set up domain-wide delegation for a client

  1. In the Google Admin console, go to Menu > Security > Access and data control > API controls > Manage Domain Wide Delegation.
    You must be signed in as a super administrator for this task.
  2. Click Add new.
  3. Enter the Client ID for either the service account or the OAuth2 client.
  4. In OAuth Scopes, add each scope that the application can access. Keep the scopes appropriately narrow. You can use any of the OAuth 2.0 Scopes for Google APIs. For example, if the application needs domain-wide access to the Google Drive API and the Google Calendar API, enter https://www.googleapis.com/auth/drive and https://www.googleapis.com/auth/calendar.
  5. Click Authorize. If you get an error, the client ID might not be registered with Google or there might be duplicate or unsupported scopes.
    Note: If Multi-party approval is enabled for your organization, authorizing domain-wide delegation for a client app requires approval from another super admin.
  6. Point to the new client ID, click View details, and make sure that every scope is listed.
    If a scope is not listed, click Edit, enter the missing scope, and click Authorize. You can't edit the client ID.

Changes can take up to 24 hours but typically happen more quickly.

View, edit, or delete clients and scopes

As a best practice, periodically check your app's scopes and remove scopes that aren't required or actively used. Also, delete clients you no longer need. For example, remove access for a migration tool after you complete your migration.
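One way to run this periodic review offline, together with the duplicate-scope and narrow-scope checks from the setup steps (an added example, not Google's code; the inventory format, the placeholder client IDs, the owner-declared `required` lists and the `NARROWER` map are constructed assumptions):

```python
# Added example: offline review of a domain-wide delegation inventory.
# The inventory and the owner-declared "required" scopes are constructed sample data.

# Assumption: a hand-maintained map from a broad scope to a narrower scope of the same API.
NARROWER = {
    "https://www.googleapis.com/auth/drive": "https://www.googleapis.com/auth/drive.readonly",
    "https://www.googleapis.com/auth/calendar": "https://www.googleapis.com/auth/calendar.events",
}

INVENTORY = [  # constructed; client IDs are placeholders
    {"client_id": "100000000000000000001", "name": "calendar-automation", "active": True,
     "scopes": "https://www.googleapis.com/auth/calendar, https://www.googleapis.com/auth/drive,"
               "https://www.googleapis.com/auth/calendar",
     "required": ["https://www.googleapis.com/auth/calendar"]},
    {"client_id": "100000000000000000002", "name": "migration-tool", "active": False,
     "scopes": "https://www.googleapis.com/auth/drive",
     "required": []},
]

def split_scopes(raw):
    """Return (unique scopes in entry order, scopes entered more than once)."""
    unique, dupes = [], []
    for scope in (s.strip() for s in raw.split(",")):
        if not scope:
            continue
        (dupes if scope in unique else unique).append(scope)
    return unique, dupes

def review(entry):
    """Return sorted (finding, detail) pairs for one delegated client."""
    if not entry["active"]:
        # A client nobody needs any more (e.g. a finished migration) should be deleted.
        return [("delete-client", entry["client_id"])]
    granted, dupes = split_scopes(entry["scopes"])
    required = set(entry["required"])
    findings = [("duplicate-scope", s) for s in set(dupes)]
    findings += [("remove-unused-scope", s) for s in granted if s not in required]
    findings += [("add-missing-scope", s) for s in required - set(granted)]
    findings += [("consider-narrower-scope", f"{s} -> {NARROWER[s]}")
                 for s in granted if s in required and s in NARROWER]
    return sorted(findings)

def review_all(inventory):
    """Map each client name to its list of findings."""
    return {e["name"]: review(e) for e in inventory}

if __name__ == "__main__":
    for name, findings in review_all(INVENTORY).items():
        for kind, detail in findings:
            print(f"{name}: {kind}: {detail}")
```
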

  1. In the Google Admin console, go to Menu > Security > Access and data control > API controls > Manage Domain Wide Delegation.
    You must be signed in as a super administrator for this task.
  2. Click a client name and then choose an option:

Last updated 2026-04-09 UTC.