Ruslan Musagitov

Google OAuth App verification

We use the Google Sheets API in our new project, Functions - save to sheets. We also use the /auth/spreadsheets scope, which allows reading and writing users' spreadsheets.
Ruslan Musagitov
Co-founder
If your application is available for external users, it needs to be verified in the following cases:
  • Your app uses a sensitive and/or restricted scope

  • Your app displays an icon on its OAuth consent screen

  • Your app has a large number of authorized domains

  • You have made changes to a previously-verified OAuth consent screen
Without verification, your app will be limited to a maximum number of users, and authorization will be harder because users see an additional warning that the app isn't verified.
Picture 1. "Unverified app" warning screen
To prepare your project for verification, go to the OAuth consent screen in the Google developer console.
Picture 2. OAuth consent screen of an unverified project.
For verification you have to prepare:

  • application name

  • application logo

  • email to contact you

  • authorized domain

  • application home page link that is hosted on authorized domain

  • application privacy policy page that is hosted on authorized domain
The essential point is the privacy policy. You have to state explicitly how the application gets, uses, saves and shares users' data. The application shouldn't go beyond the user agreements stated in the privacy policy.
This is what the privacy policy of our own project, Functions - save to sheets, looks like: http://bytepace.com/functionsapp/tos-and-privacy-policy.
After you submit an app for verification, you may be asked for a video, hosted on YouTube, that shows:

  1. How to log into your project (ensuring that the URL bar with the client ID is clearly visible)

  2. How to request an OAuth token (OAuth Consent Screen/Permissions Page)

  3. How your project's functionality utilizes the requested scopes:
     - list of sensitive scopes that your app requests

  4. Demonstrate that functionality was successfully achieved.
     - Please note, we must verify that any changes made via the application are successfully reflected in the user's Google Drive.
In our case we recorded a video from a device using the /auth/spreadsheets scope. We uploaded the video to YouTube and sent it to the verifier.
During the review we were also asked to update the login button to comply with the brand rules: https://developers.google.com/identity/branding-guidelines.
We did some fixes, sent a screenshot, and in a day we got an answer that our app was verified.
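A pre-submission check for the checklist and video requirements above, as an added example that is not part of our project's code. The config field names, the example.com values and the client ID are constructed, and treating subdomains of the authorized domain as "hosted on" it is an assumption.

```python
from urllib.parse import urlsplit, parse_qs, urlencode

REQUIRED = ("app_name", "logo", "support_email", "authorized_domain",
            "home_page", "privacy_policy")  # hypothetical field names

def hosted_on(url, authorized_domain):
    """True if the URL's host is the authorized domain or one of its subdomains."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    domain = authorized_domain.lower().strip(".")
    # Match on a label boundary so "notexample.com" does not pass for "example.com".
    return host == domain or host.endswith("." + domain)

def preflight(config):
    """Return a list of problems in a consent-screen configuration (empty = ready)."""
    problems = [f"missing {f}" for f in REQUIRED if not config.get(f)]
    domain = config.get("authorized_domain")
    for field in ("home_page", "privacy_policy"):
        url = config.get(field)
        if url and domain and not hosted_on(url, domain):
            problems.append(f"{field} is not hosted on {domain}")
    return problems

def auth_url_shows(url, client_id, scope):
    """Check that the URL shown in the demo video carries the client ID and the scope."""
    query = parse_qs(urlsplit(url).query)
    scopes = query.get("scope", [""])[0].split()
    return query.get("client_id") == [client_id] and scope in scopes

# Constructed sample values, not real project data.
CLIENT_ID = "1234567890-example.apps.googleusercontent.com"
SCOPE = "https://www.googleapis.com/auth/spreadsheets"
SAMPLE = {
    "app_name": "Example App",
    "logo": "logo.png",
    "support_email": "support@example.com",
    "authorized_domain": "example.com",
    "home_page": "https://www.example.com/app",
    "privacy_policy": "https://example.com/app/privacy",
}
SAMPLE_AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth?" + urlencode({
    "client_id": CLIENT_ID, "scope": SCOPE, "response_type": "code",
    "redirect_uri": "https://www.example.com/oauth/callback",
})

if __name__ == "__main__":
    print(preflight(SAMPLE) or "consent screen config looks complete")
    print("client ID and scope visible:", auth_url_shows(SAMPLE_AUTH_URL, CLIENT_ID, SCOPE))
```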
Summing up
We could have sped up the process if we had recorded a screen demonstration first and sent the link with the verification request. We also could have prepared the home page and privacy policy in advance. In that case the process could have taken a couple of days.

But overall we spent a couple of weeks because of fixes.


The article that helped us a lot with the verification process: https://medium.com/@crspybits/the-google-oauth-review-process-9d1b05f53aea
Thanks for reading!