← DocumentationIntegrationsFederation Setup
Self-HostedGoogle Cloud

Google OAuth Setup Guide

Configure Google Cloud OAuth credentials so your self-hosted DiviDen instance can connect to Gmail, Google Calendar, and Google Drive. This guide walks through every step from creating a Google Cloud project to verifying the connection.

Contents

Prerequisites5. Configure Environment Variables1. Create a Google Cloud Project6. Restart and Connect2. Enable Required APIsScope Reference3. Configure OAuth Consent ScreenTroubleshooting4. Create OAuth CredentialsSecurity Notes

Prerequisites

  • --A running self-hosted DiviDen instance (see Federation Setup Guide)
  • --Admin access to the instance (the account that deployed it)
  • --A Google account with access to the Google Cloud Console
  • --Your instance accessible via HTTPS (required for OAuth redirect)
Important: Google OAuth requires HTTPS. If your instance is running on bare HTTP, you must set up TLS (via reverse proxy, Caddy, or a cloud load balancer) before proceeding.

Step 1: Create a Google Cloud Project

1
2

Enter a project name. Something like DiviDen Instance or MyOrg DiviDen works fine. The name is for your reference only.

3

Select your organization (if applicable) or leave as "No organization".

4

Click Create. Wait for the project to be provisioned (a few seconds).

5

Make sure the new project is selected in the project dropdown at the top of the console. All subsequent steps must be done within this project.

Step 2: Enable Required APIs

DiviDen needs three Google APIs enabled. You can enable them one by one from the API Library, or use the direct links below.

Gmail API

Read, send, and compose emails

Enable →

Google Calendar API

Full read and write access to calendar events

Enable →

Google Drive API

Read-only access to files and folders

Enable →
Tip: For each API, click the Enable button on the API page. If the button says "Manage" instead, the API is already enabled.

Step 3: Configure OAuth Consent Screen

The consent screen is what users see when they authorize DiviDen to access their Google data.

1
2

Select External user type (unless your Google Workspace org restricts it to Internal). Click Create.

3

Fill in the app information:

App nameDiviDen (or your instance name)
User support emailYour admin email address
App logoOptional — upload your instance logo if desired
Developer contactYour admin email address
4

On the Scopes page, click Add or Remove Scopes and add these seven scopes:

Required OAuth Scopes
https://www.googleapis.com/auth/gmail.readonly
https://www.googleapis.com/auth/gmail.send
https://www.googleapis.com/auth/gmail.compose
https://www.googleapis.com/auth/calendar
https://www.googleapis.com/auth/drive.readonly
https://www.googleapis.com/auth/userinfo.email
https://www.googleapis.com/auth/userinfo.profile

You can paste these into the "Manually add scopes" field, one per line, then click Add to Table.

5

On the Test users page, add the Google accounts that will connect to your instance. While the app is in "Testing" publishing status, only these accounts can authorize.

6

Click Save and Continue through the remaining screens, then Back to Dashboard.

Important: The Gmail and Calendar scopes are classified as sensitive by Google. While your app is in "Testing" status, only test users you explicitly add can authorize. To remove this restriction, you must submit for Google verification (see Security Notes below).

Step 4: Create OAuth Credentials

1
2

Click + Create CredentialsOAuth client ID.

3

Set Application type to Web application.

4

Give it a name (e.g., DiviDen OAuth).

5

Under Authorized redirect URIs, click + Add URI and enter:

Redirect URI
https://your-domain.com/api/auth/callback/google-connect

Replace your-domain.com with your actual instance domain. If you access your instance at https://dividen.mycompany.com, the redirect URI would be https://dividen.mycompany.com/api/auth/callback/google-connect.

6

Click Create. Google will display your Client ID and Client Secret. Copy both values immediately — you will need them in the next step.

Important: Do not add Authorized JavaScript origins — DiviDen uses server-side OAuth and does not need them. Adding incorrect origins can cause unexpected errors.

What you should have at this point

--Client ID (looks like 123...apps.googleusercontent.com)
--Client Secret (looks like GOCSPX-...)

Step 5: Configure Environment Variables

Add the credentials to your DiviDen instance's environment. How you do this depends on your deployment method.

Docker / Docker Compose

Add these to your .env file or docker-compose.yml environment section:

.env
GOOGLE_CLIENT_ID=your-client-id-here.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=GOCSPX-your-client-secret-here

Bare Metal / Node.js

Add to your .env file in the project root:

.env
GOOGLE_CLIENT_ID=your-client-id-here.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=GOCSPX-your-client-secret-here

Cloud Platform (Railway, Render, Fly.io, etc.)

Add both variables to your platform's environment/secrets configuration. The exact location varies by platform but is typically under Settings → Environment Variables.

Tip: DiviDen detects these variables at runtime. If they are missing, the "Connect Google" button in Settings → Integrations will show a configuration prompt instead of starting the OAuth flow.

Step 6: Restart and Connect

1

Restart your DiviDen instance so it picks up the new environment variables.

Docker
docker compose restart
Node.js
# Stop the running process, then:
yarn build && yarn start
2

Log in to your DiviDen instance and go to Settings → Integrations.

3

Click Connect Google. You should be redirected to Google's consent screen.

4

Select the Google account you want to connect and authorize all requested permissions.

5

You will be redirected back to DiviDen. If successful, you will see connected status indicators for Gmail, Calendar, and Drive in the Integrations panel.

What happens after connection

  • --Email: DiviDen syncs your inbox and installs the Outbound Email capability for your agents.
  • --Calendar: Events sync immediately. The Meeting Scheduling capability is auto-installed.
  • --Drive: Files and folders sync in read-only mode. Accessible from the Files tab.
  • --Multi-account: You can connect up to 3 Google accounts per identity. Repeat the Connect flow for additional accounts.

Scope Reference

DiviDen requests seven OAuth scopes. Here is what each one does:

ScopeServiceAccess LevelUsed For
gmail.readonlyGmailReadSync inbox, read email threads
gmail.sendGmailWriteSend emails via agents
gmail.composeGmailWriteDraft and compose emails
calendarCalendarRead + WriteSync events, create meetings
drive.readonlyDriveReadSync files and folders
userinfo.emailIdentityReadIdentify the Google account
userinfo.profileIdentityReadDisplay name and avatar
Tip: All scopes are requested together in a single consent prompt. Users cannot selectively deny individual scopes — it is all or nothing. If a user denies consent, no services will be connected.

Troubleshooting

redirect_uri_mismatch error

This is the most common error. It means the redirect URI configured in Google Cloud does not exactly match what DiviDen sends.

Check these:

  • -- The redirect URI must be exactly: https://your-domain.com/api/auth/callback/google-connect
  • -- Protocol must be https:// (not http://)
  • -- No trailing slash
  • -- Domain must match exactly (including www. vs non-www.)

"Access blocked: This app's request is invalid"

This usually means the OAuth consent screen is not fully configured. Go back to the consent screen settings and make sure:

  • -- All required fields are filled in (app name, support email, developer contact)
  • -- At least one scope is added
  • -- If using "External" user type, your Google account is added as a test user

No refresh token received

DiviDen requires offline access (refresh tokens) to maintain persistent connections. If you previously authorized the app and then revoked access, Google may not issue a new refresh token.

Fix:

  1. Go to Google Account → Security → Third-party apps
  2. Find your DiviDen app and click Remove Access
  3. Try connecting again from DiviDen — Google will now issue a fresh refresh token
Tip: DiviDen uses prompt: consent and access_type: offline in the OAuth flow, which should force a refresh token on every authorization. This issue is rare but can happen if Google's token cache is stale.

"Google integration not configured" error in DiviDen

This means your instance cannot find the GOOGLE_CLIENT_ID and/or GOOGLE_CLIENT_SECRET environment variables.

  • -- Verify the variables are set: echo $GOOGLE_CLIENT_ID
  • -- Make sure you restarted the instance after adding them
  • -- If using Docker, ensure the .env file is mounted or variables are passed via -e flags

Sync completes but no data appears

Check the browser console and server logs for errors. Common causes:

  • -- The connected Google account has no data (empty inbox, no calendar events)
  • -- API rate limits hit during initial sync — wait a few minutes and refresh
  • -- Token expired between connection and sync — disconnect and reconnect

Security Notes

Testing vs. Production Publishing Status

By default, your Google Cloud OAuth app is in Testing status. This means:

  • -- Only accounts you add as test users can authorize
  • -- Maximum of 100 test users
  • -- Refresh tokens expire after 7 days
  • -- Users see a "This app isn't verified" warning screen

For a personal or small-team instance, Testing status is usually fine — just add all team members as test users. If you need wider access or tokens that do not expire:

  1. Go to the OAuth consent screen in Google Cloud Console
  2. Click Publish App
  3. Google will require you to submit for verification (privacy policy URL, homepage, demo video)
  4. Verification typically takes 2-6 weeks for sensitive scopes

Credential Security

  • --Never commit GOOGLE_CLIENT_SECRET to version control. Use environment variables or secrets management.
  • --The Client ID is semi-public (visible in the OAuth URL) but the Client Secret must remain private.
  • --DiviDen stores OAuth tokens encrypted in the database. Refresh tokens are used server-side only and never exposed to the client.
  • --If you suspect your Client Secret is compromised, rotate it immediately in Google Cloud Console → Credentials → your OAuth client → Reset Secret.

Revoking Access

Users can revoke DiviDen's access at any time from Google Account → Third-party apps. DiviDen also provides a Disconnect button in Settings → Integrations.

Download a plain-text copy of this page

Last updated: May 27, 2026

Built by DiviDen — the individual-first operating system

IntegrationsFederation SetupDocumentationAPI ReferenceChangelog