Google Services Setup
All Google services use the same OAuth2 client credentials (client ID + client secret from a single GCP project) but obtain separate refresh tokens with different scopes. This means:
- One
client_secret.jsonfile works for all services - Each service gets its own
.envfile (e.g.secrets/gcal.env,secrets/gmail_send.env) - Each refresh token is scoped to a single API permission
- Revoking one token doesn't affect the others
Setup
# Set up all services at once (encrypts automatically)
python scripts/setup-google-oauth.py --all
# Or set up specific services
python scripts/setup-google-oauth.py gmail gcal
# Encrypt with age after each OAuth flow
python scripts/setup-google-oauth.py gmail --encrypt
# Encrypt all existing .env files in secrets/ (no OAuth flow)
python scripts/setup-google-oauth.py --encrypt-all
Available Services
| Service | Executor | OAuth Scope |
|---|---|---|
| Google Calendar (read) | gcal |
calendar.readonly |
| Google Calendar (write) | gcal_write |
calendar.events |
| Gmail (read) | gmail |
gmail.readonly |
| Gmail (send) | gmail_send |
gmail.send |
| Gmail (modify) | gmail_modify |
gmail.modify |
| Google Drive (read) | drive |
drive.readonly |
| Google Drive (write) | drive_write |
drive.file |
GCP Project Setup
- Create a project in Google Cloud Console
- Enable the APIs you need (Calendar, Gmail, Drive)
- Create OAuth 2.0 credentials (Desktop application type)
- Download the
client_secret.jsonfile to your project root - Run the setup script for each service you want to use