All Collections
Authentication guides
Google Workspace Authentication Guide (JWT)
Google Workspace Authentication Guide (JWT)

How to authenticate Google for use with Tines using JWT

Fergal Collins avatar
Written by Fergal Collins
Updated over a week ago

Google Workspace is a collection of cloud computing, productivity, and collaboration tools, software, and products developed and marketed by Google. It consists of Gmail, Contacts, Calendar, Meet, and Chat for communication; Currents for employee engagement; Drive for storage; and the Google Docs Editors suite for content creation.

Firstly, configure Google for use with Tines

We will use OAuth 2.0 with a service account to connect Tines with G Suite. The Admin SDK API allows the programmatic administration of domain resources such as users, groups, and admin settings.

Navigate to and enable the Admin SDK.

Then, create a "service account" in Google

  1. Create a service account following these instructions from Google.

    1. Open the Service accounts page. If prompted, select a project.

    2. Click "Create Service Account."

    3. Grant the Service Account the “Service Directory Admin” role. This can be done during the Service Account Creation process. Service Account roles can also be added after the Service Account is created by following the steps documented by Google here.

    4. In the Create service account window, type a name for the service account, and select "Furnish A New Private Key." Ensure that Google Workspace Domain-wide Delegation is enabled. Then click "Create."

    5. Your private key will be downloaded to your computer in JSON format and should look similar to the one below. Keep this file safe; it contains secret information and cannot be downloaded again.

Authorize the service account in Google

For Tines to access user data in Google Workspace, a Google Workspace administrator needs to authorize the account we just created in the Google Workspace admin console, this is a process known as delegating domain-wide authority.

  1. Go to your Google Workspace domain’s Admin console.

  2. Select "Security" from the list of controls. If you don’t see "Security" listed, select "More Controls" from the gray bar at the bottom of the page, then select "Security" from the list of controls. If you can’t see the controls, make sure you’re signed in as an administrator for the domain.

  3. Select "Show More" and then "Advanced Settings" from the list of options.

  4. Select “API Controls" and then "Manage Domain Wide Delegation"

  5. Select "Add New" to add your Client ID and OAuth Scopes.

  6. In the Client Name field, enter the service account’s Client ID. You can find your service account’s client ID in the Service accounts Client ID. This can be found under the “client_id” field in the private key file you downloaded and is typically a long number.

  7. Under “One or More API Scopes” enter the required scopes. Scopes provide a way to limit the amount of access that is granted to an access token or application. A full list of OAuth 2.0 Scopes for Google APIs is available here. Your credential uses the following scopes:

  8. Click "Authorize"

Lastly, create a Google credential in Tines

Google uses JSON Web Tokens (JWT) to securely represent and exchange information between services. Before Google provides an access token that we can use to access the required APIs, we need to send a JWT confirming we are who we say we are.

  1. Sign in to your Tines tenant, navigate to the team using the Google API, and select "+ New Credential"

  2. Under “Type” choose “JWT”

  3. Enter a credential name

  4. The only signing algorithm supported by the Google OAuth 2.0 Authorization Server is RSA using SHA-256 hashing algorithm. Under “Algorithm” choose RSA256.

  5. The payload component of the JWT credential is the data stored inside the JWT (this data is also referred to as the “claims” of the JWT). The fields are described below:

  6. Google expects us to provide a payload that looks like the below:


  7. In this case, “iss” should be taken from the “client_email” field in your private key file; “sub” is the email address of an admin in your domain that has access to manage users and groups; and “scope” must be the same as that defined under Step 7 of “Authorizing the service account” above.

  8. By selecting the “Auto generate ‘iat’ (Issued At) & ‘exp’ (Expiration Time) claims” checkbox. Tines will add “iat” and “exp” claims to the payload according to when the credential is used.

  9. Copy and paste the private key from your private key file into the Tines credential.

  10. When complete, the credential page should look similar to the below:

For more on creating credentials in Tines, click here.
You can find a selection of Google stories in the Tines story library.

Did this answer your question?