Authenticate with Google APIs using OAuth 2.0

Learn how to use OAuth 2.0 to authenticate with Google APIs.

In some cases, you may need to use OAuth 2.0 credentials for a Google Cloud project. These can include:

  • Accessing Google Sheets from a self-hosted deployment.
  • Creating a resource to use a Google API for which Retool does not have a built-in integration.

If you already use Okta SSO with OpenID Connect (OIDC), you can safely authorize Google SSO without presenting an additional sign-in method. Retool only displays one SSO button on the login page, and Okta has priority over Google when both are enabled.

Prerequisites

This guide assumes you have an existing Google Cloud project. If not, create a new project first.

Create OAuth 2.0 credentials

Follow Google's Setting up OAuth 2.0 guide to create an OAuth 2.0 client ID. Use the following information to configure it for use with Retool.

| Setting | Value |
| --- | --- |
| Application type | Web application |
| JavaScript origin URI | The base URL you use to access Retool (e.g., https://example.retool.com or https://retool.mycompany.com) |
| Authorized redirect URIs | BASE_URL/oauth/oauthcallback and BASE_URL/oauth/user/oauthcallback. |

Once complete, Google displays the client ID and secret, and also makes them available for download in JSON format. You use these credentials to create Google API resources in Retool.

Enable APIs and define scope

Before you can create a resource in Retool, you must enable the desired APIs and define the scope of access that the credentials will request from users.

First, enable any APIs you wish to use with this project. These will be accessible using the OAuth credentials once you define their scope.

Next, follow Google's guide to configure the OAuth consent screen and define the scopes that the OAuth credentials will request for any enabled APIs. For example, the auth/calendar.events scope for the Google Calendar API would allow Retool to view and edit all calendar events once a user completes authorization.

Create a REST API resource

You can now create REST API resources for Google APIs, such as the Google Calendar API, with the following settings.

Google requires the URL parameters access_type=offline and prompt=consent to obtain refresh tokens, so you should include these in your Authorization URL variable.

| Setting | Value |
| --- | --- |
| Base URL | The base URL of the API (e.g., https://www.googleapis.com/calendar/v3). |
| Headers | A key-value pair set to Authorization and Bearer OAUTH2_TOKEN. |
| Authentication type | OAuth 2.0. |
| Authorization URL | https://accounts.google.com/o/oauth2/v2/auth?access_type=offline&prompt=consent |
| Access token URL | https://oauth2.googleapis.com/token |
| Client ID | The client ID provided by Google. |
| Client secret | The client secret provided by Google. |
| Scopes | A space-separated list of scopes (e.g., https://www.googleapis.com/auth/calendar.events). |
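
A pre-flight check for the settings above, as an added example that is not Retool's own code: it derives the two redirect URIs from the base URL, lints the Authorization URL and scopes, and builds a standard OAuth 2.0 authorization-code request from them. The function names, the placeholder client ID, the localhost exemption from HTTPS, and the use of a `state` value are assumptions for illustration.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Values copied from the settings tables on this page.
AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth?access_type=offline&prompt=consent"
CALLBACK_PATHS = ("/oauth/oauthcallback", "/oauth/user/oauthcallback")


def redirect_uris(base_url):
    """Return the two redirect URIs to register in Google Cloud for base_url."""
    base = base_url.rstrip("/")
    return [base + path for path in CALLBACK_PATHS]


def lint_config(auth_url, base_url, scopes):
    """Return a list of problems found in a resource configuration."""
    problems = []
    query = parse_qs(urlsplit(auth_url).query)
    # Without both parameters Google does not hand back a refresh token.
    for key, want in (("access_type", "offline"), ("prompt", "consent")):
        if query.get(key) != [want]:
            problems.append(f"Authorization URL lacks {key}={want}")
    base = urlsplit(base_url)
    # Assumption: plain HTTP is tolerated only for localhost test deployments.
    if base.scheme != "https" and base.hostname not in ("localhost", "127.0.0.1"):
        problems.append("base URL is not HTTPS")
    if "," in scopes or not scopes.strip():
        problems.append("scopes must be a non-empty, space-separated list")
    return problems


def authorization_request(auth_url, client_id, redirect_uri, scopes):
    """Build the browser redirect URL and the state value to verify at the callback."""
    state = secrets.token_urlsafe(32)  # unguessable value that binds the callback to this request
    parts = urlsplit(auth_url)
    params = parse_qs(parts.query)  # keeps access_type and prompt from the configured URL
    params.update(response_type=["code"], client_id=[client_id],
                  redirect_uri=[redirect_uri], scope=[scopes], state=[state])
    return urlunsplit(parts._replace(query=urlencode(params, doseq=True))), state


if __name__ == "__main__":
    base = "https://example.retool.com"  # example base URL from this page
    scope = "https://www.googleapis.com/auth/calendar.events"
    print(lint_config(AUTH_URL, base, scope) or "configuration looks consistent")
    # CLIENT_ID_PLACEHOLDER stands in for the client ID Google issues.
    print(authorization_request(AUTH_URL, "CLIENT_ID_PLACEHOLDER", redirect_uris(base)[0], scope)[0])
```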