Authenticate with Google APIs using OAuth 2.0
Learn how to use OAuth 2.0 to authenticate with Google APIs.
In some cases, you may need to use OAuth 2.0 credentials for a Google Cloud project. These can include:
- Accessing Google Sheets from a self-hosted deployment.
- Creating a resource to use a Google API for which Retool does not have a built-in integration.
If you are already using Okta SSO using OpenID Connect (OIDC), you can safely authorize Google SSO without presenting an additional sign in method. Retool only displays one SSO button on the login page and Okta has priority over Google when both are enabled.
Prerequisites
This guide assumes you have an existing Google Cloud project. If not, create a new project first.
Create OAuth 2.0 credentials
Follow Google's Setting up OAuth 2.0 guide to create an OAuth 2.0 client ID. Use the following information to configure it for use with Retool.
| Setting | Value |
|---|---|
| Application type | Web application |
| JavaScript origin URI | The base URL you use to access Retool (e.g., https://example.retool.com or https://retool.mycompany.com |
| Authorized redirect URIs | BASE_URL/oauth/oauthcallback and BASE_URL/oauth/user/oauthcallback. |
Once complete, Google displays the client ID and secret, and also makes it available for download in JSON format. You use these credentials to create Google API resources in Retool.
Enable APIs and define scope
Before you can create a resource in Retool, you must enable the desired APIs and define the scope of access that the credentials will request from users.
First, enable any APIs you wish to use with this project. These will be accessible using the OAuth credentials once you define their scope.
Next, follow Google's guide to configure the OAuth consent screen and define the scopes with which the OAuth credentials will request for any enabled APIs. For example, the auth/calendar/events scope for the Google Calendar API would allow Retool to view and edit all calendar events once a user completes authorization.
Create a REST API resource
You can now create REST API resources for Google APIs, such as the Google Calendar API, with the following settings.
Google requires the URL parameters access_type=offline and prompt=consent to obtain refresh tokens, so you should include these in your Authorization URL variable.
| Setting | Value |
|---|---|
| Base URL | The base URL of the API (e.g., https://www.googleapis.com/calendar/v3). |
| Headers | A key-value pair set to Authorization and Bearer OAUTH2_TOKEN. |
| Authentication type | OAuth 2.0. |
| Authorization URL | https://accounts.google.com/o/oauth2/v2/auth?access_type=offline&prompt=consent |
| Access token URL | https://oauth2.googleapis.com/token |
| Client ID | The client ID provided by Google. |
| Client secret | The client secret provided by Google. |
| Scopes | A space-separated list of scopes (e.g., https://www.googleapis.com/auth/calendar.events). |