Reference google oauth architecture
Google OAuth client map¶
Justin's personal GCP project OAuth client ID 954659188872-... covers:
- Forge calendar direct client (forge_google_calendar.py)
- n8n Gmail credential for [email protected] (business)
- n8n Gmail credential for [email protected] (personal)
- n8n Calendar credential
This client is unverified / Testing-mode. In Testing mode, refresh tokens expire after 7 days. Pushing to Production without Google verification causes a hard block on consent (no Advanced > Continue escape).
Integrations NOT affected (use separate verified OAuth)¶
- rclone Drive -- uses rclone's own verified OAuth client; tokens do not expire on 7-day cycle
- Claude MCP Gmail (
mcp__claude_ai_Gmail__*) -- uses Anthropic's claude.ai-side OAuth; unaffected
Account types and permanent fix paths¶
[email protected]-- Google Workspace, Justin is admin. Enables service account + domain-wide delegation (DWD). No OAuth expiry ever.[email protected]-- consumer Gmail. Service accounts cannot access consumer Gmail. Permanent paths: (A) Apps Script Web App (GmailApp runs as owner, verified Google environment, no external OAuth client), or (B) forward all mail to Workspace + configure as Send-mail-as alias (rides Workspace DWD).- Personal Calendar -- service account works via calendar-share (share calendar with SA email). Already planned.
- Personal Drive (rclone) -- already on separate rclone OAuth client, no action needed.
Key architectural insight¶
Apps Script is the functional equivalent of rclone for personal Gmail: it runs inside Google's own verified environment, so no external OAuth client is involved and tokens never expire.
Plan handoff¶
Full step-by-step migration at memory/handoffs/google-oauth-permanent-fix-2026-05-04.md.
[Claude Code]
[auto-memory session c9b048dc-396f-48f3-8346-6bafed27690c, confidence 0.85, mode direct]