Skip to content

Reference google oauth architecture

Google OAuth client map

Justin's personal GCP project OAuth client ID 954659188872-... covers: - Forge calendar direct client (forge_google_calendar.py) - n8n Gmail credential for [email protected] (business) - n8n Gmail credential for [email protected] (personal) - n8n Calendar credential

This client is unverified / Testing-mode. In Testing mode, refresh tokens expire after 7 days. Pushing to Production without Google verification causes a hard block on consent (no Advanced > Continue escape).

Integrations NOT affected (use separate verified OAuth)

  • rclone Drive -- uses rclone's own verified OAuth client; tokens do not expire on 7-day cycle
  • Claude MCP Gmail (mcp__claude_ai_Gmail__*) -- uses Anthropic's claude.ai-side OAuth; unaffected

Account types and permanent fix paths

  • [email protected] -- Google Workspace, Justin is admin. Enables service account + domain-wide delegation (DWD). No OAuth expiry ever.
  • [email protected] -- consumer Gmail. Service accounts cannot access consumer Gmail. Permanent paths: (A) Apps Script Web App (GmailApp runs as owner, verified Google environment, no external OAuth client), or (B) forward all mail to Workspace + configure as Send-mail-as alias (rides Workspace DWD).
  • Personal Calendar -- service account works via calendar-share (share calendar with SA email). Already planned.
  • Personal Drive (rclone) -- already on separate rclone OAuth client, no action needed.

Key architectural insight

Apps Script is the functional equivalent of rclone for personal Gmail: it runs inside Google's own verified environment, so no external OAuth client is involved and tokens never expire.

Plan handoff

Full step-by-step migration at memory/handoffs/google-oauth-permanent-fix-2026-05-04.md.

[Claude Code]

[auto-memory session c9b048dc-396f-48f3-8346-6bafed27690c, confidence 0.85, mode direct]