## Google Workspace integration

Integrating Google Workspace with Frontegg lets your application manage users, groups, organizational units, roles, and custom user schemas in a Google Workspace domain through the Admin SDK Directory API — all via Frontegg's integration layer using Google OAuth 2.0.

Prerequisites
- A Google Workspace account with **super admin** privileges (the Admin SDK Directory API requires admin authorization at runtime)
- Access to [Google Cloud Console](https://console.cloud.google.com/) with permission to create OAuth clients
- A Google Cloud project (you can create one during setup)


### Enable the Admin SDK API

#### Step 1: Open the Admin SDK API in the API library

Go to the [Admin SDK API](https://console.cloud.google.com/apis/library/admin.googleapis.com) page in the Google Cloud Console. Select your project from the top navigation, then click **Enable** if the API is not yet enabled. If you see **Manage** and **API Enabled**, the API is already active.

![Admin SDK API page in Google Cloud Console](/assets/google-workspace-1.49fc5b2bfe9e6dd5ee6884c708b53a7369816d57d669b5ae39a8e2b3a9ccc151.1ce25488.png)

### Create an OAuth client

#### Step 2: Go to the Credentials page

In the left sidebar, navigate to **APIs & Services** → **Credentials**. Click **Create credentials**.

![Credentials page with Create credentials button highlighted](/assets/google-workspace-2.19b618dadbaaa129fdc0f493f56d0d889e2237c23246899b1f507f224323c97f.1ce25488.png)

#### Step 3: Select OAuth client ID

From the dropdown, select **OAuth client ID**.

![Create credentials dropdown with OAuth client ID highlighted](/assets/google-workspace-3.5c57f0035a095d20d7ba6c9951b8c41ca64ffef1a1d909d1a3a976c193c9563a.1ce25488.png)

#### Step 4: Configure the OAuth client

On the **Create OAuth client ID** page:

1. Set **Application type** to **Web application**.
2. Enter a name for the client (for example, `Frontegg Integration`).
3. Under **Authorized redirect URIs**, click **Add URI** and add your Frontegg Redirect URL:
  - `https://YOUR_MCP_GATEWAY_URL/integration-callback`


![OAuth client form with name and redirect URI filled in](/assets/google-workspace-4.c314dc01e0782f8cd85d028e4df30e0fc1596b60b65d4694a3f9a642a9d1c691.1ce25488.png)

#### Step 5: Create the client

Click **Create** to save the OAuth client. A dialog will display your **Client ID** and **Client Secret** — copy both values and store them securely.

Save your Client Secret now
The Client Secret is only shown once in this dialog. After you close it, you cannot retrieve it again — you can only create a new secret.

![OAuth client created dialog showing Client ID and blurred Client Secret](/assets/google-workspace-5.cfecf60f8d3a5e800afe83211f4865490887b3594383f8477a16b995cee112d3.1ce25488.png)

### Copy your credentials

#### Step 6: Locate the new client in the credentials list

After closing the dialog, your new client appears in the **OAuth 2.0 Client IDs** list on the Credentials page.

![Credentials page showing the new Frontegg Integration client](/assets/google-workspace-6.307cc7b783a15f2f2d496ed1037999f26e052b888454c86175be432a8c5ad47d.1ce25488.png)

#### Step 7: View the Client ID in the client detail page

Click the client name to open its detail page. You can view and copy the **Client ID** at any time from the **Additional information** section.

![OAuth client detail page showing Client ID](/assets/google-workspace-7.5e43827288c703f931f98068a71a06838df78eeaafa6303cd851a1523146d117.1ce25488.png)

### Configure the Frontegg portal

Once you have your **Client ID** and **Client Secret**, enter them in the Frontegg portal:

1. Open the **Frontegg portal** and navigate to [ENVIRONMENT] → Integrations → Google Workspace.
2. Enter the **Client ID** and **Client Secret** in the corresponding fields.
3. Optionally, enter your **Customer ID** to scope all calls to a specific Google Workspace customer. Leave it empty to use the authenticated admin's domain (recommended). You can find your Customer ID in the [Google Admin Console](https://admin.google.com/) under **Account** → **Account settings** → **Customer ID** (for example, `C03az79cb`).
4. Select the required **scopes**:


| Scope | Description |
|  --- | --- |
| `https://www.googleapis.com/auth/admin.directory.user` | Read, create, update, and delete users in the directory |
| `https://www.googleapis.com/auth/admin.directory.user.readonly` | Read-only access to users in the directory |
| `https://www.googleapis.com/auth/admin.directory.user.security` | Manage user security settings (sign-in cookies, application-specific passwords) |
| `https://www.googleapis.com/auth/admin.directory.group` | Read, create, update, and delete groups in the directory |
| `https://www.googleapis.com/auth/admin.directory.group.readonly` | Read-only access to groups in the directory |
| `https://www.googleapis.com/auth/admin.directory.group.member` | Manage group memberships |
| `https://www.googleapis.com/auth/admin.directory.group.member.readonly` | Read-only access to group memberships |
| `https://www.googleapis.com/auth/admin.directory.orgunit` | Manage organizational units |
| `https://www.googleapis.com/auth/admin.directory.orgunit.readonly` | Read-only access to organizational units |
| `https://www.googleapis.com/auth/admin.directory.rolemanagement` | Manage admin roles and role assignments |
| `https://www.googleapis.com/auth/admin.directory.rolemanagement.readonly` | Read-only access to admin roles and role assignments |
| `https://www.googleapis.com/auth/admin.directory.userschema` | Manage custom user schemas |
| `https://www.googleapis.com/auth/admin.directory.userschema.readonly` | Read-only access to custom user schemas |


1. Click **Save**.


Keep your credentials secure
Never share or commit your Client Secret to version control.

### Additional resources

- [Admin SDK Directory API documentation](https://developers.google.com/admin-sdk/directory/reference/rest)
- [Google Cloud Console](https://console.cloud.google.com/)
- [Google Admin Console](https://admin.google.com/)
- [Setting up OAuth 2.0](https://developers.google.com/identity/protocols/oauth2/)
- [How to get your Redirect URL](/agen-for-work/connectors/redirect-url)