Ryan S. Chiang

Google OAuth Verification: What to Expect (2024 Walkthrough)



I'm going to be documenting the Google OAuth Consent Screen verification process so that others can gain some insight and transparency into the process.

Prior to personally requesting verification, I found very little information out there that explains the steps, timeline, and what to expect when requesting verification.

Note

This post documents my experience getting my OAuth consent screen verified. I was verified in less than 3 days from start to finish, which is probably unusual and should not be expected, but it is still useful to see the full process.

Before we dive into the process, here are some helpful resources from Google covering the OAuth verification process:

Now I will walk you through a detailed account of my experience getting OAuth scopes verified.

Day 1. Preparing for Verification

First things first, you may not need to go through the verification process.

Google has a list of conditions when verification is not needed for your reference.

If you're only using the non-sensitive scopes behind Google SSO (openid, email and profile, or the equivalent /auth/userinfo.email and /auth/userinfo.profile scopes), your app won't need to be verified.

But if you're using sensitive or restricted scopes (or frankly, any scope beyond the basic email/name/profile picture ones), your OAuth consent screen will likely need verification. Restricted scopes, such as full Gmail or Drive access, additionally require an independent security assessment on top of the consent screen review described here, so check how Google classifies each scope before you commit to a scope list.

Find Out if You Need Verification

When your app is ready to go live, head over to your Google Cloud Console.

You probably have already set up the OAuth consent screen, but if not, do that.

From there, you'll see a button: "Publish App":

Google OAuth Publish App Button

Push to Production

After clicking "Publish App," you will see a popup similar to below:

Google OAuth Push to Production Popup

If you don't see this popup, you may not need verification.

This popup explains that you will need to provide 4 things:

  1. An official link to your app's Privacy Policy
  2. A YouTube video explaining how you use Google user data from the scopes selected
  3. A written explanation of why you need access to this data
  4. Your domain(s) need to be verified in Google Search Console

I'll explain each of these requirements in the following sections. But this popup can be confusing at first glance.

Pressing "Confirm" does not start the verification process yet. When you click "Confirm", you will be taken back to your OAuth consent screen setup page.

Prepare for Verification

After clicking "Confirm" and acknowledging the 4 requirements, you'll be taken to a setup flow that looks very similar to your initial setup flow when creating the OAuth consent screen.

Google OAuth Prepare for Verification

This first step, "OAuth consent screen," will be identical to what you've already setup.

Google OAuth Prepare for Verification

Most importantly on this page, make sure you add a link to your privacy policy. This will fulfill Requirement #1 from the popup.

If you're going to add a logo, now is also the time, because changing your logo requires re-verification.

Verify Your Domain(s) via Google Search Console

Now's a good time to satisfy Requirement #4 from the popup.

Find your authorized domain in the OAuth consent screen "Prepare for Verification" flow.

Google OAuth Authorized Domains

Now, head over to Google Search Console (GSC).

Important

Make sure you use the same Google account in GSC as the one that owns the Google Cloud Project you are verifying.

At the very least, the Google account you are using to set up the OAuth consent screen should be a verified owner of the domain in GSC. But for simplicity and peace of mind, I recommend using the same account throughout this process.

Add your domain from the dropdown menu:

Google Search Console Add Domain

Then verify the domain by adding the TXT record GSC gives you to your DNS configuration. For a Domain property the record goes on the domain itself (the zone apex) and its value has the form google-site-verification=<token>. Allow a few minutes for the record to propagate before pressing "Verify", and leave the record in place afterwards, since GSC re-checks ownership periodically.

Google Search Console Verify Domain

Now that we've verified the domain, we can go back to the OAuth consent screen tab.

Configure Scopes

Back in the Google Cloud Console, the next page will have you configure and confirm the scopes needed.

There shouldn't be anything for you to do here, as you've already set it up.

Google OAuth Scopes

But if you're going to make changes to scopes, do it now. Modifying your scopes after verification (at least adding sensitive or restricted ones) will require re-verification of your app.
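Because every scope beyond the non-sensitive set pulls the app into verification, it pays to audit the request before submitting, and to check afterwards which scopes the user actually granted, since Google lets users untick individual scopes on the consent screen. The following is an added example, not code from the original post: the NON_SENSITIVE_SCOPES set is only the subset of Google's non-sensitive scopes I am confident about (treat anything else as needing review), CLIENT_ID and the redirect URI are placeholders, and the token response at the bottom is constructed to look like Google's, which reports the long-form scope names even when you requested "email" or "profile".

```python
# Added example: scope hygiene for a Google OAuth client. Not code from the
# original post. CLIENT_ID and REDIRECT_URI are placeholders, and
# NON_SENSITIVE_SCOPES is only the subset of Google's non-sensitive scopes the
# example author is confident about; treat anything else as "needs review".
import base64
import hashlib
import secrets
from urllib.parse import urlencode

GOOGLE_AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# Short scope names Google accepts in the request; the token response reports the long form.
SCOPE_ALIASES = {
    "email": "https://www.googleapis.com/auth/userinfo.email",
    "profile": "https://www.googleapis.com/auth/userinfo.profile",
}

NON_SENSITIVE_SCOPES = frozenset({
    "openid",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
    "https://www.googleapis.com/auth/drive.file",  # per-file Drive access, the recommended alternative to full Drive
})


def canonical(scopes):
    """Expand the short aliases so request and token-response scopes compare equal."""
    return {SCOPE_ALIASES.get(s, s) for s in scopes}


def scopes_needing_review(requested):
    """Requested scopes outside the non-sensitive set: each one drags the app into verification."""
    return sorted(canonical(requested) - NON_SENSITIVE_SCOPES)


def make_pkce_pair():
    """RFC 7636 verifier/challenge pair; Google supports the S256 method."""
    verifier = secrets.token_urlsafe(64)  # 86 URL-safe chars, within the 43..128 limit
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_auth_url(client_id, redirect_uri, scopes, state, code_challenge):
    """Authorization URL that asks only for `scopes`; `state` must be unguessable and checked on return."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "access_type": "offline",
        "include_granted_scopes": "true",  # incremental auth: keep scopes granted earlier
    }
    return GOOGLE_AUTH_ENDPOINT + "?" + urlencode(params)


def missing_scopes(requested, token_response):
    """Scopes the user did not grant, read from the space-separated `scope` field of the token response."""
    granted = canonical(token_response.get("scope", "").split())
    return sorted(canonical(requested) - granted)


if __name__ == "__main__":
    requested = ["openid", "email", "https://www.googleapis.com/auth/calendar.readonly"]
    print("needs verification for:", scopes_needing_review(requested))
    verifier, challenge = make_pkce_pair()
    print(build_auth_url("CLIENT_ID", "https://app.example.com/oauth/callback",
                         requested, secrets.token_urlsafe(16), challenge))
    # Constructed token response shaped like Google's: the user declined Calendar.
    fake_token = {"access_token": "ya29.constructed",
                  "scope": "openid https://www.googleapis.com/auth/userinfo.email"}
    print("not granted:", missing_scopes(requested, fake_token))
```

Run scopes_needing_review over your configured scope list before you press "Publish App"; if it returns anything, that is exactly the list your video and written explanation have to justify. After the token exchange, treat a non-empty missing_scopes result as a feature the user has opted out of rather than as an error, and never escalate by silently re-prompting with a broader scope set.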

Add Optional Info

Here's where things get interesting, and where we fulfill Requirements #2 and #3.

Google OAuth Consent Screen Optional Info

The OAuth consent screen verification is confusing because the popup we originally saw had 4 "requirements."

But this section is now called "Optional info." So it's safe to say this info isn't actually optional (besides the Google contacts section).

In the "Share any final details about your app" section, I simply wrote a short explanation of the scopes used and how I will be using them. For example:

Our app requires access to sensitive user data via [the Google APIs you're using] to enable [functionality of your app]. We use [scopes you use]. [Explanation of how you use, store, manipulate, and protect the data]

Note that this section is limited to 1000 characters, so I'm still not sure whether it is meant for Requirement #3, the "written explanation".

But since there's nowhere else suitable, I figured this space made the most sense.

Lastly, for the "Provide up to 3 more links to any relevant documentation," you should link a YouTube video to satisfy Requirement #2.

YouTube Video Explanation

Remember that requirement #2 of the popup when pushing to production stated, "A YouTube video showing how you plan to use the Google user data you get from scopes."

I recorded a short, 5-6 minute video screenshare of my app. In it, I covered these main points:

  • What the app does
  • How Google data is used in the app
  • Whether we store data and if so how

Important

In your YouTube video explanation, be sure to show the full OAuth flow that users will take, including the consent screen.

There is a good explanation of the "app functionality demonstration video" requirements from Google here.

To summarize, in your video explanation you must:

  • Show the "end-to-end flow of your app"
  • Show the complete OAuth Consent Screen
  • Show the app functionalities that use the requested OAuth scopes

In my video explanation, I even showed the codebase where Google APIs are used. I'm not sure if this is necessary or recommended, but for full transparency I thought it couldn't hurt.

I even showed part of my database setup to emphasize how I was planning on using the Google data.

For the two other links, you can add whatever helpful documentation you think would be worthwhile.

I included another link to the privacy policy (even though we already supplied it on step 1).

I also linked to a page on my website which explains a longer written explanation (basically a transcript of the YouTube video). I don't think this is necessary, but it couldn't hurt.

Other Checks Before You Submit for Verification

Google also provides some guidelines for "brand verification."

This includes 5 main requirements:

1. Homepage Requirements

Basically, your app must be hosted on a domain that you own and have verified (so not a subdomain of a hosting provider, such as a vercel.app or github.io address).

Your homepage must represent your brand and describe your app functionality. Your homepage cannot be a login page only.

Your homepage must include a link to your privacy policy (the same link as the one on your OAuth consent screen configuration).

Privacy Policy Linked in Footer of Homepage

For the last point, I just linked the privacy policy in the footer, which is a standard practice.

I also linked the privacy policy on the login page itself clearly:

Privacy Policy on Login Page

2. Privacy Policy Requirements

Google lists a long list of privacy policy requirements.

But the most important one is that your privacy policy "must disclose how your app accesses, uses, stores, and/or shares Google user data."

3. Verify Domain Ownership

We accomplished this earlier, but make sure you successfully verified ownership of your domain using Google Search Console.

Remember to use the same Google account for submitting verification request as you use in GSC.

At the very least, the owner of your Google Cloud project must be a verified owner of the authorized domain in GSC.

4. Google Branding

Google has lots of branding guidelines, but the most relevant ones are "Sign in with Google" buttons and using the Google logo.

Basically, don't obscure or modify the Google logo and use correct phrasing, like "Sign in with Google" or "Continue with Google."

5. Up-to-date Project Contact Information

The last main check before you submit for verification is to make sure the email listed in the "Developer contact information" section is up-to-date and monitored.

Important

The developer email you provide in the OAuth consent screen configuration is where the Trust and Safety team will email you during the verification process, so it must reach someone who will reply.
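Several of these checks (homepage on a domain you own, privacy policy linked from the homepage under the same URL you configured, Search Console TXT record in place) can be run mechanically before you submit, and it is cheaper to catch a mismatch here than in the "Developer Action Required" loop. The script below is an added example, not code from the original post: the homepage HTML, the TXT records and the token value are constructed stand-ins for what you would fetch from your site and your resolver, and the google-site-verification=<token> TXT format is the one Search Console issues for a Domain property.

```python
# Added example: offline preflight for the brand-verification checks above.
# Not code from the original post. SAMPLE_HOMEPAGE, SAMPLE_TXT and the token
# value are constructed; in practice feed preflight() the live homepage HTML
# and the TXT records your resolver returns for the authorized domain.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class _LinkCollector(HTMLParser):
    """Collect href values of <a> tags."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.hrefs.append(value)


def extract_links(html, base_url):
    """Absolute URLs of every link on the page (relative hrefs resolved against base_url)."""
    parser = _LinkCollector()
    parser.feed(html)
    return [urljoin(base_url, h) for h in parser.hrefs]


def host_in_domain(url, authorized_domain):
    """True if url's host is the authorized domain or a subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    domain = authorized_domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def txt_has_verification_token(txt_records, token):
    """TXT records as a resolver returns them (possibly quoted) must contain the exact GSC value."""
    expected = f"google-site-verification={token}"
    return any(r.strip().strip('"') == expected for r in txt_records)


def preflight(homepage_url, homepage_html, authorized_domain,
              privacy_policy_url, txt_records, gsc_token):
    """Return a list of findings; an empty list means every offline check passed."""
    findings = []
    if urlparse(homepage_url).scheme != "https":
        findings.append("homepage is not served over https")
    if not host_in_domain(homepage_url, authorized_domain):
        findings.append(f"homepage host is not under authorized domain {authorized_domain}")
    if not host_in_domain(privacy_policy_url, authorized_domain):
        findings.append("privacy policy URL is not under the authorized domain")
    links = extract_links(homepage_html, homepage_url)
    if privacy_policy_url not in links:
        findings.append("homepage does not link to the privacy policy URL configured on the consent screen")
    if not txt_has_verification_token(txt_records, gsc_token):
        findings.append("no TXT record carrying the Search Console verification token")
    return findings


# Constructed sample inputs: a minimal homepage with the privacy policy in the footer,
# and the TXT records a resolver might return for the apex domain.
SAMPLE_HOMEPAGE = """<html><body>
<h1>Example App</h1><p>Example App syncs your notes with Google Drive.</p>
<a href="/login">Sign in with Google</a>
<footer><a href="/privacy">Privacy Policy</a></footer>
</body></html>"""
SAMPLE_TXT = ['"v=spf1 -all"', '"google-site-verification=CONSTRUCTED_TOKEN"']

if __name__ == "__main__":
    print(preflight("https://example.com/", SAMPLE_HOMEPAGE, "example.com",
                    "https://example.com/privacy", SAMPLE_TXT, "CONSTRUCTED_TOKEN"))
```

The privacy policy comparison is deliberately exact: the reviewer is matching the URL on your consent screen against the one on your homepage, so a trailing slash or an http link in the footer is the kind of difference worth surfacing rather than normalising away. Pass the TXT records exactly as your resolver prints them; the check strips the surrounding quotes that dig adds.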

Submit for Verification

After you click "Save & Continue" you will submit your verification application.

So make sure everything is in order before you do this.

After the "Final Review" step, you should see a message saying:

The Trust and Safety team has received your form. They will reach out to you via your contact email if needed. The review process can take up to 4-6 weeks. Expect the first email from our Trust and Safety team within 3-5 days. Your last approved consent screen is still in use.

Day 2. First Email from Google

The next day, I checked my Google Cloud Console, and saw this on the OAuth consent screen page:

Developer Action Required

Google OAuth Consent Screen Domain Verification Action Required

It says I must "Comply with domain verification requirements" by "[Ensuring] your application's domains have completed the Search Console verification process."

At first, I was not sure why I received this, since I verified my authorized domain in GSC.

But upon examination, I realized I had used different Google accounts for GCP and GSC. So I made my GCP account an owner of the verified domain in GSC.

After completing the required action, it instructs to "Update your email thread with our Trust and Safety team after you have completed an action".

But what email? I hadn't received anything yet, so I just waited.

First Email from Google

About 12 hours after submitting for verification, I received an email from the Trust and Safety team, titled OAuth Verification Request.

The sender email address is a unique one, starting with api-oauth-dev...@google.com.

Google OAuth Verification First Email

This automated email basically asks you to confirm that you do indeed require verification.

It reiterates the times when verification is not needed and asks you to reply to confirm that you want to start the verification process.

I replied, confirming, and also noted that I completed the "action required" as shown in GCP.

Day 3. Verification Granted

2.5 days after submitting my app for verification, I received official verification from Google!

I have to admit I was quite surprised when I opened my inbox this morning to see this email:

Google OAuth Verification Granted Email

From everything I've read online, as well as Google's own message when submitting for verification, I expected this process to take 3-4 weeks.

I'm pleasantly surprised by how quickly my OAuth consent screen received verification.

But I'm also left wondering if this was just luck on my end, or whether anything I did helped expedite the process.

  • Were the specific sensitive/restricted scopes I requested "less sensitive" than others?
  • Was the thoroughness of my verification application a factor?
  • Or did I just get lucky?

Ultimately, I cannot say. But let's wrap up with a few lessons learned:

Lessons Learned

Google OAuth Consent Screen Verified

Getting my OAuth consent screen verified was smoother and much faster than I expected.

Nonetheless, the process is still a blackbox. I received 2 emails in total from the Trust and Safety team.

The 4 "requirements" shown when pushing to production are still confusing. Were those necessary to add in the Optional Info section? Maybe not, but it was probably worth doing anyway.

If you're planning to get your app verified, all I can advise is to be thorough and check all the details before submitting for verification.

Most importantly, make sure to:

  • Verify your authorized domain in Google Search Console using the same account as in Google Cloud Platform
  • Create a robust privacy policy that explicitly details how you use Google data
  • Have a full-fledged homepage (not just a login screen)
  • Create a short YouTube video explanation of how Google data is used in your app
    • Show the full OAuth flow and consent screen in the demo
    • (Optional) Show parts of your code base or database?

Here's what your OAuth consent screen will look like once verified:

Google OAuth Consent Screen After Verification

I hope this walkthrough of my experience is helpful to you, whether you are verifying your own OAuth consent screen or assisting others with the process.

My goal was to provide some transparency about the relatively obscure process, and even though I feel I got lucky in the end given it took less than 3 days total, I hope it's a good documentation of the process.

As always, let me know if you have any questions or feedback.

Ryan Chiang


© 2024 Ryan Chiang