Google Workspace API Scopes


Overview

This document outlines the integration between Opensense and Google Workspace Directory. The integration is used solely to retrieve user metadata and deploy personalized email signatures within the Opensense platform.

Although the Opensense Marketplace app includes a broad set of permissions, only the scopes listed below are authorized and utilized in this deployment.

Integration components

| Component | Description |
|---|---|
| App Name | Opensense (formerly SenderGen) |
| Source | Google Workspace Marketplace |
| Publisher | Opensense Inc. |
| Purpose | Retrieve directory metadata and deploy email signatures |
| Integration Type | OAuth 2.0 via scoped API access |
| Data Flow | One-way: Google Workspace ➜ Opensense |

Purpose of access

The integration reads user and group metadata from Google Directory and writes signatures to Gmail to support:

  • Signature Personalization: Insert user-specific fields (e.g., full name, title, phone) into templated HTML signatures.

  • Group-based Logic: Apply signature variations based on group memberships (e.g., different designs for Sales and Support teams).

  • OU-based Filtering: Use organizational units (OUs) to define user targeting or inclusion rules.

  • Signature Deployment: Write finalized signatures to user mailboxes, primary addresses, and send-as aliases via the Gmail API.

Authorized API scopes

Only the following API scopes are granted. API scopes are permission identifiers used by Google to control what data an application can access — they are not navigable URLs. For a full reference of available Gmail API scopes, see Choose Gmail API scopes.

| API Scope | Access | Purpose |
|---|---|---|
| https://www.googleapis.com/auth/admin.directory.user.readonly | Read-only | Pull user attributes such as name, title, and department. |
| https://www.googleapis.com/auth/admin.directory.group.readonly | Read-only | Identify group memberships to assign the correct signature template. |
| https://www.googleapis.com/auth/admin.directory.orgunit.readonly | Read-only | Allow filtering or targeting based on a user's OU placement. |
| https://www.googleapis.com/auth/gmail.settings.basic | Read/Write | Edit email signatures for the user's primary account. |
| https://www.googleapis.com/auth/gmail.settings.sharing | Read/Write | Edit email signatures for the user's alias accounts. |

Directory scopes are strictly read-only. The gmail.settings.basic and gmail.settings.sharing scopes are write-capable but limited to signature deployment. Opensense cannot access, read, or modify email content, routing, or any other Gmail settings.

Excluded permissions (not utilized)

Although presented during app installation, the following permissions are not authorized, granted, or used:

  • Access sensitive mail settings

  • Control mail routing

  • Filter or delegate Gmail

  • Access Gmail message content

These are default scopes in the Opensense app manifest but are explicitly excluded during deployment via scoped OAuth configuration.

Security and access controls

Access control

  • Integration is authorized and managed by a Google Workspace Super Admin.

  • Permissions are enforced using granular OAuth scope control via the Admin Console.

  • App access is restricted to the five API scopes listed above.

No access to email content or controls

  • Opensense cannot view, alter, or route email messages.

  • The platform has no access to Gmail accounts, settings, or message data beyond signature deployment.

Data handling

  • Data is accessed through secure, encrypted API calls (TLS).

  • No directory data is written back to Google Workspace; Opensense processes only non-sensitive metadata for display purposes.

Revocation and audit

Admins can revoke access at any time: Admin Console → Security → Access and Data Control → API Controls

Audit logs and app access reviews are supported natively in Google Admin settings.

IT security review checklist

  1. Confirm scoped access. Validate that only the five API scopes listed above are authorized.

  2. Review admin approval. Ensure the Marketplace app is approved and restricted by a Super Admin.

  3. Review access control settings. Confirm that permissions to Gmail message content, routing, or sensitive settings are not enabled.

  4. Enable audit logging. Consider enabling API access logs for periodic internal compliance reviews.

  5. Request OAuth scope summary (optional). Contact Opensense or your admin for a detailed list of active scopes if needed for internal audit or SOC 2/ISO 27001 reviews.

  6. Review vendor security documentation. Reference: Opensense Security Overview.
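
Checklist item 1 can be scripted. The following is an added example, not Opensense or Google code: it compares a comma-separated scope list, such as the one entered for a client under domain-wide delegation in the Admin Console, against the five scopes authorized above, and separately flags any directory scope granted without its .readonly suffix. The function names and the sample scope lists are constructed for illustration.

```python
# Added example (not Opensense or Google code): allowlist check for checklist item 1.
PREFIX = "https://www.googleapis.com/auth/"

# The five scopes this page lists as authorized.
ALLOWED = frozenset(PREFIX + name for name in (
    "admin.directory.user.readonly",
    "admin.directory.group.readonly",
    "admin.directory.orgunit.readonly",
    "gmail.settings.basic",
    "gmail.settings.sharing",
))


def parse_scopes(raw):
    """Split a comma- or whitespace-separated scope list into a set."""
    return {s for s in raw.replace(",", " ").split() if s}


def audit_scopes(raw):
    """Compare granted scopes with the five authorized on this page."""
    granted = parse_scopes(raw)
    unexpected = sorted(granted - ALLOWED)
    missing = sorted(ALLOWED - granted)
    # An unexpected scope that equals an allowed scope minus ".readonly"
    # is the write-capable variant of a scope that should be read-only.
    widened = [s for s in unexpected if s + ".readonly" in ALLOWED]
    return {
        "compliant": not unexpected and not missing,
        "unexpected": unexpected,
        "missing": missing,
        "widened": widened,
    }


# Constructed sample inputs (not exported from a real tenant).
COMPLIANT = ", ".join(sorted(ALLOWED))
DRIFTED = ",".join(PREFIX + name for name in (
    "admin.directory.user",            # write-capable, should be .readonly
    "admin.directory.group.readonly",
    "admin.directory.orgunit.readonly",
    "gmail.settings.basic",
    "gmail.readonly",                  # message content, not authorized here
))

if __name__ == "__main__":
    for label, raw in (("compliant", COMPLIANT), ("drifted", DRIFTED)):
        print(label, audit_scopes(raw))
```

Any entry under "unexpected" or "widened" means the grant no longer matches the scope table above and should be corrected before the review is signed off.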

Troubleshooting and support

  • App not syncing users? Check that organizational units or groups are accessible to the app.

  • Signatures not deploying? Confirm the gmail.settings.basic and gmail.settings.sharing scopes are authorized and that domain-wide delegation is enabled for the Opensense service account.

  • Aliases not receiving signatures? Verify that gmail.settings.sharing is authorized and domain-wide delegation is correctly configured in the Admin Console.

  • Unexpected permissions? Reverify scopes in Admin Console under Apps → App Access Control.

  • Need assistance? Reach out to Opensense support for integration guidance or reconfiguration help.