# Authenticating Google connectors

At Tray.io, we use the  Google OAuth2 API to enable our customers to authenticate into Google applications when building workflows on the Tray Platform

## Overview

At Tray, we use the [ Google OAuth2 API](https://support.google.com/cloud/answer/9110914?hl=en) to enable our customers to authenticate into Google applications when building workflows on the Tray Platform.
Due to particulars around how the API works, for certain Google services, you will need to whitelist the Tray app in the G-Suite admin interface. These services are:

* [Gmail](https://tray.ai/documentation/connectors/service/gmail/)
* [BigQuery](https://tray.ai/documentation/connectors/service/google-bigquery/)
* [Adwords](https://tray.ai/documentation/connectors/service/google-adwords/)

## Step 1 - Whitelisting the Tray app

Before proceeding with the authentication of your Google accounts, it's essential to whitelist the Tray OAuth2 application. This security measure ensures that only authentications created with the Tray app are permitted, enhancing the overall security of your Google accounts and applications.
*Note: Whitelisting does not grant access to your Google accounts; it only allows authentications created with the Tray app.*
\*\*Prerequisites: \*\*Ensure you have [ super admin permissions](https://support.google.com/a/answer/172176?hl=en) before following the instructions below.
\*\*Step-by-Step Guide: \*\*
To whitelist the Tray OAuth2 application, follow these specific instructions using the G-Suite admin interface:

1. Log in to the [G-Suite admin console](https://admin.google.com).
2. Navigate to **Security** > **Access and data control** > \*\*API controls \*\*from the menu bar.
3. On the App access control page, click the \*\*MANAGE THIRD-PARTY APP ACCESS \*\*button.

![authenticating-google-connectors-whitelisting-1](https://tray.ai/documentation/images/platform/connectivity/authenticating-google-connectors/4cMnN8iqZ00vOqiBVniT8T_authenticating-google-connectors-whitelisting-1.png)
4\. Click the **Add app** button on the App access control page and choose **OAuth App Name or Client ID** from the available options.

![authenticating-google-connectors-whitelisting-3](https://tray.ai/documentation/images/platform/connectivity/authenticating-google-connectors/3tISbN7ForK1U7Pdy4sWRz_authenticating-google-connectors-whitelisting-3.png)
5\. Enter the Client ID: `597325623219-f23k7dhk377f8bvamo2e6klu1i37tco7.apps.googleusercontent.com `in the search bar and click the **SEARCH** button.
6\. Under the App name select the **tray** app.

![authenticating-google-connectors-whitelisting-4](https://tray.ai/documentation/images/platform/connectivity/authenticating-google-connectors/2pHFeMPRp33WPWhDnOAeZ4_authenticating-google-connectors-whitelisting-4.png)
7\. Check the boxes for the client IDs you want to configure, then click **Select.**

![authenticating-google-connectors-whitelisting-5](https://tray.ai/documentation/images/platform/connectivity/authenticating-google-connectors/5U0hfjZn5sM2VVKFjXGo4E_authenticating-google-connectors-whitelisting-5.png)
8\. Select the organization you would like to configure access for and click **CONTINUE**.

![authenticating-google-connectors-whitelisting-6](https://tray.ai/documentation/images/platform/connectivity/authenticating-google-connectors/1cdvhR3oYj86zVl394GAtI_authenticating-google-connectors-whitelisting-6.png)
9\. Choose the type of access the Tray app has to Google data and click **CONTINUE**.

![authenticating-google-connectors-whitelisting-7](https://tray.ai/documentation/images/platform/connectivity/authenticating-google-connectors/20gkzXm0oxhzZ6oOoMcpgm_authenticating-google-connectors-whitelisting-7.png)
10\. Review the configured settings

![authenticating-google-connectors-whitelisting-8](https://tray.ai/documentation/images/platform/connectivity/authenticating-google-connectors/6k0aLWMg5s59QOlIH2EUhq_authenticating-google-connectors-whitelisting-8.png)
Upon successful configuration, the Tray app should be visible under the Configured apps list.
![authenticating-google-connectors-whitelisting-9](https://tray.ai/documentation/images/platform/connectivity/authenticating-google-connectors/1dpvcdk2hMT7Au3sq6rv1B_authenticating-google-connectors-whitelisting-9.png)

## Step 2 - Creating the Authentications

Once you have whitelisted the Tray OAuth2 app, you will now be able to create authentications for Gmail, BigQuery and AdWords.
For each service you wish to use, please see the [individual connector pages](https://tray.ai/documentation/connectors/service/) where you will find instructions on how to authenticate and manage the specific access scopes you wish to give (read/write files, edit metadata etc.)

## Notes for Embedded customers

### Custom OAuth apps

You can create a custom OAuth app in order to [White-label](https://tray.ai/documentation/platform/embedded/advanced-features/whitelabelling/custom-oauth-apps) the authentication dialog for your integrations.
In order to use Google OAuth in an Embedded Solution and to access Google users’ data, Google requires 3rd party applications to validate domain ownership with their Authentication Server (full google docs[ ](https://support.google.com/cloud/answer/9110914?hl=en#zippy=%2Cwhat-are-the-different-types-of-verification-that-google-requires-for-accessing-user-data-via-oauth)). Therefore, we need you to provide a subdomain that you would like to use, for example: \*.integrations.acme.com.
The required steps are outlined below:

#### Prerequisites

### 1 - Provide Subdomain

You provide Tray a subdomain you want to use.
For example: `*.integrations.acme.com`
Tray will use your subdomain to create a certificate for the custom subdomain on our load balancer.

### 2 - Validation & registration

You will need to validate this creation by adding a register to your DNS within 72 hours of creation. Assuming use of AWS - more information can be found [here](https://docs.aws.amazon.com/acm/latest/userguide/dns-validation.html).
Once AWS validates ownership they will authorise Tray to issue that subdomain a certificate.
If you are unable to add the validation register within 72 hours, please let us know when you will be able to and we will retry the process from our side. It should work immediately then.

#### Google Setup: Part 1

### 1 - Login and navigate to setup

Login to the [Google Cloud Platform Console](https://console.cloud.google.com/).
![gc-console](https://tray.ai/documentation/images/platform/connectivity/authenticating-google-connectors/5YMw3iYUOiBK6CtGbmcPXN_gc-console.png)

### 2 - Select/Create Project

Select or create a Project by clicking on the dropdown in the top left corner of the console.
![gc-project](https://tray.ai/documentation/images/platform/connectivity/authenticating-google-connectors/76aDHR3DpnH5F6WsYufMJz_gc-project.png)

### 3 - Navigate to Credentials

On the left-hand side of the page under **APIs and Services** select **Credentials**.
Under **Create Credentials** click on **OAuth Client ID**.
![gc-creds-page](https://tray.ai/documentation/images/platform/connectivity/authenticating-google-connectors/T8X0fIBUYmLejBDwvux7n_gc-creds-page.png)
![gc-api-creds-create](https://tray.ai/documentation/images/platform/connectivity/authenticating-google-connectors/2gWfaaRIvXbXhEaFVk7GIX_gc-api-creds-create.png)

### 4 - Configure Consent

On the next screen it will ask you to **configure consent screen**. Click on the button to initiate the process.
When it asks you for the **User Type** specify **External** as you plan on serving users with integrations outside of your organization\*.\*
![gc-configure-consent](https://tray.ai/documentation/images/platform/connectivity/authenticating-google-connectors/78qsEOhrZMNI6MbTIEja56_gc-configure-consent.png)
![gc-consent-external](https://tray.ai/documentation/images/platform/connectivity/authenticating-google-connectors/38BknEaAZ9jLdgSu3zvDew_gc-consent-external.png)

### 5 - Provide App Info

Fill out the **App Consent** screen details with the relevant links to your company’s Privacy Policy and Terms of Service.
Look at the right-hand side of the screen in the **Learn** section to see how all of your inputs get added to the consent screen.
Under **Authorized Domains** specify your **Redirect URL** that you received from Tray in the **Prerequisites** section.
![gc-fill-in-consent-details](https://tray.ai/documentation/images/platform/connectivity/authenticating-google-connectors/sTRefpBdyGKcEhlLSy9JD_image13%20%281%29.png)
![gc-url-tray-prereq](https://tray.ai/documentation/images/platform/connectivity/authenticating-google-connectors/3fSpss5cspjsGLzuufPEwc_image8%20%281%29.png)

### 6 - Select Scopes

Next select the **Scopes** you need to perform the API calls in your Tray workflows. Note that some scopes are considered "sensitive” or “restricted”.
If you select scopes that fall into either of those categories Google will need to review your justification for needing to use those scopes.
![gc-scopes-sensitive](https://tray.ai/documentation/images/platform/connectivity/authenticating-google-connectors/5ZJp0piLxZ1c8olZqGEESF_image5.png)

### 7 - Associated Email address

You will need to supply the Google email addresses that you use with Tray to test your workflows.
**These email addresses will be the only ones that can be used until Google has completed verification of your app**.
![gc-registration](https://tray.ai/documentation/images/platform/connectivity/authenticating-google-connectors/5PhMjkzfpy5KTxPW5ITn7_image10%20%281%29.png)

### 8 - Add URLs

After reviewing the summary of your consent screen navigate back to the Google **Credentials** page and click on **Create Credentials** -> **OAuth Client ID** once more. Fill out the app details as you deem appropriate here.
Under **Redirect URLs** you will want to add **both** the URL you received from Tray (as covered in the Prerequisites section above) and the **Tray Redirect URL**. The Tray redirect URL is needed to create an authentication inside the Tray App for testing your workflows.
![gc-app-creds-continued](https://tray.ai/documentation/images/platform/connectivity/authenticating-google-connectors/756wu4sIsmURrkcb8NiOFR_image9%20%281%29.png)

#### Tray Setup

### 1 - Create new authentication

Navigate to a Google connector step inside your Tray workflow. On the connector properties panel select the **Authentication** tab and click **New Authentication**.
![gc-new-auth](https://tray.ai/documentation/images/platform/connectivity/authenticating-google-connectors/UZyx2pEnezG75AJ7QgkFf_image3.png)

### 2 - Use own OAuth

Provide an appropriate name for the authentication in the authentication modal.
On the second screen click on **Use own OAuth App**.
![gc-use-own-auth](https://tray.ai/documentation/images/platform/connectivity/authenticating-google-connectors/7veFJo8GYISsVgogcOOean_image4.png)

### 3 - Name auth appropriately

Provide an appropriate name and description for how this Google OAuth app will be stored in Tray.
This name will be the display name for the OAuth app going forward so please make it clear.
![gc-name-auth-properly](https://tray.ai/documentation/images/platform/connectivity/authenticating-google-connectors/pLWR4dbISmhTMPKyUTn2U_image11.png)

### 4 - Select the same Scopes

On the next screen provide your **Client ID** and **Secret**. Click **Create Auth App**.
**Make sure you select the same auth scopes in Tray in this modal as you did in the previous section inside the Google Platform Cloud console**.
Click **Create authentication** and subsequently login/consent for the Google Oauth app to perform API calls on behalf of your user.

#### Google Setup: Part 2

### 1 - Remove redirect URL

Navigate back to the OAuth Client ID you created in Part 1 to edit its settings.
Remove the Tray Redirect URL.
![gc-remove-redirect-url](https://tray.ai/documentation/images/platform/connectivity/authenticating-google-connectors/1giSnZZGAidZ3abXyYZ2Ox_image12%20%281%29.png)

### 2 - Publish App

Navigate to the **OAuth consent screen** once more and click **Publish App**.
If you requested to use sensitive or restricted scopes there will be a waiting period of about 3-5 days for Google to approve the use of those scopes (with conversation back and forth throughout the process).
This completes setup.
![gc-pubish-app](https://tray.ai/documentation/images/platform/connectivity/authenticating-google-connectors/4y5XiFC8OeRDT9CotMt00L_image6%20%281%29.png)