Provides OAuth 2.0 authentication for Google services (Docs, Sheets, Drive, etc.). Returns access tokens that can be used directly with Google APIs.
- JWT Authentication - Integrated with jwt.toolgate.dev
- Google OAuth 2.0 - Full OAuth flow with refresh token support
- Flexible Scopes - Request only the permissions you need
- Auto-Refresh - Tokens automatically refreshed when expired
- Session Management - DynamoDB-backed sessions with 24-hour TTL
- Custom Domain - Deployed at https://google.toolgate.dev
- Fast - Serverless architecture with API Gateway + Lambda

```
User → google.toolgate.dev (API Gateway)
     → Lambda Function
     → Google OAuth
     → DynamoDB (toolgate-google-sessions)
     → Return Access Token
```

Initiate Google OAuth flow.

Headers:

`Authorization: Bearer <jwt>` (from jwt.toolgate.dev)

Body:

```json
{
  "scopes": ["docs", "sheets", "drive"]
}
```

Response:

```json
{
  "authUrl": "https://accounts.google.com/o/oauth2/v2/auth?...",
  "session_id": "uuid",
  "scopes": ["docs", "sheets", "drive"],
  "message": "Please complete Google OAuth login"
}
```

Poll for OAuth completion status.

Response (pending):

```json
{
  "status": "pending",
  "message": "Waiting for user to complete OAuth"
}
```

Response (authenticated):

```json
{
  "status": "authenticated",
  "user_email": "user@example.com",
  "google_email": "user@gmail.com",
  "scopes": ["docs", "sheets", "drive"]
}
```

Get Google access token (auto-refreshes if expired).

Headers:

`Authorization: Bearer <jwt>`

Response:

```json
{
  "access_token": "ya29.a0AfH6SM...",
  "token_type": "Bearer",
  "expires_at": 1701234567000,
  "scopes": ["docs", "sheets", "drive"],
  "google_email": "user@gmail.com"
}
```

Disconnect Google account.

Headers:

`Authorization: Bearer <jwt>`

Health check.
API documentation.

| Shortcut | Full Scope |
|---|---|
| `email` | `userinfo.email` |
| `profile` | `userinfo.profile` |
| `docs` | `documents.readonly` |
| `docs.write` | `documents` |
| `sheets` | `spreadsheets.readonly` |
| `sheets.write` | `spreadsheets` |
| `drive` | `drive.readonly` |
| `drive.write` | `drive` |
| `calendar` | `calendar.readonly` |
| `gmail` | `gmail.readonly` |

Or pass full scope URLs directly.

```bash
# Login via browser, get one-time code, exchange for JWT
JWT=$(curl -s "https://jwt.toolgate.dev/code?code=XXXXXX" | jq -r '.jwt')
```

```bash
curl -X POST https://google.toolgate.dev/connect \
  -H "Authorization: Bearer $JWT" \
  -H "Content-Type: application/json" \
  -d '{"scopes": ["docs", "sheets", "drive"]}'
```

Open the `authUrl` from the response in your browser and authorize.

```bash
# SESSION_ID is the session_id value returned by /connect
curl "https://google.toolgate.dev/session/$SESSION_ID"
```

```bash
curl https://google.toolgate.dev/credentials \
  -H "Authorization: Bearer $JWT"
```

```bash
ACCESS_TOKEN=$(curl -s ... | jq -r '.access_token')

# Google Docs
curl "https://docs.googleapis.com/v1/documents/$DOC_ID" \
  -H "Authorization: Bearer $ACCESS_TOKEN"

# Google Sheets
curl "https://sheets.googleapis.com/v4/spreadsheets/$SHEET_ID" \
  -H "Authorization: Bearer $ACCESS_TOKEN"

# Google Drive
curl "https://www.googleapis.com/drive/v3/files" \
  -H "Authorization: Bearer $ACCESS_TOKEN"
```

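
A client-side guard for the polling and credentials steps above, written as an added example and not taken from the project's code. The function names are hypothetical, `fetch_status` stands in for the HTTP GET of `/session/<id>`, and treating `expires_at` as epoch milliseconds is an assumption based on the 13-digit sample value.

```python
import time

def check_scopes(granted, requested):
    """Fail closed if the service reports scopes the caller never asked for."""
    extra = sorted(set(granted) - set(requested))
    if extra:
        raise PermissionError(f"unrequested scopes granted: {extra}")

def wait_for_auth(fetch_status, requested, timeout_s=120, interval_s=2,
                  clock=time.monotonic, sleep=time.sleep):
    """Poll the session endpoint until it is authenticated or the deadline passes."""
    deadline = clock() + timeout_s
    while True:
        body = fetch_status()
        status = body.get("status")
        if status == "authenticated":
            check_scopes(body.get("scopes", []), requested)
            return body
        if status != "pending":
            raise RuntimeError(f"unexpected session status: {status!r}")
        if clock() + interval_s > deadline:
            raise TimeoutError("OAuth flow not completed before deadline")
        sleep(interval_s)

def usable_token(cred, requested, now_s=None, min_ttl_s=60):
    """Validate a /credentials response; return (token, seconds_left)."""
    now_s = time.time() if now_s is None else now_s
    if cred.get("token_type") != "Bearer":
        raise ValueError("unexpected token_type")
    check_scopes(cred.get("scopes", []), requested)
    # Assumption: expires_at is epoch milliseconds, so convert before comparing.
    seconds_left = cred["expires_at"] / 1000 - now_s
    if seconds_left < min_ttl_s:
        raise TimeoutError("token expired or near expiry; call /credentials again")
    return cred["access_token"], seconds_left

def redact(cred):
    """Return a copy that is safe to log: the token is replaced by its length."""
    safe = dict(cred)
    safe["access_token"] = f"<redacted:{len(cred['access_token'])} chars>"
    return safe

# Constructed sample responses, shaped like the ones documented above.
PENDING = {"status": "pending", "message": "Waiting for user to complete OAuth"}
AUTHED = {"status": "authenticated", "google_email": "user@gmail.com",
          "scopes": ["docs", "sheets", "drive"]}
CRED = {"access_token": "ya29.constructed-sample", "token_type": "Bearer",
        "expires_at": 1701234567000, "scopes": ["docs", "sheets", "drive"]}
```
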
- Google OAuth Credentials in AWS Secrets Manager:

  ```bash
  aws secretsmanager create-secret \
    --name toolgate/google-oauth \
    --secret-string '{"client_id":"YOUR_CLIENT_ID","client_secret":"YOUR_CLIENT_SECRET"}' \
    --profile tpm-pprod --region us-east-1
  ```

- Add OAuth Redirect URI in Google Console:
  - Go to: https://console.cloud.google.com/apis/credentials
  - Edit your OAuth client
  - Add redirect URI: `https://google.toolgate.dev/oauth/callback`

```bash
cd /Users/dschwartz/Dropbox/cc/toolgate/google
AWS_PROFILE=tpm-pprod ./deploy.sh
```

- Lambda: `toolgate-google-connector`
- DynamoDB: `toolgate-google-sessions`
- API Gateway: `google.toolgate.dev`
- CloudFormation Stack: `GoogleConnectorStack`

```bash
# View logs
aws logs tail /aws/lambda/toolgate-google-connector \
  --follow --profile tpm-pprod --region us-east-1
```

"Not Connected" error:
- Call `/connect` first to initiate OAuth
- Complete the OAuth flow in browser

"Token Expired" error:
- If refresh fails, reconnect via `/connect`

OAuth redirect error:
- Verify redirect URI in Google Console matches exactly

```bash
aws cloudformation delete-stack \
  --stack-name GoogleConnectorStack \
  --profile tpm-pprod --region us-east-1
```