Skip to main content
Set up one Google Cloud project and reuse it for every Google MCP server — Google Drive, Docs, Sheets, Slides, Gmail, Calendar, and the rest. Each Google server connects through a Google Cloud project that you own, and a single project can back all of them.

Before you begin

  • AI access management must be enabled for your tenant. See Enable AI access management.
  • Access to the Google Cloud console with permission to create or select a project, enable APIs, and edit IAM — a project Owner, or Editor plus a role that grants IAM admin.
  • A Google Workspace administrator for the steps that allow the OAuth client or configure domain-wide delegation.

What the project provides

When a user’s AI client calls a Google tool, C1 makes the matching request to the Google API. Your Google Cloud project supplies three things that request depends on: The third item is the one most often missed — see Grant users permission to use the project. Skipping it is the most common cause of a failed Google connection.

Create or select a project

Pick the project that will own your OAuth credentials and receive API quota. It can be a new project or an existing one.
1
Sign in to the Google Cloud console.
2
Create a new project for C1, or select an existing one. Note its Project ID (for example, acme-c1-mcp) — you’ll enter this exact value when you register each Google server.
3
The Workspace APIs in this guide don’t require a billing account. If you plan to use a billing-gated Google API or need higher quota limits, link a billing account to the project.

Enable the APIs for your connectors

Enable one API per Google connector you plan to use. In the console, go to APIs & Services > Library, search for the API by name, and select Enable. The service ID is the identifier you use with the gcloud CLI.
Enable only the APIs for the connectors you actually register. If a connector’s API isn’t enabled, its tool calls fail with a SERVICE_DISABLED error telling you to enable that API in the project.
To enable the APIs from the command line instead, pass the service IDs to gcloud. This example enables the full set — drop any you don’t need:
To confirm which APIs are enabled on the project:

Grant users permission to use the project

When you register a Google server with per-user OAuth, each person authenticates as themselves — so each user is the caller Google checks. Because you set a Quota Project ID, every request carries that project as its quota project, and Google requires the caller to hold the serviceusage.services.use permission on it. If a user doesn’t have it, their tool calls fail with:
The serviceusage.services.use permission comes with the Service Usage Consumer role (roles/serviceusage.serviceUsageConsumer). It only allows using APIs already enabled in the project and attributing quota to it — it grants no access to any data in the project. Because every user needs this, grant it to a Google group that contains all of your MCP users rather than to individuals. New users then inherit access automatically when they join the group.
1
Create (or choose) a Google group that contains everyone who will use your Google MCP servers — for example, an all-employees group.
2
In the Google Cloud console, go to IAM & Admin > IAM, select Grant access, enter the group’s email as the principal, and assign the Service Usage Consumer role. See Google’s Grant a role documentation.
If you prefer the command line:
IAM changes usually take effect within a minute but can take a few. If a user still sees PERMISSION_DENIED right after you grant access, have them retry shortly and reconnect their Google account so C1 mints a fresh token.
For the service-account option (see Use a service account instead), the caller is the service account rather than each user — grant the Service Usage Consumer role to the service account instead of a user group.

Create an OAuth client

Per-user OAuth needs one OAuth client in your project. Its client ID and secret let each user authorize C1 with their own Google account. The consent screen defines who can authorize the app and which scopes they grant.
1
Go to APIs & Services > OAuth consent screen (labeled Google Auth Platform on newer projects).
2
Choose the audience:
  • Internal — only accounts in your Google Workspace organization. Recommended when all your users are in one Workspace, because it avoids Google’s app-verification review.
  • External — any Google account. Broad Google Workspace scopes are restricted and require Google verification before an External app can be used outside your organization.
3
Add the scopes your connectors need — see OAuth scopes by connector for the full list per connector. Request only the scopes you need; for read-only use, prefer the narrower .readonly scopes. See Google’s Configure the OAuth consent screen documentation.
For an External app that hasn’t completed Google verification, add each person as a test user on the consent screen. Otherwise they hit a “Google hasn’t verified this app” screen and can’t authorize. Publishing and verifying the app removes that limit.

Create the client credentials

Create the OAuth client, then capture its ID and secret.
1
Go to APIs & Services > Credentials > Create Client > Web application. For details, see Google’s Manage OAuth Clients documentation.
2
Under Authorized redirect URIs, add exactly:
The value must match exactly — even a trailing-slash difference fails the authorization flow.
3
Select Create, then copy the Client ID and Client secret. Google shows the client secret only once.
If your users are on Google Workspace, an administrator may also need to allow the OAuth client under Admin Console > Security > Access and data control > API controls > App access control.

OAuth scopes by connector

Add the scopes for each connector you use — to the consent screen for per-user OAuth, or to domain-wide delegation for a service account. Each list below is the full set that connector’s tools can use. Grant only what your deployment needs, and prefer the .readonly scopes for read-only use.
Broad Google Workspace scopes are restricted or sensitive and require Google verification before an External app can use them outside your organization. Internal (Workspace-only) apps skip that review. See Google’s OAuth API verification FAQs. If you add scopes after users have connected, they must reconnect their Google account to grant the new scopes.

Optional: Use a service account instead

Instead of per-user OAuth, a Google Workspace tenant can authenticate everyone through a single service account with domain-wide delegation. All tool calls then reach Google as one shared identity.
1
In the Google Cloud console, go to APIs & Services > Credentials > Create credentials > Service account, create the account, and generate a JSON key. See Google’s Create service accounts documentation.
2
Note the service account’s numeric Unique ID.
3
As a Workspace administrator, go to Admin Console > Security > Access and data control > API controls > Domain-wide delegation, select Add new, and enter the Unique ID along with the scopes your connectors need.
4
Grant the service account the Service Usage Consumer role on your project (see Grant users permission to use the project) so its requests can use the quota project.

Register your Google servers

With the project ready, register each Google MCP server. During authentication setup, you provide:
  • The Google Cloud Quota Project ID — the Project ID from Create or select a project.
  • For per-user OAuth: the client ID, client secret, and the scopes you configured.
  • For a service account: the JSON key and the scopes you delegated.
Then follow the connector-specific page for anything unique to that server:
Connectors without a dedicated page above use the same Register an MCP server flow. If a Google connector you want isn’t in your catalog yet, contact the C1 support team.

Troubleshoot Google Cloud project errors

Tool discovery runs even before authentication works, so seeing discovered tools doesn’t confirm your credentials are correct. You confirm the setup only when an approved user successfully calls a Google tool from their AI client.