Google Admin API

How to generate an API token for the Google Admin SDK.

Updated: 2025-10-24T16:45:21Z

What we need

  [ ] Google Credentials
  [ ] Domain
  [ ] Username Admin

Follow these steps to create credentials for the Google Admin API:

  1. Create or select a Google Cloud project

  2. Enable Google APIs

    • Navigate to APIs & Services > Enabled APIs & Services
    • For each of the following APIs, open its page and click Enable if it is not already enabled:
      • Gmail API
      • Google Slides API
      • Google Sheets API
      • Google Drive API
      • Google Docs API
      • Google Calendar API
      • Google Drive Activity API
      • Admin SDK API
      • Google Meet REST API

    ⚠️ IMPORTANT: Make sure ALL these APIs are enabled. Failure to enable any of these APIs will result in permission errors when trying to access the corresponding Google services.

    Common Error: If you encounter the error “Drive Activity API has not been used in project [PROJECT_ID] before or it is disabled”, the Drive Activity API specifically needs to be enabled. Follow the URL given in the error message, or go to APIs & Services > Library, search for “Drive Activity API”, and click Enable.

  3. Enable the Admin SDK API

    • In the Cloud Console, navigate to APIs & Services > Library.
    • Search for Admin SDK and click Enable.
  4. Create a service account

    • Go to APIs & Services > Credentials.
    • Click Create Credentials > Service Account.
    • Enter a name and description, then click Create.
  5. Grant the service account proper roles

    • Assign roles like Owner or more restrictive roles as needed.
    • Click Done.
  6. Generate a service account key

    • In the Service Accounts list, locate your service account and click Manage keys.
    • Click Add Key > Create new key.
    • Choose JSON and click Create. A JSON file will be downloaded.
  7. Configure Domain-Wide Delegation (CRITICAL) (see also official docs)

    • Go to your Google Workspace Admin Console as a Super Administrator.

    • Navigate to Security > Access and data control > API controls.

    • Look for Manage Domain-wide Delegation and click on it.

    • Click Add new to add a new API client.

    • For the Client ID, enter the Client ID of your service account (found in the service account details page or in the downloaded JSON file as client_id).

    • For OAuth Scopes, add the following scopes (one per line):

      • https://www.googleapis.com/auth/admin.directory.user.readonly
      • https://www.googleapis.com/auth/admin.directory.group.readonly
      • https://www.googleapis.com/auth/directory.readonly
      • https://www.googleapis.com/auth/drive.activity.readonly
      • https://www.googleapis.com/auth/drive.readonly
      • https://www.googleapis.com/auth/drive.metadata.readonly
      • https://www.googleapis.com/auth/documents.readonly
      • https://www.googleapis.com/auth/spreadsheets.readonly
      • https://www.googleapis.com/auth/presentations.readonly
      • https://www.googleapis.com/auth/calendar.readonly
      • https://www.googleapis.com/auth/gmail.readonly
      • https://www.googleapis.com/auth/userinfo.profile
      • https://www.googleapis.com/auth/userinfo.email
      • https://www.googleapis.com/auth/meetings.space.readonly
      • https://www.googleapis.com/auth/drive.meet.readonly
    • Click Authorize.

    Important Note: The “unauthorized_client” error occurs when Domain-Wide Delegation is not properly configured. This step is essential for the service account to access user data through the Admin API.

    Troubleshooting Common API Errors:

    • Drive Activity API Error: If you see “Drive Activity API has not been used in project [PROJECT_ID] before or it is disabled”, go to the Google Cloud Console, navigate to APIs & Services > Library, search for “Google Drive Activity API”, and click Enable. Wait a few minutes for the change to propagate.
    • Other API Permission Errors: Similar errors can occur for any of the APIs listed in step 2. Always ensure ALL required APIs are enabled in your Google Cloud project.

    Troubleshooting: If you encounter issues with the Google Admin API, please refer to our troubleshooting guide.

Finding Your Service Account Client ID

The Client ID is a long string that looks like: 123456789012-abcdefghijklmnopqrstuvwxyz123456.apps.googleusercontent.com

You can find it:

  1. In your Google Cloud Console under APIs & Services > Credentials > Service Accounts
  2. Click on your service account, then look for “Unique ID” or “Client ID”
  3. Or in the downloaded JSON credentials file as the client_id field

Required OAuth Scopes

For most user operations, you’ll need these scopes:

| Operation | Required Scope |
|---|---|
| Reading users | https://www.googleapis.com/auth/admin.directory.user.readonly |
| Reading groups | https://www.googleapis.com/auth/admin.directory.group.readonly |
| Reading all directory information (users, groups, organizational units, etc.) | https://www.googleapis.com/auth/directory.readonly |
| Reading Drive file activity | https://www.googleapis.com/auth/drive.activity.readonly |
| Reading all Drive files and metadata | https://www.googleapis.com/auth/drive.readonly |
| Reading Drive file metadata | https://www.googleapis.com/auth/drive.metadata.readonly |
| Reading Google Docs documents | https://www.googleapis.com/auth/documents.readonly |
| Reading Google Sheets spreadsheets | https://www.googleapis.com/auth/spreadsheets.readonly |
| Reading Google Slides presentations | https://www.googleapis.com/auth/presentations.readonly |
| Reading Google Calendar events and settings | https://www.googleapis.com/auth/calendar.readonly |
| Reading Gmail messages and settings | https://www.googleapis.com/auth/gmail.readonly |
| Reading user profile information (name, profile picture) | https://www.googleapis.com/auth/userinfo.profile |
| Reading user’s email address | https://www.googleapis.com/auth/userinfo.email |
| Reading user’s Google Drive files created by Google Meet | https://www.googleapis.com/auth/drive.meet.readonly |
| Read user’s Google Meet information | https://www.googleapis.com/auth/meetings.space.readonly |

You can now call the Admin SDK from your client using these credentials.

Item Checklist of what’s needed for integration

  1. The credentials JSON file created above
  2. The Domain of the Google Organization (it’s the part after “@” in company emails)
  3. One admin email address (must be a Super Admin with access to configure API controls)
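
How the three checklist items fit together, as an added example that is not part of the original guide: a pre-flight check on the key file, domain and admin email, plus the claim set of the JWT a client signs to impersonate the admin under Domain-Wide Delegation. `SAMPLE_KEY`, `preflight` and `delegation_claims` are hypothetical names, and every value in the sample key is a constructed placeholder.

```python
import time

PREFIX = "https://www.googleapis.com/auth/"
# Scopes authorized for the client in step 7 (Domain-Wide Delegation).
AUTHORIZED = {PREFIX + s for s in (
    "admin.directory.user.readonly admin.directory.group.readonly "
    "directory.readonly drive.activity.readonly drive.readonly "
    "drive.metadata.readonly documents.readonly spreadsheets.readonly "
    "presentations.readonly calendar.readonly gmail.readonly "
    "userinfo.profile userinfo.email meetings.space.readonly "
    "drive.meet.readonly").split()}

# Constructed stand-in for the downloaded JSON key; every value is a placeholder.
SAMPLE_KEY = {
    "type": "service_account",
    "client_id": "000000000000000000000",
    "client_email": "reader@example-project.iam.gserviceaccount.com",
    "private_key": "PLACEHOLDER-NOT-A-REAL-KEY",
    "token_uri": "https://oauth2.googleapis.com/token",
}

def preflight(key, domain, admin_email, scopes):
    """Return a list of problems; an empty list means the inputs are consistent."""
    problems = []
    if key.get("type") != "service_account":
        problems.append("key file is not a service account key")
    for field in ("client_id", "client_email", "private_key", "token_uri"):
        if not key.get(field):
            problems.append("key file is missing " + field)
    if not admin_email.lower().endswith("@" + domain.lower()):
        problems.append("admin email is not in the Workspace domain")
    extra = sorted(set(scopes) - AUTHORIZED)
    if extra:  # a token request for these fails with unauthorized_client
        problems.append("scopes not authorized in step 7: " + ", ".join(extra))
    return problems

def delegation_claims(key, admin_email, scopes, now=None):
    """Claim set of the JWT the client signs with private_key (RS256)."""
    now = int(time.time() if now is None else now)
    return {
        "iss": key["client_email"],  # the service account
        "sub": admin_email,          # the admin being impersonated
        "scope": " ".join(scopes),   # must be a subset of AUTHORIZED
        "aud": key["token_uri"],
        "iat": now, "exp": now + 3600,  # one hour is the maximum lifetime
    }

if __name__ == "__main__":
    print(preflight(SAMPLE_KEY, "example.com", "admin@example.com", sorted(AUTHORIZED)))
```

The `sub` claim is why an admin email is on the checklist: anyone holding the JSON key can request tokens as that user for every authorized scope, so store the key file as a secret.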