Control API access with domain-wide delegation (2025)

Domain-wide delegation is a powerful feature that lets you grant client applications permission to access your Workspace users' data without requiring their consent. You can use domain-wide delegation in two ways:

  1. Authorize a service account to access data on behalf of a user. A service account might use the following types of apps:
    • Migration and sync tools that duplicate user content from another service to Google Workspace.

    • Internal apps (for example, automation apps) that developers create for your organization. For example, you can delegate access to an application that uses the Calendar API to add events to your users' calendars.

  2. Allow users to use OAuth client apps without seeing a consent screen. Users can access apps without being prompted for consent, and you can specify the user data that the apps can access.

You can also manage domain-wide installation and view API scopes for Google Workspace Marketplace apps. Learn about Marketplace apps data access and installation.

Before you begin

  • Ensure you have super admin privileges for your Google Workspace account.
  • Review the domain-wide delegation best practices and best practices for using service accounts.
  • Verify the list of API scopes needed by the app or service account. Check that the app or service account has an appropriately small scope of access.
  • (If delegating an OAuth app) Get the OAuth client ID from the app developer.
  • (If delegating a service account) Get the client ID of the service account. If you’re the owner of the service account, you can find the ID as follows:
    1. Sign in to Google Cloud as a super administrator.
    2. Click IAM & Admin > Service accounts > [name of your service account].
    3. Expand Advanced settings and copy the Client ID.
  • With domain-wide delegation, the app has access to the data belonging to all of your users. We recommend setting up a regular review of service accounts and deleting any accounts no longer in use.

Set up domain-wide delegation for a client

  1. Sign in with a super administrator account to the Google Admin console.

    If you aren’t using a super administrator account, you can’t complete these steps.

  2. Go to Menu > Security > Access and data control > API controls > Manage Domain Wide Delegation.

    You must be signed in as a super administrator for this task.

  3. Click Add new.

  4. Enter the Client ID for either the service account or the OAuth2 client.

  5. In OAuth Scopes, add each scope that the application can access (should be appropriately narrow). You can use any of the OAuth 2.0 Scopes for Google APIs. For example, if the application needs domain-wide access to the Google Drive API and the Google Calendar API, enter https://www.googleapis.com/auth/drive and https://www.googleapis.com/auth/calendar.
  6. Click Authorize. If you get an error, the client ID might not be registered with Google or there might be duplicate or unsupported scopes.

    Note: If Multi-party approval is enabled for your organization, authorizing domain-wide delegation for a client app requires approval from another super admin.

  7. Point to the new client ID, click View details, and make sure that every scope is listed.

    If a scope is not listed, click Edit, enter the missing scope, and click Authorize. You can't edit the client ID.

Changes can take up to 24 hours but typically happen more quickly.

View, edit, or delete clients and scopes

As a best practice, periodically check your app's scopes and remove scopes that aren't required or actively used. Also, delete clients you no longer need. For example, remove access for a migration tool after you complete your migration.

  1. Sign in with a super administrator account to the Google Admin console.

    If you aren’t using a super administrator account, you can’t complete these steps.

  2. Go to Menu > Security > Access and data control > API controls > Manage Domain Wide Delegation.

    You must be signed in as a super administrator for this task.

  3. Click a client name and then choose an option:

  • View details—View the full client name and list of scopes
  • Edit—Add or remove scopes. You can't edit the client ID. Changes can take up to 24 hours but typically happen more quickly.
  • Delete—Applications that depend on the client authorization will immediately stop working.

    Note: If Multi-party approval is enabled for your organization, editing scopes or deleting domain-wide delegation for a client app requires approval from another super admin.
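
The scope check in step 5 of the setup and the periodic review described above can be scripted. The following is an added example, not code from Google or from this page. It assumes scopes are kept as comma-separated strings per client ID; the function names, the `BROAD_SCOPES` review policy, the `IN_USE` set and the sample client IDs are all hypothetical or constructed.

```python
from urllib.parse import urlparse

G = "https://www.googleapis.com/auth/"
# Broad scopes and narrower real scopes to consider; this review policy is an assumption.
BROAD_SCOPES = {
    G + "drive": [G + "drive.readonly", G + "drive.file"],
    G + "calendar": [G + "calendar.events", G + "calendar.readonly"],
    "https://mail.google.com/": [G + "gmail.readonly", G + "gmail.send"],
}

def review_scopes(raw):
    """Review a comma-separated scope string; return (cleaned, findings)."""
    cleaned, findings, seen = [], [], set()
    scopes = [s.strip() for s in raw.replace("\n", ",").split(",") if s.strip()]
    for scope in scopes:
        if scope in seen:  # duplicates can make Authorize fail
            findings.append(("duplicate", scope, "listed more than once"))
            continue
        seen.add(scope)
        cleaned.append(scope)
        parsed = urlparse(scope)
        if parsed.scheme != "https" or not parsed.netloc:
            findings.append(("not-url", scope, "not an https URL, check for a typo"))
        elif scope in BROAD_SCOPES:
            findings.append(("broad", scope, "consider " + " or ".join(BROAD_SCOPES[scope])))
    return cleaned, findings

def review_inventory(clients, in_use):
    """Map client ID -> findings for every delegated client that needs attention."""
    report = {}
    for client_id, raw in clients.items():
        findings = review_scopes(raw)[1]
        if client_id not in in_use:  # e.g. a finished migration tool
            findings.append(("unused-client", client_id, "delete the delegation"))
        if findings:
            report[client_id] = findings
    return report

# Constructed sample inventory: client IDs and scope strings are made up.
SAMPLE_CLIENTS = {
    "100000000000000000001": G + "calendar.events",
    "100000000000000000002": f"{G}drive, {G}drive,htps://www.googleapis.com/auth/calendar",
    "100000000000000000003": "https://mail.google.com/",
}
IN_USE = {"100000000000000000001", "100000000000000000002"}

if __name__ == "__main__":
    for cid, items in review_inventory(SAMPLE_CLIENTS, IN_USE).items():
        print(cid, [(kind, detail) for kind, _, detail in items])
```

A "broad" finding is a prompt to confirm with the app owner whether a narrower scope is enough, not proof that the entry is wrong.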

Author: Kimberely Baumbach CPA
