Knowledge blog

Setting up Gmail OAuth (2LA) for your web application

  1. Open the Service accounts page as logging in as admin

  2. Select a project, or create a new one.
  3. Click + Create service account.

  1. Fill up the Name and description on your own. And click CREATE AND CONTINUE.
  1. Under Grant Service Account Access page you may select role as well add conditions if need. But this is purely optional and in our case I am leaving it.

  2. Click Continue.
  3. Again Grant Users Access page is optional so just clicking DONE.

  4. In the grid Click on the Email account name you just created.
  1. Click on the KEYS tab and then click Create new Key from the ADD KEY dropdown.
  1. Leave the JSON as selected and click CREATE.
  1. Download the JSON and store it in your computer.

That is your new public/private key pair which serves as the only copy of the private key. You are responsible for storing it securely. If you lose this key pair, you will need to generate a new one.

Take note of the service account’s email address and store the service account’s private key file in a location accessible to your application. Your application needs them to make authorized API calls.

Delegate domain wide authority to the service account
  1. Go to admin console ( From the Main menu, click Security >> Access and data control >> API Controls.
  2. Click Add New
  3. In the Client ID field, enter the service account’s Client ID. You can find your service account’s client ID in the Service accounts page.
  4. In the OAuth scope enter
  5. Click Authorize.

Make sure you have enabled Gmail API in your google cloud console for this specific project, if not enable it now.

  1. Login to
  2. Go to the menu Enabled API & Services.
  3. Search using Gmail Api. Select the Gmail API from Search result.
  4. Click Enable.

That’s it. You can simply use the downloaded JSON with your web applications for sending emails using Gmail OAuth 2 legged authentication eliminating the user consent step.

Scroll to Top