My experience of the OAuth consent screen verification process.

For my Chrome Extension setup, I need the Google Calendar read-only scope to fetch calendar events for some analytics generation. This meant I needed to use Google’s OAuth consent screen to ask the user for permission. This is a sensitive scope (see all scopes), which meant I needed to go through an approval process to get the app verified.

If I don’t, the user will see a quite scary screen!

Unverified App Screen
The user is allowed to still continue but I reckon most will uninstall your app instantly.

Creating the Consent App and Submitting it for verification

To get started, the first thing to do is to find out if your required scope is sensitive or restricted (because the base scopes do not need additional verification). I suggest using the APIs Explorer, then under the “Authorization scopes” section, you will be able to see the minimum required scope.

Scopes for Gmail API users.messages.get

Once you have determined the scope, you can create the testing OAuth consent screen by filling out this setup form. You can now start to test with the OAuth app. After testing, you can click “Publish” to make it open to the public.

Publish app

If you have added sensitive or restricted scopes, the console will show you the “Prepare for verification” step. This screen is similar to the app creation one, except that some of the fields are now mandatory.

Prepare for verification

Here are the fields I found a bit more difficult to fill:

YouTube video: It is also required to submit a YouTube video on how your app uses the scopes. Here is the link to the one I created. However, it didn’t register any views during the verification flow so I am dubious if they watch it.

Privacy policy: I generated one from a template and edited it as required. There are a few Google-specific clauses you have to add in order to comply with their rules. I have described this in more detail later.

External Domains: This initially got me slightly worried as I use Supabase as my Auth solution. This meant the callback uses their domain rather than mine. I added this detail to my application under the “Share any final details about your app.” section.

The verification timeline

7th Jun - Submitted OAuth Request on console

13th Jun - Received first email requesting additional requirements. Including:

Verification pending updates

Replied with the fixes and screenshots as evidence.

15th Jun - Received second email requesting an additional requirement to make privacy policy explicitly accessible via the homepage. Replied with updates and screenshots as evidence.

18th Jun - Received approval email.

The app is verified!

Learnings

Overall, the process took 11 days. I have linked here the full email conversation.

The review process is mainly handled via email; the console information is just a duplication. I was surprised by this, because all of the submissions and forms were done on the Cloud console screen, so I expected the communications to use that platform as well. What’s more confusing is that on submission you don’t receive a confirmation email immediately.

The cadence of replies was fine and in general quite informative. There was a point raised on the “Validation of App Functionality” that was slightly unclear to me but in the end, I figured out it was in fact that the branding was incorrect.

Explicitly mention the scopes you require in additional details. There was a point raised about a scope that I used before but was not added to the request. It was only a scope I used for testing so I didn’t require it anymore. If you used any scopes for testing but do not use them anymore, definitely mention them in the additional details section.
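The two scope points above (pick the minimum scope up front, and declare every scope your code has ever requested) are easy to check mechanically. The following is an added example, not code from the original post or from Meeting Dolphin: it builds the Google authorization URL with only the read-only calendar scope, scans source text for any Google scope URLs it references, and diffs those against the list declared for verification. The client id, redirect URI and the sample source snippet are constructed placeholders.

```javascript
// Added example (not the post's own code): least-privilege scope handling
// for a Google OAuth client, plus an audit of declared vs. used scopes.

// The single scope the post needs: read-only access to calendar events.
const REQUIRED_SCOPES = [
  "https://www.googleapis.com/auth/calendar.readonly",
];

// Build the authorization URL so only REQUIRED_SCOPES is ever requested.
// clientId / redirectUri / state are caller-supplied placeholders here.
function buildAuthUrl({ clientId, redirectUri, state, scopes = REQUIRED_SCOPES }) {
  const url = new URL("https://accounts.google.com/o/oauth2/v2/auth");
  url.searchParams.set("client_id", clientId);
  url.searchParams.set("redirect_uri", redirectUri);
  url.searchParams.set("response_type", "code");
  url.searchParams.set("scope", scopes.join(" "));
  url.searchParams.set("state", state); // CSRF binding for the callback
  return url.toString();
}

// Find every Google API scope URL mentioned anywhere in a body of source text.
// This is what catches a scope left over from testing (the reviewer's point).
function findScopesInSource(sourceText) {
  const pattern = /https:\/\/www\.googleapis\.com\/auth\/[\w.]+/g;
  return [...new Set(sourceText.match(pattern) || [])].sort();
}

// The token response's space-delimited "scope" field lists what was granted.
function parseGrantedScopes(tokenResponse) {
  return (tokenResponse.scope || "").split(/\s+/).filter(Boolean);
}

// Diff the scopes declared on the consent screen against the scopes in use.
// usedButUndeclared is what the verification reviewer will ask about;
// declaredButUnused is over-privilege you should drop.
function auditScopes(declaredScopes, usedScopes) {
  const declared = new Set(declaredScopes);
  const used = new Set(usedScopes);
  return {
    usedButUndeclared: [...used].filter((s) => !declared.has(s)).sort(),
    declaredButUnused: [...declared].filter((s) => !used.has(s)).sort(),
  };
}

// Constructed sample: the current code plus a stale scope from an old test.
const SAMPLE_SOURCE = `
  const scope = "https://www.googleapis.com/auth/calendar.readonly";
  // old test, no longer used:
  // "https://www.googleapis.com/auth/calendar.events.readonly"
`;

function runAudit() {
  return auditScopes(REQUIRED_SCOPES, findScopesInSource(SAMPLE_SOURCE));
}

module.exports = { REQUIRED_SCOPES, buildAuthUrl, findScopesInSource, parseGrantedScopes, auditScopes, runAudit };
```

Running `runAudit()` against the constructed sample reports the stale `calendar.events.readonly` scope as used-but-undeclared, which is exactly the kind of leftover that should either be removed from the code or mentioned in the additional-details section before submitting.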

Start the process early before you are ready for production. If I could go again, I would start this process upfront so that I could have it ready before the launch. Because I didn’t do that, people who installed Meeting Dolphin in the past 11 days would see the warning screen and I wonder how many users gave up after seeing it.

Final thoughts

In comparison with my experience of the Google Chrome Extension submission process, I think this was more convoluted due to it being an email flow. I hope they change this to a flow using the console itself.