Quick Start

Sign up, scan your first extension, and connect Google Workspace in under ten minutes.

This guide gets you from zero to a fully-connected Extension Auditor workspace in three short steps.

1. Create an account

Sign up at extensionauditor.com/auth/sign-up. You can use email + password or "Continue with Google".

Personal accounts are great for ad-hoc analysis — paste an extension URL and get an instant security report. To inventory and govern extensions across an organisation, you'll need a team account, which is created from the home page after sign-in via Create Team Account.

2. Scan your first extension

From the home page (or /scan), paste either:

  • A Chrome Web Store URL, e.g. https://chromewebstore.google.com/detail/<extension-id>
  • A 32-character extension ID, e.g. blemhmgimpnomifkjoinlelbmgoljddm

Within a few seconds you'll see:

  • A risk score (LOW / MEDIUM / HIGH / CRITICAL) with the reasoning behind it
  • A permission breakdown with each requested permission classified by sensitivity
  • The extension's publisher reputation — verified status, other extensions in the portfolio, and prior incident history
  • A manifest analysis of CSP, host permissions, content scripts, and other manifest signals

This is the same risk engine that runs on every extension we discover via your Google Workspace integration.
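If you are preparing a list of extensions to scan, it helps to normalise each entry to a bare ID first. The following is an added example, not Extension Auditor's own code: it accepts the two input forms listed above and rejects look-alike store hosts. The function names are hypothetical, the optional name segment in the URL path is an assumption, and the sample inputs are constructed.

```python
import re
from urllib.parse import urlsplit

# Chrome extension IDs are 32 characters drawn from the letters a-p.
EXTENSION_ID = re.compile(r"[a-p]{32}")

# Assumption: only the Chrome Web Store host shown in this guide is accepted.
STORE_HOST = "chromewebstore.google.com"


def extension_id_from_input(value):
    """Return the extension ID from a store URL or bare ID, or None if invalid."""
    value = value.strip()
    if EXTENSION_ID.fullmatch(value):
        return value
    try:
        parts = urlsplit(value)
        host = parts.hostname  # lower-cased, userinfo and port stripped
    except ValueError:
        return None
    # Exact host match: rejects suffix tricks and user@host look-alikes.
    if parts.scheme != "https" or host != STORE_HOST:
        return None
    segments = [s for s in parts.path.split("/") if s]
    # Accept /detail/<id> (as in this guide) and /detail/<name>/<id> (assumed).
    if len(segments) not in (2, 3) or segments[0] != "detail":
        return None
    candidate = segments[-1]
    return candidate if EXTENSION_ID.fullmatch(candidate) else None


def normalise_batch(entries):
    """Split entries into (unique valid IDs in input order, rejected entries)."""
    ids, rejected = [], []
    for entry in entries:
        ext_id = extension_id_from_input(entry)
        if ext_id is None:
            rejected.append(entry)
        elif ext_id not in ids:
            ids.append(ext_id)
    return ids, rejected


if __name__ == "__main__":
    # Constructed sample input using the example ID from this guide.
    sample = ["blemhmgimpnomifkjoinlelbmgoljddm", "not-an-extension-id"]
    print(normalise_batch(sample))
```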

3. Connect Google Workspace

If your organisation manages Chrome browsers via Chrome Browser Cloud Management, you can pull the entire installed-extensions inventory into Extension Auditor in a few minutes.

In your team workspace, go to Settings → Integrations → Google Workspace and pick a setup method:

  • Service Account (Recommended) — One-time setup using domain-wide delegation. Survives admin role changes; best for production deployments.
  • OAuth — A Super Admin signs in once and grants Chrome Management access. Fastest path if you just want to try it.

The full integration overview, scope list, and a comparison of the two methods are in the Google Workspace integration docs.

What you can do next

Once connected, your dashboard surfaces:

  • Discover — every browser, every extension, every user, every org unit
  • Monitor — alert rules for permission changes, publisher changes, version updates, removals from the store, etc.
  • API — programmatic access to the same data, plus the Risk Engine, via our REST API

Need help?