Set up Google Workspace via OAuth
The fastest way to connect Extension Auditor to your Workspace. A Super Admin signs in once and grants Chrome Management access on behalf of the organisation.
This guide walks through connecting Google Workspace to Extension Auditor using OAuth. A Google Workspace Super Admin signs in to Google through Extension Auditor's authorisation flow, and the resulting refresh token is used to keep the integration in sync.
If you'd prefer a setup that doesn't depend on any individual admin's account staying valid, use the Service Account method instead.
Before you begin
Make sure you have:
- A Google Workspace account with the Super Admin role.
- Chrome Browser Cloud Management enabled for your tenant. The OAuth consent flow will succeed even if CBCM is disabled, but the first sync will fail with a permission error from Google.
- An Extension Auditor team workspace. The setup flow lives at:
/home/<your-team-slug>/integrations/google-workspace
In the dashboard: Sidebar → Settings → Integrations → Google Workspace → OAuth.
How it works
When you click Connect with Google OAuth, Extension Auditor redirects you to Google's standard OAuth 2.0 consent screen. Google authenticates you, shows you the list of scopes Extension Auditor is requesting, and — once you approve — issues us:
- A short-lived access token (used immediately to fetch your Workspace's customer ID and kick off the first sync).
- A long-lived refresh token (stored encrypted in our database and used to mint new access tokens for subsequent daily syncs).
Because the refresh token is bound to your individual user account, Google will revoke it if your account is suspended, your password changes in a way that invalidates sessions, your admin role is removed, or you explicitly revoke the grant from your Google account permissions page. If that happens, the integration will start failing with an authentication error and you'll need to reconnect — see Troubleshooting.
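How a sync job can tell a revoked grant from a transient failure when it exchanges the refresh token, as an added example (not Extension Auditor's own code). The error codes are those of RFC 6749 section 5.2; the response bodies are constructed samples and the action labels are hypothetical.

```python
import json
from dataclasses import dataclass

# RFC 6749 section 5.2: token invalid, expired or revoked; only a new consent fixes it.
RECONNECT_ERRORS = {"invalid_grant"}
# Errors caused by the client's registration or request, not the admin's account.
CLIENT_ERRORS = {"invalid_client", "unauthorized_client", "invalid_request",
                 "invalid_scope", "unsupported_grant_type"}


@dataclass(frozen=True)
class RefreshOutcome:
    action: str  # hypothetical labels: ok, reconnect, fix_client, retry, investigate
    reason: str  # safe to log: never contains token material


def classify_refresh(status: int, body: str) -> RefreshOutcome:
    """Map a token-endpoint response to what the sync job should do next."""
    try:
        payload = json.loads(body)
    except (TypeError, ValueError):
        payload = None
    if not isinstance(payload, dict):
        payload = {}  # HTML error page, empty body, or non-object JSON
    error = payload.get("error") if isinstance(payload.get("error"), str) else None

    if status == 200 and isinstance(payload.get("access_token"), str):
        return RefreshOutcome("ok", f"expires_in={payload.get('expires_in')}")
    if error in RECONNECT_ERRORS:
        return RefreshOutcome("reconnect", "refresh token rejected (invalid_grant)")
    if error in CLIENT_ERRORS:
        return RefreshOutcome("fix_client", f"client-side error: {error}")
    if status == 429 or status >= 500:
        return RefreshOutcome("retry", f"transient HTTP {status}")
    return RefreshOutcome("investigate", f"unrecognised response, HTTP {status}")


# Constructed sample responses; the access token value is a placeholder.
SAMPLES = [
    (200, '{"access_token": "PLACEHOLDER", "expires_in": 3599, "token_type": "Bearer"}'),
    (400, '{"error": "invalid_grant", "error_description": "Token has been expired or revoked."}'),
    (401, '{"error": "invalid_client"}'),
    (503, "<html>Service Unavailable</html>"),
]

if __name__ == "__main__":
    for status, body in SAMPLES:
        print(status, classify_refresh(status, body))
```

Only the reconnect outcome calls for a new consent flow; alerting on it separately from retryable errors keeps a revoked grant from hiding among ordinary sync failures.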
Step-by-step
Step 1 — Open the setup wizard
In the Extension Auditor dashboard, navigate to Settings → Integrations, then click Google Workspace. Switch to the OAuth tab. You'll see the prerequisites callout and a single button: Connect with Google OAuth.
Step 2 — Sign in as a Super Admin
Click Connect with Google OAuth. Extension Auditor will redirect you to accounts.google.com. Sign in using a Google Workspace account that has the Super Admin role.
If you have multiple Google accounts in the same browser, Google will show an account picker. Make sure you select the Super Admin account, not a personal Gmail or a regular Workspace user — non-admin accounts will reach the consent screen but the resulting token will fail to call the Chrome Management APIs.
Step 3 — Review and approve the scopes
Google's consent screen lists the nine scopes Extension Auditor is requesting. The screen labels them in plain language ("View Chrome browsers' details", "Manage Chrome extension policies", etc.).
Click Allow to grant the scopes. Google will redirect you back to Extension Auditor at:
/api/private/integrations/google-workspace/callback
You don't interact with that URL directly — Extension Auditor handles the response, exchanges the authorisation code for tokens, and finalises the connection.
Step 4 — First sync
After the redirect, Extension Auditor:
- Stores the encrypted refresh token against your team workspace.
- Calls Google's customers.get endpoint with my_customer to resolve your Workspace's real customer ID.
- Triggers an immediate background sync to populate browsers, extensions, users, and org units.
You'll see the integration card switch from "Service Account / OAuth" tabs to a Connected state, with totals updating live as the sync progresses.
After this first run, a daily sync runs automatically every 24 hours, and you can trigger a manual run any time with Sync Now.
Maintaining the integration
- The signing admin must remain an active Workspace admin. If their account is suspended, demoted out of Super Admin, or has its password reset in a way that invalidates sessions, the refresh token will be invalidated by Google.
- Don't delete the OAuth grant from myaccount.google.com/permissions unless you intend to disconnect Extension Auditor — doing so revokes the refresh token immediately and the next sync will fail.
- If your Workspace enforces session-length policies, those apply to interactive sessions and don't affect the OAuth refresh token directly. But if a policy change forces re-consent for OAuth apps, you'll need to reconnect.
When to switch to the Service Account method
Consider migrating to a Service Account integration if any of the following apply:
- The admin who signed in plans to leave the company or change roles.
- You want the integration to survive password resets and other account-state changes.
- Your security policy disallows long-lived refresh tokens issued to individual users.
- You're rolling out Extension Auditor org-wide and want a single, durable, audit-friendly identity for our API calls.
To migrate: disconnect the OAuth integration, then follow the Service Account guide. Discovered data will be re-populated by the new integration's first sync.
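A check for the policy question in the list above, as an added example that is not part of Extension Auditor: it scans Admin SDK Directory API tokens.list responses and reports which users hold third-party grants carrying Chrome Management scopes. The scope prefix is an assumption to adapt to your policy, and the users, client IDs and app names in the sample data are constructed.

```python
import json

# Assumption: this scope prefix marks a grant that can read or manage Chrome
# browsers and extensions. Adjust it to your own policy.
CHROME_SCOPE_PREFIX = "https://www.googleapis.com/auth/chrome.management."


def audit_chrome_grants(token_lists, approved_client_ids):
    """Return one finding per third-party grant carrying a Chrome Management scope.

    token_lists maps a user's email to the raw JSON body of tokens.list for that user.
    """
    findings = []
    for user in sorted(token_lists):
        body = json.loads(token_lists[user])
        for item in body.get("items", []):  # "items" may be absent when a user has no grants
            scopes = sorted(s for s in item.get("scopes", [])
                            if s.startswith(CHROME_SCOPE_PREFIX))
            if not scopes:
                continue
            findings.append({
                "user": user,
                "client_id": item.get("clientId"),
                "app": item.get("displayText"),
                "approved": item.get("clientId") in approved_client_ids,
                "write_capable": any(not s.endswith(".readonly") for s in scopes),
                "scopes": scopes,
            })
    return findings


# Constructed sample data: users, client IDs and app names are made up, and the
# scopes are illustrative, not the list Extension Auditor requests.
SAMPLE_TOKEN_LISTS = {
    "admin@example.com": json.dumps({"items": [
        {"clientId": "111111.apps.googleusercontent.com", "displayText": "Extension Auditor",
         "scopes": ["openid",
                    "https://www.googleapis.com/auth/chrome.management.policy",
                    "https://www.googleapis.com/auth/chrome.management.reports.readonly"]}]}),
    "it-lead@example.com": json.dumps({"items": [
        {"clientId": "222222.apps.googleusercontent.com", "displayText": "Unknown Reporter",
         "scopes": ["https://www.googleapis.com/auth/chrome.management.reports.readonly"]},
        {"clientId": "333333.apps.googleusercontent.com", "displayText": "Calendar Helper",
         "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]}]}),
    "intern@example.com": json.dumps({"kind": "admin#directory#tokenList"}),
}

if __name__ == "__main__":
    for f in audit_chrome_grants(SAMPLE_TOKEN_LISTS, {"111111.apps.googleusercontent.com"}):
        print(f)
```

A finding with approved set to False, or an approved app granted by an account other than the designated admin, is the case to review before and after migrating to a Service Account.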
What's next
- Configure extension monitors so you're alerted when a discovered extension changes
- Browse the Extensions API to query your discovered inventory programmatically
- Troubleshooting setup errors
- Official Google references:
