Set up Google Workspace via Service Account

Recommended setup. Authorise Extension Auditor's service account in your Google Admin Console using domain-wide delegation. One-time configuration, no token expiry.

This guide walks through connecting Google Workspace to Extension Auditor using a Google Cloud service account with domain-wide delegation. This is the recommended method for production deployments — once delegation is configured, the integration runs unattended and is not tied to any individual admin's account.

Before you begin

Make sure you have:

  • The Super Admin role in your Google Workspace tenant (delegation can only be configured by a Super Admin, even though the integration runs day-to-day under a delegated admin).

  • The email address of a Workspace admin that Extension Auditor should impersonate when calling Google APIs. This is typically a service-only admin account (e.g. extension-auditor-svc@<your-domain>) with the Chrome management privileges listed in the Google Workspace overview.

  • Your primary Workspace domain (e.g. yourcompany.com).

  • An Extension Auditor team workspace. The setup flow lives at:

    /home/<your-team-slug>/integrations/google-workspace
    

    In the dashboard: Sidebar → Settings → Integrations → Google Workspace → Service Account (Recommended).

How it works

Extension Auditor maintains a single Google Cloud service account whose OAuth client ID is published in the setup wizard. By authorising that client ID inside your Google Admin Console — and granting it the nine Chrome Management scopes — you're telling Google: "this external service may impersonate users in our domain, but only for these specific scopes." The service account then asks Google for a short-lived access token impersonating the admin email you specify, and uses it to call the Chrome and Directory APIs.

This is a standard pattern called domain-wide delegation of authority. It doesn't grant Extension Auditor blanket access to your tenant: Google limits the delegated client to the scopes you authorise, Extension Auditor impersonates only the admin email you configure, and every call it makes is further bounded by that admin's own privileges.

Step-by-step

Step 1 — Open the setup wizard

In the Extension Auditor dashboard, navigate to Settings → Integrations, then click Google Workspace. On the Service Account (Recommended) tab you'll see a six-step guided flow with the values you need to copy. Keep that tab open in your browser — you'll come back to it in Step 4.

Step 2 — Copy our Service Account Client ID

The wizard shows a numeric Client ID (currently 102249932937757513383). This is the unique identity of Extension Auditor's service account in Google's directory. Copy it — Google's Admin Console asks for it in the next step.

The Client ID is fixed for the platform and is also displayed inside the in-app setup wizard, which is the source of truth. If the value here ever differs, trust the value shown in the wizard.

Step 3 — Open the Domain-Wide Delegation page in Google Admin

Click Open Domain-Wide Delegation Settings in the wizard, or go directly to:

https://admin.google.com/ac/owl/domainwidedelegation

This is Security → Access and data control → API controls → Domain-wide delegation in the Google Admin Console.

You must be signed in to Google as a Super Admin to see this page.

Step 4 — Add Extension Auditor as a delegated client

  1. Click Add new.

  2. In Client ID, paste the value from Step 2.

  3. In OAuth scopes (comma-delimited), paste this exact list:

    https://www.googleapis.com/auth/admin.directory.device.chromebrowsers.readonly,https://www.googleapis.com/auth/chrome.management.reports.readonly,https://www.googleapis.com/auth/chrome.management.appdetails.readonly,https://www.googleapis.com/auth/chrome.management.policy.readonly,https://www.googleapis.com/auth/admin.directory.orgunit.readonly,https://www.googleapis.com/auth/admin.reports.audit.readonly,https://www.googleapis.com/auth/admin.directory.device.chromebrowsers,https://www.googleapis.com/auth/chrome.management.policy,https://www.googleapis.com/auth/admin.directory.orgunit
    

    The setup wizard has a Copy button next to this list — use that rather than re-typing.

  4. Click Authorize.

Google will store the delegation. The change usually applies within a minute or two, but Google occasionally takes longer — if the connection test in Step 6 fails immediately, wait a few minutes and try again.

Heads up on scopes: paste the entire list as one comma-separated string. If even one scope is missing or misspelled, the connection test will report a "scope mismatch" error and the integration will refuse to save. Do not add extra scopes.
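A pre-flight check for the scope string, added here as an example (it is not Extension Auditor's code): it compares the string you are about to paste against the nine scopes listed in Step 4 and reports missing, extra, duplicated and likely misspelled entries, plus which of the granted scopes are read/write rather than read-only. The function name `check_scopes` and the 0.9 similarity cutoff are assumptions of this example.

```python
import difflib

# The nine scopes from Step 4 of this guide, split for readability.
BASE = "https://www.googleapis.com/auth/"
EXPECTED = frozenset(BASE + s for s in (
    "admin.directory.device.chromebrowsers.readonly",
    "chrome.management.reports.readonly",
    "chrome.management.appdetails.readonly",
    "chrome.management.policy.readonly",
    "admin.directory.orgunit.readonly",
    "admin.reports.audit.readonly",
    "admin.directory.device.chromebrowsers",
    "chrome.management.policy",
    "admin.directory.orgunit",
))


def check_scopes(pasted: str) -> dict:
    """Compare a comma-delimited scope string against the expected list."""
    # Tolerate stray whitespace/newlines and a trailing comma from copy-paste.
    items = [s.strip() for s in pasted.split(",") if s.strip()]
    got = set(items)
    missing = EXPECTED - got
    extra = got - EXPECTED
    # Pair each unexpected scope with the missing one it most resembles (likely typo).
    typos = {}
    for s in sorted(extra):
        near = difflib.get_close_matches(s, sorted(missing), n=1, cutoff=0.9)
        if near:
            typos[s] = near[0]
    return {
        "ok": not missing and not extra,
        "missing": sorted(missing),
        "extra": sorted(extra),
        "likely_typos": typos,
        "duplicates": sorted({s for s in items if items.count(s) > 1}),
        # Scopes without the .readonly suffix allow changes, not just reads.
        "read_write": sorted(s for s in got & EXPECTED if not s.endswith(".readonly")),
    }


if __name__ == "__main__":
    # Constructed input: one scope misspelled ("orgunits"), the rest correct.
    sample = ",".join(sorted(EXPECTED)).replace("orgunit.readonly", "orgunits.readonly")
    for key, value in check_scopes(sample).items():
        print(f"{key}: {value}")
```

Three of the nine scopes are read/write, so the `read_write` list is the part of the grant to weigh against the privileges of the admin account you configure in Step 5.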

Step 5 — Enter your admin email and domain

Back in the Extension Auditor wizard:

  • Workspace Admin Email — the address Extension Auditor should impersonate when calling Google APIs. This must be a real Workspace user with the privileges listed in the prerequisites. Most customers create a dedicated extension-auditor-svc@<your-domain> account so that audit logs clearly attribute Extension Auditor's API calls.
  • Workspace Domain — your primary Workspace domain (e.g. yourcompany.com). Don't include https:// or any subdomain.

Step 6 — Test the connection

Click Test Connection. Extension Auditor will:

  1. Mint a delegated access token impersonating the admin email above.
  2. Call the Chrome Browser Cloud Management API with that token.
  3. Report success or surface the exact Google error.

A green Connection Verified banner means delegation is wired up correctly. If you get an error, see Troubleshooting.

Step 7 — Save and connect

The Save & Connect button stays disabled until the connection test passes. Once it does, click Save & Connect. Extension Auditor will:

  1. Persist the integration record (admin email + domain + auth method) for your team.
  2. Resolve your real Google customer ID by calling customers.get with my_customer.
  3. Kick off an immediate first sync — you'll see browser, extension, and user counts populate over the next few minutes.

After this, a daily sync runs automatically every 24 hours, and you can trigger a manual run any time with Sync Now.

Rotating or revoking the integration

  • To rotate the impersonated admin (e.g. if extension-auditor-svc@… is being decommissioned): disconnect the integration in Extension Auditor, then re-run the setup wizard with the new admin email. The Client ID and Admin Console delegation entry don't need to change.
  • To revoke entirely: open https://admin.google.com/ac/owl/domainwidedelegation, find the row for Extension Auditor's Client ID, and delete it. Then disconnect the integration in Extension Auditor. Either step alone is sufficient — but doing both ensures no stale tokens and no stale records.
