Only show these results:

Google Workspace Service Accounts

A service account is a special type of Google account that represents a non-human user that needs to authenticate and be authorized to access data in Google APIs. Only Google Calendar is supported.

In this guide, you'll learn how to set up your service account and authorize users.

Google Workspace Service Accounts Setup

Create Service Account

  1. Open Service Accounts in Google Cloud Platform.
  2. Select your project and click Create Service Account.

Service Account Details

  1. Fill in the Service account name, Service account ID ,and Service account description fields.
  2. Click Create and Continue.
  3. You can also complete the two optional steps if you'd like to grant the account access to a project or grant users access to the account.

Create Service Account

Create Service Account Key

  1. Select the account from the list of service accounts.
  2. Click Keys.
  3. Select Add Key.
  4. Click Create new key.
  5. Select JSON and a new key will be downloaded. Make sure to store this key somewhere safe.

Create a new key. Google Service Accounts

Delegate Domain Wide Authority

You'll need your Client ID for this step. You can access it in two ways:

  • The key you downloaded above will have the Client ID.
  • The Unique ID on the Details page.

You can get your Client ID from the service accounts JSON download.
Shows the Google service account keys JSON download with the client ID highlighted.

You can also get your Client ID from the details page.
Shows the Google Service Account details page with the client ID highlighted.

  1. Log in to the Google Workspace Admin console.

  2. From the Main menu, click Security > Access and data control > API controls.

  3. In the Domain wide delegation pane, select Manage Domain Wide Delegation.

  4. Click Add New.

  5. Enter the Client ID obtained from the service account creation steps above.

  6. In the OAuth Scopes field, enter the following text:,,,   
  7. Click Authorize.

Authenticate Users

To authenticate a user using a service account's credentials, pass the user email as email_address. The settings object will contain the service account's credentials.

Aliases and Service Accounts

You must use the real account and not an alias when authenticating users with service accounts. The domain names for the service account and the user must match. For example, if the service account credential is under but the user account is, it'll fail.

curl -X POST -d '{
"client_id": "nylas_client_id",
"name": "Nyla the Cheetah",
"email_address": "[email protected]", # Account to be authenticated
"provider": "gmail",
"settings": {
"service_account_json": { # Service account credentials
"type": "service_account",
"project_id": "my-google-app-123456",
"private_key_id": "68915b4e55baac9191dd32e0be784687c6873b14",
"private_key": "-----BEGIN PRIVATE KEY-----\nMIIE....fZ1F8=\n-----END PRIVATE KEY-----\n",
"client_email": "tes[email protected]",
"client_id": "10569134234239528168761",
"auth_uri": "",
"token_uri": "",
"auth_provider_x509_cert_url": "",
"client_x509_cert_url": ""
"scopes": "calendar"