Only show these results:

A service account is a special type of Google account intended to represent a non-human user that needs to authenticate and be authorized to access data in Google APIs.

Google Workspace Service Accounts Set Up

  1. Open the Service Accounts page in the Google Developer Console. You may need to create a project if you haven’t created one—you can name it “Nylas Integration” or something else descriptive.
  2. Select and open the project.
  3. Click "Create Service Account".

Create Service Account

  1. In the "Create service account" form:
    1. Type a name for the service account (e.g. “Nylas Service Account”) and click "Create".
    2. The next screen will ask for an optional role. You can skip this step.
    3. The following screen will offer an option to grant users access to this service account. You can skip that option and proceed with creating a key.
    4. Select JSON for the key type and click "Create". This will download a file to your computer. Store this file securely.
    5. Click Done.

Service Account Details

  1. Copy the client ID from the credentials file.
  2. Go to your Google Workspace domain’s Admin console.
  3. Select "Security" from the list of controls.
  4. Select "Advanced settings", then under Authentication, "Manage API client access":
    1. In the "Client Name" field, enter the client ID from step 6.
    2. In the "One or More API Scopes" field, enter
https://www.googleapis.com/auth/userinfo.email,https://www.googleapis.com/auth/userinfo.profile,https://www.googleapis.com/auth/calendar,https://www.googleapis.com/auth/admin.directory.user.readonly   
  1. Click Authrorize.

Google Workspace Manage API

And you're done

The JSON file generated in step 5 is essential—keep it safe. This file is a credential, so don’t store it in public places, etc. You will use this credential with the Native Authentication APIs.

Authenticate Users

To authenticate a user using a service account's credentials, pass the user email as email_address. The settings object will contain the service account's credentials.

Aliases and Service Accounts

You must use the real account, rather than an alias, when authenticating users with service accounts. The domain names for the service account and the user must match. For example, if the service account credential is under @contoso.com but the user account is @bravo.com, it will fail.

curl -X POST https://api.nylas.com/connect/authorize -d '{
"client_id": "nylas_client_id",
"name": "Nyla the Cheetah",
"email_address": "nyla@gmail.com", # Account to be authenticated
"provider": "gmail",
"settings": {
"service_account_json": { # Service account credentials
"type": "service_account",
"project_id": "my-google-app-123456",
"private_key_id": "68915b4e55baac9191dd32e0be784687c6873b14",
"private_key": "-----BEGIN PRIVATE KEY-----\nMIIE....fZ1F8=\n-----END PRIVATE KEY-----\n",
"client_email": "test-service-account@my-google-app-123456.iam.gserviceaccount.com",
"client_id": "10569134234239528168761",
"auth_uri": "https://accounts.google.com/o/oauth2/auth",
"token_uri": "https://oauth2.googleapis.com/token",
"auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
"client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/test-service-account%40my-google-app-123456.iam.gserviceaccount.com"
}
}
"scopes": "calendar"
}'