CrabGlamp

Connect Google

Authorize a Google account with a chosen scope set through the CrabGlamp dashboard OAuth flow. This guide covers the dashboard flow, the scope picker, what happens server-side when you click Allow on the Google consent screen, and how the encrypted refresh token is stored. Each Agent on the account can then fetch fresh access tokens on demand.

Last updated:

You want to make a Google account's Gmail, Calendar, Sheets, Docs, Contacts, or per-file Drive access available to Agents on your CrabGlamp account.

Pre-pick the scopes

Decide which Google APIs you need. The scope picker offers these optional groups (toggle the ones you want):

  • Gmail (send only)https://www.googleapis.com/auth/gmail.send
  • Calendarhttps://www.googleapis.com/auth/calendar
  • Sheetshttps://www.googleapis.com/auth/spreadsheets
  • Docshttps://www.googleapis.com/auth/documents
  • Contactshttps://www.googleapis.com/auth/contacts
  • Drive (per-file)https://www.googleapis.com/auth/drive.file — only files you explicitly open or that the agent creates

openid, email, and profile are always requested so CrabGlamp can identify the connection. Broad Drive scopes (drive, drive.readonly) are not offered.

From the dashboard

  1. Open /dashboard/apps.
  2. Find the Google card.
  3. Click the scope picker and toggle the optional scopes you need.
  4. Click Connect.
  5. A popup opens to Google's consent screen. Pick the Google account.
  6. Review the requested scopes and click Allow.

The popup closes; the dashboard shows the connection with status active.

What happened server-side

  1. The dashboard opened CrabGlamp's authorize endpoint in a popup, which redirected you to Google's consent screen. The flow uses PKCE, so the authorization can't be intercepted and replayed.
  2. After you clicked Allow, Google redirected back to CrabGlamp's callback with a one-time authorization code.
  3. CrabGlamp exchanged that code for a refresh token, read your email and scopes, encrypted the refresh token at rest (AES-256-GCM), and saved the connection. The popup closed and the dashboard refreshed.

Verify

Open an Agent terminal:

crabglamp apps google
# Configures the connection and exports the token as $GOG_ACCESS_TOKEN

curl -s -H "Authorization: Bearer $GOG_ACCESS_TOKEN" \
  "https://www.googleapis.com/oauth2/v3/userinfo"

The response is the standard Google userinfo payload.

Expanding scopes later

To add a new scope to an existing connection, repeat the Connect flow. Google's consent screen will show the new scopes; click Allow. The connection's stored scope list is updated.

Related

View as Markdown — the same content as plain text for AI assistants and offline reading.

Was this helpful?