Source: https://crabglamp.com/docs/app-integrations/tutorial/get-started Last updated: 2026-06-09 Type: tutorial App integrations is an OAuth broker. CrabGlamp holds your Google, GitHub, or Spotify refresh token (encrypted at rest with AES-256-GCM) and serves fresh access tokens to Agents on demand. v1 supports Google, GitHub, and Spotify. This tutorial uses Google because it has the broadest API surface. The same flow works for GitHub and Spotify. ## Authorize Google from the dashboard Open `/dashboard/apps`. Click **Connect** under the Google card. A popup opens to Google's consent screen. Pick the Google account you want to expose to Agents and review the scopes: - **Required** — `openid`, `email`, `profile` (so the proxy can identify the connection). - **Optional** — Calendar, Sheets, Docs, Contacts, Gmail (send), and per-file Drive — toggle the ones you want before clicking Authorize. Click **Allow** in the Google popup. The popup closes; the dashboard shows the new connection with its email, scopes, and "active" status. Behind the scenes CrabGlamp completed the OAuth handshake with Google (using PKCE), exchanged the authorization for a refresh token, and stored that token encrypted at rest (AES-256-GCM). You never see or handle the token yourself. ## List connections from the Agent CLI Open the Agent's code-server tab and open a terminal. Run: ```sh crabglamp apps list ``` You see the Google connection along with any other providers you have authorized. The connection ID and scope list match what the dashboard shows. ## Use the connection from the Agent Run: ```sh crabglamp apps google ``` This configures the Google connection on the Agent and writes the current access token to `$GOG_ACCESS_TOKEN` (in `~/.crabglamp/apps.env`, sourced by your shell). CrabGlamp refreshes the token from the stored refresh token whenever it is close to expiring, so you always have a current one; if it expires mid-session, `crabglamp apps refresh google` fetches a fresh one. Use the env var directly with the Google API: ```sh curl -s -H "Authorization: Bearer $GOG_ACCESS_TOKEN" \ "https://www.googleapis.com/oauth2/v3/userinfo" ``` The response is the standard Google userinfo payload — email, name, locale. ## What happens if you revoke at the provider Open Google's third-party app permissions page and revoke "CrabGlamp." The next time an Agent fetches a token, the refresh fails and the CrabGlamp token endpoint returns 410 to the Agent and marks the connection errored. The dashboard surfaces the error state the next time an Agent tries to use the connection, so you can re-authorize from the dashboard. ## What is next Read [the App integrations reference](/docs/app-integrations/reference) for the full list of supported providers, scopes per provider, token TTLs, and the API shape. To connect more Google accounts or expand scopes, follow [Connect Google](/docs/app-integrations/how-to/connect-google). To fetch tokens programmatically from non-CLI clients, follow [Fetch a fresh access token from an Agent](/docs/app-integrations/how-to/fetch-a-fresh-access-token-from-an-agent). To understand the storage model, read [OAuth and token storage](/docs/app-integrations/explanation/oauth-and-token-storage).