Summary
gws auth login presents an interactive scope picker with 9 scopes, but several supported services require scopes that aren't listed. Users who enable these services via -s (e.g., people, chat) get 403 Request had insufficient authentication scopes errors because the auth flow never requests the necessary scopes.
Affected Services & Missing Scopes
| Service | Required Scope | In Picker? |
|---|---|---|
| People (contacts) | contacts.readonly | No |
| People (directory) | directory.readonly | No |
| Chat (spaces) | chat.spaces | No |
| Chat (messages) | chat.messages | No |
The MCP server config (gws mcp -s drive,gmail,calendar,sheets,docs,slides,chat,people) exposes these services, but the auth token doesn't have the right scopes to call them.
Current Picker (9 scopes)
[x] Google Drive https://www.googleapis.com/auth/drive
[x] Google Sheets https://www.googleapis.com/auth/spreadsheets
[x] Gmail https://www.googleapis.com/auth/gmail.modify
[x] Google Calendar https://www.googleapis.com/auth/calendar
[x] Google Docs https://www.googleapis.com/auth/documents
[x] Google Slides https://www.googleapis.com/auth/presentations
[x] Google Tasks https://www.googleapis.com/auth/tasks
[x] Cloud Pub/Sub https://www.googleapis.com/auth/pubsub
[x] Cloud Platform https://www.googleapis.com/auth/cloud-platform
Workaround
- Run gws auth login (starts local listener on a random port)
- Copy the generated OAuth URL
- Manually append missing scopes to the scope= query parameter
- Open the modified URL in the browser instead of the original
- The redirect completes against the CLI's listener and the token is saved with all scopes
This works but is not discoverable and error-prone.
Suggested Fix
One or both of:
- Expand the picker — dynamically include scopes for all services passed via -s or all supported services
- Add a --scopes flag — e.g., gws auth login --scopes "contacts.readonly,directory.readonly,chat.spaces,chat.messages" to append additional scopes to the auth request
Environment
- @googleworkspace/cli v0.7.0
- macOS (Darwin 24.6.0)
- Used as an MCP server with Claude Code
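The manual URL edit from the Workaround section can be scripted so that only the scopes needed by the services passed via -s are appended and every other parameter (redirect URI, state) is left untouched. This is an added example, not code from the gws project; the sample URL is constructed, and the full `https://www.googleapis.com/auth/` prefix and space-delimited `scope=` value are assumptions about the URL the CLI prints.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

SCOPE_PREFIX = "https://www.googleapis.com/auth/"  # assumed full-URL scope form

# Service -> scopes missing from the picker, taken from the table in this report.
MISSING_BY_SERVICE = {
    "people": ["contacts.readonly", "directory.readonly"],
    "chat": ["chat.spaces", "chat.messages"],
}

# Constructed sample: stands in for the URL printed by `gws auth login`.
SAMPLE_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=EXAMPLE.apps.googleusercontent.com"
    "&redirect_uri=http%3A%2F%2Flocalhost%3A49152"
    "&response_type=code&state=CONSTRUCTED"
    "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive"
    "+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.modify"
)

def scopes_for(services):
    """Full scope URLs required by the enabled services but absent from the picker."""
    return [SCOPE_PREFIX + short
            for svc in services.split(",")
            for short in MISSING_BY_SERVICE.get(svc.strip(), [])]

def param(url, name):
    """Decoded value of a single query parameter."""
    return dict(parse_qsl(urlsplit(url).query))[name]

def add_scopes(auth_url, services):
    """Return (new_url, added): scope= extended with only the scopes not already requested."""
    parts = urlsplit(auth_url)
    query = parse_qsl(parts.query, keep_blank_values=True)
    if sum(1 for k, _ in query if k == "scope") != 1:
        raise ValueError("expected exactly one scope= parameter")
    current = param(auth_url, "scope").split()
    added = [s for s in scopes_for(services) if s not in current]
    new_scope = " ".join(current + added)
    # Rewrite scope= only; redirect_uri, state and the rest pass through unchanged.
    query = [(k, new_scope if k == "scope" else v) for k, v in query]
    return urlunsplit(parts._replace(query=urlencode(query))), added

if __name__ == "__main__":
    url, added = add_scopes(SAMPLE_URL, "drive,gmail,calendar,sheets,docs,slides,chat,people")
    print("added:", *added, sep="\n  ")
    print(url)
```

Passing only the services actually in use keeps the consent request limited to the scopes those services need.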