Google Workspace MCP Server

Full natural language control over Google Calendar, Drive, Gmail, Docs, Sheets, Slides, Forms, Tasks, Contacts, and Chat through all MCP clients, AI assistants and developer tools.

Includes a full featured CLI & Code Mode for use with tools like Claude Code and Codex!

The most feature-complete Google Workspace MCP server, it can do things that Google's own tooling and the built in integrations with Claude and ChatGPT can't even dream of. With Remote OAuth2.1 multi-user support, fine-grained editing tools and the most extensive coverage of any Google Workspace tool in existance, Workspace MCP is in a different class. Offering native OAuth 2.1, stateless mode and external auth server support, it's also the only Workspace MCP you can host for your whole organization centrally & securely!

Support for all free Google accounts & Google Workspace plans (Starter, Standard, Plus, Enterprise, Non Profit) with expanded app options like Chat & Spaces. Interested in a private, managed cloud instance? That can be arranged.

See it in action:

Overview

Workspace MCP is the single most complete MCP server, the only that integrates all major Google Workspace services with AI assistants and all agent platforms. The entire toolset is available for CLI usage supporting both local and remote instances.

Related MCP server: google-workspace-mcp-server

Features

12 services  —  Gmail · Drive · Calendar · Docs · Sheets · Slides · Forms · Chat · Apps Script · Tasks · Contacts · Search

📧 Gmail — Complete email management, end-to-end coverage 📁 Drive — File operations with sharing, permissions, Office files, PDFs & images 📅 Calendar — Full event management with advanced features 📝 Docs — Deep, fine-grained editing, formatting & comments 📊 Sheets — Flexible cell management, formatting & conditional rules 🖼️ Slides — Presentation creation, updates & content manipulation 📋 Forms — Creation, publish settings & response management 💬 Chat — Space management, messaging & reactions

⚡ Apps Script — Cross-application workflow automation  Projects · deployments · versions · execution · debugging

✅ Tasks — Task & list management with hierarchy 👤 Contacts — People API with groups & batch operations 🔍 Custom Search — Programmable Search Engine integration

🔐 Authentication & Security OAuth 2.0 & 2.1 · auto token refresh · multi-user bearer tokens · transport-aware callbacks · CORS proxy

Security & Compliance

For Security Teams

This server sends no data anywhere except Google's APIs, on behalf of the authenticated user, using your own OAuth client credentials. There is no telemetry, no usage reporting, no analytics, no license server, and no SaaS dependency. The entire data path is: your infrastructure → Google APIs.

• Fully open source — every line is auditable in this repo

• Your OAuth client, your GCP project — credentials never leave your environment

• You control the scopes — read-only, granular per-service permissions, or full access

• You control the network — deploy behind your reverse proxy, in your VPC, on your own terms

• No third-party services — no intermediary servers, no token relays, no hosted backends

• Stateless mode — zero disk writes for locked-down container environments

• Sensitive path blocking — local file reads default to the managed attachment directory, and validate_file_path() still blocks .env* files plus common home-directory credential stores such as ~/.ssh/ and ~/.aws/ even if ALLOWED_FILE_DIRS is broadened

Full dependency tree in pyproject.toml, pinned in uv.lock.

For Legal & Procurement

This project is MIT licensed — not "open core," not "source available," not "free with a CLA." There is no dual licensing, no commercial tier gating features, and no contributor license agreement.

• Use commercially without restriction — build products, sell services, deploy internally

• Fork, embed, redistribute — MIT requires only attribution

• No CLA — contributions remain under MIT

• No telemetry to disclose — nothing to flag in a privacy review

• No network effects — the server never contacts any endpoint you didn't configure

• Standard dependency licenses — MIT, Apache 2.0, and BSD throughout the dependency chain; no copyleft, no AGPL

The license is 21 lines and says what it means.

Quick Start

Set credentials → pick a launch command → connect your client

💡 New to Workspace MCP? Check out the Interactive Quick Start Guide → with step-by-step setup, screenshots, and troubleshooting tips!

Confidential Client Quick Start

# 1. Credentials
export GOOGLE_OAUTH_CLIENT_ID="..."
export GOOGLE_OAUTH_CLIENT_SECRET="..."

# 2. Launch — pick a tier
uvx workspace-mcp --tool-tier core       # essential tools
uvx workspace-mcp --tool-tier extended   # core + management ops
uvx workspace-mcp --tool-tier complete   # everything

# Or cherry-pick services
uv run main.py --tools gmail drive calendar

Secretless / Public OAuth 2.1 (PKCE) Quick Start

# 1. Credentials
export MCP_ENABLE_OAUTH21=true
export GOOGLE_OAUTH_CLIENT_ID="..."
export WORKSPACE_MCP_PORT=8000
export GOOGLE_OAUTH_REDIRECT_URI="http://localhost:${WORKSPACE_MCP_PORT}/oauth2callback"
export OAUTHLIB_INSECURE_TRANSPORT=1
# Leave GOOGLE_OAUTH_CLIENT_SECRET unset for public PKCE clients
export FASTMCP_SERVER_AUTH_GOOGLE_JWT_SIGNING_KEY="$(openssl rand -hex 32)"

# 2. Launch — OAuth 2.1 requires HTTP transport
uvx workspace-mcp --transport streamable-http --tool-tier core
uvx workspace-mcp --transport streamable-http --tool-tier extended
uvx workspace-mcp --transport streamable-http --tool-tier complete

# Or cherry-pick services
uv run main.py --transport streamable-http --tools gmail drive calendar

Credential setup → · All launch options → · Tier details →

*Required for development only. Claude Desktop stores credentials securely in the OS keychain — set them once in the extension pane.

Quick Start — Connect Claude to Google Workspace

The recommended setup is to run an instance and connect Claude to it via a Connector. Full instructions at workspacemcp.com/quick-start.

Prerequisites

Python 3.10+ · uv/uvx · Google Cloud Project with OAuth 2.0 credentials

If you want the GCS credential store backend, install the optional dependency first:

uv sync --extra gcs
# or
pip install "workspace-mcp[gcs]"

Configuration

1. Create Project — Open Console → → Create new project

2. Create OAuth Credentials — APIs & Services → Credentials → Create Credentials → OAuth Client ID

   • Choose Desktop Application for a public PKCE client (no redirect URIs needed) or Web Application for a confidential client

   • Download and note your Client ID and, if issued, Client Secret

3. Enable APIs — APIs & Services → Library, then enable each service:

   Calendar	Drive	Gmail	Docs
   Sheets	Slides	Forms	Tasks
   Chat	People	Custom Search	Apps Script

4. Set Credentials — see Environment Variable Reference above, or:

   export GOOGLE_OAUTH_CLIENT_ID="your-client-id"
   export GOOGLE_OAUTH_CLIENT_SECRET="your-secret"

   For public OAuth 2.1 PKCE clients, omit GOOGLE_OAUTH_CLIENT_SECRET and set FASTMCP_SERVER_AUTH_GOOGLE_JWT_SIGNING_KEY instead.

Full OAuth documentation → · Credential setup details →

Google Custom Search Setup

1. Create Search Engine

programmablesearchengine.google.com
/controlpanel/create

→ Configure sites or entire web
→ Note your Engine ID (cx)

Open Control Panel →

2. Get API Key

developers.google.com
/custom-search/v1/overview

→ Create/select project
→ Enable Custom Search API
→ Create credentials (API Key)

Get API Key →

3. Set Variables

export GOOGLE_PSE_API_KEY=\
  "your-api-key"
export GOOGLE_PSE_ENGINE_ID=\
  "your-engine-id"

Configure in environment

Complete Setup Process:

1. Create Search Engine - Visit the Control Panel

   • Choose "Search the entire web" or specify sites

   • Copy the Search Engine ID (looks like: 017643444788157684527:6ivsjbpxpqw)

2. Enable API & Get Key - Visit Google Developers Console

   • Enable "Custom Search API" in your project

   • Create credentials → API Key

   • Restrict key to Custom Search API (recommended)

3. Configure Environment - Add to your shell or .env:

   export GOOGLE_PSE_API_KEY="AIzaSy..."
   export GOOGLE_PSE_ENGINE_ID="01764344478..."

≡ Full Documentation →

Start the Server

📌 Transport Mode Guidance: Use streamable HTTP mode (--transport streamable-http) for all modern MCP clients including Claude Code, VS Code MCP, and MCP Inspector. For Claude Desktop, run an instance and connect via a Connector. Stdio mode is a legacy fallback. For deployments, prefer OAuth 2.1 with stateless mode (MCP_ENABLE_OAUTH21=true, WORKSPACE_MCP_STATELESS_MODE=true) unless you need local attachment or credential storage.

OAuth state safety: Legacy stdio starts a local-only OAuth callback server. In single-user mode only, it may recover a missing Google state parameter by consuming the most recent pending local OAuth state. This fallback is intentionally disabled outside single-user mode because it can cross session boundaries. Do not enable or emulate this behavior in streamable HTTP, hosted, or multi-user deployments; those modes must require an explicit state match.

▶ Legacy Mode

uv run main.py

⚠️ Stdio mode (incomplete MCP clients only)

◆ HTTP Mode (Recommended)

export MCP_ENABLE_OAUTH21=true
export GOOGLE_OAUTH_CLIENT_ID="..."
uv run main.py \
  --transport streamable-http

✅ Full MCP spec compliance & OAuth 2.1

@ Single User

uv run main.py \
  --single-user

Simplified authentication ⚠️ Cannot be used with OAuth 2.1 mode

▶ Selective Tool Loading

# Load specific services only
uv run main.py --tools gmail drive calendar
uv run main.py --tools sheets docs

# Combine with other flags
uv run main.py --single-user --tools gmail

🔒 Read-Only Mode

# Requests only read-only scopes & disables write tools
uv run main.py --read-only

# Combine with specific tools or tiers
uv run main.py --tools gmail drive --read-only
uv run main.py --tool-tier core --read-only

Read-only mode provides secure, restricted access by:

• Requesting only *.readonly OAuth scopes (e.g., gmail.readonly, drive.readonly)

• Automatically filtering out tools that require write permissions at startup

• Allowing read operations: list, get, search, and export across all services

🔐 Granular Permissions

# Per-service permission levels
uv run main.py --permissions gmail:organize drive:readonly

# Combine permissions with tier filtering
uv run main.py --permissions gmail:send drive:full --tool-tier core

Granular permissions mode provides service-by-service scope control:

• Format: service:level (one entry per service)

• Gmail levels: readonly, organize, drafts, send, full (cumulative)

• Tasks levels: readonly, manage, full (cumulative; manage allows create/update/move but denies delete and clear_completed)

• Other services currently support: readonly, full

• --permissions and --read-only are mutually exclusive

• --permissions cannot be combined with --tools; enabled services are determined by the --permissions entries (optionally filtered by --tool-tier)

• With --tool-tier, only tier-matched tools are enabled and only services that have tools in the selected tier are imported

The WORKSPACE_MCP_TOOLS, WORKSPACE_MCP_TOOL_TIER, WORKSPACE_MCP_READ_ONLY, and WORKSPACE_MCP_PERMISSIONS environment variables provide the same controls for plugin and container installs. Empty strings are ignored. Non-empty malformed values fail closed at startup. Explicit CLI flags take precedence over mutually exclusive env vars.

Advanced legacy stdio sidecar

# Optional bridge only for local legacy stdio sessions
WORKSPACE_MCP_HTTP_PORT=8001 uv run main.py
workspace-cli --url http://127.0.0.1:8001/mcp list

The sidecar is disabled unless WORKSPACE_MCP_HTTP_PORT is set. It only exists to bridge local workspace-cli calls into a legacy stdio server. Do not use it for normal Claude Code, VS Code, hosted, or multi-user deployments; use streamable HTTP with OAuth 2.1 instead. When enabled, it validates ports in the 1..65535 range, binds to 127.0.0.1, and logs a warning if the port is already in use while keeping stdio running.

★ Tool Tiers

uv run main.py --tool-tier core      # ● Essential tools only
uv run main.py --tool-tier extended  # ◐ Core + additional
uv run main.py --tool-tier complete  # ○ All available tools

◆ Docker Deployment

docker build -t workspace-mcp .
docker run -p 8000:8000 -v $(pwd):/app \
  -e MCP_ENABLE_OAUTH21=true \
  -e GOOGLE_OAUTH_CLIENT_ID="..." \
  workspace-mcp --transport streamable-http

# With tool selection via environment variables
docker run -e TOOL_TIER=core workspace-mcp
docker run -e TOOLS="gmail drive calendar" workspace-mcp

Available Services: gmail • drive • calendar • docs • sheets • forms • tasks • contacts • chat • search

CLI

The workspace-cli command lists tools and calls them against a running server — with encrypted, disk-backed OAuth token caching so you only authenticate once. On first run it opens a browser for Google consent; subsequent runs reuse the cached tokens automatically.

Tokens are stored encrypted at ~/.workspace-mcp/cli-tokens/ using a Fernet key auto-generated at ~/.workspace-mcp/.cli-encryption-key.

To use workspace-cli globally, you'll want to start in this repo and run uv tool install .

Once complete, you'll have workspace-cli available globally via workspace-cli

Note: there is a public (but abandoned) pypi package with the same name - do not use uvx, as it will pull the wrong thing.

▶ List Tools

uv run workspace-cli list
uv run workspace-cli --url https://custom.server/mcp list

# Or, if installed globally:
workspace-cli list
workspace-cli --url https://custom.server/mcp list

View all available tools

◆ Call a Tool

uv run workspace-cli call search_gmail_messages \
  query="is:unread" max_results=5

Execute a tool with key=value arguments

Set URL for remote endpoints with --url or the WORKSPACE_MCP_URL environment variable.

The upstream FastMCP CLI is also bundled and provides additional commands for schema inspection, client installation, and editor discovery. Note that fastmcp uses in-memory token storage, so each invocation may re-trigger the OAuth flow.

fastmcp inspect fastmcp_server.py                        # print tools, resources, prompts
fastmcp install claude-code fastmcp_server.py             # one-command client setup
fastmcp install cursor fastmcp_server.py
fastmcp discover                                          # find servers configured in editors

See fastmcp --help or the FastMCP CLI docs for the full command reference.

Tool Tiers

The server organizes tools into three progressive tiers for simplified deployment. Choose a tier that matches your usage needs and API quota requirements.

Available Tiers

● Core (--tool-tier core) Essential tools for everyday tasks. Perfect for light usage with minimal API quotas. Includes search, read, create, and basic modify operations across all services.

● Extended (--tool-tier extended) Core functionality plus management tools. Adds labels, folders, batch operations, and advanced search. Ideal for regular usage with moderate API needs.

● Complete (--tool-tier complete) Full API access including comments, headers/footers, publishing settings, and administrative functions. For power users needing maximum functionality.

Important Notes

▶ Start with core and upgrade as needed ▶ Tiers are cumulative – each includes all previous ▶ Mix and match with --tools for specific services ▶ Configuration in core/tool_tiers.yaml ▶ Authentication included in all tiers

Usage Examples

# Basic tier selection
uv run main.py --tool-tier core                            # Start with essential tools only
uv run main.py --tool-tier extended                        # Expand to include management features
uv run main.py --tool-tier complete                        # Enable all available functionality

# Selective service loading with tiers
uv run main.py --tools gmail drive --tool-tier core        # Core tools for specific services
uv run main.py --tools gmail --tool-tier extended          # Extended Gmail functionality only
uv run main.py --tools docs sheets --tool-tier complete    # Full access to Docs and Sheets

# Combine tier selection with granular permission levels
uv run main.py --permissions gmail:organize drive:full --tool-tier core

📋 Credential Configuration

🚀 Environment Variables

export GOOGLE_OAUTH_CLIENT_ID=\
  "your-client-id"
export GOOGLE_OAUTH_CLIENT_SECRET=\
  "your-secret"

Best for production

📁 File-based

# Download & place in project root
client_secret.json

# Or specify custom path
export GOOGLE_CLIENT_SECRET_PATH=\
  /path/to/secret.json

Traditional method

⚡ .env File

cp .env.oauth21 .env
# Edit .env with credentials

Best for development

Loading Priority

1. Environment variables (export VAR=value)

2. .env file in project root (warning - if you run via uvx rather than uv run from the repo directory, you are spawning a standalone process not associated with your clone of the repo and it will not find your .env file without specifying it directly)

3. client_secret.json via GOOGLE_CLIENT_SECRET_PATH

4. Default client_secret.json in project root

Why Environment Variables?

• ✅ Docker/K8s ready - Native container support

• ✅ Cloud platforms - Heroku, Railway, Vercel

• ✅ CI/CD pipelines - GitHub Actions, Jenkins

• ✅ No secrets in git - Keep credentials secure

• ✅ Easy rotation - Update without code changes

🧰 Available Tools

Note: All tools support automatic authentication via @require_google_service() decorators with 30-minute service caching.

📖 Looking for detailed parameters? Visit the Complete Documentation → for comprehensive tool reference, examples, and API guides!

📅 Google Calendar calendar_tools.py

📁 Google Drive drive_tools.py

📧 Gmail gmail_tools.py

Both send_gmail_message and draft_gmail_message support attachments via two methods:

Option 1: File Path (local server only)

attachments=[{"path": "/path/to/report.pdf"}]

Reads file from disk, auto-detects MIME type. Optional filename override.

Option 2: Base64 Content (works everywhere)

attachments=[{
    "filename": "report.pdf",
    "content": "JVBERi0xLjQK...",  # base64-encoded
    "mime_type": "application/pdf"   # optional
}]

⚠️ Centrally Hosted Servers: When the MCP server runs remotely (cloud, shared instance), it cannot access your local filesystem. Use Option 2 with base64-encoded content. Your MCP client must encode files before sending.

When downloading Gmail attachments (get_gmail_attachment_content) or Drive files (get_drive_file_download_url), files are saved to a persistent local directory rather than a temporary folder in the working directory.

Default location: ~/.workspace-mcp/attachments/

Files are saved with their original filename plus a short UUID suffix for uniqueness (e.g., invoice_a1b2c3d4.pdf). In stdio mode, the tool returns the absolute file path for direct filesystem access. In HTTP mode, it returns a download URL via the /attachments/{file_id} endpoint.

To customize the storage directory:

export WORKSPACE_ATTACHMENT_DIR="/path/to/custom/dir"

Saved files expire after 1 hour and are cleaned up automatically.

📝 Google Docs docs_tools.py

📊 Google Sheets sheets_tools.py

🖼️ Google Slides slides_tools.py

📋 Google Forms forms_tools.py

✓ Google Tasks tasks_tools.py

👤 Google Contacts contacts_tools.py

💬 Google Chat chat_tools.py

🔍 Google Custom Search search_tools.py

⚡ Google Apps Script apps_script_tools.py

Tool Tier Legend: ● Core — Essential tools for basic functionality · Minimal API usage · Getting started ● Extended — Core + additional features · Regular usage · Expanded capabilities ● Complete — All available tools including advanced features · Power users · Full API access

Connect to Claude Desktop

The recommended way to use Google Workspace MCP with Claude Desktop is to run a server instance and connect Claude to it via a Connector. This provides proper OAuth flow, multi-user support, and the best experience.

See the Quick Start Guide for setup instructions.

⚠️ Note: Stdio mode is a legacy fallback for clients that don't support Connectors. Prefer the Connector-based approach above.

OAuth callback caveat: The legacy stdio callback path includes a local recovery fallback for rare Google redirects that omit the state parameter, but only when --single-user is active. That recovery can only be safe in a single-user local process; in HTTP or hosted multi-user scenarios it could consume another user's pending OAuth state. There is no environment variable to enable this globally.

1. Open Claude Desktop Settings → Developer → Edit Config

   • macOS: ~/Library/Application Support/Claude/claude_desktop_config.json

   • Windows: %APPDATA%\Claude\claude_desktop_config.json

2. Add the server configuration:

{
  "mcpServers": {
    "google_workspace": {
      "command": "uvx",
      "args": ["workspace-mcp"],
      "env": {
        "GOOGLE_OAUTH_CLIENT_ID": "your-client-id",
        "GOOGLE_OAUTH_CLIENT_SECRET": "your-secret",
        "OAUTHLIB_INSECURE_TRANSPORT": "1"
      }
    }
  }
}

Connect to LM Studio

Add a new MCP server in LM Studio (Settings → MCP Servers) using the same JSON format:

{
  "mcpServers": {
    "google_workspace": {
      "command": "uvx",
      "args": ["workspace-mcp"],
      "env": {
        "GOOGLE_OAUTH_CLIENT_ID": "your-client-id",
        "GOOGLE_OAUTH_CLIENT_SECRET": "your-secret",
        "OAUTHLIB_INSECURE_TRANSPORT": "1",
      }
    }
  }
}

2. Advanced / Cross-Platform Installation

If you’re developing, deploying to servers, or using another MCP-capable client, keep reading.

Instant CLI (uvx)

# Requires Python 3.10+ and uvx
# First, set credentials (see Credential Configuration above)
uvx workspace-mcp --tool-tier core  # or --tools gmail drive calendar

Note: Configure OAuth credentials before running. Supports environment variables, .env file, or client_secret.json.

Local Development Setup

# Install everything needed for linting, tests, and release tooling
uv sync --group dev

# Run the same linter that git hooks invoke automatically
uv run ruff check .

# Execute the full test suite (async fixtures require pytest-asyncio)
uv run pytest

• uv sync --group test installs only the testing stack if you need a slimmer environment.

• MCP_ENABLE_OAUTH21=true GOOGLE_OAUTH_CLIENT_ID=... uv run main.py --transport streamable-http launches the HTTP server with your checked-out code for manual verification.

• Ruff is part of the dev group because pre-push hooks call ruff check automatically—run it locally before committing to avoid hook failures.

OAuth 2.1 Support (Multi-User Bearer Token Authentication)

The server includes OAuth 2.1 support for bearer token authentication, enabling multi-user session management. OAuth 2.1 automatically reuses your existing GOOGLE_OAUTH_CLIENT_ID and, for confidential clients, GOOGLE_OAUTH_CLIENT_SECRET credentials - no additional Google-side configuration needed. Public PKCE clients are also supported: if you omit GOOGLE_OAUTH_CLIENT_SECRET, set FASTMCP_SERVER_AUTH_GOOGLE_JWT_SIGNING_KEY explicitly.

When to use OAuth 2.1:

• Multiple users accessing the same MCP server instance

• Need for bearer token authentication instead of passing user emails

• Building web applications or APIs on top of the MCP server

• Production environments requiring secure session management

• Browser-based clients requiring CORS support

⚠️ Important: Mutually exclusive authentication modes

OAuth 2.1 mode (MCP_ENABLE_OAUTH21=true) cannot be used together with --single-user or service account mode:

• Single-user mode: For legacy clients that pass user emails in tool calls

• OAuth 2.1 mode: For modern multi-user scenarios with bearer token authentication

• Service account mode: For headless/server-to-server use via domain-wide delegation

Choose one authentication method - combining incompatible modes will result in a startup error.

Enabling OAuth 2.1: To enable OAuth 2.1, set the MCP_ENABLE_OAUTH21 environment variable to true.

# OAuth 2.1 requires HTTP transport mode
export MCP_ENABLE_OAUTH21=true
uv run main.py --transport streamable-http

If MCP_ENABLE_OAUTH21 is not set to true, the server uses legacy authentication. In streamable-http mode, legacy authentication binds to 127.0.0.1 by default to keep cached Google credentials local. Set WORKSPACE_MCP_HOST explicitly only for trusted networks; use OAuth 2.1 for remote or shared HTTP deployments.

Streamable HTTP requests with an Origin header are checked against loopback origins, WORKSPACE_EXTERNAL_URL, and OAUTH_ALLOWED_ORIGINS to reduce DNS-rebinding risk. Non-browser MCP clients that omit Origin are unaffected.

vscode-webview origins: Origins with the vscode-webview:// scheme are scoped per-extension using the authority component (e.g. vscode-webview://publisher.extension). Adding a vscode-webview URI to OAUTH_ALLOWED_ORIGINS permits only the specific extension identified by that authority; other extensions are rejected.

FastMCP ships a native GoogleProvider that we now rely on directly. It solves the two tricky parts of using Google OAuth with MCP clients:

1. Dynamic Client Registration: Google still doesn't support OAuth 2.1 DCR, but the FastMCP provider exposes the full DCR surface and forwards registrations to Google using your fixed credentials. MCP clients register as usual and the provider hands them your Google client ID and, when configured, client secret under the hood.

2. CORS & Browser Compatibility: The provider includes an OAuth proxy that serves all discovery, authorization, and token endpoints with proper CORS headers. We no longer maintain custom /oauth2/* routes—the provider handles the upstream exchanges securely and advertises the correct metadata to clients.

The result is a leaner server that still enables any OAuth 2.1 compliant client (including browser-based ones) to authenticate through Google without bespoke code.

Restricting DCR client redirect URIs:

By default, any client going through Dynamic Client Registration can declare any redirect_uri. For publicly-exposed deployments, this is a phishing vector — an attacker can register a client with a redirect_uri they control and harvest authorization codes from tricked users. Set WORKSPACE_MCP_ALLOWED_CLIENT_REDIRECT_URIS to a comma-separated allowlist of permitted URIs:

# Public deployment — restrict to Claude's hosted OAuth callbacks
export WORKSPACE_MCP_ALLOWED_CLIENT_REDIRECT_URIS="https://claude.ai/api/mcp/auth_callback,https://claude.com/api/mcp/auth_callback"

# Add Claude Code CLI (loopback redirects on ephemeral ports)
export WORKSPACE_MCP_ALLOWED_CLIENT_REDIRECT_URIS="https://claude.ai/api/mcp/auth_callback,https://claude.com/api/mcp/auth_callback,http://localhost:*/callback,http://127.0.0.1:*/callback"

Patterns use FastMCP's matcher: * wildcards any port or path component; *.example.com matches subdomains. Leaving the variable unset preserves the default DCR behaviour (any URI accepted), which is appropriate for local development but unsafe for public deployments.

Stateless Mode (Container-Friendly)

The server supports a stateless mode designed for containerized environments where file system writes should be avoided:

Enabling Stateless Mode:

# Stateless mode requires OAuth 2.1 to be enabled
export MCP_ENABLE_OAUTH21=true
export GOOGLE_OAUTH_CLIENT_ID="..."
export WORKSPACE_MCP_STATELESS_MODE=true
uv run main.py --transport streamable-http

Key Features:

• No file system writes: Credentials are never written to disk

• No debug logs: File-based logging is completely disabled

• Memory-only sessions: All tokens stored in memory via OAuth 2.1 session store

• Container-ready: Perfect for Docker, Kubernetes, and serverless deployments

• Token per request: Each request must include a valid Bearer token

Requirements:

• Must be used with MCP_ENABLE_OAUTH21=true

• Incompatible with single-user mode

• Clients must handle OAuth flow and send valid tokens with each request

This mode is ideal for:

• Cloud deployments where persistent storage is unavailable

• Multi-tenant environments requiring strict isolation

• Containerized applications with read-only filesystems

• Serverless functions and ephemeral compute environments

MCP Inspector: No additional configuration needed with desktop OAuth client.

Claude Code: No additional configuration needed with desktop OAuth client.

OAuth Proxy Storage Backends

The server supports pluggable storage backends for OAuth proxy state management via FastMCP 2.13.0+. Choose a backend based on your deployment needs.

Available Backends:

Configuration:

# Memory storage (fast, no persistence)
export WORKSPACE_MCP_OAUTH_PROXY_STORAGE_BACKEND=memory

# Disk storage (persists across restarts)
export WORKSPACE_MCP_OAUTH_PROXY_STORAGE_BACKEND=disk
export WORKSPACE_MCP_OAUTH_PROXY_DISK_DIRECTORY=~/.fastmcp/oauth-proxy

# Valkey/Redis storage (distributed, multi-server)
export WORKSPACE_MCP_OAUTH_PROXY_STORAGE_BACKEND=valkey
export WORKSPACE_MCP_OAUTH_PROXY_VALKEY_HOST=redis.example.com
export WORKSPACE_MCP_OAUTH_PROXY_VALKEY_PORT=6379

Disk support requires workspace-mcp[disk] (or py-key-value-aio[disk]) when installing from source. The official Docker image includes the disk extra by default. Valkey support is optional. Install workspace-mcp[valkey] (or py-key-value-aio[valkey]) only if you enable the Valkey backend. Windows: building valkey-glide from source requires MSVC C++ build tools with C11 support. If you see aws-lc-sys C11 errors, set CFLAGS=/std:c11.

Encryption: Disk and Valkey storage are encrypted with Fernet. The encryption key is derived from FASTMCP_SERVER_AUTH_GOOGLE_JWT_SIGNING_KEY if set, otherwise from GOOGLE_OAUTH_CLIENT_SECRET. Public OAuth 2.1 client setups without a client secret must set FASTMCP_SERVER_AUTH_GOOGLE_JWT_SIGNING_KEY.

External OAuth 2.1 Provider Mode

The server supports an external OAuth 2.1 provider mode for scenarios where authentication is handled by an external system. In this mode, the MCP server does not manage the OAuth flow itself but expects valid bearer tokens in the Authorization header of tool calls.

Enabling External OAuth 2.1 Provider Mode:

# External OAuth provider mode requires OAuth 2.1 to be enabled
export MCP_ENABLE_OAUTH21=true
export GOOGLE_OAUTH_CLIENT_ID="..."
export EXTERNAL_OAUTH21_PROVIDER=true
uv run main.py --transport streamable-http

How It Works:

• Protocol-level auth enabled: All MCP requests (including initialize and tools/list) require a valid Bearer token, following the standard OAuth 2.1 flow. Unauthenticated requests receive a 401 with resource metadata pointing to Google's authorization server.

• External OAuth flow: Your external system handles the OAuth flow and obtains Google access tokens (ya29.*)

• Token validation: Server validates bearer tokens by calling Google's userinfo API

• Multi-user support: Each request is authenticated independently based on its bearer token

• Resource metadata discovery: The server serves /.well-known/oauth-protected-resource (RFC 9728) advertising Google as the authorization server and the required scopes

Key Features:

• No local OAuth flow: Server does not provide /authorize, /token, or /register endpoints — only resource metadata

• Bearer token only: All authentication via Authorization: Bearer <token> headers

• Stateless by design: Works seamlessly with WORKSPACE_MCP_STATELESS_MODE=true

• External identity providers: Integrate with your existing authentication infrastructure

Requirements:

• Must be used with MCP_ENABLE_OAUTH21=true

• OAuth client ID still required for token validation; client secret is optional for public clients (GOOGLE_OAUTH_CLIENT_ID, optional GOOGLE_OAUTH_CLIENT_SECRET)

• External system must obtain valid Google OAuth access tokens (ya29.*)

• Each tool call request must include valid bearer token

Use Cases:

• Integrating with existing authentication systems

• Custom OAuth flows managed by your application

• API gateways that handle authentication upstream

• Multi-tenant SaaS applications with centralized auth

• Mobile or web apps with their own OAuth implementation

Service Account Mode (Domain-Wide Delegation)

WARNING: This mode uses Google Workspace domain-wide delegation, which grants the service account the ability to impersonate any user in your domain for the configured scopes. This is powerful and dangerous — do not use this unless you fully understand the security implications. A misconfigured service account with broad scopes can read, modify, and delete data across every user in your organization. Only use this in tightly controlled environments where you know exactly what you're doing.

Service account mode allows the server to authenticate using a Google Cloud service account with domain-wide delegation instead of interactive OAuth flows. The service account impersonates a single configured domain user for all API calls.

When to use service account mode:

• Headless or unattended environments where no browser is available for OAuth consent

• Server-to-server integrations that need to act on behalf of a specific domain user

• CI/CD pipelines or automation scripts

• Environments where you cannot or do not want to manage per-user OAuth tokens

Enabling Service Account Mode:

# Option 1: Key file on disk
export GOOGLE_SERVICE_ACCOUNT_KEY_FILE="/path/to/service-account-key.json"
export USER_GOOGLE_EMAIL="user@yourdomain.com"
uv run main.py

# Option 2: Inline JSON key (e.g., from a secret manager)
export GOOGLE_SERVICE_ACCOUNT_KEY_JSON='{"type":"service_account","project_id":"...","private_key":"...","client_email":"..."}'
export USER_GOOGLE_EMAIL="user@yourdomain.com"
uv run main.py

Prerequisites:

1. A Google Cloud service account with a JSON key

2. Domain-wide delegation enabled for the service account in your Google Workspace Admin Console (Security → API controls → Domain-wide delegation)

3. The required OAuth scopes authorized for the service account's client ID in the Admin Console

4. USER_GOOGLE_EMAIL set to the domain user the service account will impersonate

Incompatibilities:

• Cannot be combined with --single-user mode

• Cannot be combined with MCP_ENABLE_OAUTH21=true

• Only one key source may be provided — set either GOOGLE_SERVICE_ACCOUNT_KEY_FILE or GOOGLE_SERVICE_ACCOUNT_KEY_JSON, not both

Key Behaviors:

• The OAuth callback server is not started (no interactive auth needed)

• Credentials directory permission checks are skipped

• When a tool call supplies user_google_email, service account mode uses that email as the domain-wide delegation impersonation subject.

• USER_GOOGLE_EMAIL is still required and serves as the fallback when no caller email is provided.

• The service account key is validated at startup (checks for required fields and correct type)

Per-Request Impersonation:

The caller-supplied user_google_email on each tool call is used as the DWD impersonation subject instead of the static USER_GOOGLE_EMAIL. This lets a single server instance act on behalf of multiple domain users.

# Optional: restrict which domains may be impersonated
export DWD_ALLOWED_DOMAINS="corp.com,subsidiary.io"

• If DWD_ALLOWED_DOMAINS is set, only emails whose domain appears in the comma-separated list are accepted; all others raise an authentication error.

• If DWD_ALLOWED_DOMAINS is unset, any email accepted by the service account's delegation scope is allowed.

VS Code MCP Client Support

✅ Recommended: VS Code MCP extension properly supports the full MCP specification. Always use HTTP transport mode for proper OAuth 2.1 authentication.

{
    "servers": {
        "google-workspace": {
            "url": "http://localhost:8000/mcp/",
            "type": "http"
        }
    }
}

Note: Make sure to start the server with --transport streamable-http when using VS Code MCP. For remote or shared HTTP endpoints, see the OAuth 2.1 note in the HTTP Mode section.

Origin validation: VS Code webview clients send a vscode-webview://<extension-id> origin, which is rejected by default. Add the specific origin to OAUTH_ALLOWED_ORIGINS (e.g. OAUTH_ALLOWED_ORIGINS=vscode-webview://your.extension-id) to permit it. Connections to a localhost/127.0.0.1 URL are allowed without extra configuration.

Claude Code MCP Client Support

✅ Recommended: Claude Code is a modern MCP client that properly supports the full MCP specification. Always use HTTP transport mode with Claude Code for proper OAuth 2.1 authentication and multi-user support.

# Start the server in HTTP mode first
export MCP_ENABLE_OAUTH21=true
export GOOGLE_OAUTH_CLIENT_ID="..."
uv run main.py --transport streamable-http

# Then add to Claude Code
claude mcp add --transport http workspace-mcp http://localhost:8000/mcp

# Optional: install the bundled Claude skill for better Workspace tool routing
mkdir -p ~/.claude/skills
ln -s "$(pwd)/skills/managing-google-workspace" ~/.claude/skills/managing-google-workspace

Or copy skills/managing-google-workspace into ~/.claude/skills/managing-google-workspace if you prefer not to symlink it.

Reverse Proxy Setup

If you're running the MCP server behind a reverse proxy (nginx, Apache, Cloudflare, etc.), you have two configuration options:

Problem: When behind a reverse proxy, the server constructs OAuth URLs using internal ports (e.g., http://localhost:8000) but external clients need the public URL (e.g., https://your-domain.com).

Solution 1: Set WORKSPACE_EXTERNAL_URL for all OAuth endpoints:

# This configures all OAuth endpoints to use your external URL
export WORKSPACE_EXTERNAL_URL="https://your-domain.com"

Solution 2: Set GOOGLE_OAUTH_REDIRECT_URI for just the callback:

# This only overrides the OAuth callback URL
export GOOGLE_OAUTH_REDIRECT_URI="https://your-domain.com/oauth2callback"

You also have options for: | OAUTH_CUSTOM_REDIRECT_URIS (optional) | Comma-separated list of additional redirect URIs | | OAUTH_ALLOWED_ORIGINS (optional) | Comma-separated list of additional CORS origins |

Important:

• Use WORKSPACE_EXTERNAL_URL when all OAuth endpoints should use the external URL (recommended for reverse proxy setups)

• Use GOOGLE_OAUTH_REDIRECT_URI when you only need to override the callback URL

• The redirect URI must exactly match what's configured in your Google Cloud Console

• Your reverse proxy must forward OAuth-related requests (/oauth2callback, /oauth2/*, /.well-known/*) to the MCP server

# Configure credentials first (see Credential Configuration section)

# Start with specific tools only
uvx workspace-mcp --tools gmail drive calendar tasks

# Start with tool tiers (recommended for most users)
uvx workspace-mcp --tool-tier core      # Essential tools
uvx workspace-mcp --tool-tier extended  # Core + additional features
uvx workspace-mcp --tool-tier complete  # All tools

# Start in HTTP mode for debugging
export MCP_ENABLE_OAUTH21=true
export GOOGLE_OAUTH_CLIENT_ID="..."
uvx workspace-mcp --transport streamable-http

Requires Python 3.10+ and uvx. The package is available on PyPI.

Development Installation

For development or customization:

git clone https://github.com/taylorwilsdon/google_workspace_mcp.git
cd google_workspace_mcp
uv run main.py

Development Installation (For Contributors):

{
  "mcpServers": {
    "google_workspace": {
      "command": "uv",
      "args": [
        "run",
        "--directory",
        "/path/to/repo/google_workspace_mcp",
        "main.py"
      ],
      "env": {
        "GOOGLE_OAUTH_CLIENT_ID": "your-client-id",
        "GOOGLE_OAUTH_CLIENT_SECRET": "your-secret",
        "OAUTHLIB_INSECURE_TRANSPORT": "1"
      }
    }
  }
}

HTTP Mode (For debugging or web interfaces)

If you need to use HTTP mode with Claude Desktop:

{
  "mcpServers": {
    "google_workspace": {
      "command": "npx",
      "args": ["mcp-remote", "http://localhost:8000/mcp"]
    }
  }
}

Note: Make sure to start the server with --transport streamable-http when using HTTP mode. For remote or shared HTTP endpoints, also enable OAuth 2.1 with MCP_ENABLE_OAUTH21=true and GOOGLE_OAUTH_CLIENT_ID.

First-Time Authentication

Legacy local authentication uses the Google OAuth consent flow. In stdio mode, the server tries to open the browser automatically so long Google OAuth URLs do not wrap in terminals or get corrupted during copy/paste, which improves reliability of the redirect flow.

• In stdio mode, the server starts a local callback listener and tries to open the Google authorization page in your browser automatically.

• If the browser cannot be opened, the tool response includes the authorization URL to open manually.

• In streamable-http / OAuth 2.1 mode, use your MCP client's OAuth flow instead; the server does not try to open a browser on the host running the HTTP service.

• When a legacy local auth tool call provides user_google_email, the server adds that value as login_hint on the Google authorization URL so Google can pre-select the account on the consent screen. This applies to the stdio flow whether the server opens the browser or returns the URL; streamable-http / OAuth 2.1 flows still rely on the MCP client's OAuth flow.

Example:

user_google_email="alex@example.com"
Authorization URL: https://accounts.google.com/o/oauth2/v2/auth?...&login_hint=alex%40example.com

When calling a tool:

1. If an opened browser page appears, complete Google authorization there.

2. If no browser opens, open the returned authorization URL manually and complete Google authorization there.

3. After successful authorization, the callback page displays the authenticated email address.

4. Retry the original tool call with that email as user_google_email; the server needs this value to associate the stored Google credentials with the tool request, so the original request is not authorized until it is retried.

5. Server completes authentication using the stored Google credentials.

◆ Development

Project Structure

google_workspace_mcp/
├── auth/              # Authentication system with decorators
├── core/              # MCP server and utilities
├── g{service}/        # Service-specific tools
├── main.py            # Server entry point
├── client_secret.json # OAuth credentials (not committed)
└── pyproject.toml     # Dependencies

Adding New Tools

from auth.service_decorator import require_google_service

@require_google_service("drive", "drive_read")  # Service + scope group
async def your_new_tool(service, param1: str, param2: int = 10):
    """Tool description"""
    # service is automatically injected and cached
    result = service.files().list().execute()
    return result  # Return native Python objects

Architecture Highlights

• Service Caching: 30-minute TTL reduces authentication overhead

• Scope Management: Centralized in SCOPE_GROUPS for easy maintenance

• Error Handling: Native exceptions instead of manual error construction

• Multi-Service Support: @require_multiple_services() for complex tools

Credential Store System

The server includes an abstract credential store API with pluggable backends for managing Google OAuth credentials:

Features:

• Abstract Interface: CredentialStore base class defines standard operations (get, store, delete, list users)

• Local File Storage: LocalDirectoryCredentialStore — plaintext JSON files protected by filesystem permissions (0o600 / 0o700)

• GCS-Backed Storage: GCSCredentialStore — stores each user's credentials as an object in a Google Cloud Storage bucket. Supports atomic read-modify-write via generation preconditions, first-class Cloud IAM / Audit Logs integration, and transparent bucket-level CMEK encryption at rest

• Configurable Storage: Environment variables select backend and location

• Multi-User Support: Store and manage credentials for multiple Google accounts

• Automatic Directory Creation: Storage directory is created automatically if it doesn't exist (local backend)

Configuration:

# Install the optional dependency if you plan to use the GCS backend:
# uv sync --extra gcs
# or: pip install "workspace-mcp[gcs]"
#
# Select backend (default: local_directory). Supported: local_directory, gcs
export WORKSPACE_MCP_CREDENTIAL_STORE_BACKEND="gcs"

# --- local_directory options ---
export WORKSPACE_MCP_CREDENTIALS_DIR="/path/to/credentials"
# Backward-compatible alias:
export GOOGLE_MCP_CREDENTIALS_DIR="/path/to/credentials"

# Default directory locations (if no directory env var is set):
# - ~/.google_workspace_mcp/credentials (if home directory accessible)
# - ./.credentials (fallback)

# --- gcs options ---
export WORKSPACE_MCP_GCS_BUCKET="my-workspace-mcp-tokens"   # required
export WORKSPACE_MCP_GCS_PREFIX="credentials/"              # optional
export WORKSPACE_MCP_GCS_REQUIRE_CMEK="true"                # optional; see below

Backend selection:

• local_directory (default): Plaintext JSON records. Suitable for local development and single-user stdio mode. Existing pre-URL-encoding local credential filenames remain readable during migration; new writes use the URL-encoded filename mapping unless a legacy file already exists for that user.

• gcs: Stores credentials as objects in a GCS bucket using the JSON API. Authenticates via Application Default Credentials — on Cloud Run this means the runtime service account needs roles/storage.objectUser (or equivalent) on the bucket. Does not support list_users() — designed for multi-user OAuth 2.1 mode where users are looked up individually by email.

CMEK enforcement (gcs backend):

By default GCS encrypts objects with Google-managed keys. For customer-managed encryption, set a default KMS key on the bucket (e.g. via Terraform's google_storage_bucket.encryption.default_kms_key_name). All credentials written to the bucket will inherit the key transparently — no application-level key to manage.

To guard against accidentally deploying against a bucket without CMEK, set WORKSPACE_MCP_GCS_REQUIRE_CMEK=true. The store will verify the bucket has a default KMS key at startup and refuse to initialize otherwise. Note that this check reads bucket metadata, so the runtime service account additionally needs storage.buckets.get — grant roles/storage.bucketViewer on the bucket (or a custom role containing storage.buckets.get) in addition to the object-level role. roles/storage.objectUser alone covers only object operations.

Usage Example:

from auth.credential_store import get_credential_store, LocalDirectoryCredentialStore

# Get the global credential store instance
store = get_credential_store()

# Store credentials for a user
store.store_credential("user@example.com", credentials)

# Retrieve credentials
creds = store.get_credential("user@example.com")

# List all users with stored credentials (local_directory backend only;
# GCSCredentialStore intentionally does not support enumeration — use the
# upstream identity provider to enumerate users instead).
if isinstance(store, LocalDirectoryCredentialStore):
    users = store.list_users()

The credential store automatically handles credential serialization, expiry parsing, and provides error handling for storage operations.

⊠ Security

• Prompt Injection: This MCP server has the capability to retrieve your email, calendar events and drive files. Those emails, events and files could potentially contain prompt injections - i.e. hidden white text that tells it to forward your emails to a different address. You should exercise caution and in general, only connect trusted data to an LLM!

• Credentials: Never commit .env, client_secret.json or the .credentials/ directory to source control!

• OAuth Callback: Uses http://localhost:8000/oauth2callback for development (requires OAUTHLIB_INSECURE_TRANSPORT=1). If another process is already using port 8000, set WORKSPACE_MCP_PORT to a free port to avoid conflicts — e.g. export WORKSPACE_MCP_PORT=8123. If you use a web/confidential OAuth client (not the recommended Desktop client), also update the redirect URI in Google Cloud Console to match the new port (e.g. http://localhost:8123/oauth2callback); Desktop and PKCE clients do not require this.

• Transport-Aware Callbacks: Stdio mode starts a minimal HTTP server only for OAuth, ensuring callbacks work in all modes

• Production: Use HTTPS & OAuth 2.1 and configure accordingly

• Scope Minimization: Tools request only necessary permissions

• Local File Access Control: Tools that read local files (e.g., attachments, file:// uploads) are restricted to the managed attachment directory by default. Override this with the ALLOWED_FILE_DIRS environment variable if you intentionally need broader access:

  # Colon-separated list of directories (semicolon on Windows) from which local file reads are permitted
  export ALLOWED_FILE_DIRS="/home/user/documents:/data/shared"

  The managed attachment directory is controlled by WORKSPACE_ATTACHMENT_DIR and remains allowed even when ALLOWED_FILE_DIRS is set. Regardless of the allowlist, access to sensitive paths (.env, .ssh/, .aws/, /etc/shadow, credential files, etc.) is always blocked.

• Indirect Prompt Injection: In agentic clients, email bodies, documents, and calendar events can contain malicious instructions that try to coerce the model into exfiltrating local files. Do not broaden ALLOWED_FILE_DIRS unless you trust the client, the model behavior, and the data sources it can read.

≡ License

MIT License - see LICENSE file for details.

Validations: