Google Workspace Code MCP

Important: This is an alternative experiment, not my primary setup

If you are looking for the Google Workspace integration I actually use day-to-day, use this skill instead:

• Primary skill: https://github.com/mitsuhiko/agent-stuff/tree/main/skills/google-workspace

This repository is an alternative code-first MCP experiment built around one execute tool. It is intentionally aligned with the ideas in:

• Your MCP Doesn’t Need 30 Tools: It Needs Code — https://lucumr.pocoo.org/2025/8/18/code-mcps/

That post explores code-supported/code-first MCP design (fewer fixed tools, more programmable capability).

A local JavaScript/TypeScript MCP server with a single tool: execute.

execute runs JavaScript (or TypeScript with type stripping) and gives that code authenticated access to Google Workspace APIs.

What this server does

• Exposes one MCP tool: execute

• Runs user-provided JavaScript/TypeScript (async function body; TS types stripped)

• Automatically performs OAuth login on first use (browser flow)

• Reuses stored tokens on subsequent calls

• Provides a small runtime API inside executed code:

  • auth — Google OAuth client

  • google — googleapis SDK root

  • workspace — helper methods (call, service, whoAmI)

  • state — persistent mutable object across calls

This follows a code-mode design: one flexible execution tool instead of many fixed tools.

Requirements

• Node.js 20+

• Local desktop/browser access for the initial OAuth sign-in

Install

npm install

Run

npm start

or:

node src/server.js

MCP configuration

This repo already includes .mcp.json:

{
  "mcpServers": {
    "google-workspace-code": {
      "type": "stdio",
      "command": "node",
      "args": [
        "/Users/mitsuhiko/Development/workspace-mcp/src/server.js"
      ],
      "env": {
        "GOOGLE_WORKSPACE_AUTH_MODE": "cloud"
      }
    }
  }
}

If you move the project, update the args path.

Tool contract

Tool name

• execute

Input schema

• script (string, required): JavaScript/TypeScript async function body (TS type syntax is stripped before execution)

• timeoutMs (number, optional): execution timeout in milliseconds (default 30000, max 300000)

• scopes (string[], optional): override OAuth scopes for the call

• resetState (boolean, optional): clears persistent state before execution

Execution environment

Your script runs as an async function body with these variables in scope:

• auth

• google

• workspace

• state

Return values are serialized and sent back as tool output.

Example scripts

1) Who am I + list Drive files

const me = await workspace.whoAmI();
const files = await workspace.call('drive', 'files.list', {
  pageSize: 5,
  fields: 'files(id,name,mimeType)'
});

state.lastEmail = me.email;

return {
  user: me,
  files: files.files,
  remembered: state.lastEmail
};

2) List today’s calendar events

const start = new Date();
start.setHours(0, 0, 0, 0);

const end = new Date(start);
end.setDate(end.getDate() + 1);

return await workspace.call('calendar', 'events.list', {
  calendarId: 'primary',
  timeMin: start.toISOString(),
  timeMax: end.toISOString(),
  singleEvents: true,
  orderBy: 'startTime'
});

OAuth and token storage

• First call without token triggers browser login automatically

• Default config directory: ~/.pi/google-workspace

• Default token path: ~/.pi/google-workspace/token.json

• Default auth mode: cloud (unless overridden)

Environment variables

• GOOGLE_WORKSPACE_CONFIG_DIR

• GOOGLE_WORKSPACE_CREDENTIALS

• GOOGLE_WORKSPACE_TOKEN

• GOOGLE_WORKSPACE_AUTH_MODE (cloud or local)

• GOOGLE_WORKSPACE_CLIENT_ID

• GOOGLE_WORKSPACE_CLOUD_FUNCTION_URL

• GOOGLE_WORKSPACE_CALLBACK_HOST

Security notes

• Uses Node vm for execution convenience, not a hardened sandbox.

• Treat this as trusted local tooling.

• Do not expose this server to untrusted users or networks.