How to Verify Your App Using Google API with Sensitive Scopes

Arnold C Subastil


TL;DR How to get verified

Imagine developing an application using the powerful APIs of Google. Enjoying every moment of it because who wouldn't?

Google APIs are such powerful tools. Just create an app with our own Google account at https://console.developers.google.com/, add the scopes we need, call the API from our own application, and a convenient app is born.

Or at least, this was our plan.

The nightmare before deployment

As a team, we were excited to create an application that manages Google Sheets. Our application acts like IFTTT for shopping mall owners. It lets the user choose a trigger for a certain action, and the app then acts as the receiver of the trigger and performs the action. One action is intended to create spreadsheets, add some worksheets and update the contents of the rows and columns. We use the scopes for Google Sheets (updating the content of the spreadsheet created) and Google Drive (creating spreadsheet files and creating folders if needed).

We read the documentation and learned the scope and limitations of the project. Meeting after meeting, we were hopeful about the deadlines and that we could develop it in no time. However, this warning appeared because we used a sensitive scope:

Unverified App screenshot

Well, it's fine, we presume. We can still click 'Advanced' and proceed because we know the API we created is a trusted website. After using several accounts for testing, we deployed the application and presented it for official testing. Then, this happens:

Unverified App that exceeds the limit

Using our account, we could still see the page with the 'Advanced' link, but other users couldn't see it. It turns out that any unverified app only has a limited number of emails allowed to use the 'Advanced' link.

We needed to verify the app created on our Google Account. So we tried clicking the verify button, but with no luck: Google was quite strict about the requirements for an app that needs to be verified.

Because of this incident (which would have been prevented if we had not been too excited to use Google's sensitive scopes, or had at least read their long documentation about them), we had to adjust the features of the app. We only use the non-sensitive scopes of Google Sheets and Google Drive. Yes, these kinds of scopes exist, but with limited features for our application. For example, we can only update the content of a spreadsheet if it was saved by the same application, and we cannot create our own folder; all we can do is save a spreadsheet in the root folder of Google Drive.

The good thing about this situation is that the client only needed this kind of simple application, but as developers, we still felt like improving it. Because of the time constraints, however, we settled for the features already done and stuck to the scopes allowed.

To save us the time and effort of going through the verification process (and reading all the requirements needed), we decided to adjust the features of our app. Instead of using the sensitive scopes, we used different scopes (drive.appdata and drive.file) that have the same abilities as the sensitive scopes but with fewer features and less access to the API. In the case of our app, which uses the Google Sheets and Google Drive APIs, it can only manipulate the files the app created; it cannot update or delete files that were created manually by the user directly in Google Sheets.

The timeline was adjusted along with the requirements of the application. Additional meetings were held to explain the limitations that we encountered and to have additional days to develop and test the new features.

But still, we needed to create an app using those sensitive scopes because of the possibilities; we had to be pushed to our limits, and we eventually faced this kind of process.

We got to explore the possibilities when we were assigned to create an app using Google Calendar. Unlike Google Sheets and Google Drive, which both have scopes that are not sensitive, all the scopes of Google Calendar are sensitive. We had to use the scopes 'calendar' and 'calendar.events'.

That is why we had no choice but to undergo the verification process for our app that uses the Google Calendar API. Because this was our first time verifying an app, we made a couple of mistakes that Google pointed out. But now that our application has been verified, in two weeks including corrections and updates to our application, we can confirm that an app can be verified by following the guide laid out in this tech blog.

Is it worth verifying my application?

Yes. That is why we paved the way and created this blog: to save other developers the time of reading a long list of documentation and deciding what is important, and to help them avoid mistakes that have already been made before, before they get pointed out.

So don't give up and keep chasing this pavement.


By the way, another thing that made it more difficult for us is that our office hours differ from those of Google Assistance. That's why we needed to be careful when submitting a requirement: if something needed to be corrected, we would receive their feedback late at midnight, when everyone in the country was sleeping. Every time we sent a verification application, I hoped and prayed to receive good news the next morning. Plenty of mornings became unpleasant because the verification application was rejected.

These instructions are based on our experience with Google app verification and might differ from the situations of other developers. What we want is to simplify the instructions, since Google provides long and confusing (for beginners, at least) requirements as of this writing. It is really hard to find blog posts that are simple enough to follow with regard to Google app verification.

Things to prepare before the verification process

Just make sure to follow these 6 requirements to have an easier verification process:

1.) We are not Google, so don't present like one. Our application is not a product of Google, so they will not allow us to use any of their brand names for our application. For example, naming our application the 'Google Calendar Scheduling App' is not allowed, especially when the name is also applied to the domain, as in `google-calendar-scheduling.com`. Using this kind of domain name and application title will lead to a "misleading identity": people may think that it is a product of Google. We can fix this by calling it 'Calendar Scheduling App', optionally adding 'for Google Calendar' or 'powered by Google Calendar', and using this identity on the domain: `calendar-scheduling.com` instead. The same goes for the logo: the logo of the app must be different from the logo of the API we are using and must not suggest that the app is a Google product. For example, if we are using the Google Calendar API, we must not use the Google Calendar logo. We have to come up with an original design or use a free-to-use icon.

2.) Check that all domain URLs in the app are authorized domains on the console. Our domains (for example, the callback domain URLs that will receive the code and access token for verification) listed under Authorized domains must all be verified domain URLs in our console under domain verification. They must all be public so that Google can access them. We can check whether our domains are verified by confirming that the domain URLs listed under Authorized domains (OAuth Consent Screen tab) can also be found in the list of domains on the 'Domain Verification' tab:

Oauth Consent Screen and Domain Verification section on https://console.developers.google.com/

3.) Create a home page with content that describes the app. This page must contain all the information about the app. It should answer the following questions: What does it do? Who's going to use it? How does it work? As noted in the first item, this page must not imply that the app is a product of Google. Unless the term is 'using Google API', refrain from using their name.

4.) Create a privacy policy for the app. For legal purposes, Google needs to see how well we manage all the data we will receive using their API. The policy must comply with the legal requirements of data privacy laws.

5.) Make sure that the scopes requested will appear among the scopes approved by the user. This was one of our mistakes, and it is very important, especially for the users. The list of scopes that appears here on the console,

Google App List of Scopes

must also appear on the verification pop-up for the user.

pop-up verification

This makes it clear to the user that the scopes we are accessing are the ones they allowed when they clicked submit. It can be done in our authentication code by including the exact scopes in the request:

Google API Library Code for scopes

Take note that even if we do not include the other scopes in the request, it will still work as long as the scopes were added on the console; the only problem is that they will not appear on the verification pop-up for the user. When Google checks our video demo (requirement #6), they will make sure that the pop-up for users shows the same scopes saved on the console.

6.) Create a video demo for the app, showing the scopes being approved by the user. When our app is done, we must create a video demo of the app. It doesn't need narration or a full video of the developer explaining everything. Just give them a run-through of the process. After we submit the verification, Google will review the requirements and will email us stating that we need to send them a demo video of the application. We must send a YouTube link for this video. If we don't want our application to be public yet, we can set the video on our YouTube account to 'Unlisted'. This way, only people who know the link can view the video. Here's an instruction provided online on how to set our YouTube video as unlisted and how it differs from private videos: How do I create an unlisted YouTube video?
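Requirements 2 and 5 can be enforced in code before the consent URL is built. The Python below is an added example, not code from the original post or from Google's client library; the contents of `CONSOLE_SCOPES` and `AUTHORIZED_DOMAINS` are constructed sample values standing in for what is saved on the console, and the "requested but not on console" check is an extra consistency check the post does not describe.

```python
import secrets
from urllib.parse import urlencode, urlsplit

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
SCOPE_PREFIX = "https://www.googleapis.com/auth/"

# Constructed sample values: copy these by hand from the console tabs.
CONSOLE_SCOPES = {SCOPE_PREFIX + "calendar", SCOPE_PREFIX + "calendar.events"}
AUTHORIZED_DOMAINS = {"calendar-scheduling.com"}


def check_request(scopes, redirect_uri):
    """Return the mismatches a reviewer would flag; an empty list means consistent."""
    problems = []
    requested = set(scopes)
    # Requirement 5: a console scope missing here never shows on the pop-up.
    for s in sorted(CONSOLE_SCOPES - requested):
        problems.append(f"on console but not requested (hidden from pop-up): {s}")
    # Added consistency check (assumption, not from the post).
    for s in sorted(requested - CONSOLE_SCOPES):
        problems.append(f"requested but not on console: {s}")
    host = (urlsplit(redirect_uri).hostname or "").lower()
    # Requirement 2: exact domain or a true subdomain, never a suffix look-alike.
    if not any(host == d or host.endswith("." + d) for d in AUTHORIZED_DOMAINS):
        problems.append(f"redirect host not under an authorized domain: {host}")
    return problems


def build_auth_url(client_id, redirect_uri, scopes):
    """Build the consent URL, refusing to proceed on any mismatch."""
    problems = check_request(scopes, redirect_uri)
    if problems:
        raise ValueError("; ".join(problems))
    state = secrets.token_urlsafe(32)  # keep in the session, compare on callback
    query = urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(sorted(scopes)),  # space-delimited exact scope list
        "state": state,
    })
    return f"{AUTH_ENDPOINT}?{query}", state
```

Running `check_request` in a unit test or CI step catches a scope list that has drifted from the console before the demo video is recorded.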


Source: https://medium.com/cafe24-ph-blog/tips-on-verifying-google-application-that-uses-sensitive-scopes-3b75dfb590ae

Posted by: alcantartheemed54.blogspot.com
