Unified.to

Connecting Google Workspace Integrations with a Service Account


May 21, 2026

Unified API supports two ways to authenticate Google integrations: the standard interactive OAuth2 flow (a user clicks "Allow"), or a service account for server-to-server access with no human in the loop. This guide covers the service account path: how to create one, how to grant it access to your data, and what to enter in Unified API.

When to use a service account

Use a service account when you want a backend system to access Google data without a user logging in each time — for example, syncing every mailbox in your company, reading a shared Drive, or managing your Workspace directory. For most Workspace data (Gmail, Calendar, Drive files owned by users, etc.) the service account must impersonate a user via domain-wide delegation (DWD). For a few APIs (Analytics, Merchant Center, Campaign Manager) you instead just share the resource with the service account's email — no delegation needed.


Step 1 — Create a Google Cloud project

  1. Go to the Google Cloud Console.
  2. Create a new project (or select an existing one) using the project picker at the top.
  3. Note the Project ID — you'll see it referenced in the key file later.

Step 2 — Enable the APIs you need

  1. Navigate to APIs & Services → Library.
  2. Search for and Enable the API for each integration you'll use:

| Integration | API to enable |
| --- | --- |
| Google Drive | Google Drive API |
| Gmail | Gmail API |
| Google Calendar | Google Calendar API |
| Google Sheets | Google Sheets API |
| Google Docs | Google Docs API |
| Google Slides | Google Slides API |
| Google Forms | Google Forms API |
| Google Tasks | Google Tasks API |
| Google Contacts | People API |
| Google Meet | Google Meet API + Google Calendar API |
| Workspace Directory | Admin SDK API |

If an API isn't enabled, calls will fail with a 403 ... API has not been used in project error.

Step 3 — Create the service account

  1. Go to APIs & Services → Credentials → Create credentials → Service account.
  2. Give it a name (e.g. unified-api-sync) and click Create and continue.
  3. You can skip the optional "grant access" steps for now. Click Done.
  4. You'll land on the service account list. Note its email — it looks like: unified-api-sync@your-project-id.iam.gserviceaccount.com

Step 4 — Generate a key

  1. Click the service account, then open the Keys tab.
  2. Add key → Create new key → JSON → Create.
  3. A .json file downloads. Store it securely — Google does not let you re-download it.

The file looks like this. The two fields you need are private_key (the Service Account Private Key) and client_email (the Service Account Email):

{
    "type": "service_account",
    "project_id": "your-project-id",
    "private_key_id": "abc123...",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEv...\n-----END PRIVATE KEY-----\n",
    "client_email": "unified-api-sync@your-project-id.iam.gserviceaccount.com",
    "client_id": "11223344...",
    "token_uri": "https://oauth2.googleapis.com/token",
    ...
}

Step 5 — Grant the service account access to your data

This is the step that differs by API. Pick the path that matches your integration.

Path A — Domain-wide delegation (Workspace user data)

Required for Gmail, Calendar, Drive (user files), Sheets, Docs, Slides, Forms, Tasks, Contacts, Meet, and Directory. This lets the service account act as a specific user in your Workspace.

  1. On the service account's detail page, note its Client ID (the numeric client_id from the JSON, also called "Unique ID").
  2. As a Workspace super admin, go to the Admin Console → Security → Access and data control → API controls → Domain-wide delegation.
  3. Click Add new and enter:
    • Client ID: the service account's numeric Client ID.
    • OAuth scopes: a comma-separated list of the scopes for the APIs you'll use (see the scope table below).
  4. Authorize. Changes can take a few minutes to propagate.

Only the scopes you authorize here will work. If you add the Drive integration later, you must come back and add the Drive scope.

Path B — Resource sharing (no delegation)

For APIs where data is owned by an account/property rather than a user, you skip DWD and just grant the service account's email access inside the product:

  • Google Analytics — add the service account email as a user on the GA4 property.
  • Merchant Center — add it as a user in Merchant Center settings.
  • Campaign Manager / Display & Video 360 — add it as a user in the platform.

(These integrations aren't part of the Workspace set covered here but follow the same key-creation steps.)


Step 6 — Scopes per integration

When configuring domain-wide delegation (Path A), authorize the matching scope(s). These are exactly the scopes Unified API requests when minting tokens:

| Integration | Scope(s) to authorize |
| --- | --- |
| Google Drive | https://www.googleapis.com/auth/drive |
| Gmail | https://mail.google.com/ |
| Google Calendar | https://www.googleapis.com/auth/calendar |
| Google Sheets | https://www.googleapis.com/auth/spreadsheets |
| Google Docs | https://www.googleapis.com/auth/documents |
| Google Slides | https://www.googleapis.com/auth/presentations |
| Google Forms | https://www.googleapis.com/auth/forms.body, https://www.googleapis.com/auth/forms.responses.readonly |
| Google Tasks | https://www.googleapis.com/auth/tasks |
| Google Contacts | https://www.googleapis.com/auth/contacts |
| Google Meet | https://www.googleapis.com/auth/calendar, https://www.googleapis.com/auth/meetings.space.readonly |
| Workspace Directory | https://www.googleapis.com/auth/admin.directory.user, https://www.googleapis.com/auth/admin.directory.group, https://www.googleapis.com/auth/admin.directory.group.member |
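
An added example, not part of the original guide or Unified's code: a check that compares the comma-separated scope list entered under domain-wide delegation with the scopes this step lists for the integrations actually in use. The function name, the integration keys and the sample input in the final comment are assumptions made for illustration.

```python
# Scopes per integration, copied from the scope table in this step.
G = "https://www.googleapis.com/auth/"
SCOPES = {
    "drive": {G + "drive"},
    "gmail": {"https://mail.google.com/"},
    "calendar": {G + "calendar"},
    "sheets": {G + "spreadsheets"},
    "docs": {G + "documents"},
    "slides": {G + "presentations"},
    "forms": {G + "forms.body", G + "forms.responses.readonly"},
    "tasks": {G + "tasks"},
    "contacts": {G + "contacts"},
    "meet": {G + "calendar", G + "meetings.space.readonly"},
    "directory": {G + "admin.directory.user", G + "admin.directory.group",
                  G + "admin.directory.group.member"},
}


def audit_delegation(authorized_field: str, integrations: list) -> dict:
    """Compare the Admin Console 'OAuth scopes' field with what is needed.

    missing: scopes an integration needs that are not authorized
             (the unauthorized_client case in Troubleshooting).
    excess:  authorized scopes that no listed integration uses
             (extra reach for anyone holding the key).
    Scopes are compared as exact strings, so a dropped trailing slash
    on the Gmail scope shows up as both missing and excess.
    """
    authorized = {s.strip() for s in authorized_field.split(",") if s.strip()}
    needed = set().union(*(SCOPES[name] for name in integrations))
    missing = {}
    for name in integrations:
        gap = sorted(SCOPES[name] - authorized)
        if gap:
            missing[name] = gap
    return {"missing": missing, "excess": sorted(authorized - needed)}


# Constructed input: Drive was authorized earlier but is no longer used,
# and Meet was added without its second scope.
# audit_delegation(G + "drive, https://mail.google.com/," + G + "calendar",
#                  ["gmail", "meet"])
```
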

Step 7 — Configure the connection in Unified API

When creating the connection, choose the Service Account authentication option and fill in three fields:

| Field | Value |
| --- | --- |
| Service Account Email | The client_email from the JSON key file. |
| Service Account Private Key | The private_key from the JSON key file — paste it whole, including the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- lines. |
| Subject | (Optional) The email of the Workspace user to impersonate via domain-wide delegation. Required for most Workspace data (e.g. Gmail needs a mailbox owner). Leave blank only if the service account itself owns the data or you've shared resources directly with it. |

That's it. Unified API signs a short-lived JWT with your private key, exchanges it with Google for an access token (caching it until it expires), and uses it for all API calls — no further interaction needed.

Troubleshooting

| Error | Likely cause |
| --- | --- |
| unauthorized_client | The scope isn't authorized in domain-wide delegation, or the Client ID is wrong. Re-check Step 5A. |
| 403 ... has not been used in project | The API isn't enabled for the project (Step 2). |
| 400 invalid_grant / Invalid JWT Signature | The private key was pasted incorrectly (truncated, or newlines lost). Re-copy the full private_key value. |
| Empty results / 404 for a user's data | Missing or wrong Subject — you're querying as the service account itself instead of impersonating the user. |
| 403 Not Authorized to access this resource (Directory) | The impersonated Subject must be a Workspace admin with rights to the directory data. |
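
For the invalid_grant / Invalid JWT Signature case, an added example (not from the original guide and not Unified's code) that inspects a pasted private_key value for the two causes named above, truncation and lost newlines, without needing a crypto library. It assumes a PKCS#8 PEM as shown in Step 4 and treats literal \n sequences as a paste problem; the function names and the stand-in key are constructed for illustration.

```python
import base64
import binascii
import re

BEGIN = "-----BEGIN PRIVATE KEY-----"
END = "-----END PRIVATE KEY-----"

def der_declared_length(der: bytes):
    """Total size a DER SEQUENCE claims to have, or None if not a SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    if der[1] < 0x80:                      # short form: length fits in one byte
        return 2 + der[1]
    n = der[1] & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return None
    return 2 + n + int.from_bytes(der[2:2 + n], "big")

def check_private_key(value: str) -> list:
    """Return the problems found in a pasted private_key (empty = looks intact)."""
    problems = []
    if "\\n" in value:                     # JSON escapes pasted as two characters
        problems.append("literal \\n sequences instead of line breaks")
        value = value.replace("\\n", "\n")
    text = value.strip()
    if "\n" not in text:
        problems.append("no line breaks")
    if not text.startswith(BEGIN):
        problems.append("missing BEGIN line")
    if not text.endswith(END):
        problems.append("missing END line")
    body = re.sub(r"\s+", "", text.replace(BEGIN, "").replace(END, ""))
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error:
        return problems + ["body is not complete base64"]
    declared = der_declared_length(der)
    if declared != len(der):               # bytes lost somewhere in the middle or end
        problems.append(f"DER length mismatch: header says {declared}, got {len(der)}")
    return problems

def make_sample_pem() -> str:
    """Constructed stand-in with a valid DER envelope; NOT a usable key."""
    der = b"\x30\x82\x05\x00" + bytes(range(256)) * 5
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *lines, END]) + "\n"
```

The check never prints the key material itself, only what is structurally wrong with it, so its output is safe to paste into a ticket.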

Security notes

  • The private key grants standing access to your data — store it in a secret manager, never in source control.
  • Authorize only the scopes you actually use; broad scopes increase blast radius if the key leaks.
  • Rotate keys periodically (create a new key, update the connection, delete the old key).
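
To back the "never in source control" rule with a check, an added example (not from the original guide or Unified's tooling) that walks a working tree and reports files holding a service account key, either as the JSON file from Step 4 or as a PEM block pasted into another file. It reports the private_key_id so the matching key can be deleted during rotation; the function names and the size limit are assumptions.

```python
import json
import os
import re

KEY_MARKER = re.compile(r"-----BEGIN (?:RSA )?PRIVATE KEY-----")

def classify(text: str):
    """Return a finding dict if text holds key material, else None."""
    try:
        doc = json.loads(text)
    except ValueError:
        doc = None
    if (isinstance(doc, dict) and doc.get("type") == "service_account"
            and KEY_MARKER.search(str(doc.get("private_key", "")))):
        # Identify the key without echoing the secret itself.
        return {"kind": "service_account_json",
                "client_email": doc.get("client_email"),
                "private_key_id": doc.get("private_key_id")}
    if KEY_MARKER.search(text):            # key pasted into .env, YAML, code, ...
        return {"kind": "pem_private_key"}
    return None

def scan_tree(root: str, max_bytes: int = 1_000_000) -> list:
    """Scan files under root (skipping .git) and return findings sorted by path."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hit = classify(fh.read())
            except OSError:                # unreadable file or broken symlink
                continue
            if hit:
                hit["path"] = os.path.relpath(path, root)
                findings.append(hit)
    return sorted(findings, key=lambda f: f["path"])
```

A key that was ever committed stays in history after the file is removed, so a finding here calls for the rotation steps above, not just a delete.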