Fostr’s Google Workspace integration connects core services like Gmail, Calendar, and Drive directly into your workflows. This page focuses on access-related questions, including what credentials are needed, who can authorize the integration, and how data visibility is governed across your organization.

Credentials and Authentication Requirements

To enable the Google Workspace integration, administrators must configure OAuth 2.0 credentials within the Google Cloud Console. This process provides the authentication elements necessary for API access, including:

• Client ID
• Client Secret
• Approved OAuth permission scopes for individual services (e.g., Gmail, Drive, Calendar)
• (Optional) Service Account for domain-level synchronization and impersonation

The integration is provisioned primarily at the tenant level, meaning a single organizational authorization can unlock usage across all subscribed users within the Google Workspace domain. Some features, however, may also require user-level consent when individuals need to act on their own behalf (e.g., sending emails from a personal mailbox or accessing private calendar events).

Depending on selected services, the following OAuth scopes may be included in the configuration:

• Gmail
  • https://www.googleapis.com/auth/gmail.readonly
  • https://www.googleapis.com/auth/gmail.modify
  • https://www.googleapis.com/auth/gmail.send
• Drive
  • https://www.googleapis.com/auth/drive.readonly
  • Note: Although this scope permits broad read access, Fostr only interacts with files and folders that users explicitly share or link to workflows. The integration does not enumerate or crawl an entire Drive account.
• Calendar
  • https://www.googleapis.com/auth/calendar.events.readonly

Email addresses do not need to be made public for this integration. Identity resolution is managed internally through secure token exchanges and directory APIs, without exposing open user directories.

Credential Storage and Environment Separation

Once generated, all credentials and associated tokens are securely stored in encrypted form within the Integration record in Fostr. Visibility is restricted to platform administrators and designated integration managers only.

• Secrets and tokens are tied per environment (production, sandbox, staging). Each environment requires its own credential input.
• Fostr automatically manages token refresh using Google OAuth standards.
• If an administrator revokes, rotates, or expires credentials, the integration surfaces clear error messages to assist with remediation.

Permissions and Role Scope

The level of system access granted to Fostr during setup depends entirely on the approved OAuth scopes and the roles used within Google Workspace. Typical permission categories include:

• Read-level scopes – e.g., Gmail message metadata, Drive file/folder metadata, Calendar event details (title, date, organizer).
• Action scopes – e.g., sending email on behalf of a user, updating Gmail labels, or accessing certain Drive files.
• Identity scopes – ensuring correct attribution for actions performed in Fostr, and enabling user-level operations where applicable.

For large-scale, domain-wide usage (e.g., Shared Drives or cross-user data access), administrators are encouraged to configure a service account with delegated permissions, ensuring reliability independent of individual users.

Visibility and Data Behavior Inside Fostr