To configure OAuth for your application, you set up an OAuth workflow, and you enable the Data Portability API OAuth scopes.
Set up an OAuth workflow
To set up an OAuth flow for your application, follow the basic steps in the Google Identity documentation.
Most developers use the Server-side Web Apps flow for obtaining OAuth consent, but you can also use the JavaScript Web Apps flow or the Mobile and Desktop Apps flow.
Exports can take longer than the lifetime of an access token, or the user could grant 30 or 180 days of access. You may need to obtain a refresh token and periodically exchange it for a fresh access token. For more details, see Refreshing an access token for Web Apps and Refreshing an access token for Mobile and Desktop Apps.
Important: OAuth token renewal is only available to users if your OAuth client has a publishing status of In production, not Testing. Additionally, tokens granted to OAuth clients with a Testing publishing status always expire in 7 days even if you select a 30- or 180-day duration. For details, see Setting up your OAuth consent screen.
Data Portability API OAuth scopes
When you configure your Data Portability API application for OAuth, enable the
Data Portability API OAuth scopes that are relevant to your application. Some scopes
are sensitive and restricted and are subject to additional requirements.
When you add the Data Portability API scopes to your OAuth flow, there may be cases where your user gives consent to some but not all of the scopes. Your app must be able to handle these cases by:
- Allowing partial data exports
- Notifying the user that they didn't select all the necessary scopes (and failing gracefully)
- Asking the user for the remaining consents
Additionally, a user chooses whether to grant you access to their data once, or for 30 or 180 days.
- If a user grants you one-time access, your app is allowed to perform one data export for that specific consent. To download the data again, you need a new consent from the user.
- If a user grants you time-based access, your app is allowed to perform data exports for the duration of specified time period or until the user revokes consent.
- You can also choose to apply time filters to your request to export data for a specific range of time, such as the last 6 months.
You should also note that during the OAuth flow, your app does not know which Google Account was used to give consent. The OAuth token your application receives is opaque.
If you are looking for information on how users share data, see Share a copy of your data with a third party.
Scopes restrictions
This section covers restrictions in scopes that result in errors.
Mixed scopes
Requests for Data Portability API scopes (such as, https://www.googleapis.com/auth/dataportability.*) can't be mixed with other scopes (such as, https://www.googleapis.com/auth/userinfo.email). Here is an example of a bad request, with the restricted part bolded:
https://accounts.google.com/o/oauth2/v2/auth?
client_id=client_id&
redirect_uri=redirect_uri&
response_type=token&
scope=https://www.googleapis.com/auth/dataportability.myactivity.search+https://www.googleapis.com/auth/userinfo.email&
include_granted_scopes=false
Previously granted scopes
You should never set include_granted_scopes=true when requesting DPAPI scopes.
Here is an example of a bad request, with the restricted part bolded:
https://accounts.google.com/o/oauth2/v2/auth?
client_id=client_id&
redirect_uri=redirect_uri&
response_type=token&
scope=https://www.googleapis.com/auth/dataportability.myactivity.search&
include_granted_scopes=true
Too many scopes
If your request has too many scopes appended, you may encounter a
400 bad request error. This occurs when the URL length grows beyond what is
supported in browsers. To resolve, split your requests for scopes into multiple
smaller batches and use Incremental authorization to request
consent for each batch.
Scopes categories
For list of all OAuth scopes supported by the Data Portability API and their categories, see Available OAuth scopes. For a list of all resource groups and OAuth scopes supported by a particular service, see the schema reference page for that service.