Google Workspace MCP Server

Full natural language control over Google Calendar, Drive, Gmail, Docs, Sheets, Slides, Forms, Tasks, and Chat through all MCP clients, AI assistants and developer tools.

The most feature-complete Google Workspace MCP server, now with Remote OAuth2.1 multi-user support and 1-click Claude installation.

Support for all free Google accounts (Gmail, Docs, Drive etc) & Google Workspace plans (Starter, Standard, Plus, Enterprise, Non Profit) with expanded app options like Chat & Spaces.
Interested in a private cloud instance? That can be arranged.

See it in action:

A quick plug for AI-Enhanced Docs

◆ But why?

This README was written with AI assistance, and here's why that matters

As a solo dev building open source tools, comprehensive documentation often wouldn't happen without AI help. Using agentic dev tools like Roo & Claude Code that understand the entire codebase, AI doesn't just regurgitate generic content - it extracts real implementation details and creates accurate, specific documentation.

In this case, Sonnet 4 took a pass & a human (me) verified them 8/16/25.

Overview

A production-ready MCP server that integrates all major Google Workspace services with AI assistants. It supports both single-user operation and multi-user authentication via OAuth 2.1, making it a powerful backend for custom applications. Built with FastMCP for optimal performance, featuring advanced authentication handling, service caching, and streamlined development patterns.

Simplified Setup: Now uses Google Desktop OAuth clients - no redirect URIs or port configuration needed!

Features

@ Gmail • ≡ Drive • ⧖ Calendar ≡ Docs

Complete Gmail management, end to end coverage
Full calendar management with advanced features
File operations with Office format support
Document creation, editing & comments
Deep, exhaustive support for fine grained editing

≡ Forms • @ Chat • ≡ Sheets • ≡ Slides

Form creation, publish settings & response management
Space management & messaging capabilities
Spreadsheet operations with flexible cell management
Presentation creation, updates & content manipulation

⊠ Authentication & Security

Advanced OAuth 2.0 & OAuth 2.1 support
Automatic token refresh & session management
Transport-aware callback handling
Multi-user bearer token authentication
Innovative CORS proxy architecture

✓ Tasks • ◆ Custom Search • ↻ Transport Support

Full support for all MCP Transports
Task & task list management with hierarchy
Programmable Search Engine (PSE) integration

▶ Quick Start

≡ Quick Reference Card← Essential commands & configs at a glance

⊠ Credentials

export GOOGLE_OAUTH_CLIENT_ID="..."
export GOOGLE_OAUTH_CLIENT_SECRET="..."

Full setup →

▶ Launch Commands

uvx workspace-mcp --tool-tier core
uv run main.py --tools gmail drive

More options →

★ Tool Tiers

● core - Essential tools
◐ extended - Core + extras
○ complete - Everything Details →

1. One-Click Claude Desktop Install (Recommended)

Download: Grab the latest google_workspace_mcp.dxt from the “Releases” page
Install: Double-click the file – Claude Desktop opens and prompts you to Install
Configure: In Claude Desktop → Settings → Extensions → Google Workspace MCP, paste your Google OAuth credentials
Use it: Start a new Claude chat and call any Google Workspace tool

Why DXT?

Desktop Extensions (.dxt) bundle the server, dependencies, and manifest so users go from download → working MCP in one click – no terminal, no JSON editing, no version conflicts.

Required Configuration

◆ Environment Variables _{^{← Click to configure in Claude Desktop}}

Required

Variable	Purpose
`GOOGLE_OAUTH_CLIENT_ID`	OAuth client ID from Google Cloud
`GOOGLE_OAUTH_CLIENT_SECRET`	OAuth client secret
`OAUTHLIB_INSECURE_TRANSPORT=1`	Development only (allows `http://` redirect)

Optional

Variable	Purpose
`USER_GOOGLE_EMAIL`	Default email for single-user auth
`GOOGLE_PSE_API_KEY`	API key for Custom Search
`GOOGLE_PSE_ENGINE_ID`	Search Engine ID for Custom Search
`MCP_ENABLE_OAUTH21`	Set to `true` for OAuth 2.1 support
`EXTERNAL_OAUTH21_PROVIDER`	Set to `true` for external OAuth flow with bearer tokens (requires OAuth 2.1)
`WORKSPACE_MCP_STATELESS_MODE`	Set to `true` for stateless operation (requires OAuth 2.1)

Claude Desktop stores these securely in the OS keychain; set them once in the extension pane.

Prerequisites

Python 3.10+
uvx (for instant installation) or uv (for development)
Google Cloud Project with OAuth 2.0 credentials

Configuration

◆ Google Cloud Setup _{^{← OAuth 2.0 credentials & API enablement}}

1. Create Project

console.cloud.google.com

→ Create new project
→ Note project name

_{Open Console →}

2. OAuth Credentials

APIs & Services → Credentials
→ Create Credentials
→ OAuth Client ID
→ Desktop Application

_{Download & save credentials}

3. Enable APIs

APIs & Services → Library

Search & enable:
Calendar, Drive, Gmail,
Docs, Sheets, Slides,
Forms, Tasks, Chat, Search

_{See quick links below}

≡ OAuth Credential Setup Guide _{^{← Step-by-step instructions}}

Complete Setup Process:

Create OAuth 2.0 Credentials - Visit Google Cloud Console
- Create a new project (or use existing)
- Navigate to APIs & Services → Credentials
- Click Create Credentials → OAuth Client ID
- Choose Desktop Application as the application type (no redirect URIs needed!)
- Download credentials and note the Client ID and Client Secret
Enable Required APIs - In APIs & Services → Library
- Search for and enable each required API
- Or use the quick links below for one-click enabling

Configure Environment - Set your credentials:

export GOOGLE_OAUTH_CLIENT_ID="your-client-id"
export GOOGLE_OAUTH_CLIENT_SECRET="your-secret"

≡ Full Documentation →

⊥ Quick API Enable Links _{^{← One-click enable each Google API}}

You can enable each one by clicking the links below (make sure you're logged into the Google Cloud Console and have the correct project selected):

Enable Google Calendar API
Enable Google Drive API
Enable Gmail API
Enable Google Docs API
Enable Google Sheets API
Enable Google Slides API
Enable Google Forms API
Enable Google Tasks API
Enable Google Chat API
Enable Google Custom Search API

1.1. Credentials: See Credential Configuration for detailed setup options

Environment Configuration:

◆ Environment Variables _{^{← Configure your runtime environment}}

◆ Development Mode

export OAUTHLIB_INSECURE_TRANSPORT=1

_{Allows HTTP redirect URIs}

@ Default User

export USER_GOOGLE_EMAIL=\
  [email protected]

_{Single-user authentication}

◆ Custom Search

export GOOGLE_PSE_API_KEY=xxx
export GOOGLE_PSE_ENGINE_ID=yyy

_{Optional: Search API setup}

Server Configuration:

◆ Server Settings _{^{← Customize ports, URIs & proxies}}

◆ Base Configuration

export WORKSPACE_MCP_BASE_URI=
  http://localhost
export WORKSPACE_MCP_PORT=8000

_{Server URL & port settings}

↻ Proxy Support

export MCP_ENABLE_OAUTH21=
  true

_{Leverage multi-user OAuth2.1 clients}

@ Default Email

export USER_GOOGLE_EMAIL=\
  [email protected]

_{Skip email in auth flows in single user mode}

≡ Configuration Details _{^{← Learn more about each setting}}

Variable	Description	Default
`WORKSPACE_MCP_BASE_URI`	Base server URI (no port)	`http://localhost`
`WORKSPACE_MCP_PORT`	Server listening port	`8000`
`WORKSPACE_EXTERNAL_URL`	External URL for reverse proxy setups	None
`GOOGLE_OAUTH_REDIRECT_URI`	Override OAuth callback URL	Auto-constructed
`USER_GOOGLE_EMAIL`	Default auth email	None

Google Custom Search Setup

◆ Custom Search Configuration _{^{← Enable web search capabilities}}

1. Create Search Engine

programmablesearchengine.google.com
/controlpanel/create

→ Configure sites or entire web
→ Note your Engine ID (cx)

_{Open Control Panel →}

2. Get API Key

developers.google.com
/custom-search/v1/overview

→ Create/select project
→ Enable Custom Search API
→ Create credentials (API Key)

_{Get API Key →}

3. Set Variables

export GOOGLE_PSE_API_KEY=\
  "your-api-key"
export GOOGLE_PSE_ENGINE_ID=\
  "your-engine-id"

_{Configure in environment}

≡ Quick Setup Guide _{^{← Step-by-step instructions}}

Complete Setup Process:

Create Search Engine - Visit the Control Panel
- Choose "Search the entire web" or specify sites
- Copy the Search Engine ID (looks like: 017643444788157684527:6ivsjbpxpqw)
Enable API & Get Key - Visit Google Developers Console
- Enable "Custom Search API" in your project
- Create credentials → API Key
- Restrict key to Custom Search API (recommended)

Configure Environment - Add to your shell or .env:

export GOOGLE_PSE_API_KEY="AIzaSy..."
export GOOGLE_PSE_ENGINE_ID="01764344478..."

≡ Full Documentation →

Start the Server

▶ Launch Commands _{^{← Choose your startup mode}}

▶ Quick Start

uv run main.py

_{Default stdio mode}

◆ HTTP Mode

uv run main.py \
  --transport streamable-http

_{Web interfaces & debugging}

@ Single User

uv run main.py \
  --single-user

_{Simplified authentication}

◆ Advanced Options _{^{← Tool selection, tiers & Docker}}

▶ Selective Tool Loading

# Load specific services only
uv run main.py --tools gmail drive calendar
uv run main.py --tools sheets docs

# Combine with other flags
uv run main.py --single-user --tools gmail

★ Tool Tiers

uv run main.py --tool-tier core      # ● Essential tools only
uv run main.py --tool-tier extended  # ◐ Core + additional
uv run main.py --tool-tier complete  # ○ All available tools

◆ Docker Deployment

docker build -t workspace-mcp .
docker run -p 8000:8000 -v $(pwd):/app \
  workspace-mcp --transport streamable-http

# With tool selection via environment variables
docker run -e TOOL_TIER=core workspace-mcp
docker run -e TOOLS="gmail drive calendar" workspace-mcp

Available Services: gmail • drive • calendar • docs • sheets • forms • tasks • chat • search

Tool Tiers

The server organizes tools into three progressive tiers for simplified deployment. Choose a tier that matches your usage needs and API quota requirements.

Available Tiers

● Core (--tool-tier core) Essential tools for everyday tasks. Perfect for light usage with minimal API quotas. Includes search, read, create, and basic modify operations across all services.

● Extended (--tool-tier extended) Core functionality plus management tools. Adds labels, folders, batch operations, and advanced search. Ideal for regular usage with moderate API needs.

● Complete (--tool-tier complete) Full API access including comments, headers/footers, publishing settings, and administrative functions. For power users needing maximum functionality.

Important Notes

▶ Start with core and upgrade as needed ▶ Tiers are cumulative – each includes all previous ▶ Mix and match with --tools for specific services ▶ Configuration in core/tool_tiers.yaml ▶ Authentication included in all tiers

Usage Examples

# Basic tier selection
uv run main.py --tool-tier core                            # Start with essential tools only
uv run main.py --tool-tier extended                        # Expand to include management features
uv run main.py --tool-tier complete                        # Enable all available functionality

# Selective service loading with tiers
uv run main.py --tools gmail drive --tool-tier core        # Core tools for specific services
uv run main.py --tools gmail --tool-tier extended          # Extended Gmail functionality only
uv run main.py --tools docs sheets --tool-tier complete    # Full access to Docs and Sheets

📋 Credential Configuration

🔑 OAuth Credentials Setup _{^{← Essential for all installations}}

🚀 Environment Variables

export GOOGLE_OAUTH_CLIENT_ID=\
  "your-client-id"
export GOOGLE_OAUTH_CLIENT_SECRET=\
  "your-secret"

_{Best for production}

📁 File-based

# Download & place in project root
client_secret.json

# Or specify custom path
export GOOGLE_CLIENT_SECRET_PATH=\
  /path/to/secret.json

_{Traditional method}

⚡ .env File

cp .env.oauth21 .env
# Edit .env with credentials

_{Best for development}

📖 Credential Loading Details _{^{← Understanding priority & best practices}}

Loading Priority

Environment variables (export VAR=value)
.env file in project root (warning - if you run via uvx rather than uv run from the repo directory, you are spawning a standalone process not associated with your clone of the repo and it will not find your .env file without specifying it directly)
client_secret.json via GOOGLE_CLIENT_SECRET_PATH
Default client_secret.json in project root

Why Environment Variables?

✅ Docker/K8s ready - Native container support
✅ Cloud platforms - Heroku, Railway, Vercel
✅ CI/CD pipelines - GitHub Actions, Jenkins
✅ No secrets in git - Keep credentials secure
✅ Easy rotation - Update without code changes

🧰 Available Tools

Note: All tools support automatic authentication via @require_google_service() decorators with 30-minute service caching.

📅 Google Calendar _{calendar_tools.py}

Tool	Tier	Description
`list_calendars`	Core	List accessible calendars
`get_events`	Core	Retrieve events with time range filtering
`create_event`	Core	Create events with attachments & reminders
`modify_event`	Core	Update existing events
`delete_event`	Extended	Remove events

📁 Google Drive _{drive_tools.py}

Tool	Tier	Description
`search_drive_files`	Core	Search files with query syntax
`get_drive_file_content`	Core	Read file content (Office formats)
`create_drive_file`	Core	Create files or fetch from URLs
`list_drive_items`	Extended	List folder contents
`update_drive_file`	Extended	Update file metadata, move between folders

📧 Gmail _{gmail_tools.py}

Tool	Tier	Description
`search_gmail_messages`	Core	Search with Gmail operators
`get_gmail_message_content`	Core	Retrieve message content
`get_gmail_messages_content_batch`	Core	Batch retrieve message content
`send_gmail_message`	Core	Send emails
`get_gmail_thread_content`	Extended	Get full thread content
`modify_gmail_message_labels`	Extended	Modify message labels
`list_gmail_labels`	Extended	List available labels
`manage_gmail_label`	Extended	Create/update/delete labels
`draft_gmail_message`	Extended	Create drafts
`get_gmail_threads_content_batch`	Complete	Batch retrieve thread content
`batch_modify_gmail_message_labels`	Complete	Batch modify labels
`start_google_auth`	Complete	Initialize authentication

📝 Google Docs _{docs_tools.py}

Tool	Tier	Description
`get_doc_content`	Core	Extract document text
`create_doc`	Core	Create new documents
`modify_doc_text`	Core	Modify document text
`search_docs`	Extended	Find documents by name
`find_and_replace_doc`	Extended	Find and replace text
`list_docs_in_folder`	Extended	List docs in folder
`insert_doc_elements`	Extended	Add tables, lists, page breaks
`insert_doc_image`	Complete	Insert images from Drive/URLs
`update_doc_headers_footers`	Complete	Modify headers and footers
`batch_update_doc`	Complete	Execute multiple operations
`inspect_doc_structure`	Complete	Analyze document structure
`export_doc_to_pdf`	Extended	Export document to PDF
`create_table_with_data`	Complete	Create data tables
`debug_table_structure`	Complete	Debug table issues
`*_document_comments`	Complete	Read, Reply, Create, Resolve

📊 Google Sheets _{sheets_tools.py}

Tool	Tier	Description
`read_sheet_values`	Core	Read cell ranges
`modify_sheet_values`	Core	Write/update/clear cells
`create_spreadsheet`	Core	Create new spreadsheets
`list_spreadsheets`	Extended	List accessible spreadsheets
`get_spreadsheet_info`	Extended	Get spreadsheet metadata
`create_sheet`	Complete	Add sheets to existing files
`*_sheet_comment`	Complete	Read/create/reply/resolve comments

🖼️ Google Slides _{slides_tools.py}

Tool	Tier	Description
`create_presentation`	Core	Create new presentations
`get_presentation`	Core	Retrieve presentation details
`batch_update_presentation`	Extended	Apply multiple updates
`get_page`	Extended	Get specific slide information
`get_page_thumbnail`	Extended	Generate slide thumbnails
`*_presentation_comment`	Complete	Read/create/reply/resolve comments

📝 Google Forms _{forms_tools.py}

Tool	Tier	Description
`create_form`	Core	Create new forms
`get_form`	Core	Retrieve form details & URLs
`set_publish_settings`	Complete	Configure form settings
`get_form_response`	Complete	Get individual responses
`list_form_responses`	Extended	List all responses with pagination

✓ Google Tasks _{tasks_tools.py}

Tool	Tier	Description
`list_tasks`	Core	List tasks with filtering
`get_task`	Core	Retrieve task details
`create_task`	Core	Create tasks with hierarchy
`update_task`	Core	Modify task properties
`delete_task`	Extended	Remove tasks
`move_task`	Complete	Reposition tasks
`clear_completed_tasks`	Complete	Hide completed tasks
`*_task_list`	Complete	List/get/create/update/delete task lists

💬 Google Chat _{chat_tools.py}

Tool	Tier	Description
`list_spaces`	Extended	List chat spaces/rooms
`get_messages`	Core	Retrieve space messages
`send_message`	Core	Send messages to spaces
`search_messages`	Core	Search across chat history

🔍 Google Custom Search _{search_tools.py}

Tool	Tier	Description
`search_custom`	Core	Perform web searches
`get_search_engine_info`	Complete	Retrieve search engine metadata
`search_custom_siterestrict`	Extended	Search within specific domains

Tool Tier Legend:

• Core: Essential tools for basic functionality • Minimal API usage • Getting started
• Extended: Core tools + additional features • Regular usage • Expanded capabilities
• Complete: All available tools including advanced features • Power users • Full API access

Connect to Claude Desktop

The server supports two transport modes:

Stdio Mode (Default - Recommended for Claude Desktop)

In general, you should use the one-click DXT installer package for Claude Desktop. If you are unable to for some reason, you can configure it manually via claude_desktop_config.json

Manual Claude Configuration (Alternative)

📝 Claude Desktop JSON Config _{^{← Click for manual setup instructions}}

Open Claude Desktop Settings → Developer → Edit Config
- macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
- Windows: %APPDATA%\Claude\claude_desktop_config.json
Add the server configuration:

{
  "mcpServers": {
    "google_workspace": {
      "command": "uvx",
      "args": ["workspace-mcp"],
      "env": {
        "GOOGLE_OAUTH_CLIENT_ID": "your-client-id",
        "GOOGLE_OAUTH_CLIENT_SECRET": "your-secret",
        "OAUTHLIB_INSECURE_TRANSPORT": "1"
      }
    }
  }
}

2. Advanced / Cross-Platform Installation

If you’re developing, deploying to servers, or using another MCP-capable client, keep reading.

Instant CLI (uvx)

⚡ Quick Start with uvx _{^{← No installation required!}}

# Requires Python 3.10+ and uvx
# First, set credentials (see Credential Configuration above)
uvx workspace-mcp --tool-tier core  # or --tools gmail drive calendar

Note: Configure OAuth credentials before running. Supports environment variables, .env file, or client_secret.json.

Local Development Setup

🛠️ Developer Workflow _{^{← Install deps, lint, and test}}

# Install everything needed for linting, tests, and release tooling
uv sync --group dev

# Run the same linter that git hooks invoke automatically
uv run ruff check .

# Execute the full test suite (async fixtures require pytest-asyncio)
uv run pytest

uv sync --group test installs only the testing stack if you need a slimmer environment.
uv run main.py --transport streamable-http launches the server with your checked-out code for manual verification.
Ruff is part of the dev group because pre-push hooks call ruff check automatically—run it locally before committing to avoid hook failures.

OAuth 2.1 Support (Multi-User Bearer Token Authentication)

The server includes OAuth 2.1 support for bearer token authentication, enabling multi-user session management. OAuth 2.1 automatically reuses your existing GOOGLE_OAUTH_CLIENT_ID and GOOGLE_OAUTH_CLIENT_SECRET credentials - no additional configuration needed!

When to use OAuth 2.1:

Multiple users accessing the same MCP server instance
Need for bearer token authentication instead of passing user emails
Building web applications or APIs on top of the MCP server
Production environments requiring secure session management
Browser-based clients requiring CORS support

Enabling OAuth 2.1: To enable OAuth 2.1, set the MCP_ENABLE_OAUTH21 environment variable to true.

# OAuth 2.1 requires HTTP transport mode
export MCP_ENABLE_OAUTH21=true
uv run main.py --transport streamable-http

If MCP_ENABLE_OAUTH21 is not set to true, the server will use legacy authentication, which is suitable for clients that do not support OAuth 2.1.

🔐 How the FastMCP GoogleProvider handles OAuth _{^{← Advanced OAuth 2.1 details}}

FastMCP ships a native GoogleProvider that we now rely on directly. It solves the two tricky parts of using Google OAuth with MCP clients:

Dynamic Client Registration: Google still doesn't support OAuth 2.1 DCR, but the FastMCP provider exposes the full DCR surface and forwards registrations to Google using your fixed credentials. MCP clients register as usual and the provider hands them your Google client ID/secret under the hood.
CORS & Browser Compatibility: The provider includes an OAuth proxy that serves all discovery, authorization, and token endpoints with proper CORS headers. We no longer maintain custom /oauth2/* routes—the provider handles the upstream exchanges securely and advertises the correct metadata to clients.

The result is a leaner server that still enables any OAuth 2.1 compliant client (including browser-based ones) to authenticate through Google without bespoke code.

Stateless Mode (Container-Friendly)

The server supports a stateless mode designed for containerized environments where file system writes should be avoided:

Enabling Stateless Mode:

# Stateless mode requires OAuth 2.1 to be enabled
export MCP_ENABLE_OAUTH21=true
export WORKSPACE_MCP_STATELESS_MODE=true
uv run main.py --transport streamable-http

Key Features:

No file system writes: Credentials are never written to disk
No debug logs: File-based logging is completely disabled
Memory-only sessions: All tokens stored in memory via OAuth 2.1 session store
Container-ready: Perfect for Docker, Kubernetes, and serverless deployments
Token per request: Each request must include a valid Bearer token

Requirements:

Must be used with MCP_ENABLE_OAUTH21=true
Incompatible with single-user mode
Clients must handle OAuth flow and send valid tokens with each request

This mode is ideal for:

Cloud deployments where persistent storage is unavailable
Multi-tenant environments requiring strict isolation
Containerized applications with read-only filesystems
Serverless functions and ephemeral compute environments

MCP Inspector: No additional configuration needed with desktop OAuth client.

Claude Code Inspector: No additional configuration needed with desktop OAuth client.

External OAuth 2.1 Provider Mode

The server supports an external OAuth 2.1 provider mode for scenarios where authentication is handled by an external system. In this mode, the MCP server does not manage the OAuth flow itself but expects valid bearer tokens in the Authorization header of tool calls.

Enabling External OAuth 2.1 Provider Mode:

# External OAuth provider mode requires OAuth 2.1 to be enabled
export MCP_ENABLE_OAUTH21=true
export EXTERNAL_OAUTH21_PROVIDER=true
uv run main.py --transport streamable-http

How It Works:

Protocol-level auth disabled: MCP handshake (initialize) and tools/list do not require authentication
Tool-level auth required: All tool calls must include Authorization: Bearer <token> header
External OAuth flow: Your external system handles the OAuth flow and obtains Google access tokens
Token validation: Server validates bearer tokens via Google's tokeninfo API
Multi-user support: Each request is authenticated independently based on its bearer token

Key Features:

No local OAuth flow: Server does not provide OAuth callback endpoints or manage OAuth state
Bearer token only: All authentication via Authorization headers
Stateless by design: Works seamlessly with WORKSPACE_MCP_STATELESS_MODE=true
External identity providers: Integrate with your existing authentication infrastructure
Tool discovery: Clients can list available tools without authentication

Requirements:

Must be used with MCP_ENABLE_OAUTH21=true
OAuth credentials still required for token validation (GOOGLE_OAUTH_CLIENT_ID, GOOGLE_OAUTH_CLIENT_SECRET)
External system must obtain valid Google OAuth access tokens (ya29.*)
Each tool call request must include valid bearer token

Use Cases:

Integrating with existing authentication systems
Custom OAuth flows managed by your application
API gateways that handle authentication upstream
Multi-tenant SaaS applications with centralized auth
Mobile or web apps with their own OAuth implementation

VS Code MCP Client Support

🆚 VS Code Configuration _{^{← Setup for VS Code MCP extension}}

{
    "servers": {
        "google-workspace": {
            "url": "http://localhost:8000/mcp/",
            "type": "http"
        }
    }
}

Reverse Proxy Setup

If you're running the MCP server behind a reverse proxy (nginx, Apache, Cloudflare, etc.), you have two configuration options:

Problem: When behind a reverse proxy, the server constructs OAuth URLs using internal ports (e.g., http://localhost:8000) but external clients need the public URL (e.g., https://your-domain.com).

Solution 1: Set WORKSPACE_EXTERNAL_URL for all OAuth endpoints:

# This configures all OAuth endpoints to use your external URL
export WORKSPACE_EXTERNAL_URL="https://your-domain.com"

Solution 2: Set GOOGLE_OAUTH_REDIRECT_URI for just the callback:

# This only overrides the OAuth callback URL
export GOOGLE_OAUTH_REDIRECT_URI="https://your-domain.com/oauth2callback"

Important:

Use WORKSPACE_EXTERNAL_URL when all OAuth endpoints should use the external URL (recommended for reverse proxy setups)
Use GOOGLE_OAUTH_REDIRECT_URI when you only need to override the callback URL
The redirect URI must exactly match what's configured in your Google Cloud Console
Your reverse proxy must forward OAuth-related requests (/oauth2callback, /oauth2/*, /.well-known/*) to the MCP server

🚀 Advanced uvx Commands _{^{← More startup options}}

# Configure credentials first (see Credential Configuration section)

# Start with specific tools only
uvx workspace-mcp --tools gmail drive calendar tasks

# Start with tool tiers (recommended for most users)
uvx workspace-mcp --tool-tier core      # Essential tools
uvx workspace-mcp --tool-tier extended  # Core + additional features
uvx workspace-mcp --tool-tier complete  # All tools

# Start in HTTP mode for debugging
uvx workspace-mcp --transport streamable-http

Requires Python 3.10+ and uvx. The package is available on PyPI.

Development Installation

For development or customization:

git clone https://github.com/taylorwilsdon/google_workspace_mcp.git
cd google_workspace_mcp
uv run main.py

Development Installation (For Contributors):

🔧 Developer Setup JSON _{^{← For contributors & customization}}

{
  "mcpServers": {
    "google_workspace": {
      "command": "uv",
      "args": [
        "run",
        "--directory",
        "/path/to/repo/google_workspace_mcp",
        "main.py"
      ],
      "env": {
        "GOOGLE_OAUTH_CLIENT_ID": "your-client-id",
        "GOOGLE_OAUTH_CLIENT_SECRET": "your-secret",
        "OAUTHLIB_INSECURE_TRANSPORT": "1"
      }
    }
  }
}

HTTP Mode (For debugging or web interfaces)

If you need to use HTTP mode with Claude Desktop:

{
  "mcpServers": {
    "google_workspace": {
      "command": "npx",
      "args": ["mcp-remote", "http://localhost:8000/mcp"]
    }
  }
}

Note: Make sure to start the server with --transport streamable-http when using HTTP mode.

First-Time Authentication

The server uses Google Desktop OAuth for simplified authentication:

No redirect URIs needed: Desktop OAuth clients handle authentication without complex callback URLs
Automatic flow: The server manages the entire OAuth process transparently
Transport-agnostic: Works seamlessly in both stdio and HTTP modes

When calling a tool:

Server returns authorization URL
Open URL in browser and authorize
Google provides an authorization code
Paste the code when prompted (or it's handled automatically)
Server completes authentication and retries your request

◆ Development

Project Structure

google_workspace_mcp/
├── auth/              # Authentication system with decorators
├── core/              # MCP server and utilities
├── g{service}/        # Service-specific tools
├── main.py            # Server entry point
├── client_secret.json # OAuth credentials (not committed)
└── pyproject.toml     # Dependencies

Adding New Tools

from auth.service_decorator import require_google_service

@require_google_service("drive", "drive_read")  # Service + scope group
async def your_new_tool(service, param1: str, param2: int = 10):
    """Tool description"""
    # service is automatically injected and cached
    result = service.files().list().execute()
    return result  # Return native Python objects

Architecture Highlights

Service Caching: 30-minute TTL reduces authentication overhead
Scope Management: Centralized in SCOPE_GROUPS for easy maintenance
Error Handling: Native exceptions instead of manual error construction
Multi-Service Support: @require_multiple_services() for complex tools

Credential Store System

The server includes an abstract credential store API and a default backend for managing Google OAuth credentials with support for multiple storage backends:

Features:

Abstract Interface: CredentialStore base class defines standard operations (get, store, delete, list users)
Local File Storage: LocalDirectoryCredentialStore implementation stores credentials as JSON files
Configurable Storage: Environment variable GOOGLE_MCP_CREDENTIALS_DIR sets storage location
Multi-User Support: Store and manage credentials for multiple Google accounts
Automatic Directory Creation: Storage directory is created automatically if it doesn't exist

Configuration:

# Optional: Set custom credentials directory
export GOOGLE_MCP_CREDENTIALS_DIR="/path/to/credentials"

# Default locations (if GOOGLE_MCP_CREDENTIALS_DIR not set):
# - ~/.google_workspace_mcp/credentials (if home directory accessible)
# - ./.credentials (fallback)

Usage Example:

from auth.credential_store import get_credential_store

# Get the global credential store instance
store = get_credential_store()

# Store credentials for a user
store.store_credential("[email protected]", credentials)

# Retrieve credentials
creds = store.get_credential("[email protected]")

# List all users with stored credentials
users = store.list_users()

The credential store automatically handles credential serialization, expiry parsing, and provides error handling for storage operations.

⊠ Security

Credentials: Never commit .env, client_secret.json or the .credentials/ directory to source control!
OAuth Callback: Uses http://localhost:8000/oauth2callback for development (requires OAUTHLIB_INSECURE_TRANSPORT=1)
Transport-Aware Callbacks: Stdio mode starts a minimal HTTP server only for OAuth, ensuring callbacks work in all modes
Production: Use HTTPS & OAuth 2.1 and configure accordingly
Scope Minimization: Tools request only necessary permissions

≡ License

MIT License - see LICENSE file for details.

Validations: