Back to Overview

Google OAuth App Setup

Create a Google OAuth app to enable Google Login, Google Calendar sync, and Google Meet room creation.

Luka Breitig — Technical Product Builder & AI Developer
Luka Breitig

Technical Product Builder & AI Developer

Before you begin

  • A Google account (personal or Google Workspace)
  • A domain with HTTPS configured (Google rejects plain HTTP redirect URIs)
  • Tymeslot installed and running at your domain

By the end of this guide, you will have a single Google Cloud project configured for Google Login, Google Calendar sync, and Google Meet room creation.

One App, Three Features

A single Google Cloud project covers all three Google integrations in Tymeslot. You only need to go through this setup once.

  • Google Login — let users sign in with their Google account
  • Google Calendar — sync availability and create booking events automatically
  • Google Meet — auto-create Meet rooms for every booked meeting

Google Cloud Console (formerly called Google Developers Console) is where you create and manage this OAuth app. All three integrations draw from the same credentials.

1 Create a Google Cloud Project

  1. Go to console.cloud.google.com.
  2. Click [Select a project] in the top navigation bar, then click [New Project] in the dialog that opens.
  3. Enter a name — "Tymeslot" works well — and click [Create].
  4. After a few seconds, you are taken to the project dashboard. Confirm the project name appears in the top navigation bar before continuing.

Already have a Google Cloud project?

You can use an existing project. Select it from the [Select a project] picker and continue from Step 2. All steps below apply equally to new and existing projects.

2 Enable Required APIs

Navigate to [APIs & Services][Library] in the left sidebar. Search for and enable each API listed below. After clicking [Enable] on each, you are taken to its management page — a [Manage] button confirms it is active.

  • Google Calendar API

    Required for Calendar sync and for Meet room creation (Meet uses Calendar events).

  • Google People API

    Required for reading the user's name and profile photo on Google Login.

  • Google Meet API

    Only needed if you plan to use Google Meet room creation. Skip this if you are only setting up Google Login or Calendar sync.

Enable each API one at a time: search by name, click the result card, then click [Enable]. Return to the Library between each one.

3 Configure the OAuth Consent Screen

Navigate to [APIs & Services][OAuth consent screen]. This is the screen your users will see when they authorize access to their Google account.

  1. User Type: choose External unless your organization uses Google Workspace and you only want to allow sign-in from accounts within your organization. Click [Create].
  2. Fill in App name ("Tymeslot"), User support email, and Developer contact information.
  3. Under Authorized domains, add your domain (e.g., yourdomain.com).
  4. Click [Save and Continue] through the Scopes and Test users screens — Tymeslot requests the required scopes at runtime during the OAuth flow, so you do not need to pre-configure them here.
  5. Review the Summary page. Your consent screen is now saved.

App needs verification

If Google shows an "App needs verification" banner, your app is in testing mode. You can add up to 100 accounts under [Test users] so they can sign in during development. When you are ready to open login to everyone, click [Publish App] and complete Google's verification process. Apps requesting Calendar access receive additional scrutiny — provide a clear description of how you use the data.

4 Create OAuth Credentials

Navigate to [APIs & Services][Credentials][Create Credentials][OAuth 2.0 Client IDs].

  1. Application type: choose Web application.
  2. Name: "Tymeslot" (this label is internal; users do not see it).
  3. Under Authorized redirect URIs, click [Add URI] and enter:
    https://yourdomain.com/auth/google/callback
  4. Click [Create]. A dialog appears with your Client ID and Client Secret — copy both values now. You can view them again later from the Credentials list, but it is easy to lose track.

redirect_uri_mismatch error

If login fails with a redirect_uri_mismatch error, the callback URL registered in Google does not exactly match the one Tymeslot is sending. Copy the exact URL shown on Tymeslot's error page and add it to the [Authorized redirect URIs] list. The match is case-sensitive and includes the scheme (https://), port if any, and path with no trailing slash.

5 Configure Environment Variables

Add the following to your Tymeslot environment configuration and restart the server. 

# Enable Google Login
ENABLE_GOOGLE_AUTH=true

# OAuth credentials (from the dialog in Step 4)
GOOGLE_CLIENT_ID=123456789-abcdefg.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=GOCSPX-xxxxxxxxxxxxxxxx

# Random secret used to sign the OAuth state parameter
GOOGLE_STATE_SECRET=your-random-32-char-secret

Generate a secure state secret with: 

openssl rand -hex 32

ENABLE_GOOGLE_AUTH is optional for Calendar and Meet

Setting ENABLE_GOOGLE_AUTH=true enables the Google Login button on your sign-in page. You can omit this variable if you only want Google Calendar or Meet integration without offering Google as a sign-in method — the same credentials are used for all three.

Common Errors

"This app is blocked"

Your OAuth consent screen is in testing mode and the account trying to sign in is not in the [Test users] list. Add the user's Google account email under [APIs & Services][OAuth consent screen][Test users], or publish the app to remove the restriction entirely.

"Access blocked: Authorization Error"

This typically means the OAuth consent screen has not been saved, or required APIs have not been enabled. Return to Step 2 and confirm that each API shows a [Manage] button, then repeat Step 3.

Calendar sync fails after login succeeds

Calendar access uses an additional OAuth scope that is requested when a user connects Calendar from their settings, not at login time. If this step fails, confirm the Google Calendar API is enabled in the Library (Step 2) and that your domain is listed in the consent screen's Authorized domains.

Frequently Asked Questions

Google shows a 'This app isn't verified' warning — is that normal?

Yes, this is expected for self-hosted instances that have not gone through Google's verification process. Users can click [Advanced] and then [Go to (your app name) (unsafe)] to proceed. For a private or internal deployment this is acceptable. If you are running a public-facing instance, consider submitting for verification through the OAuth consent screen — apps requesting Calendar access receive additional scrutiny, so provide a clear description of how the data is used.

I added the redirect URI but Google still returns a redirect_uri_mismatch error — why?

The URI must match exactly: same scheme (https://), same domain, same path, and no trailing slash. Changes to authorized redirect URIs can also take a few minutes to propagate after saving. Wait a moment and try again, or open the Credentials page to confirm the URI was saved correctly.

Do I need to add test users on the OAuth consent screen?

Only if your app is in Testing publishing status. In Testing mode, only accounts explicitly listed under [Test users] can authorize the app — all others see a "This app is blocked" error. To open login to any Google account, click [Publish App] on the OAuth consent screen to switch to In production status.

What's the difference between the 'Internal' and 'External' user type?

Internal restricts sign-in to accounts within your Google Workspace organization. Users outside the organization cannot authorize the app at all. External allows any Google account to sign in, subject to your publishing status (Testing vs. In production). Choose Internal if you are deploying Tymeslot exclusively for your team and everyone has a Google Workspace account under your domain.

My Google OAuth credentials stopped working — what should I check?

Start with the [Credentials] page in Google Cloud Console and confirm the OAuth 2.0 client still exists and has not been deleted or regenerated. Next, check the [OAuth consent screen] to confirm the app is not in a restricted state. If your project had a billing issue or policy violation, Google may have suspended the project — check the [IAM & Admin][Settings] page for any project-level warnings.

Verification Checklist

Confirm each of the following after restarting Tymeslot:
  • A Sign in with Google button appears on the login page.
  • Clicking it redirects to Google's account picker, then back to Tymeslot without error.
  • Your name and profile photo from Google appear in your Tymeslot account.
  • A Google Calendar connection option is visible under DashboardSettingsIntegrations.
  • If using Meet: a Google Meet option is visible under the Video integrations section.

🔗 Related Articles

Read Microsoft Azure App Setup

Microsoft Azure App Setup

Register a Microsoft Azure app to enable Microsoft Login, Outlook Calendar sync, and Teams room creation.

Read GitHub Login Setup

GitHub Login Setup

Let users sign in with their GitHub account. A two-minute setup with no special API scopes required.

Read Generic SSO (OAuth / OIDC)

Generic SSO (OAuth / OIDC)

Connect any OAuth 2.0 / OpenID Connect identity provider for single sign-on. Supports Keycloak, Authentik, Lemonldap::NG, Okta, Azure AD, and more.