Google Workspace MCP Server

Full natural language control over Google Calendar, Drive, Gmail, Docs, Sheets, Slides, Forms, Tasks, Contacts, and Chat through all MCP clients, AI assistants and developer tools. Now includes a full featured CLI for use with tools like Claude Code and Codex!

The most feature-complete Google Workspace MCP server, with Remote OAuth2.1 multi-user support and 1-click Claude installation.

Support for all free Google accounts (Gmail, Docs, Drive etc) & Google Workspace plans (Starter, Standard, Plus, Enterprise, Non Profit) with expanded app options like Chat & Spaces.

Interested in a private, managed cloud instance? That can be arranged.

---

See it in action:

---

A quick plug for AI-Enhanced Docs

◆ But why?

This README was written with AI assistance, and here's why that matters

As a solo dev building open source tools, comprehensive documentation often wouldn't happen without AI help. Using agentic dev tools like Roo & Claude Code that understand the entire codebase, AI doesn't just regurgitate generic content - it extracts real implementation details and creates accurate, specific documentation.

In this case, Sonnet 4 took a pass & a human (me) verified them 2/16/26.

Overview

A production-ready MCP server that integrates all major Google Workspace services with AI assistants. It supports both single-user operation and multi-user authentication via OAuth 2.1, making it a powerful backend for custom applications. Built with FastMCP for optimal performance, featuring advanced authentication handling, service caching, and streamlined development patterns.

Simplified Setup: Now uses Google Desktop OAuth clients - no redirect URIs or port configuration needed!

Features

@ Gmail • ≡ Drive • ⧖ Calendar ≡ Docs

• Complete Gmail management, end to end coverage
• Full calendar management with advanced features
• File operations with Office format support
• Document creation, editing & comments
• Deep, exhaustive support for fine grained editing

---

≡ Forms • @ Chat • ≡ Sheets • ≡ Slides

• Form creation, publish settings & response management
• Space management & messaging capabilities
• Spreadsheet operations with flexible cell management
• Presentation creation, updates & content manipulation

---

◆ Apps Script

• Automate cross-application workflows with custom code
• Execute existing business logic and custom functions
• Manage script projects, deployments & versions
• Debug and modify Apps Script code programmatically
• Bridge Google Workspace services through automation

⊠ Authentication & Security

• Advanced OAuth 2.0 & OAuth 2.1 support
• Automatic token refresh & session management
• Transport-aware callback handling
• Multi-user bearer token authentication
• Innovative CORS proxy architecture

---

✓ Tasks • 👤 Contacts • ◆ Custom Search

• Task & task list management with hierarchy
• Contact management via People API with groups
• Programmable Search Engine (PSE) integration

---

Quick Start

Quick Reference Card - Essential commands & configs at a glance

Credentials

export GOOGLE_OAUTH_CLIENT_ID="..."
export GOOGLE_OAUTH_CLIENT_SECRET="..."

Full setup →

Launch Commands

uvx workspace-mcp --tool-tier core
uv run main.py --tools gmail drive

More options →

Tool Tiers

• core - Essential tools
• extended - Core + extras
• complete - Everything Details →

1. One-Click Claude Desktop Install (Recommended)

1. Download: Grab the latest google_workspace_mcp.dxt from the “Releases” page
2. Install: Double-click the file – Claude Desktop opens and prompts you to Install
3. Configure: In Claude Desktop → Settings → Extensions → Google Workspace MCP, paste your Google OAuth credentials
4. Use it: Start a new Claude chat and call any Google Workspace tool

Why DXT?

Desktop Extensions (.dxt) bundle the server, dependencies, and manifest so users go from download → working MCP in one click – no terminal, no JSON editing, no version conflicts.

Required Configuration

Environment Variables ← Click to configure in Claude Desktop

Required

Variable	Purpose
GOOGLE_OAUTH_CLIENT_ID	OAuth client ID from Google Cloud
GOOGLE_OAUTH_CLIENT_SECRET	OAuth client secret
OAUTHLIB_INSECURE_TRANSPORT=1	Development only (allows http:// redirect)

Optional

Variable	Purpose
USER_GOOGLE_EMAIL	Default email for single-user auth
GOOGLE_PSE_API_KEY	API key for Custom Search
GOOGLE_PSE_ENGINE_ID	Search Engine ID for Custom Search
MCP_ENABLE_OAUTH21	Set to true for OAuth 2.1 support
EXTERNAL_OAUTH21_PROVIDER	Set to true for external OAuth flow with bearer tokens (requires OAuth 2.1)
WORKSPACE_MCP_STATELESS_MODE	Set to true for stateless operation (requires OAuth 2.1)

Claude Desktop stores these securely in the OS keychain; set them once in the extension pane.

---

---

Prerequisites

• Python 3.10+
• uvx (for instant installation) or uv (for development)
• Google Cloud Project with OAuth 2.0 credentials

Configuration

Google Cloud Setup ← OAuth 2.0 credentials & API enablement

1. Create Project

console.cloud.google.com

→ Create new project
→ Note project name

Open Console →

2. OAuth Credentials

APIs & Services → Credentials
→ Create Credentials
→ OAuth Client ID
→ Desktop Application

Download & save credentials

3. Enable APIs

APIs & Services → Library

Search & enable:
Calendar, Drive, Gmail,
Docs, Sheets, Slides,
Forms, Tasks, People,
Chat, Search

See quick links below

OAuth Credential Setup Guide ← Step-by-step instructions

Complete Setup Process:

1. Create OAuth 2.0 Credentials - Visit Google Cloud Console

   • Create a new project (or use existing)
   • Navigate to APIs & Services → Credentials
   • Click Create Credentials → OAuth Client ID
   • Choose Desktop Application as the application type (no redirect URIs needed!)
   • Download credentials and note the Client ID and Client Secret

2. Enable Required APIs - In APIs & Services → Library

   • Search for and enable each required API
   • Or use the quick links below for one-click enabling

3. Configure Environment - Set your credentials:

   export GOOGLE_OAUTH_CLIENT_ID="your-client-id"
   export GOOGLE_OAUTH_CLIENT_SECRET="your-secret"
   

Full Documentation →

Quick API Enable Links ← One-click enable each Google API You can enable each one by clicking the links below (make sure you're logged into the Google Cloud Console and have the correct project selected):

• Enable Google Calendar API
• Enable Google Drive API
• Enable Gmail API
• Enable Google Docs API
• Enable Google Sheets API
• Enable Google Slides API
• Enable Google Forms API
• Enable Google Tasks API
• Enable Google Chat API
• Enable Google People API
• Enable Google Custom Search API
• Enable Google Apps Script API

1.1. Credentials: See Credential Configuration for detailed setup options

2. Environment Configuration:

◆ Environment Variables ← Configure your runtime environment

◆ Development Mode

export OAUTHLIB_INSECURE_TRANSPORT=1

Allows HTTP redirect URIs

@ Default User

export USER_GOOGLE_EMAIL=\
  your.email@gmail.com

Single-user authentication

◆ Custom Search

export GOOGLE_PSE_API_KEY=xxx
export GOOGLE_PSE_ENGINE_ID=yyy

Optional: Search API setup

3. Server Configuration:

◆ Server Settings ← Customize ports, URIs & proxies

◆ Base Configuration

export WORKSPACE_MCP_BASE_URI=
  http://localhost
export WORKSPACE_MCP_PORT=8000
export WORKSPACE_MCP_HOST=0.0.0.0  # Use 127.0.0.1 for localhost-only

Server URL & port settings

↻ Proxy Support

export MCP_ENABLE_OAUTH21=
  true

Leverage multi-user OAuth2.1 clients

@ Default Email

export USER_GOOGLE_EMAIL=\
  your.email@gmail.com

Skip email in auth flows in single user mode

≡ Configuration Details ← Learn more about each setting

Variable	Description	Default
WORKSPACE_MCP_BASE_URI	Base server URI (no port)	http://localhost
WORKSPACE_MCP_PORT	Server listening port	8000
WORKSPACE_MCP_HOST	Server bind host	0.0.0.0
WORKSPACE_EXTERNAL_URL	External URL for reverse proxy setups	None
WORKSPACE_ATTACHMENT_DIR	Directory for downloaded attachments	~/.workspace-mcp/attachments/
GOOGLE_OAUTH_REDIRECT_URI	Override OAuth callback URL	Auto-constructed
USER_GOOGLE_EMAIL	Default auth email	None

Google Custom Search Setup

◆ Custom Search Configuration ← Enable web search capabilities

1. Create Search Engine

programmablesearchengine.google.com
/controlpanel/create

→ Configure sites or entire web
→ Note your Engine ID (cx)

Open Control Panel →

2. Get API Key

developers.google.com
/custom-search/v1/overview

→ Create/select project
→ Enable Custom Search API
→ Create credentials (API Key)

Get API Key →

3. Set Variables

export GOOGLE_PSE_API_KEY=\
  "your-api-key"
export GOOGLE_PSE_ENGINE_ID=\
  "your-engine-id"

Configure in environment

≡ Quick Setup Guide ← Step-by-step instructions

Complete Setup Process:

1. Create Search Engine - Visit the Control Panel

   • Choose "Search the entire web" or specify sites
   • Copy the Search Engine ID (looks like: 017643444788157684527:6ivsjbpxpqw)

2. Enable API & Get Key - Visit Google Developers Console

   • Enable "Custom Search API" in your project
   • Create credentials → API Key
   • Restrict key to Custom Search API (recommended)

3. Configure Environment - Add to your shell or .env:

   export GOOGLE_PSE_API_KEY="AIzaSy..."
   export GOOGLE_PSE_ENGINE_ID="01764344478..."
   

≡ Full Documentation →

Start the Server

📌 Transport Mode Guidance: Use streamable HTTP mode (--transport streamable-http) for all modern MCP clients including Claude Code, VS Code MCP, and MCP Inspector. Stdio mode is only for clients with incomplete MCP specification support.

▶ Launch Commands ← Choose your startup mode

▶ Legacy Mode

uv run main.py

⚠️ Stdio mode (incomplete MCP clients only)

◆ HTTP Mode (Recommended)

uv run main.py \
  --transport streamable-http

✅ Full MCP spec compliance & OAuth 2.1

@ Single User

uv run main.py \
  --single-user

Simplified authentication ⚠️ Cannot be used with OAuth 2.1 mode

◆ Advanced Options ← Tool selection, tiers & Docker

▶ Selective Tool Loading

# Load specific services only
uv run main.py --tools gmail drive calendar
uv run main.py --tools sheets docs

# Combine with other flags
uv run main.py --single-user --tools gmail

🔒 Read-Only Mode

# Requests only read-only scopes & disables write tools
uv run main.py --read-only

# Combine with specific tools or tiers
uv run main.py --tools gmail drive --read-only
uv run main.py --tool-tier core --read-only

Read-only mode provides secure, restricted access by:

• Requesting only *.readonly OAuth scopes (e.g., gmail.readonly, drive.readonly)
• Automatically filtering out tools that require write permissions at startup
• Allowing read operations: list, get, search, and export across all services

★ Tool Tiers

uv run main.py --tool-tier core      # ● Essential tools only
uv run main.py --tool-tier extended  # ◐ Core + additional
uv run main.py --tool-tier complete  # ○ All available tools

◆ Docker Deployment

docker build -t workspace-mcp .
docker run -p 8000:8000 -v $(pwd):/app \
  workspace-mcp --transport streamable-http

# With tool selection via environment variables
docker run -e TOOL_TIER=core workspace-mcp
docker run -e TOOLS="gmail drive calendar" workspace-mcp

Available Services: gmail • drive • calendar • docs • sheets • forms • tasks • contacts • chat • search

CLI Mode

The server supports a CLI mode for direct tool invocation without running the full MCP server. This is ideal for scripting, automation, and use by coding agents (Codex, Claude Code).

▶ CLI Commands ← Direct tool execution from command line

▶ List Tools

workspace-mcp --cli
workspace-mcp --cli list
workspace-mcp --cli list --json

View all available tools

◆ Tool Help

workspace-mcp --cli search_gmail_messages --help

Show parameters and documentation

▶ Run with Arguments

workspace-mcp --cli search_gmail_messages \
  --args '{"query": "is:unread"}'

Execute tool with inline JSON

◆ Pipe from Stdin

echo '{"query": "is:unread"}' | \
  workspace-mcp --cli search_gmail_messages

Pass arguments via stdin

≡ CLI Usage Details ← Complete reference

Command Structure:

workspace-mcp --cli [command] [options]

Commands:

Command	Description
list (default)	List all available tools
``	Execute the specified tool
--help	Show detailed help for a tool

Options:

Option	Description
--args, -a	JSON string with tool arguments
--json, -j	Output in JSON format (for list command)
--help, -h	Show help for a tool

Examples:

# List all Gmail tools
workspace-mcp --cli list | grep gmail

# Search for unread emails
workspace-mcp --cli search_gmail_messages --args '{"query": "is:unread", "max_results": 5}'

# Get calendar events for today
workspace-mcp --cli get_events --args '{"calendar_id": "primary", "time_min": "2024-01-15T00:00:00Z"}'

# Create a Drive file from a URL
workspace-mcp --cli create_drive_file --args '{"name": "doc.pdf", "source_url": "https://example.com/file.pdf"}'

# Combine with jq for processing
workspace-mcp --cli list --json | jq '.tools[] | select(.name | contains("gmail"))'

Notes:

• CLI mode uses OAuth 2.0 (same credentials as server mode)
• Authentication flows work the same way - browser opens for first-time auth
• Results are printed to stdout; errors go to stderr
• Exit code 0 on success, 1 on error

Tool Tiers

The server organizes tools into three progressive tiers for simplified deployment. Choose a tier that matches your usage needs and API quota requirements.

Available Tiers

● Core (--tool-tier core) Essential tools for everyday tasks. Perfect for light usage with minimal API quotas. Includes search, read, create, and basic modify operations across all services.

● Extended (--tool-tier extended) Core functionality plus management tools. Adds labels, folders, batch operations, and advanced search. Ideal for regular usage with moderate API needs.

● Complete (--tool-tier complete) Full API access including comments, headers/footers, publishing settings, and administrative functions. For power users needing maximum functionality.

Important Notes

▶ Start with core and upgrade as needed ▶ Tiers are cumulative – each includes all previous ▶ Mix and match with --tools for specific services ▶ Configuration in core/tool_tiers.yaml ▶ Authentication included in all tiers

Usage Examples

# Basic tier selection
uv run main.py --tool-tier core                            # Start with essential tools only
uv run main.py --tool-tier extended                        # Expand to include management features
uv run main.py --tool-tier complete                        # Enable all available functionality

# Selective service loading with tiers
uv run main.py --tools gmail drive --tool-tier core        # Core tools for specific services
uv run main.py --tools gmail --tool-tier extended          # Extended Gmail functionality only
uv run main.py --tools docs sheets --tool-tier complete    # Full access to Docs and Sheets

📋 Credential Configuration

🔑 OAuth Credentials Setup ← Essential for all installations

🚀 Environment Variables

export GOOGLE_OAUTH_CLIENT_ID=\
  "your-client-id"
export GOOGLE_OAUTH_CLIENT_SECRET=\
  "your-secret"

Best for production

📁 File-based

# Download & place in project root
client_secret.json

# Or specify custom path
export GOOGLE_CLIENT_SECRET_PATH=\
  /path/to/secret.json

Traditional method

⚡ .env File

cp .env.oauth21 .env
# Edit .env with credentials

Best for development

📖 Credential Loading Details ← Understanding priority & best practices

Loading Priority

1. Environment variables (export VAR=value)
2. .env file in project root (warning - if you run via uvx rather than uv run from the repo directory, you are spawning a standalone process not associated with your clone of the repo and it will not find your .env file without specifying it directly)
3. client_secret.json via GOOGLE_CLIENT_SECRET_PATH
4. Default client_secret.json in project root

Why Environment Variables?

• ✅ Docker/K8s ready - Native container support
• ✅ Cloud platforms - Heroku, Railway, Vercel
• ✅ CI/CD pipelines - GitHub Actions, Jenkins
• ✅ No secrets in git - Keep credentials secure
• ✅ Easy rotation - Update without code changes

---

🧰 Available Tools

Note: All tools support automatic authentication via @require_google_service() decorators with 30-minute service caching.

📅 Google Calendar calendar_tools.py

Tool	Tier	Description
list_calendars	Core	List accessible calendars
get_events	Core	Retrieve events with time range filtering
create_event	Core	Create events with attachments & reminders
modify_event	Core	Update existing events
delete_event	Extended	Remove events

📁 Google Drive drive_tools.py

Tool	Tier	Description
search_drive_files	Core	Search files with query syntax
get_drive_file_content	Core	Read file content (Office formats)
get_drive_file_download_url	Core	Download Drive files to local disk
create_drive_file	Core	Create files or fetch from URLs
create_drive_folder	Core	Create empty folders in Drive or shared drives
import_to_google_doc	Core	Import files (MD, DOCX, HTML, etc.) as Google Docs
share_drive_file	Core	Share file with users/groups/domains/anyone
get_drive_shareable_link	Core	Get shareable links for a file
list_drive_items	Extended	List folder contents
copy_drive_file	Extended	Copy existing files (templates) with optional renaming
update_drive_file	Extended	Update file metadata, move between folders
batch_share_drive_file	Extended	Share file with multiple recipients
update_drive_permission	Extended	Modify permission role
remove_drive_permission	Extended	Revoke file access
transfer_drive_ownership	Extended	Transfer file ownership to another user
set_drive_file_permissions	Extended	Set link sharing and file-level sharing settings
get_drive_file_permissions	Complete	Get detailed file permissions
check_drive_file_public_access	Complete	Check public sharing status

📧 Gmail gmail_tools.py

Tool	Tier	Description
search_gmail_messages	Core	Search with Gmail operators
get_gmail_message_content	Core	Retrieve message content
get_gmail_messages_content_batch	Core	Batch retrieve message content
send_gmail_message	Core	Send emails
get_gmail_thread_content	Extended	Get full thread content
modify_gmail_message_labels	Extended	Modify message labels
list_gmail_labels	Extended	List available labels
manage_gmail_label	Extended	Create/update/delete labels
draft_gmail_message	Extended	Create drafts
get_gmail_threads_content_batch	Complete	Batch retrieve thread content
batch_modify_gmail_message_labels	Complete	Batch modify labels
start_google_auth	Complete	Legacy OAuth 2.0 auth (disabled when OAuth 2.1 is enabled)

📎 Email Attachments ← Send emails with files

Both send_gmail_message and draft_gmail_message support attachments via two methods:

Option 1: File Path (local server only)

attachments=[{"path": "/path/to/report.pdf"}]

Reads file from disk, auto-detects MIME type. Optional filename override.

Option 2: Base64 Content (works everywhere)

attachments=[{
    "filename": "report.pdf",
    "content": "JVBERi0xLjQK...",  # base64-encoded
    "mime_type": "application/pdf"   # optional
}]

⚠️ Centrally Hosted Servers: When the MCP server runs remotely (cloud, shared instance), it cannot access your local filesystem. Use Option 2 with base64-encoded content. Your MCP client must encode files before sending.

📥 Downloaded Attachment Storage ← Where downloaded files are saved

When downloading Gmail attachments (get_gmail_attachment_content) or Drive files (get_drive_file_download_url), files are saved to a persistent local directory rather than a temporary folder in the working directory.

Default location: ~/.workspace-mcp/attachments/

Files are saved with their original filename plus a short UUID suffix for uniqueness (e.g., invoice_a1b2c3d4.pdf). In stdio mode, the tool returns the absolute file path for direct filesystem access. In HTTP mode, it returns a download URL via the /attachments/{file_id} endpoint.

To customize the storage directory:

export WORKSPACE_ATTACHMENT_DIR="/path/to/custom/dir"

Saved files expire after 1 hour and are cleaned up automatically.

📝 Google Docs docs_tools.py

Tool	Tier	Description
get_doc_content	Core	Extract document text
create_doc	Core	Create new documents
modify_doc_text	Core	Modify document text (formatting + links)
search_docs	Extended	Find documents by name
find_and_replace_doc	Extended	Find and replace text
list_docs_in_folder	Extended	List docs in folder
insert_doc_elements	Extended	Add tables, lists, page breaks
update_paragraph_style	Extended	Apply heading styles, lists (bulleted/numbered with nesting), and paragraph formatting
get_doc_as_markdown	Extended	Export document as formatted Markdown with optional comments
insert_doc_image	Complete	Insert images from Drive/URLs
update_doc_headers_footers	Complete	Modify headers and footers
batch_update_doc	Complete	Execute multiple operations
inspect_doc_structure	Complete	Analyze document structure
export_doc_to_pdf	Extended	Export document to PDF
create_table_with_data	Complete	Create data tables
debug_table_structure	Complete	Debug table issues
*_document_comments	Complete	Read, Reply, Create, Resolve

📊 Google Sheets sheets_tools.py

Tool	Tier	Description
read_sheet_values	Core	Read cell ranges
modify_sheet_values	Core	Write/update/clear cells
create_spreadsheet	Core	Create new spreadsheets
list_spreadsheets	Extended	List accessible spreadsheets
get_spreadsheet_info	Extended	Get spreadsheet metadata
format_sheet_range	Extended	Apply colors, number formats, text wrapping, alignment, bold/italic, font size
create_sheet	Complete	Add sheets to existing files
*_sheet_comment	Complete	Read/create/reply/resolve comments

🖼️ Google Slides slides_tools.py

Tool	Tier	Description
create_presentation	Core	Create new presentations
get_presentation	Core	Retrieve presentation details
batch_update_presentation	Extended	Apply multiple updates
get_page	Extended	Get specific slide information
get_page_thumbnail	Extended	Generate slide thumbnails
*_presentation_comment	Complete	Read/create/reply/resolve comments

📝 Google Forms forms_tools.py

Tool	Tier	Description
create_form	Core	Create new forms
get_form	Core	Retrieve form details & URLs
set_publish_settings	Complete	Configure form settings
get_form_response	Complete	Get individual responses
list_form_responses	Extended	List all responses with pagination
batch_update_form	Complete	Apply batch updates (questions, settings)

✓ Google Tasks tasks_tools.py

Tool	Tier	Description
list_tasks	Core	List tasks with filtering
get_task	Core	Retrieve task details
create_task	Core	Create tasks with hierarchy
update_task	Core	Modify task properties
delete_task	Extended	Remove tasks
move_task	Complete	Reposition tasks
clear_completed_tasks	Complete	Hide completed tasks
*_task_list	Complete	List/get/create/update/delete task lists

👤 Google Contacts contacts_tools.py

Tool	Tier	Description
search_contacts	Core	Search contacts by name, email, phone
get_contact	Core	Retrieve detailed contact info
list_contacts	Core	List contacts with pagination
create_contact	Core	Create new contacts
update_contact	Extended	Update existing contacts
delete_contact	Extended	Delete contacts
list_contact_groups	Extended	List contact groups/labels
get_contact_group	Extended	Get group details with members
batch_*_contacts	Complete	Batch create/update/delete contacts
*_contact_group	Complete	Create/update/delete contact groups
modify_contact_group_members	Complete	Add/remove contacts from groups

💬 Google Chat chat_tools.py

Tool	Tier	Description
list_spaces	Extended	List chat spaces/rooms
get_messages	Core	Retrieve space messages
send_message	Core	Send messages to spaces
search_messages	Core	Search across chat history
create_reaction	Core	Add emoji reaction to a message
download_chat_attachment	Extended	Download attachment from a chat message

🔍 Google Custom Search search_tools.py

Tool	Tier	Description
search_custom	Core	Perform web searches
get_search_engine_info	Complete	Retrieve search engine metadata
search_custom_siterestrict	Extended	Search within specific domains

Google Apps Script apps_script_tools.py

Tool	Tier	Description
list_script_projects	Core	List accessible Apps Script projects
get_script_project	Core	Get complete project with all files
get_script_content	Core	Retrieve specific file content
create_script_project	Core	Create new standalone or bound project
update_script_content	Core	Update or create script files
run_script_function	Core	Execute function with parameters
create_deployment	Extended	Create new script deployment
list_deployments	Extended	List all project deployments
update_deployment	Extended	Update deployment configuration
delete_deployment	Extended	Remove deployment
list_script_processes	Extended	View recent executions and status

Tool Tier Legend:

• • Core: Essential tools for basic functionality • Minimal API usage • Getting started
• • Extended: Core tools + additional features • Regular usage • Expanded capabilities
• • Complete: All available tools including advanced features • Power users • Full API access

---

Connect to Claude Desktop

The server supports two transport modes:

Stdio Mode (Legacy - For Clients with Incomplete MCP Support)

⚠️ Important: Stdio mode is a legacy fallback for clients that don't properly implement the MCP specification with OAuth 2.1 and streamable HTTP support. Claude Code and other modern MCP clients should use streamable HTTP mode (--transport streamable-http) for proper OAuth flow and multi-user support.

In general, you should use the one-click DXT installer package for Claude Desktop. If you are unable to for some reason, you can configure it manually via claude_desktop_config.json

Manual Claude Configuration (Alternative)

📝 Claude Desktop JSON Config ← Click for manual setup instructions

1. Open Claude Desktop Settings → Developer → Edit Config

   • macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
   • Windows: %APPDATA%\Claude\claude_desktop_config.json

2. Add the server configuration:

{
  "mcpServers": {
    "google_workspace": {
      "command": "uvx",
      "args": ["workspace-mcp"],
      "env": {
        "GOOGLE_OAUTH_CLIENT_ID": "your-client-id",
        "GOOGLE_OAUTH_CLIENT_SECRET": "your-secret",
        "OAUTHLIB_INSECURE_TRANSPORT": "1"
      }
    }
  }
}

Connect to LM Studio

Add a new MCP server in LM Studio (Settings → MCP Servers) using the same JSON format:

{
  "mcpServers": {
    "google_workspace": {
      "command": "uvx",
      "args": ["workspace-mcp"],
      "env": {
        "GOOGLE_OAUTH_CLIENT_ID": "your-client-id",
        "GOOGLE_OAUTH_CLIENT_SECRET": "your-secret",
        "OAUTHLIB_INSECURE_TRANSPORT": "1",
      }
    }
  }
}

2. Advanced / Cross-Platform Installation

If you’re developing, deploying to servers, or using another MCP-capable client, keep reading.

Instant CLI (uvx)

⚡ Quick Start with uvx ← No installation required!

# Requires Python 3.10+ and uvx
# First, set credentials (see Credential Configuration above)
uvx workspace-mcp --tool-tier core  # or --tools gmail drive calendar

Note: Configure OAuth credentials before running. Supports environment variables, .env file, or client_secret.json.

Local Development Setup

🛠️ Developer Workflow ← Install deps, lint, and test

# Install everything needed for linting, tests, and release tooling
uv sync --group dev

# Run the same linter that git hooks invoke automatically
uv run ruff check .

# Execute the full test suite (async fixtures require pytest-asyncio)
uv run pytest

• uv sync --group test installs only the testing stack if you need a slimmer environment.
• uv run main.py --transport streamable-http launches the server with your checked-out code for manual verification.
• Ruff is part of the dev group because pre-push hooks call ruff check automatically—run it locally before committing to avoid hook failures.

OAuth 2.1 Support (Multi-User Bearer Token Authentication)

The server includes OAuth 2.1 support for bearer token authentication, enabling multi-user session management. OAuth 2.1 automatically reuses your existing GOOGLE_OAUTH_CLIENT_ID and GOOGLE_OAUTH_CLIENT_SECRET credentials - no additional configuration needed!

When to use OAuth 2.1:

• Multiple users accessing the same MCP server instance
• Need for bearer token authentication instead of passing user emails
• Building web applications or APIs on top of the MCP server
• Production environments requiring secure session management
• Browser-based clients requiring CORS support

⚠️ Important: OAuth 2.1 and Single-User Mode are mutually exclusive

OAuth 2.1 mode (MCP_ENABLE_OAUTH21=true) cannot be used together with the --single-user flag:

• Single-user mode: For legacy clients that pass user emails in tool calls
• OAuth 2.1 mode: For modern multi-user scenarios with bearer token authentication

Choose one authentication method - using both will result in a startup error.

Enabling OAuth 2.1: To enable OAuth 2.1, set the MCP_ENABLE_OAUTH21 environment variable to true.

# OAuth 2.1 requires HTTP transport mode
export MCP_ENABLE_OAUTH21=true
uv run main.py --transport streamable-http

If MCP_ENABLE_OAUTH21 is not set to true, the server will use legacy authentication, which is suitable for clients that do not support OAuth 2.1.

🔐 How the FastMCP GoogleProvider handles OAuth ← Advanced OAuth 2.1 details

FastMCP ships a native GoogleProvider that we now rely on directly. It solves the two tricky parts of using Google OAuth with MCP clients:

1. Dynamic Client Registration: Google still doesn't support OAuth 2.1 DCR, but the FastMCP provider exposes the full DCR surface and forwards registrations to Google using your fixed credentials. MCP clients register as usual and the provider hands them your Google client ID/secret under the hood.

2. CORS & Browser Compatibility: The provider includes an OAuth proxy that serves all discovery, authorization, and token endpoints with proper CORS headers. We no longer maintain custom /oauth2/* routes—the provider handles the upstream exchanges securely and advertises the correct metadata to clients.

The result is a leaner server that still enables any OAuth 2.1 compliant client (including browser-based ones) to authenticate through Google without bespoke code.

Stateless Mode (Container-Friendly)

The server supports a stateless mode designed for containerized environments where file system writes should be avoided:

Enabling Stateless Mode:

# Stateless mode requires OAuth 2.1 to be enabled
export MCP_ENABLE_OAUTH21=true
export WORKSPACE_MCP_STATELESS_MODE=true
uv run main.py --transport streamable-http

Key Features:

• No file system writes: Credentials are never written to disk
• No debug logs: File-based logging is completely disabled
• Memory-only sessions: All tokens stored in memory via OAuth 2.1 session store
• Container-ready: Perfect for Docker, Kubernetes, and serverless deployments
• Token per request: Each request must include a valid Bearer token

Requirements:

• Must be used with MCP_ENABLE_OAUTH21=true
• Incompatible with single-user mode
• Clients must handle OAuth flow and send valid tokens with each request

This mode is ideal for:

• Cloud deployments where persistent storage is unavailable
• Multi-tenant environments requiring strict isolation
• Containerized applications with read-only filesystems
• Serverless functions and ephemeral compute environments

MCP Inspector: No additional configuration needed with desktop OAuth client.

Claude Code: No additional configuration needed with desktop OAuth client.

OAuth Proxy Storage Backends

The server supports pluggable storage backends for OAuth proxy state management via FastMCP 2.13.0+. Choose a backend based on your deployment needs.

Available Backends:

Backend	Best For	Persistence	Multi-Server
Memory	Development, testing	❌	❌
Disk	Single-server production	✅	❌
Valkey/Redis	Distributed production	✅	✅

Configuration:

# Memory storage (fast, no persistence)
export WORKSPACE_MCP_OAUTH_PROXY_STORAGE_BACKEND=memory

# Disk storage (persists across restarts)
export WORKSPACE_MCP_OAUTH_PROXY_STORAGE_BACKEND=disk
export WORKSPACE_MCP_OAUTH_PROXY_DISK_DIRECTORY=~/.fastmcp/oauth-proxy

# Valkey/Redis storage (distributed, multi-server)
export WORKSPACE_MCP_OAUTH_PROXY_STORAGE_BACKEND=valkey
export WORKSPACE_MCP_OAUTH_PROXY_VALKEY_HOST=redis.example.com
export WORKSPACE_MCP_OAUTH_PROXY_VALKEY_PORT=6379

Valkey support is optional. Install workspace-mcp[valkey] (or py-key-value-aio[valkey]) only if you enable the Valkey backend. Windows: building valkey-glide from source requires MSVC C++ build tools with C11 support. If you see aws-lc-sys C11 errors, set CFLAGS=/std:c11.

🔐 Valkey/Redis Configuration Options

Variable	Default	Description
WORKSPACE_MCP_OAUTH_PROXY_VALKEY_HOST	localhost	Valkey/Redis host
WORKSPACE_MCP_OAUTH_PROXY_VALKEY_PORT	6379	Port (6380 auto-enables TLS)
WORKSPACE_MCP_OAUTH_PROXY_VALKEY_DB	0	Database number
WORKSPACE_MCP_OAUTH_PROXY_VALKEY_USE_TLS	auto	Enable TLS (auto if port 6380)
WORKSPACE_MCP_OAUTH_PROXY_VALKEY_USERNAME	-	Authentication username
WORKSPACE_MCP_OAUTH_PROXY_VALKEY_PASSWORD	-	Authentication password
WORKSPACE_MCP_OAUTH_PROXY_VALKEY_REQUEST_TIMEOUT_MS	5000	Request timeout for remote hosts
WORKSPACE_MCP_OAUTH_PROXY_VALKEY_CONNECTION_TIMEOUT_MS	10000	Connection timeout for remote hosts

Encryption: Disk and Valkey storage are encrypted with Fernet. The encryption key is derived from FASTMCP_SERVER_AUTH_GOOGLE_JWT_SIGNING_KEY if set, otherwise from GOOGLE_OAUTH_CLIENT_SECRET.

External OAuth 2.1 Provider Mode

The server supports an external OAuth 2.1 provider mode for scenarios where authentication is handled by an external system. In this mode, the MCP server does not manage the OAuth flow itself but expects valid bearer tokens in the Authorization header of tool calls.

Enabling External OAuth 2.1 Provider Mode:

# External OAuth provider mode requires OAuth 2.1 to be enabled
export MCP_ENABLE_OAUTH21=true
export EXTERNAL_OAUTH21_PROVIDER=true
uv run main.py --transport streamable-http

How It Works:

• Protocol-level auth disabled: MCP handshake (initialize) and tools/list do not require authentication
• Tool-level auth required: All tool calls must include Authorization: Bearer header
• External OAuth flow: Your external system handles the OAuth flow and obtains Google access tokens
• Token validation: Server validates bearer tokens via Google's tokeninfo API
• Multi-user support: Each request is authenticated independently based on its bearer token

Key Features:

• No local OAuth flow: Server does not provide OAuth callback endpoints or manage OAuth state
• Bearer token only: All authentication via Authorization headers
• Stateless by design: Works seamlessly with WORKSPACE_MCP_STATELESS_MODE=true
• External identity providers: Integrate with your existing authentication infrastructure
• Tool discovery: Clients can list available tools without authentication

Requirements:

• Must be used with MCP_ENABLE_OAUTH21=true
• OAuth credentials still required for token validation (GOOGLE_OAUTH_CLIENT_ID, GOOGLE_OAUTH_CLIENT_SECRET)
• External system must obtain valid Google OAuth access tokens (ya29.*)
• Each tool call request must include valid bearer token

Use Cases:

• Integrating with existing authentication systems
• Custom OAuth flows managed by your application
• API gateways that handle authentication upstream
• Multi-tenant SaaS applications with centralized auth
• Mobile or web apps with their own OAuth implementation

VS Code MCP Client Support

✅ Recommended: VS Code MCP extension properly supports the full MCP specification. Always use HTTP transport mode for proper OAuth 2.1 authentication.

🆚 VS Code Configuration ← Setup for VS Code MCP extension

{
    "servers": {
        "google-workspace": {
            "url": "http://localhost:8000/mcp/",
            "type": "http"
        }
    }
}

Note: Make sure to start the server with --transport streamable-http when using VS Code MCP.

Claude Code MCP Client Support

✅ Recommended: Claude Code is a modern MCP client that properly supports the full MCP specification. Always use HTTP transport mode with Claude Code for proper OAuth 2.1 authentication and multi-user support.

🆚 Claude Code Configuration ← Setup for Claude Code MCP support

# Start the server in HTTP mode first
uv run main.py --transport streamable-http

# Then add to Claude Code
claude mcp add --transport http workspace-mcp http://localhost:8000/mcp

Reverse Proxy Setup

If you're running the MCP server behind a reverse proxy (nginx, Apache, Cloudflare, etc.), you have two configuration options:

Problem: When behind a reverse proxy, the server constructs OAuth URLs using internal ports (e.g., http://localhost:8000) but external clients need the public URL (e.g., https://your-domain.com).

Solution 1: Set WORKSPACE_EXTERNAL_URL for all OAuth endpoints:

# This configures all OAuth endpoints to use your external URL
export WORKSPACE_EXTERNAL_URL="https://your-domain.com"

Solution 2: Set GOOGLE_OAUTH_REDIRECT_URI for just the callback:

# This only overrides the OAuth callback URL
export GOOGLE_OAUTH_REDIRECT_URI="https://your-domain.com/oauth2callback"

You also have options for: | OAUTH_CUSTOM_REDIRECT_URIS (optional) | Comma-separated list of additional redirect URIs | | OAUTH_ALLOWED_ORIGINS (optional) | Comma-separated list of additional CORS origins |

Important:

• Use WORKSPACE_EXTERNAL_URL when all OAuth endpoints should use the external URL (recommended for reverse proxy setups)
• Use GOOGLE_OAUTH_REDIRECT_URI when you only need to override the callback URL
• The redirect URI must exactly match what's configured in your Google Cloud Console
• Your reverse proxy must forward OAuth-related requests (/oauth2callback, /oauth2/*, /.well-known/*) to the MCP server

🚀 Advanced uvx Commands ← More startup options

# Configure credentials first (see Credential Configuration section)

# Start with specific tools only
uvx workspace-mcp --tools gmail drive calendar tasks

# Start with tool tiers (recommended for most users)
uvx workspace-mcp --tool-tier core      # Essential tools
uvx workspace-mcp --tool-tier extended  # Core + additional features
uvx workspace-mcp --tool-tier complete  # All tools

# Start in HTTP mode for debugging
uvx workspace-mcp --transport streamable-http

Requires Python 3.10+ and uvx. The package is available on PyPI.

Development Installation

For development or customization:

git clone https://github.com/taylorwilsdon/google_workspace_mcp.git
cd google_workspace_mcp
uv run main.py

Development Installation (For Contributors):

🔧 Developer Setup JSON ← For contributors & customization

{
  "mcpServers": {
    "google_workspace": {
      "command": "uv",
      "args": [
        "run",
        "--directory",
        "/path/to/repo/google_workspace_mcp",
        "main.py"
      ],
      "env": {
        "GOOGLE_OAUTH_CLIENT_ID": "your-client-id",
        "GOOGLE_OAUTH_CLIENT_SECRET": "your-secret",
        "OAUTHLIB_INSECURE_TRANSPORT": "1"
      }
    }
  }
}

HTTP Mode (For debugging or web interfaces)

If you need to use HTTP mode with Claude Desktop:

{
  "mcpServers": {
    "google_workspace": {
      "command": "npx",
      "args": ["mcp-remote", "http://localhost:8000/mcp"]
    }
  }
}

Note: Make sure to start the server with --transport streamable-http when using HTTP mode.

First-Time Authentication

The server uses Google Desktop OAuth for simplified authentication:

• No redirect URIs needed: Desktop OAuth clients handle authentication without complex callback URLs
• Automatic flow: The server manages the entire OAuth process transparently
• Transport-agnostic: Works seamlessly in both stdio and HTTP modes

When calling a tool:

1. Server returns authorization URL
2. Open URL in browser and authorize
3. Google provides an authorization code
4. Paste the code when prompted (or it's handled automatically)
5. Server completes authentication and retries your request

---

◆ Development

Project Structure

google_workspace_mcp/
├── auth/              # Authentication system with decorators
├── core/              # MCP server and utilities
├── g{service}/        # Service-specific tools
├── main.py            # Server entry point
├── client_secret.json # OAuth credentials (not committed)
└── pyproject.toml     # Dependencies

Adding New Tools

from auth.service_decorator import require_google_service

@require_google_service("drive", "drive_read")  # Service + scope group
async def your_new_tool(service, param1: str, param2: int = 10):
    """Tool description"""
    # service is automatically injected and cached
    result = service.files().list().execute()
    return result  # Return native Python objects

Architecture Highlights

• Service Caching: 30-minute TTL reduces authentication overhead
• Scope Management: Centralized in SCOPE_GROUPS for easy maintenance
• Error Handling: Native exceptions instead of manual error construction
• Multi-Service Support: @require_multiple_services() for complex tools

Credential Store System

The server includes an abstract credential store API and a default backend for managing Google OAuth credentials with support for multiple storage backends:

Features:

• Abstract Interface: CredentialStore base class defines standard operations (get, store, delete, list users)
• Local File Storage: LocalDirectoryCredentialStore implementation stores credentials as JSON files
• Configurable Storage: Environment variable GOOGLE_MCP_CREDENTIALS_DIR sets storage location
• Multi-User Support: Store and manage credentials for multiple Google accounts
• Automatic Directory Creation: Storage directory is created automatically if it doesn't exist

Configuration:

# Optional: Set custom credentials directory
export GOOGLE_MCP_CREDENTIALS_DIR="/path/to/credentials"

# Default locations (if GOOGLE_MCP_CREDENTIALS_DIR not set):
# - ~/.google_workspace_mcp/credentials (if home directory accessible)
# - ./.credentials (fallback)

Usage Example:

from auth.credential_store import get_credential_store

# Get the global credential store instance
store = get_credential_store()

# Store credentials for a user
store.store_credential("user@example.com", credentials)

# Retrieve credentials
creds = store.get_credential("user@example.com")

# List all users with stored credentials
users = store.list_users()

The credential store automatically handles credential serialization, expiry parsing, and provides error handling for storage operations.

---

⊠ Security

• Credentials: Never commit .env, client_secret.json or the .credentials/ directory to source control!
• OAuth Callback: Uses http://localhost:8000/oauth2callback for development (requires OAUTHLIB_INSECURE_TRANSPORT=1)
• Transport-Aware Callbacks: Stdio mode starts a minimal HTTP server only for OAuth, ensuring callbacks work in all modes
• Production: Use HTTPS & OAuth 2.1 and configure accordingly
• Scope Minimization: Tools request only necessary permissions
• Local File Access Control: Tools that read local files (e.g., attachments, file:// uploads) are restricted to the user's home directory by default. Override this with the ALLOWED_FILE_DIRS environment variable:

  # Colon-separated list of directories (semicolon on Windows) from which local file reads are permitted
  export ALLOWED_FILE_DIRS="/home/user/documents:/data/shared"
  

  Regardless of the allowlist, access to sensitive paths (.env, .ssh/, .aws/, /etc/shadow, credential files, etc.) is always blocked.

---

---

≡ License

MIT License - see LICENSE file for details.

---

Validations: