Full natural language control over Google Calendar, Drive, Gmail, Docs, Sheets, Slides, Forms, Tasks, Contacts, and Chat through all MCP clients, AI assistants and developer tools. Now includes a full featured CLI for use with tools like Claude Code and Codex! The most feature-complete Google Workspace MCP server, with Remote OAuth2.1 multi-user support and 1-click Claude installation. See it in a
Add this skill
npx mdskills install taylorwilsdon/google-workspace-mcpComprehensive Google Workspace integration with excellent OAuth handling and wide API coverage
1<!-- mcp-name: io.github.taylorwilsdon/workspace-mcp -->23<div align="center">45# <span style="color:#cad8d9">Google Workspace MCP Server</span> <img src="https://github.com/user-attachments/assets/b89524e4-6e6e-49e6-ba77-00d6df0c6e5c" width="80" align="right" />67[](https://opensource.org/licenses/MIT)8[](https://www.python.org/downloads/)9[](https://pypi.org/project/workspace-mcp/)10[](https://pepy.tech/projects/workspace-mcp)11[](https://workspacemcp.com)1213*Full natural language control over Google Calendar, Drive, Gmail, Docs, Sheets, Slides, Forms, Tasks, Contacts, and Chat through all MCP clients, AI assistants and developer tools. Now includes a full featured CLI for use with tools like Claude Code and Codex!*1415**The most feature-complete Google Workspace MCP server**, with Remote OAuth2.1 multi-user support and 1-click Claude installation.161718###### Support for all free Google accounts (Gmail, Docs, Drive etc) & Google Workspace plans (Starter, Standard, Plus, Enterprise, Non Profit) with expanded app options like Chat & Spaces. <br/><br /> Interested in a private, managed cloud instance? [That can be arranged.](https://workspacemcp.com/workspace-mcp-cloud)192021</div>2223<div align="center">24<a href="https://glama.ai/mcp/servers/@taylorwilsdon/google_workspace_mcp">25 <img width="195" src="https://glama.ai/mcp/servers/@taylorwilsdon/google_workspace_mcp/badge" alt="Google Workspace Server MCP server" align="center"/>26</a>27<a href="https://www.pulsemcp.com/servers/taylorwilsdon-google-workspace">28<img width="456" src="https://github.com/user-attachments/assets/0794ef1a-dc1c-447d-9661-9c704d7acc9d" align="center"/>29</a>30</div>3132---333435**See it in action:**36<div align="center">37 <video width="400" src="https://github.com/user-attachments/assets/a342ebb4-1319-4060-a974-39d202329710"></video>38</div>3940---4142### A quick plug for AI-Enhanced Docs43<details>44<summary>◆ <b>But why?</b></summary>4546**This README was written with AI assistance, and here's why that matters**47>48> As a solo dev building open source tools, comprehensive documentation often wouldn't happen without AI help. Using agentic dev tools like **Roo** & **Claude Code** that understand the entire codebase, AI doesn't just regurgitate generic content - it extracts real implementation details and creates accurate, specific documentation.49>50> In this case, Sonnet 4 took a pass & a human (me) verified them 2/16/26.51</details>5253## <span style="color:#adbcbc">Overview</span>5455A production-ready MCP server that integrates all major Google Workspace services with AI assistants. It supports both single-user operation and multi-user authentication via OAuth 2.1, making it a powerful backend for custom applications. Built with FastMCP for optimal performance, featuring advanced authentication handling, service caching, and streamlined development patterns.5657**Simplified Setup**: Now uses Google Desktop OAuth clients - no redirect URIs or port configuration needed!585960## <span style="color:#adbcbc">Features</span>6162<table align="center" style="width: 100%; max-width: 100%;">63<tr>64<td width="50%" valign="top">6566**<span style="color:#72898f">@</span> Gmail** • **<span style="color:#72898f">≡</span> Drive** • **<span style="color:#72898f">⧖</span> Calendar** **<span style="color:#72898f">≡</span> Docs**67- Complete Gmail management, end to end coverage68- Full calendar management with advanced features69- File operations with Office format support70- Document creation, editing & comments71- Deep, exhaustive support for fine grained editing7273---7475**<span style="color:#72898f">≡</span> Forms** • **<span style="color:#72898f">@</span> Chat** • **<span style="color:#72898f">≡</span> Sheets** • **<span style="color:#72898f">≡</span> Slides**76- Form creation, publish settings & response management77- Space management & messaging capabilities78- Spreadsheet operations with flexible cell management79- Presentation creation, updates & content manipulation8081---8283**<span style="color:#72898f">◆</span> Apps Script**84- Automate cross-application workflows with custom code85- Execute existing business logic and custom functions86- Manage script projects, deployments & versions87- Debug and modify Apps Script code programmatically88- Bridge Google Workspace services through automation8990</td>91<td width="50%" valign="top">9293**<span style="color:#72898f">⊠</span> Authentication & Security**94- Advanced OAuth 2.0 & OAuth 2.1 support95- Automatic token refresh & session management96- Transport-aware callback handling97- Multi-user bearer token authentication98- Innovative CORS proxy architecture99100---101102**<span style="color:#72898f">✓</span> Tasks** • **<span style="color:#72898f">👤</span> Contacts** • **<span style="color:#72898f">◆</span> Custom Search**103- Task & task list management with hierarchy104- Contact management via People API with groups105- Programmable Search Engine (PSE) integration106107</td>108</tr>109</table>110111---112113## Quick Start114115<details>116<summary><b>Quick Reference Card</b> - Essential commands & configs at a glance</summary>117118<table>119<tr><td width="33%" valign="top">120121**Credentials**122```bash123export GOOGLE_OAUTH_CLIENT_ID="..."124export GOOGLE_OAUTH_CLIENT_SECRET="..."125```126[Full setup →](#credential-configuration)127128</td><td width="33%" valign="top">129130**Launch Commands**131```bash132uvx workspace-mcp --tool-tier core133uv run main.py --tools gmail drive134```135[More options →](#start-the-server)136137</td><td width="34%" valign="top">138139**Tool Tiers**140- `core` - Essential tools141- `extended` - Core + extras142- `complete` - Everything143[Details →](#tool-tiers)144145</td></tr>146</table>147148</details>149150### 1. One-Click Claude Desktop Install (Recommended)1511521. **Download:** Grab the latest `google_workspace_mcp.dxt` from the “Releases” page1532. **Install:** Double-click the file – Claude Desktop opens and prompts you to **Install**1543. **Configure:** In Claude Desktop → **Settings → Extensions → Google Workspace MCP**, paste your Google OAuth credentials1554. **Use it:** Start a new Claude chat and call any Google Workspace tool156157>158**Why DXT?**159> Desktop Extensions (`.dxt`) bundle the server, dependencies, and manifest so users go from download → working MCP in **one click** – no terminal, no JSON editing, no version conflicts.160161#### Required Configuration162<details>163<summary><b>Environment Variables</b> <sub><sup>← Click to configure in Claude Desktop</sup></sub></summary>164165<table>166<tr><td width="50%" valign="top">167168**Required**169| Variable | Purpose |170|----------|---------|171| `GOOGLE_OAUTH_CLIENT_ID` | OAuth client ID from Google Cloud |172| `GOOGLE_OAUTH_CLIENT_SECRET` | OAuth client secret |173| `OAUTHLIB_INSECURE_TRANSPORT=1` | Development only (allows `http://` redirect) |174175</td><td width="50%" valign="top">176177**Optional**178| Variable | Purpose |179|----------|---------|180| `USER_GOOGLE_EMAIL` | Default email for single-user auth |181| `GOOGLE_PSE_API_KEY` | API key for Custom Search |182| `GOOGLE_PSE_ENGINE_ID` | Search Engine ID for Custom Search |183| `MCP_ENABLE_OAUTH21` | Set to `true` for OAuth 2.1 support |184| `EXTERNAL_OAUTH21_PROVIDER` | Set to `true` for external OAuth flow with bearer tokens (requires OAuth 2.1) |185| `WORKSPACE_MCP_STATELESS_MODE` | Set to `true` for stateless operation (requires OAuth 2.1) |186187</td></tr>188</table>189190Claude Desktop stores these securely in the OS keychain; set them once in the extension pane.191</details>192193---194195<div align="center">196 <video width="832" src="https://github.com/user-attachments/assets/83cca4b3-5e94-448b-acb3-6e3a27341d3a"></video>197</div>198199---200201### Prerequisites202203- **Python 3.10+**204- **[uvx](https://github.com/astral-sh/uv)** (for instant installation) or [uv](https://github.com/astral-sh/uv) (for development)205- **Google Cloud Project** with OAuth 2.0 credentials206207### Configuration208209<details open>210<summary><b>Google Cloud Setup</b> <sub><sup>← OAuth 2.0 credentials & API enablement</sup></sub></summary>211212<table>213<tr>214<td width="33%" align="center">215216**1. Create Project**217```text218console.cloud.google.com219220→ Create new project221→ Note project name222```223<sub>[Open Console →](https://console.cloud.google.com/)</sub>224225</td>226<td width="33%" align="center">227228**2. OAuth Credentials**229```text230APIs & Services → Credentials231→ Create Credentials232→ OAuth Client ID233→ Desktop Application234```235<sub>Download & save credentials</sub>236237</td>238<td width="34%" align="center">239240**3. Enable APIs**241```text242APIs & Services → Library243244Search & enable:245Calendar, Drive, Gmail,246Docs, Sheets, Slides,247Forms, Tasks, People,248Chat, Search249```250<sub>See quick links below</sub>251252</td>253</tr>254<tr>255<td colspan="3">256257<details>258<summary><b>OAuth Credential Setup Guide</b> <sub><sup>← Step-by-step instructions</sup></sub></summary>259260**Complete Setup Process:**2612621. **Create OAuth 2.0 Credentials** - Visit [Google Cloud Console](https://console.cloud.google.com/)263 - Create a new project (or use existing)264 - Navigate to **APIs & Services → Credentials**265 - Click **Create Credentials → OAuth Client ID**266 - Choose **Desktop Application** as the application type (no redirect URIs needed!)267 - Download credentials and note the Client ID and Client Secret2682692. **Enable Required APIs** - In **APIs & Services → Library**270 - Search for and enable each required API271 - Or use the quick links below for one-click enabling2722733. **Configure Environment** - Set your credentials:274 ```bash275 export GOOGLE_OAUTH_CLIENT_ID="your-client-id"276 export GOOGLE_OAUTH_CLIENT_SECRET="your-secret"277 ```278279[Full Documentation →](https://developers.google.com/workspace/guides/auth-overview)280281</details>282283</td>284</tr>285</table>286287<details>288 <summary><b>Quick API Enable Links</b> <sub><sup>← One-click enable each Google API</sup></sub></summary>289 You can enable each one by clicking the links below (make sure you're logged into the Google Cloud Console and have the correct project selected):290291* [Enable Google Calendar API](https://console.cloud.google.com/flows/enableapi?apiid=calendar-json.googleapis.com)292* [Enable Google Drive API](https://console.cloud.google.com/flows/enableapi?apiid=drive.googleapis.com)293* [Enable Gmail API](https://console.cloud.google.com/flows/enableapi?apiid=gmail.googleapis.com)294* [Enable Google Docs API](https://console.cloud.google.com/flows/enableapi?apiid=docs.googleapis.com)295* [Enable Google Sheets API](https://console.cloud.google.com/flows/enableapi?apiid=sheets.googleapis.com)296* [Enable Google Slides API](https://console.cloud.google.com/flows/enableapi?apiid=slides.googleapis.com)297* [Enable Google Forms API](https://console.cloud.google.com/flows/enableapi?apiid=forms.googleapis.com)298* [Enable Google Tasks API](https://console.cloud.google.com/flows/enableapi?apiid=tasks.googleapis.com)299* [Enable Google Chat API](https://console.cloud.google.com/flows/enableapi?apiid=chat.googleapis.com)300* [Enable Google People API](https://console.cloud.google.com/flows/enableapi?apiid=people.googleapis.com)301* [Enable Google Custom Search API](https://console.cloud.google.com/flows/enableapi?apiid=customsearch.googleapis.com)302* [Enable Google Apps Script API](https://console.cloud.google.com/flows/enableapi?apiid=script.googleapis.com)303304</details>305306</details>3073081.1. **Credentials**: See [Credential Configuration](#credential-configuration) for detailed setup options3093102. **Environment Configuration**:311312<details open>313<summary>◆ <b>Environment Variables</b> <sub><sup>← Configure your runtime environment</sup></sub></summary>314315<table>316<tr>317<td width="33%" align="center">318319**◆ Development Mode**320```bash321export OAUTHLIB_INSECURE_TRANSPORT=1322```323<sub>Allows HTTP redirect URIs</sub>324325</td>326<td width="33%" align="center">327328**@ Default User**329```bash330export USER_GOOGLE_EMAIL=\331 your.email@gmail.com332```333<sub>Single-user authentication</sub>334335</td>336<td width="34%" align="center">337338**◆ Custom Search**339```bash340export GOOGLE_PSE_API_KEY=xxx341export GOOGLE_PSE_ENGINE_ID=yyy342```343<sub>Optional: Search API setup</sub>344345</td>346</tr>347</table>348349</details>3503513. **Server Configuration**:352353<details open>354<summary>◆ <b>Server Settings</b> <sub><sup>← Customize ports, URIs & proxies</sup></sub></summary>355356<table>357<tr>358<td width="33%" align="center">359360**◆ Base Configuration**361```bash362export WORKSPACE_MCP_BASE_URI=363 http://localhost364export WORKSPACE_MCP_PORT=8000365export WORKSPACE_MCP_HOST=0.0.0.0 # Use 127.0.0.1 for localhost-only366```367<sub>Server URL & port settings</sub>368369</td>370<td width="33%" align="center">371372**↻ Proxy Support**373```bash374export MCP_ENABLE_OAUTH21=375 true376```377<sub>Leverage multi-user OAuth2.1 clients</sub>378379</td>380<td width="34%" align="center">381382**@ Default Email**383```bash384export USER_GOOGLE_EMAIL=\385 your.email@gmail.com386```387<sub>Skip email in auth flows in single user mode</sub>388389</td>390</tr>391</table>392393<details>394<summary>≡ <b>Configuration Details</b> <sub><sup>← Learn more about each setting</sup></sub></summary>395396| Variable | Description | Default |397|----------|-------------|---------|398| `WORKSPACE_MCP_BASE_URI` | Base server URI (no port) | `http://localhost` |399| `WORKSPACE_MCP_PORT` | Server listening port | `8000` |400| `WORKSPACE_MCP_HOST` | Server bind host | `0.0.0.0` |401| `WORKSPACE_EXTERNAL_URL` | External URL for reverse proxy setups | None |402| `WORKSPACE_ATTACHMENT_DIR` | Directory for downloaded attachments | `~/.workspace-mcp/attachments/` |403| `GOOGLE_OAUTH_REDIRECT_URI` | Override OAuth callback URL | Auto-constructed |404| `USER_GOOGLE_EMAIL` | Default auth email | None |405406</details>407408</details>409410### Google Custom Search Setup411412<details>413<summary>◆ <b>Custom Search Configuration</b> <sub><sup>← Enable web search capabilities</sup></sub></summary>414415<table>416<tr>417<td width="33%" align="center">418419**1. Create Search Engine**420```text421programmablesearchengine.google.com422/controlpanel/create423424→ Configure sites or entire web425→ Note your Engine ID (cx)426```427<sub>[Open Control Panel →](https://programmablesearchengine.google.com/controlpanel/create)</sub>428429</td>430<td width="33%" align="center">431432**2. Get API Key**433```text434developers.google.com435/custom-search/v1/overview436437→ Create/select project438→ Enable Custom Search API439→ Create credentials (API Key)440```441<sub>[Get API Key →](https://developers.google.com/custom-search/v1/overview)</sub>442443</td>444<td width="34%" align="center">445446**3. Set Variables**447```bash448export GOOGLE_PSE_API_KEY=\449 "your-api-key"450export GOOGLE_PSE_ENGINE_ID=\451 "your-engine-id"452```453<sub>Configure in environment</sub>454455</td>456</tr>457<tr>458<td colspan="3">459460<details>461<summary>≡ <b>Quick Setup Guide</b> <sub><sup>← Step-by-step instructions</sup></sub></summary>462463**Complete Setup Process:**4644651. **Create Search Engine** - Visit the [Control Panel](https://programmablesearchengine.google.com/controlpanel/create)466 - Choose "Search the entire web" or specify sites467 - Copy the Search Engine ID (looks like: `017643444788157684527:6ivsjbpxpqw`)4684692. **Enable API & Get Key** - Visit [Google Developers Console](https://console.cloud.google.com/)470 - Enable "Custom Search API" in your project471 - Create credentials → API Key472 - Restrict key to Custom Search API (recommended)4734743. **Configure Environment** - Add to your shell or `.env`:475 ```bash476 export GOOGLE_PSE_API_KEY="AIzaSy..."477 export GOOGLE_PSE_ENGINE_ID="01764344478..."478 ```479480≡ [Full Documentation →](https://developers.google.com/custom-search/v1/overview)481482</details>483484</td>485</tr>486</table>487488</details>489490### Start the Server491492> **📌 Transport Mode Guidance**: Use **streamable HTTP mode** (`--transport streamable-http`) for all modern MCP clients including Claude Code, VS Code MCP, and MCP Inspector. Stdio mode is only for clients with incomplete MCP specification support.493494<details open>495<summary>▶ <b>Launch Commands</b> <sub><sup>← Choose your startup mode</sup></sub></summary>496497<table>498<tr>499<td width="33%" align="center">500501**▶ Legacy Mode**502```bash503uv run main.py504```505<sub>⚠️ Stdio mode (incomplete MCP clients only)</sub>506507</td>508<td width="33%" align="center">509510**◆ HTTP Mode (Recommended)**511```bash512uv run main.py \513 --transport streamable-http514```515<sub>✅ Full MCP spec compliance & OAuth 2.1</sub>516517</td>518<td width="34%" align="center">519520**@ Single User**521```bash522uv run main.py \523 --single-user524```525<sub>Simplified authentication</sub>526<sub>⚠️ Cannot be used with OAuth 2.1 mode</sub>527528</td>529</tr>530<tr>531<td colspan="3">532533<details>534<summary>◆ <b>Advanced Options</b> <sub><sup>← Tool selection, tiers & Docker</sup></sub></summary>535536**▶ Selective Tool Loading**537```bash538# Load specific services only539uv run main.py --tools gmail drive calendar540uv run main.py --tools sheets docs541542# Combine with other flags543uv run main.py --single-user --tools gmail544```545546547**🔒 Read-Only Mode**548```bash549# Requests only read-only scopes & disables write tools550uv run main.py --read-only551552# Combine with specific tools or tiers553uv run main.py --tools gmail drive --read-only554uv run main.py --tool-tier core --read-only555```556Read-only mode provides secure, restricted access by:557- Requesting only `*.readonly` OAuth scopes (e.g., `gmail.readonly`, `drive.readonly`)558- Automatically filtering out tools that require write permissions at startup559- Allowing read operations: list, get, search, and export across all services560561**★ Tool Tiers**562```bash563uv run main.py --tool-tier core # ● Essential tools only564uv run main.py --tool-tier extended # ◐ Core + additional565uv run main.py --tool-tier complete # ○ All available tools566```567568**◆ Docker Deployment**569```bash570docker build -t workspace-mcp .571docker run -p 8000:8000 -v $(pwd):/app \572 workspace-mcp --transport streamable-http573574# With tool selection via environment variables575docker run -e TOOL_TIER=core workspace-mcp576docker run -e TOOLS="gmail drive calendar" workspace-mcp577```578579**Available Services**: `gmail` • `drive` • `calendar` • `docs` • `sheets` • `forms` • `tasks` • `contacts` • `chat` • `search`580581</details>582583</td>584</tr>585</table>586587</details>588589### CLI Mode590591The server supports a CLI mode for direct tool invocation without running the full MCP server. This is ideal for scripting, automation, and use by coding agents (Codex, Claude Code).592593<details open>594<summary>▶ <b>CLI Commands</b> <sub><sup>← Direct tool execution from command line</sup></sub></summary>595596<table>597<tr>598<td width="50%" align="center">599600**▶ List Tools**601```bash602workspace-mcp --cli603workspace-mcp --cli list604workspace-mcp --cli list --json605```606<sub>View all available tools</sub>607608</td>609<td width="50%" align="center">610611**◆ Tool Help**612```bash613workspace-mcp --cli search_gmail_messages --help614```615<sub>Show parameters and documentation</sub>616617</td>618</tr>619<tr>620<td width="50%" align="center">621622**▶ Run with Arguments**623```bash624workspace-mcp --cli search_gmail_messages \625 --args '{"query": "is:unread"}'626```627<sub>Execute tool with inline JSON</sub>628629</td>630<td width="50%" align="center">631632**◆ Pipe from Stdin**633```bash634echo '{"query": "is:unread"}' | \635 workspace-mcp --cli search_gmail_messages636```637<sub>Pass arguments via stdin</sub>638639</td>640</tr>641</table>642643<details>644<summary>≡ <b>CLI Usage Details</b> <sub><sup>← Complete reference</sup></sub></summary>645646**Command Structure:**647```bash648workspace-mcp --cli [command] [options]649```650651**Commands:**652| Command | Description |653|---------|-------------|654| `list` (default) | List all available tools |655| `<tool_name>` | Execute the specified tool |656| `<tool_name> --help` | Show detailed help for a tool |657658**Options:**659| Option | Description |660|--------|-------------|661| `--args`, `-a` | JSON string with tool arguments |662| `--json`, `-j` | Output in JSON format (for `list` command) |663| `--help`, `-h` | Show help for a tool |664665**Examples:**666```bash667# List all Gmail tools668workspace-mcp --cli list | grep gmail669670# Search for unread emails671workspace-mcp --cli search_gmail_messages --args '{"query": "is:unread", "max_results": 5}'672673# Get calendar events for today674workspace-mcp --cli get_events --args '{"calendar_id": "primary", "time_min": "2024-01-15T00:00:00Z"}'675676# Create a Drive file from a URL677workspace-mcp --cli create_drive_file --args '{"name": "doc.pdf", "source_url": "https://example.com/file.pdf"}'678679# Combine with jq for processing680workspace-mcp --cli list --json | jq '.tools[] | select(.name | contains("gmail"))'681```682683**Notes:**684- CLI mode uses OAuth 2.0 (same credentials as server mode)685- Authentication flows work the same way - browser opens for first-time auth686- Results are printed to stdout; errors go to stderr687- Exit code 0 on success, 1 on error688689</details>690691</details>692693### Tool Tiers694695The server organizes tools into **three progressive tiers** for simplified deployment. Choose a tier that matches your usage needs and API quota requirements.696697<table>698<tr>699<td width="65%" valign="top">700701#### <span style="color:#72898f">Available Tiers</span>702703**<span style="color:#2d5b69">●</span> Core** (`--tool-tier core`)704Essential tools for everyday tasks. Perfect for light usage with minimal API quotas. Includes search, read, create, and basic modify operations across all services.705706**<span style="color:#72898f">●</span> Extended** (`--tool-tier extended`)707Core functionality plus management tools. Adds labels, folders, batch operations, and advanced search. Ideal for regular usage with moderate API needs.708709**<span style="color:#adbcbc">●</span> Complete** (`--tool-tier complete`)710Full API access including comments, headers/footers, publishing settings, and administrative functions. For power users needing maximum functionality.711712</td>713<td width="35%" valign="top">714715#### <span style="color:#72898f">Important Notes</span>716717<span style="color:#72898f">▶</span> **Start with `core`** and upgrade as needed718<span style="color:#72898f">▶</span> **Tiers are cumulative** – each includes all previous719<span style="color:#72898f">▶</span> **Mix and match** with `--tools` for specific services720<span style="color:#72898f">▶</span> **Configuration** in `core/tool_tiers.yaml`721<span style="color:#72898f">▶</span> **Authentication** included in all tiers722723</td>724</tr>725</table>726727#### <span style="color:#72898f">Usage Examples</span>728729```bash730# Basic tier selection731uv run main.py --tool-tier core # Start with essential tools only732uv run main.py --tool-tier extended # Expand to include management features733uv run main.py --tool-tier complete # Enable all available functionality734735# Selective service loading with tiers736uv run main.py --tools gmail drive --tool-tier core # Core tools for specific services737uv run main.py --tools gmail --tool-tier extended # Extended Gmail functionality only738uv run main.py --tools docs sheets --tool-tier complete # Full access to Docs and Sheets739```740741## 📋 Credential Configuration742743<details open>744<summary>🔑 <b>OAuth Credentials Setup</b> <sub><sup>← Essential for all installations</sup></sub></summary>745746<table>747<tr>748<td width="33%" align="center">749750**🚀 Environment Variables**751```bash752export GOOGLE_OAUTH_CLIENT_ID=\753 "your-client-id"754export GOOGLE_OAUTH_CLIENT_SECRET=\755 "your-secret"756```757<sub>Best for production</sub>758759</td>760<td width="33%" align="center">761762**📁 File-based**763```bash764# Download & place in project root765client_secret.json766767# Or specify custom path768export GOOGLE_CLIENT_SECRET_PATH=\769 /path/to/secret.json770```771<sub>Traditional method</sub>772773</td>774<td width="34%" align="center">775776**⚡ .env File**777```bash778cp .env.oauth21 .env779# Edit .env with credentials780```781<sub>Best for development</sub>782783</td>784</tr>785<tr>786<td colspan="3">787788<details>789<summary>📖 <b>Credential Loading Details</b> <sub><sup>← Understanding priority & best practices</sup></sub></summary>790791**Loading Priority**7921. Environment variables (`export VAR=value`)7932. `.env` file in project root (warning - if you run via `uvx` rather than `uv run` from the repo directory, you are spawning a standalone process not associated with your clone of the repo and it will not find your .env file without specifying it directly)7943. `client_secret.json` via `GOOGLE_CLIENT_SECRET_PATH`7954. Default `client_secret.json` in project root796797**Why Environment Variables?**798- ✅ **Docker/K8s ready** - Native container support799- ✅ **Cloud platforms** - Heroku, Railway, Vercel800- ✅ **CI/CD pipelines** - GitHub Actions, Jenkins801- ✅ **No secrets in git** - Keep credentials secure802- ✅ **Easy rotation** - Update without code changes803804</details>805806</td>807</tr>808</table>809810</details>811812---813814## 🧰 Available Tools815816> **Note**: All tools support automatic authentication via `@require_google_service()` decorators with 30-minute service caching.817818<table width="100%">819<tr>820<td width="50%" valign="top">821822### 📅 **Google Calendar** <sub>[`calendar_tools.py`](gcalendar/calendar_tools.py)</sub>823824| Tool | Tier | Description |825|------|------|-------------|826| `list_calendars` | **Core** | List accessible calendars |827| `get_events` | **Core** | Retrieve events with time range filtering |828| `create_event` | **Core** | Create events with attachments & reminders |829| `modify_event` | **Core** | Update existing events |830| `delete_event` | Extended | Remove events |831832</td>833<td width="50%" valign="top">834835### 📁 **Google Drive** <sub>[`drive_tools.py`](gdrive/drive_tools.py)</sub>836837| Tool | Tier | Description |838|------|------|-------------|839| `search_drive_files` | **Core** | Search files with query syntax |840| `get_drive_file_content` | **Core** | Read file content (Office formats) |841| `get_drive_file_download_url` | **Core** | Download Drive files to local disk |842| `create_drive_file` | **Core** | Create files or fetch from URLs |843| `create_drive_folder` | **Core** | Create empty folders in Drive or shared drives |844| `import_to_google_doc` | **Core** | Import files (MD, DOCX, HTML, etc.) as Google Docs |845| `share_drive_file` | **Core** | Share file with users/groups/domains/anyone |846| `get_drive_shareable_link` | **Core** | Get shareable links for a file |847| `list_drive_items` | Extended | List folder contents |848| `copy_drive_file` | Extended | Copy existing files (templates) with optional renaming |849| `update_drive_file` | Extended | Update file metadata, move between folders |850| `batch_share_drive_file` | Extended | Share file with multiple recipients |851| `update_drive_permission` | Extended | Modify permission role |852| `remove_drive_permission` | Extended | Revoke file access |853| `transfer_drive_ownership` | Extended | Transfer file ownership to another user |854| `set_drive_file_permissions` | Extended | Set link sharing and file-level sharing settings |855| `get_drive_file_permissions` | Complete | Get detailed file permissions |856| `check_drive_file_public_access` | Complete | Check public sharing status |857858</td>859</tr>860<tr>861862<tr>863<td width="50%" valign="top">864865### 📧 **Gmail** <sub>[`gmail_tools.py`](gmail/gmail_tools.py)</sub>866867| Tool | Tier | Description |868|------|------|-------------|869| `search_gmail_messages` | **Core** | Search with Gmail operators |870| `get_gmail_message_content` | **Core** | Retrieve message content |871| `get_gmail_messages_content_batch` | **Core** | Batch retrieve message content |872| `send_gmail_message` | **Core** | Send emails |873| `get_gmail_thread_content` | Extended | Get full thread content |874| `modify_gmail_message_labels` | Extended | Modify message labels |875| `list_gmail_labels` | Extended | List available labels |876| `manage_gmail_label` | Extended | Create/update/delete labels |877| `draft_gmail_message` | Extended | Create drafts |878| `get_gmail_threads_content_batch` | Complete | Batch retrieve thread content |879| `batch_modify_gmail_message_labels` | Complete | Batch modify labels |880| `start_google_auth` | Complete | Legacy OAuth 2.0 auth (disabled when OAuth 2.1 is enabled) |881882<details>883<summary><b>📎 Email Attachments</b> <sub><sup>← Send emails with files</sup></sub></summary>884885Both `send_gmail_message` and `draft_gmail_message` support attachments via two methods:886887**Option 1: File Path** (local server only)888```python889attachments=[{"path": "/path/to/report.pdf"}]890```891Reads file from disk, auto-detects MIME type. Optional `filename` override.892893**Option 2: Base64 Content** (works everywhere)894```python895attachments=[{896 "filename": "report.pdf",897 "content": "JVBERi0xLjQK...", # base64-encoded898 "mime_type": "application/pdf" # optional899}]900```901902**⚠️ Centrally Hosted Servers**: When the MCP server runs remotely (cloud, shared instance), it cannot access your local filesystem. Use **Option 2** with base64-encoded content. Your MCP client must encode files before sending.903904</details>905906<details>907<summary><b>📥 Downloaded Attachment Storage</b> <sub><sup>← Where downloaded files are saved</sup></sub></summary>908909When downloading Gmail attachments (`get_gmail_attachment_content`) or Drive files (`get_drive_file_download_url`), files are saved to a persistent local directory rather than a temporary folder in the working directory.910911**Default location:** `~/.workspace-mcp/attachments/`912913Files are saved with their original filename plus a short UUID suffix for uniqueness (e.g., `invoice_a1b2c3d4.pdf`). In **stdio mode**, the tool returns the absolute file path for direct filesystem access. In **HTTP mode**, it returns a download URL via the `/attachments/{file_id}` endpoint.914915To customize the storage directory:916```bash917export WORKSPACE_ATTACHMENT_DIR="/path/to/custom/dir"918```919920Saved files expire after 1 hour and are cleaned up automatically.921922</details>923924</td>925<td width="50%" valign="top">926927### 📝 **Google Docs** <sub>[`docs_tools.py`](gdocs/docs_tools.py)</sub>928929| Tool | Tier | Description |930|------|------|-------------|931| `get_doc_content` | **Core** | Extract document text |932| `create_doc` | **Core** | Create new documents |933| `modify_doc_text` | **Core** | Modify document text (formatting + links) |934| `search_docs` | Extended | Find documents by name |935| `find_and_replace_doc` | Extended | Find and replace text |936| `list_docs_in_folder` | Extended | List docs in folder |937| `insert_doc_elements` | Extended | Add tables, lists, page breaks |938| `update_paragraph_style` | Extended | Apply heading styles, lists (bulleted/numbered with nesting), and paragraph formatting |939| `get_doc_as_markdown` | Extended | Export document as formatted Markdown with optional comments |940| `insert_doc_image` | Complete | Insert images from Drive/URLs |941| `update_doc_headers_footers` | Complete | Modify headers and footers |942| `batch_update_doc` | Complete | Execute multiple operations |943| `inspect_doc_structure` | Complete | Analyze document structure |944| `export_doc_to_pdf` | Extended | Export document to PDF |945| `create_table_with_data` | Complete | Create data tables |946| `debug_table_structure` | Complete | Debug table issues |947| `*_document_comments` | Complete | Read, Reply, Create, Resolve |948949</td>950</tr>951952<tr>953<td width="50%" valign="top">954955### 📊 **Google Sheets** <sub>[`sheets_tools.py`](gsheets/sheets_tools.py)</sub>956957| Tool | Tier | Description |958|------|------|-------------|959| `read_sheet_values` | **Core** | Read cell ranges |960| `modify_sheet_values` | **Core** | Write/update/clear cells |961| `create_spreadsheet` | **Core** | Create new spreadsheets |962| `list_spreadsheets` | Extended | List accessible spreadsheets |963| `get_spreadsheet_info` | Extended | Get spreadsheet metadata |964| `format_sheet_range` | Extended | Apply colors, number formats, text wrapping, alignment, bold/italic, font size |965| `create_sheet` | Complete | Add sheets to existing files |966| `*_sheet_comment` | Complete | Read/create/reply/resolve comments |967968</td>969<td width="50%" valign="top">970971### 🖼️ **Google Slides** <sub>[`slides_tools.py`](gslides/slides_tools.py)</sub>972973| Tool | Tier | Description |974|------|------|-------------|975| `create_presentation` | **Core** | Create new presentations |976| `get_presentation` | **Core** | Retrieve presentation details |977| `batch_update_presentation` | Extended | Apply multiple updates |978| `get_page` | Extended | Get specific slide information |979| `get_page_thumbnail` | Extended | Generate slide thumbnails |980| `*_presentation_comment` | Complete | Read/create/reply/resolve comments |981982</td>983</tr>984<tr>985<td width="50%" valign="top">986987### 📝 **Google Forms** <sub>[`forms_tools.py`](gforms/forms_tools.py)</sub>988989| Tool | Tier | Description |990|------|------|-------------|991| `create_form` | **Core** | Create new forms |992| `get_form` | **Core** | Retrieve form details & URLs |993| `set_publish_settings` | Complete | Configure form settings |994| `get_form_response` | Complete | Get individual responses |995| `list_form_responses` | Extended | List all responses with pagination |996| `batch_update_form` | Complete | Apply batch updates (questions, settings) |997998</td>999<td width="50%" valign="top">10001001### ✓ **Google Tasks** <sub>[`tasks_tools.py`](gtasks/tasks_tools.py)</sub>10021003| Tool | Tier | Description |1004|------|------|-------------|1005| `list_tasks` | **Core** | List tasks with filtering |1006| `get_task` | **Core** | Retrieve task details |1007| `create_task` | **Core** | Create tasks with hierarchy |1008| `update_task` | **Core** | Modify task properties |1009| `delete_task` | Extended | Remove tasks |1010| `move_task` | Complete | Reposition tasks |1011| `clear_completed_tasks` | Complete | Hide completed tasks |1012| `*_task_list` | Complete | List/get/create/update/delete task lists |10131014</td>1015</tr>1016<tr>1017<td width="50%" valign="top">10181019### 👤 **Google Contacts** <sub>[`contacts_tools.py`](gcontacts/contacts_tools.py)</sub>10201021| Tool | Tier | Description |1022|------|------|-------------|1023| `search_contacts` | **Core** | Search contacts by name, email, phone |1024| `get_contact` | **Core** | Retrieve detailed contact info |1025| `list_contacts` | **Core** | List contacts with pagination |1026| `create_contact` | **Core** | Create new contacts |1027| `update_contact` | Extended | Update existing contacts |1028| `delete_contact` | Extended | Delete contacts |1029| `list_contact_groups` | Extended | List contact groups/labels |1030| `get_contact_group` | Extended | Get group details with members |1031| `batch_*_contacts` | Complete | Batch create/update/delete contacts |1032| `*_contact_group` | Complete | Create/update/delete contact groups |1033| `modify_contact_group_members` | Complete | Add/remove contacts from groups |10341035</td>1036</tr>1037<tr>1038<td width="50%" valign="top">10391040### 💬 **Google Chat** <sub>[`chat_tools.py`](gchat/chat_tools.py)</sub>10411042| Tool | Tier | Description |1043|------|------|-------------|1044| `list_spaces` | Extended | List chat spaces/rooms |1045| `get_messages` | **Core** | Retrieve space messages |1046| `send_message` | **Core** | Send messages to spaces |1047| `search_messages` | **Core** | Search across chat history |1048| `create_reaction` | **Core** | Add emoji reaction to a message |1049| `download_chat_attachment` | Extended | Download attachment from a chat message |10501051</td>1052<td width="50%" valign="top">10531054### 🔍 **Google Custom Search** <sub>[`search_tools.py`](gsearch/search_tools.py)</sub>10551056| Tool | Tier | Description |1057|------|------|-------------|1058| `search_custom` | **Core** | Perform web searches |1059| `get_search_engine_info` | Complete | Retrieve search engine metadata |1060| `search_custom_siterestrict` | Extended | Search within specific domains |10611062</td>1063</tr>1064<tr>1065<td colspan="2" valign="top">10661067### **Google Apps Script** <sub>[`apps_script_tools.py`](gappsscript/apps_script_tools.py)</sub>10681069| Tool | Tier | Description |1070|------|------|-------------|1071| `list_script_projects` | **Core** | List accessible Apps Script projects |1072| `get_script_project` | **Core** | Get complete project with all files |1073| `get_script_content` | **Core** | Retrieve specific file content |1074| `create_script_project` | **Core** | Create new standalone or bound project |1075| `update_script_content` | **Core** | Update or create script files |1076| `run_script_function` | **Core** | Execute function with parameters |1077| `create_deployment` | Extended | Create new script deployment |1078| `list_deployments` | Extended | List all project deployments |1079| `update_deployment` | Extended | Update deployment configuration |1080| `delete_deployment` | Extended | Remove deployment |1081| `list_script_processes` | Extended | View recent executions and status |10821083</td>1084</tr>1085</table>108610871088**Tool Tier Legend:**1089- <span style="color:#2d5b69">•</span> **Core**: Essential tools for basic functionality • Minimal API usage • Getting started1090- <span style="color:#72898f">•</span> **Extended**: Core tools + additional features • Regular usage • Expanded capabilities1091- <span style="color:#adbcbc">•</span> **Complete**: All available tools including advanced features • Power users • Full API access10921093---10941095### Connect to Claude Desktop10961097The server supports two transport modes:10981099#### Stdio Mode (Legacy - For Clients with Incomplete MCP Support)11001101> **⚠️ Important**: Stdio mode is a **legacy fallback** for clients that don't properly implement the MCP specification with OAuth 2.1 and streamable HTTP support. **Claude Code and other modern MCP clients should use streamable HTTP mode** (`--transport streamable-http`) for proper OAuth flow and multi-user support.11021103In general, you should use the one-click DXT installer package for Claude Desktop.1104If you are unable to for some reason, you can configure it manually via `claude_desktop_config.json`11051106**Manual Claude Configuration (Alternative)**11071108<details>1109<summary>📝 <b>Claude Desktop JSON Config</b> <sub><sup>← Click for manual setup instructions</sup></sub></summary>111011111. Open Claude Desktop Settings → Developer → Edit Config1112 - **macOS**: `~/Library/Application Support/Claude/claude_desktop_config.json`1113 - **Windows**: `%APPDATA%\Claude\claude_desktop_config.json`111411152. Add the server configuration:1116```json1117{1118 "mcpServers": {1119 "google_workspace": {1120 "command": "uvx",1121 "args": ["workspace-mcp"],1122 "env": {1123 "GOOGLE_OAUTH_CLIENT_ID": "your-client-id",1124 "GOOGLE_OAUTH_CLIENT_SECRET": "your-secret",1125 "OAUTHLIB_INSECURE_TRANSPORT": "1"1126 }1127 }1128 }1129}1130```1131</details>11321133### Connect to LM Studio11341135Add a new MCP server in LM Studio (Settings → MCP Servers) using the same JSON format:11361137```json1138{1139 "mcpServers": {1140 "google_workspace": {1141 "command": "uvx",1142 "args": ["workspace-mcp"],1143 "env": {1144 "GOOGLE_OAUTH_CLIENT_ID": "your-client-id",1145 "GOOGLE_OAUTH_CLIENT_SECRET": "your-secret",1146 "OAUTHLIB_INSECURE_TRANSPORT": "1",1147 }1148 }1149 }1150}1151```115211531154### 2. Advanced / Cross-Platform Installation11551156If you’re developing, deploying to servers, or using another MCP-capable client, keep reading.11571158#### Instant CLI (uvx)11591160<details open>1161<summary>⚡ <b>Quick Start with uvx</b> <sub><sup>← No installation required!</sup></sub></summary>11621163```bash1164# Requires Python 3.10+ and uvx1165# First, set credentials (see Credential Configuration above)1166uvx workspace-mcp --tool-tier core # or --tools gmail drive calendar1167```11681169> **Note**: Configure [OAuth credentials](#credential-configuration) before running. Supports environment variables, `.env` file, or `client_secret.json`.11701171</details>11721173### Local Development Setup11741175<details open>1176<summary>🛠️ <b>Developer Workflow</b> <sub><sup>← Install deps, lint, and test</sup></sub></summary>11771178```bash1179# Install everything needed for linting, tests, and release tooling1180uv sync --group dev11811182# Run the same linter that git hooks invoke automatically1183uv run ruff check .11841185# Execute the full test suite (async fixtures require pytest-asyncio)1186uv run pytest1187```11881189- `uv sync --group test` installs only the testing stack if you need a slimmer environment.1190- `uv run main.py --transport streamable-http` launches the server with your checked-out code for manual verification.1191- Ruff is part of the `dev` group because pre-push hooks call `ruff check` automatically—run it locally before committing to avoid hook failures.11921193</details>11941195### OAuth 2.1 Support (Multi-User Bearer Token Authentication)11961197The server includes OAuth 2.1 support for bearer token authentication, enabling multi-user session management. **OAuth 2.1 automatically reuses your existing `GOOGLE_OAUTH_CLIENT_ID` and `GOOGLE_OAUTH_CLIENT_SECRET` credentials** - no additional configuration needed!11981199**When to use OAuth 2.1:**1200- Multiple users accessing the same MCP server instance1201- Need for bearer token authentication instead of passing user emails1202- Building web applications or APIs on top of the MCP server1203- Production environments requiring secure session management1204- Browser-based clients requiring CORS support12051206**⚠️ Important: OAuth 2.1 and Single-User Mode are mutually exclusive**12071208OAuth 2.1 mode (`MCP_ENABLE_OAUTH21=true`) cannot be used together with the `--single-user` flag:1209- **Single-user mode**: For legacy clients that pass user emails in tool calls1210- **OAuth 2.1 mode**: For modern multi-user scenarios with bearer token authentication12111212Choose one authentication method - using both will result in a startup error.12131214**Enabling OAuth 2.1:**1215To enable OAuth 2.1, set the `MCP_ENABLE_OAUTH21` environment variable to `true`.12161217```bash1218# OAuth 2.1 requires HTTP transport mode1219export MCP_ENABLE_OAUTH21=true1220uv run main.py --transport streamable-http1221```12221223If `MCP_ENABLE_OAUTH21` is not set to `true`, the server will use legacy authentication, which is suitable for clients that do not support OAuth 2.1.12241225<details>1226<summary>🔐 <b>How the FastMCP GoogleProvider handles OAuth</b> <sub><sup>← Advanced OAuth 2.1 details</sup></sub></summary>12271228FastMCP ships a native `GoogleProvider` that we now rely on directly. It solves the two tricky parts of using Google OAuth with MCP clients:122912301. **Dynamic Client Registration**: Google still doesn't support OAuth 2.1 DCR, but the FastMCP provider exposes the full DCR surface and forwards registrations to Google using your fixed credentials. MCP clients register as usual and the provider hands them your Google client ID/secret under the hood.123112322. **CORS & Browser Compatibility**: The provider includes an OAuth proxy that serves all discovery, authorization, and token endpoints with proper CORS headers. We no longer maintain custom `/oauth2/*` routes—the provider handles the upstream exchanges securely and advertises the correct metadata to clients.12331234The result is a leaner server that still enables any OAuth 2.1 compliant client (including browser-based ones) to authenticate through Google without bespoke code.12351236</details>12371238### Stateless Mode (Container-Friendly)12391240The server supports a stateless mode designed for containerized environments where file system writes should be avoided:12411242**Enabling Stateless Mode:**1243```bash1244# Stateless mode requires OAuth 2.1 to be enabled1245export MCP_ENABLE_OAUTH21=true1246export WORKSPACE_MCP_STATELESS_MODE=true1247uv run main.py --transport streamable-http1248```12491250**Key Features:**1251- **No file system writes**: Credentials are never written to disk1252- **No debug logs**: File-based logging is completely disabled1253- **Memory-only sessions**: All tokens stored in memory via OAuth 2.1 session store1254- **Container-ready**: Perfect for Docker, Kubernetes, and serverless deployments1255- **Token per request**: Each request must include a valid Bearer token12561257**Requirements:**1258- Must be used with `MCP_ENABLE_OAUTH21=true`1259- Incompatible with single-user mode1260- Clients must handle OAuth flow and send valid tokens with each request12611262This mode is ideal for:1263- Cloud deployments where persistent storage is unavailable1264- Multi-tenant environments requiring strict isolation1265- Containerized applications with read-only filesystems1266- Serverless functions and ephemeral compute environments12671268**MCP Inspector**: No additional configuration needed with desktop OAuth client.12691270**Claude Code**: No additional configuration needed with desktop OAuth client.12711272### OAuth Proxy Storage Backends12731274The server supports pluggable storage backends for OAuth proxy state management via FastMCP 2.13.0+. Choose a backend based on your deployment needs.12751276**Available Backends:**12771278| Backend | Best For | Persistence | Multi-Server |1279|---------|----------|-------------|--------------|1280| Memory | Development, testing | ❌ | ❌ |1281| Disk | Single-server production | ✅ | ❌ |1282| Valkey/Redis | Distributed production | ✅ | ✅ |12831284**Configuration:**12851286```bash1287# Memory storage (fast, no persistence)1288export WORKSPACE_MCP_OAUTH_PROXY_STORAGE_BACKEND=memory12891290# Disk storage (persists across restarts)1291export WORKSPACE_MCP_OAUTH_PROXY_STORAGE_BACKEND=disk1292export WORKSPACE_MCP_OAUTH_PROXY_DISK_DIRECTORY=~/.fastmcp/oauth-proxy12931294# Valkey/Redis storage (distributed, multi-server)1295export WORKSPACE_MCP_OAUTH_PROXY_STORAGE_BACKEND=valkey1296export WORKSPACE_MCP_OAUTH_PROXY_VALKEY_HOST=redis.example.com1297export WORKSPACE_MCP_OAUTH_PROXY_VALKEY_PORT=63791298```12991300> Valkey support is optional. Install `workspace-mcp[valkey]` (or `py-key-value-aio[valkey]`) only if you enable the Valkey backend.1301> Windows: building `valkey-glide` from source requires MSVC C++ build tools with C11 support. If you see `aws-lc-sys` C11 errors, set `CFLAGS=/std:c11`.13021303<details>1304<summary>🔐 <b>Valkey/Redis Configuration Options</b></summary>13051306| Variable | Default | Description |1307|----------|---------|-------------|1308| `WORKSPACE_MCP_OAUTH_PROXY_VALKEY_HOST` | localhost | Valkey/Redis host |1309| `WORKSPACE_MCP_OAUTH_PROXY_VALKEY_PORT` | 6379 | Port (6380 auto-enables TLS) |1310| `WORKSPACE_MCP_OAUTH_PROXY_VALKEY_DB` | 0 | Database number |1311| `WORKSPACE_MCP_OAUTH_PROXY_VALKEY_USE_TLS` | auto | Enable TLS (auto if port 6380) |1312| `WORKSPACE_MCP_OAUTH_PROXY_VALKEY_USERNAME` | - | Authentication username |1313| `WORKSPACE_MCP_OAUTH_PROXY_VALKEY_PASSWORD` | - | Authentication password |1314| `WORKSPACE_MCP_OAUTH_PROXY_VALKEY_REQUEST_TIMEOUT_MS` | 5000 | Request timeout for remote hosts |1315| `WORKSPACE_MCP_OAUTH_PROXY_VALKEY_CONNECTION_TIMEOUT_MS` | 10000 | Connection timeout for remote hosts |13161317**Encryption:** Disk and Valkey storage are encrypted with Fernet. The encryption key is derived from `FASTMCP_SERVER_AUTH_GOOGLE_JWT_SIGNING_KEY` if set, otherwise from `GOOGLE_OAUTH_CLIENT_SECRET`.13181319</details>13201321### External OAuth 2.1 Provider Mode13221323The server supports an external OAuth 2.1 provider mode for scenarios where authentication is handled by an external system. In this mode, the MCP server does not manage the OAuth flow itself but expects valid bearer tokens in the Authorization header of tool calls.13241325**Enabling External OAuth 2.1 Provider Mode:**1326```bash1327# External OAuth provider mode requires OAuth 2.1 to be enabled1328export MCP_ENABLE_OAUTH21=true1329export EXTERNAL_OAUTH21_PROVIDER=true1330uv run main.py --transport streamable-http1331```13321333**How It Works:**1334- **Protocol-level auth disabled**: MCP handshake (`initialize`) and `tools/list` do not require authentication1335- **Tool-level auth required**: All tool calls must include `Authorization: Bearer <token>` header1336- **External OAuth flow**: Your external system handles the OAuth flow and obtains Google access tokens1337- **Token validation**: Server validates bearer tokens via Google's tokeninfo API1338- **Multi-user support**: Each request is authenticated independently based on its bearer token13391340**Key Features:**1341- **No local OAuth flow**: Server does not provide OAuth callback endpoints or manage OAuth state1342- **Bearer token only**: All authentication via Authorization headers1343- **Stateless by design**: Works seamlessly with `WORKSPACE_MCP_STATELESS_MODE=true`1344- **External identity providers**: Integrate with your existing authentication infrastructure1345- **Tool discovery**: Clients can list available tools without authentication13461347**Requirements:**1348- Must be used with `MCP_ENABLE_OAUTH21=true`1349- OAuth credentials still required for token validation (`GOOGLE_OAUTH_CLIENT_ID`, `GOOGLE_OAUTH_CLIENT_SECRET`)1350- External system must obtain valid Google OAuth access tokens (ya29.*)1351- Each tool call request must include valid bearer token13521353**Use Cases:**1354- Integrating with existing authentication systems1355- Custom OAuth flows managed by your application1356- API gateways that handle authentication upstream1357- Multi-tenant SaaS applications with centralized auth1358- Mobile or web apps with their own OAuth implementation135913601361### VS Code MCP Client Support13621363> **✅ Recommended**: VS Code MCP extension properly supports the full MCP specification. **Always use HTTP transport mode** for proper OAuth 2.1 authentication.13641365<details>1366<summary>🆚 <b>VS Code Configuration</b> <sub><sup>← Setup for VS Code MCP extension</sup></sub></summary>13671368```json1369{1370 "servers": {1371 "google-workspace": {1372 "url": "http://localhost:8000/mcp/",1373 "type": "http"1374 }1375 }1376}1377```13781379*Note: Make sure to start the server with `--transport streamable-http` when using VS Code MCP.*1380</details>13811382### Claude Code MCP Client Support13831384> **✅ Recommended**: Claude Code is a modern MCP client that properly supports the full MCP specification. **Always use HTTP transport mode** with Claude Code for proper OAuth 2.1 authentication and multi-user support.13851386<details>1387<summary>🆚 <b>Claude Code Configuration</b> <sub><sup>← Setup for Claude Code MCP support</sup></sub></summary>13881389```bash1390# Start the server in HTTP mode first1391uv run main.py --transport streamable-http13921393# Then add to Claude Code1394claude mcp add --transport http workspace-mcp http://localhost:8000/mcp1395```1396</details>13971398#### Reverse Proxy Setup13991400If you're running the MCP server behind a reverse proxy (nginx, Apache, Cloudflare, etc.), you have two configuration options:14011402**Problem**: When behind a reverse proxy, the server constructs OAuth URLs using internal ports (e.g., `http://localhost:8000`) but external clients need the public URL (e.g., `https://your-domain.com`).14031404**Solution 1**: Set `WORKSPACE_EXTERNAL_URL` for all OAuth endpoints:1405```bash1406# This configures all OAuth endpoints to use your external URL1407export WORKSPACE_EXTERNAL_URL="https://your-domain.com"1408```14091410**Solution 2**: Set `GOOGLE_OAUTH_REDIRECT_URI` for just the callback:1411```bash1412# This only overrides the OAuth callback URL1413export GOOGLE_OAUTH_REDIRECT_URI="https://your-domain.com/oauth2callback"1414```14151416You also have options for:1417| `OAUTH_CUSTOM_REDIRECT_URIS` *(optional)* | Comma-separated list of additional redirect URIs |1418| `OAUTH_ALLOWED_ORIGINS` *(optional)* | Comma-separated list of additional CORS origins |14191420**Important**:1421- Use `WORKSPACE_EXTERNAL_URL` when all OAuth endpoints should use the external URL (recommended for reverse proxy setups)1422- Use `GOOGLE_OAUTH_REDIRECT_URI` when you only need to override the callback URL1423- The redirect URI must exactly match what's configured in your Google Cloud Console1424- Your reverse proxy must forward OAuth-related requests (`/oauth2callback`, `/oauth2/*`, `/.well-known/*`) to the MCP server14251426<details>1427<summary>🚀 <b>Advanced uvx Commands</b> <sub><sup>← More startup options</sup></sub></summary>14281429```bash1430# Configure credentials first (see Credential Configuration section)14311432# Start with specific tools only1433uvx workspace-mcp --tools gmail drive calendar tasks14341435# Start with tool tiers (recommended for most users)1436uvx workspace-mcp --tool-tier core # Essential tools1437uvx workspace-mcp --tool-tier extended # Core + additional features1438uvx workspace-mcp --tool-tier complete # All tools14391440# Start in HTTP mode for debugging1441uvx workspace-mcp --transport streamable-http1442```1443</details>14441445*Requires Python 3.10+ and [uvx](https://github.com/astral-sh/uv). The package is available on [PyPI](https://pypi.org/project/workspace-mcp).*14461447### Development Installation14481449For development or customization:14501451```bash1452git clone https://github.com/taylorwilsdon/google_workspace_mcp.git1453cd google_workspace_mcp1454uv run main.py1455```14561457**Development Installation (For Contributors)**:14581459<details>1460<summary>🔧 <b>Developer Setup JSON</b> <sub><sup>← For contributors & customization</sup></sub></summary>14611462```json1463{1464 "mcpServers": {1465 "google_workspace": {1466 "command": "uv",1467 "args": [1468 "run",1469 "--directory",1470 "/path/to/repo/google_workspace_mcp",1471 "main.py"1472 ],1473 "env": {1474 "GOOGLE_OAUTH_CLIENT_ID": "your-client-id",1475 "GOOGLE_OAUTH_CLIENT_SECRET": "your-secret",1476 "OAUTHLIB_INSECURE_TRANSPORT": "1"1477 }1478 }1479 }1480}1481```1482</details>14831484#### HTTP Mode (For debugging or web interfaces)1485If you need to use HTTP mode with Claude Desktop:14861487```json1488{1489 "mcpServers": {1490 "google_workspace": {1491 "command": "npx",1492 "args": ["mcp-remote", "http://localhost:8000/mcp"]1493 }1494 }1495}1496```14971498*Note: Make sure to start the server with `--transport streamable-http` when using HTTP mode.*14991500### First-Time Authentication15011502The server uses **Google Desktop OAuth** for simplified authentication:15031504- **No redirect URIs needed**: Desktop OAuth clients handle authentication without complex callback URLs1505- **Automatic flow**: The server manages the entire OAuth process transparently1506- **Transport-agnostic**: Works seamlessly in both stdio and HTTP modes15071508When calling a tool:15091. Server returns authorization URL15102. Open URL in browser and authorize15113. Google provides an authorization code15124. Paste the code when prompted (or it's handled automatically)15135. Server completes authentication and retries your request15141515---15161517## <span style="color:#adbcbc">◆ Development</span>15181519### <span style="color:#72898f">Project Structure</span>15201521```1522google_workspace_mcp/1523├── auth/ # Authentication system with decorators1524├── core/ # MCP server and utilities1525├── g{service}/ # Service-specific tools1526├── main.py # Server entry point1527├── client_secret.json # OAuth credentials (not committed)1528└── pyproject.toml # Dependencies1529```15301531### Adding New Tools15321533```python1534from auth.service_decorator import require_google_service15351536@require_google_service("drive", "drive_read") # Service + scope group1537async def your_new_tool(service, param1: str, param2: int = 10):1538 """Tool description"""1539 # service is automatically injected and cached1540 result = service.files().list().execute()1541 return result # Return native Python objects1542```15431544### Architecture Highlights15451546- **Service Caching**: 30-minute TTL reduces authentication overhead1547- **Scope Management**: Centralized in `SCOPE_GROUPS` for easy maintenance1548- **Error Handling**: Native exceptions instead of manual error construction1549- **Multi-Service Support**: `@require_multiple_services()` for complex tools15501551### Credential Store System15521553The server includes an abstract credential store API and a default backend for managing Google OAuth1554credentials with support for multiple storage backends:15551556**Features:**1557- **Abstract Interface**: `CredentialStore` base class defines standard operations (get, store, delete, list users)1558- **Local File Storage**: `LocalDirectoryCredentialStore` implementation stores credentials as JSON files1559- **Configurable Storage**: Environment variable `GOOGLE_MCP_CREDENTIALS_DIR` sets storage location1560- **Multi-User Support**: Store and manage credentials for multiple Google accounts1561- **Automatic Directory Creation**: Storage directory is created automatically if it doesn't exist15621563**Configuration:**1564```bash1565# Optional: Set custom credentials directory1566export GOOGLE_MCP_CREDENTIALS_DIR="/path/to/credentials"15671568# Default locations (if GOOGLE_MCP_CREDENTIALS_DIR not set):1569# - ~/.google_workspace_mcp/credentials (if home directory accessible)1570# - ./.credentials (fallback)1571```15721573**Usage Example:**1574```python1575from auth.credential_store import get_credential_store15761577# Get the global credential store instance1578store = get_credential_store()15791580# Store credentials for a user1581store.store_credential("user@example.com", credentials)15821583# Retrieve credentials1584creds = store.get_credential("user@example.com")15851586# List all users with stored credentials1587users = store.list_users()1588```15891590The credential store automatically handles credential serialization, expiry parsing, and provides error handling for storage operations.15911592---15931594## <span style="color:#adbcbc">⊠ Security</span>15951596- **Credentials**: Never commit `.env`, `client_secret.json` or the `.credentials/` directory to source control!1597- **OAuth Callback**: Uses `http://localhost:8000/oauth2callback` for development (requires `OAUTHLIB_INSECURE_TRANSPORT=1`)1598- **Transport-Aware Callbacks**: Stdio mode starts a minimal HTTP server only for OAuth, ensuring callbacks work in all modes1599- **Production**: Use HTTPS & OAuth 2.1 and configure accordingly1600- **Scope Minimization**: Tools request only necessary permissions1601- **Local File Access Control**: Tools that read local files (e.g., attachments, `file://` uploads) are restricted to the user's home directory by default. Override this with the `ALLOWED_FILE_DIRS` environment variable:1602 ```bash1603 # Colon-separated list of directories (semicolon on Windows) from which local file reads are permitted1604 export ALLOWED_FILE_DIRS="/home/user/documents:/data/shared"1605 ```1606 Regardless of the allowlist, access to sensitive paths (`.env`, `.ssh/`, `.aws/`, `/etc/shadow`, credential files, etc.) is always blocked.16071608---160916101611---16121613## <span style="color:#adbcbc">≡ License</span>16141615MIT License - see `LICENSE` file for details.16161617---16181619Validations:1620[](https://lobehub.com/mcp/taylorwilsdon-google_workspace_mcp)16211622[](https://mseep.ai/app/eebbc4a6-0f8c-41b2-ace8-038e5516dba0)162316241625<div align="center">1626<img width="842" alt="Batch Emails" src="https://github.com/user-attachments/assets/0876c789-7bcc-4414-a144-6c3f0aaffc06" />1627</div>1628
Full transparency — inspect the skill content before installing.