How to Set Up a Custom Google App
Create your own Google Cloud OAuth app for CRHQ instead of using the shared default. Full control over APIs, consent screen, and quotas.
Overview
By default, CRHQ satellites use a shared Google OAuth app to connect your Google account. While the shared app is undergoing Google's verification review, or if you prefer full control over your Google integration, you can set up your own Google Cloud project and use it instead.
This guide walks you through the entire process — from creating the Google Cloud project to entering the credentials in CRHQ.
When to Use a Custom App
- The CRHQ app is pending verification — Google's review can take weeks. Your own app works immediately.
- You want control over which APIs are enabled — choose exactly what services are available
- You want your own OAuth consent screen — show your company name and branding during sign-in
- You need independent API quotas — separate from the shared CRHQ app's usage limits
- Your organization requires it — some IT policies mandate first-party OAuth apps
What You'll Need
- A Google account with access to Google Cloud Console
- Admin access to your CRHQ satellite (the Settings page)
- About 10 minutes
At the end, you'll have two values to enter in CRHQ:
- Client ID — identifies your app
- Client Secret — authenticates OAuth requests
Step 1: Create a Google Cloud Project
Go to Google Cloud Console
Visit console.cloud.google.com. If this is your first time, you'll need to agree to the terms of service.
Create a New Project
- Click the project dropdown at the top of the page (next to "Google Cloud")
- Click New Project
- Enter a name (e.g., "CRHQ Integration" or your company name)
- Click Create
- Make sure the new project is selected in the dropdown
Step 2: Enable the APIs
Enable the Google APIs for each service you want agents to access. Go to APIs & Services > Library (direct link) and search for each API you need:
| Service | API to Enable |
|---|---|
| Gmail | Gmail API |
| Calendar | Google Calendar API |
| Drive | Google Drive API |
| Docs | Google Docs API |
| Sheets | Google Sheets API |
| Slides | Google Slides API |
| Analytics | Google Analytics Data API |
| Search Console | Google Search Console API |
| AdSense | AdSense Management API |
| Google Ads | Google Ads API |
Click into each API and click Enable. You only need to enable the ones you plan to use — you can always come back and enable more later.
Tip: At minimum, most users enable Gmail API, Google Calendar API, and Google Drive API. Start with what you need and add more as you go.
Step 3: Configure the OAuth Consent Screen
Before creating credentials, you need to set up the consent screen — this is what users see when connecting their Google account.
- Go to APIs & Services > OAuth consent screen (direct link)
- Choose External user type (unless you're on Google Workspace and want internal-only access)
- Click Create
- Fill in the required fields:
- App name — whatever you want to appear during sign-in (e.g., your company name)
- User support email — your email address
- Developer contact email — your email address
- Click Save and Continue
Data Access (Scopes)
Go to Data Access (direct link) to configure which scopes your app requests:
- Click Add or Remove Scopes
- Search for and add the scopes matching the APIs you enabled:
Core scopes (recommended for most setups):
https://www.googleapis.com/auth/gmail.modify
https://www.googleapis.com/auth/calendar
https://www.googleapis.com/auth/drive
https://www.googleapis.com/auth/documents
https://www.googleapis.com/auth/spreadsheets
https://www.googleapis.com/auth/presentations
Optional scopes (add if you need these services):
https://www.googleapis.com/auth/analytics.readonly
https://www.googleapis.com/auth/webmasters.readonly
https://www.googleapis.com/auth/adsense.readonly
https://www.googleapis.com/auth/adwords
- Click Update, then Save
Tip: You only need to add scopes for the services you plan to use. You can always come back and add more later — just disconnect and reconnect your Google account in CRHQ afterwards to pick up the new scopes.
Test Users
Go to Audience (direct link) and scroll to the Test Users section:
- Click Add Users
- Add the email addresses of everyone who will connect their Google account through CRHQ
- Click Save
Warning: While your app is in "Testing" status, only listed test users can connect. This is fine for most CRHQ setups. If you need anyone to connect without being pre-listed, you'll need to publish the app (which triggers Google's verification review).
Step 4: Create OAuth Credentials
- Go to APIs & Services > Credentials (direct link)
- Click + Create Credentials at the top
- Select OAuth client ID
- For Application type, choose Web application
- Give it a name (e.g., "CRHQ OAuth")
- Under Authorized redirect URIs, click Add URI and enter:
https://crhq.ai/auth/google/proxy-callback
- Click Create
You'll see a dialog with your Client ID and Client Secret. Copy both values — you'll need them in the next step.
Tip: You can always find these later by clicking the credential name in the Credentials page.
Step 5: Enter Credentials in CRHQ
Open the App Tab
Go to Settings > Connectors > Google Workspace and select the App tab.
Enter Your Credentials
Fill in the two fields:
- Client ID — paste your OAuth Client ID (looks like
123456789-abc123.apps.googleusercontent.com) - Client Secret — paste your Client Secret
Click Save.
Verify
The App tab will show a green status banner: "Using Custom App" with your masked Client ID displayed. All future Google connections will use your app.
Step 6: Connect Your Account
Now that your custom app is configured:
- Switch to the Accounts tab
- Click Connect
- Select the services you want (make sure the corresponding APIs are enabled in your project — see Step 2)
- Google's consent screen will show your app name
- Select your Google account and click Allow
Your account is now connected through your own Google Cloud project.
Adding More APIs Later
If you later need to connect additional Google services:
- Go to your Google Cloud project's API Library and enable the new API
- Add the corresponding scope to your OAuth consent screen configuration
- In CRHQ, disconnect your Google account and reconnect with the new services selected
Switching Back to the Default App
To stop using your custom app:
- Go to Settings > Connectors > Google Workspace > App tab
- Click the Remove button on the green status banner
- Disconnect any connected accounts in the Accounts tab (they were authorized with your custom app)
- Reconnect accounts — they will now use the default CRHQ app (once it's verified)
Troubleshooting
"Access blocked: This app's request is invalid"
Check that your redirect URI is exactly https://crhq.ai/auth/google/proxy-callback — no trailing slash, no extra characters.
"Error 403: access_denied" during consent
Your app is in Testing mode and the Google account isn't listed as a test user. Go to OAuth consent screen > Test Users and add the email address.
OAuth succeeds but some services don't work
Google silently drops scopes for APIs that aren't enabled. The connection succeeds, but agents get 403 errors when calling those services. Fix:
- Go to API Library
- Enable the missing API
- Disconnect and reconnect your Google account in CRHQ
"redirect_uri_mismatch"
The redirect URI in your credential doesn't match. Go to Credentials, click on your OAuth client, and verify the authorized redirect URI is:
https://crhq.ai/auth/google/proxy-callback
Credentials not saving in CRHQ
Make sure both Client ID and Client Secret are filled in. The Client ID typically ends in .apps.googleusercontent.com.
Security Notes
- Your Client ID and Client Secret are stored encrypted (AES-256-GCM) on your CRHQ satellite
- They are never sent to CRHQ's central servers
- OAuth tokens for connected accounts are also stored encrypted on your satellite only
- Google Cloud projects have their own audit logs — you can monitor API usage in your Cloud Console