What G-Suite OAuth Scopes do I need to grant?

Here is a complete list of the OAuth scopes that need to be granted for our G-Suite Application.

Note: OAuth scopes look like URLs, but these are not web pages. They are permissions.

 

Background

OAuth is the modern way SaaS companies authorize API access to applications such as G-Suite. While many vendors tend to request a lot of unnecessary permissions, our application requests the minimal set of permissions needed to deliver our product's functionality. Below is the list of scopes and why each one is needed.

Read/Write OAuth Permissions Needed:

  1. https://www.googleapis.com/auth/gmail.settings.basic - Required to update the email signature setting within Gmail. This scope does NOT have access to email.
  2. https://www.googleapis.com/auth/gmail.settings.sharing - Required to update the email signature of aliases in Gmail.

Read Only OAuth Permissions Needed:

  1. https://www.googleapis.com/auth/admin.directory.group.readonly - Allows for departmental signatures.
  2. https://www.googleapis.com/auth/admin.directory.orgunit.readonly - Allows for signatures based on Org Unit.
  3. https://www.googleapis.com/auth/admin.directory.user.readonly - Allows for populating signatures with Google directory data.
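
One way to confirm that what was actually granted matches the two lists above, shown as an added example that is not part of our application's code: it compares a granted scope string against the five scopes on this page and separates out read-only scopes that were granted in their writable form. The function names and the sample grant string are constructed for illustration; the two extra scopes in the sample are real Google scopes that this page does not request.

```python
import re

# Scopes copied from the lists on this page, grouped by the access level stated.
READ_WRITE = {
    "https://www.googleapis.com/auth/gmail.settings.basic",
    "https://www.googleapis.com/auth/gmail.settings.sharing",
}
READ_ONLY = {
    "https://www.googleapis.com/auth/admin.directory.group.readonly",
    "https://www.googleapis.com/auth/admin.directory.orgunit.readonly",
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
}
EXPECTED = READ_WRITE | READ_ONLY

# Constructed sample: a comma-separated grant with one writable directory
# scope and one full-mailbox Gmail scope that the page does not ask for.
SAMPLE_GRANT = (
    "https://www.googleapis.com/auth/gmail.settings.basic, "
    "https://www.googleapis.com/auth/gmail.settings.sharing, "
    "https://www.googleapis.com/auth/admin.directory.group.readonly, "
    "https://www.googleapis.com/auth/admin.directory.orgunit.readonly, "
    "https://www.googleapis.com/auth/admin.directory.user, "
    "https://mail.google.com/"
)


def parse_scopes(raw):
    """Split a comma- or space-delimited scope string into a set of scopes."""
    return {s for s in re.split(r"[\s,]+", raw.strip()) if s}


def audit_grant(raw):
    """Compare a granted scope string with the scopes this page lists."""
    granted = parse_scopes(raw)
    # A scope that becomes one of the READ_ONLY entries when ".readonly" is
    # appended is the writable form of a permission the page needs read-only.
    escalated = {s for s in granted
                 if s not in EXPECTED and s + ".readonly" in READ_ONLY}
    return {
        "missing": sorted(EXPECTED - granted),  # exact matches only
        "write_escalated": sorted(escalated),
        "unexpected": sorted(granted - EXPECTED - escalated),
        "least_privilege": granted == EXPECTED,
    }


if __name__ == "__main__":
    for key, value in audit_grant(SAMPLE_GRANT).items():
        print(f"{key}: {value}")
```

A grant passes only when `least_privilege` is true; anything under `write_escalated` or `unexpected` is access beyond what this page says the application needs.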