DEV Community

Yoshi

My Experience Fixing clasp Login Errors on Google Workspace

Introduction

When I tried to develop using the Google Apps Script CLI tool clasp, I got stuck on authentication.

The conclusion is that security requirements differ between personal accounts and Google Workspace accounts.

Since I had a successful experience with a personal account, I couldn’t understand why errors appeared.

Even when I asked ChatGPT, most of the answers assumed a personal account, which made troubleshooting difficult.

So here, I’ll organize the steps required for Workspace accounts as both a reminder for myself and a reference for others.

The Mysterious Error on Workspace Accounts

For personal accounts, the first clasp login opens a browser and shows the Google authentication screen.

Once approved, the setup is complete, and from the second time on, authentication works instantly using cache.

Personal account (@gmail.com)

clasp login
# → Authentication completes immediately!

But with a Google Workspace account, it doesn’t work like that.

clasp login
# → "We are sorry, but you do not have access to this service"

Different Authentication Mechanisms for Personal vs Workspace

Personal Account (simple)

  • Uses Google’s default credentials
  • Few restrictions, no admin approval required
  • Just clasp login works

Workspace Account (complex)

  • External apps are blocked by security policy
  • Explicit administrator approval is required
  • Custom OAuth credentials must be created

5 Steps

To resolve the login issue with a Google Workspace account, the following five steps were necessary:

  1. Allow API access in the Admin Console (organization-level approval)
  2. Enable the Apps Script API in Google Cloud Console (project-level activation)
  3. Configure the OAuth consent screen (explicit user approval)
  4. Create OAuth credentials (application identity)
  5. Authenticate using custom credentials (organization-specific login)

For personal accounts, steps 1–3 are automatically handled by Google, and step 4 passes with default credentials.


1. Allow Apps Script API in the Admin Console

Explanation

  • Grants organization-level permission to use Apps Script
  • Without this, organizational policy blocks access
  • Analogy: like unlocking the company’s front door

Steps

  1. Log in to the Admin Console
  2. Go to Security > API Controls > App Access Control
  3. Either set clasp to Unrestricted, or set it to Restricted and add clasp as a Trusted app

2. Enable Apps Script API in Google Cloud Console

Explanation

  • The “Apps Script API” must be enabled, otherwise authentication will not proceed
  • By default, it may be turned off
  • Analogy: like switching on the building’s access system before issuing employee badges

Steps

  1. Log in to the Google Cloud Console
  2. Go to APIs & Services > Library
  3. Search for Google Apps Script API
  4. Click Enable

3. Configure the OAuth Consent Screen

Explanation

  • This is the confirmation screen that asks: “clasp wants to access your Apps Script projects. Do you allow it?”
  • Clearly shows what data will be accessed
  • Analogy: like a receptionist asking visitors about their purpose before granting entry

Steps

  1. In Google Cloud Console, go to OAuth consent screen
  2. Enter app information (name, support email)
  3. Set User Type to Internal (only users in your Workspace domain can use it)
  4. Add your own account as a test user

4. Create OAuth 2.0 Credentials

Explanation

  • Allows clasp to identify itself with a Client ID and Client Secret
  • Analogy: like issuing an official employee ID badge

Steps

  1. Log in to the Google Cloud Console
  2. Go to APIs & Services > Credentials
  3. Create an OAuth Client ID with type Desktop application
  4. Obtain the Client ID and Client Secret
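
Before moving on to step 5, it helps to confirm that the JSON file downloaded in step 4 really describes a Desktop-type client, because that file is what `clasp login --creds` reads. The Node.js check below is an added example, not part of the original post; the file name creds.json and the sample objects are assumptions constructed for illustration.

```javascript
// Preflight check for the OAuth client file from step 4 (added example).
// Constructed sample inputs, not real credentials.
const SAMPLE_DESKTOP = { installed: {
  client_id: '123456789012-example.apps.googleusercontent.com',
  client_secret: 'PLACEHOLDER-SECRET',
  redirect_uris: ['http://localhost'],
} };
const SAMPLE_WEB = { web: { client_id: SAMPLE_DESKTOP.installed.client_id } };

// Returns a list of problems; an empty list means the object looks like a
// Desktop-type OAuth client (top-level "installed" section).
function checkClientConfig(config) {
  if (config === null || typeof config !== 'object') {
    return ['file does not contain a JSON object'];
  }
  const problems = [];
  if ('web' in config) {
    problems.push('client type is "Web application", not "Desktop application"');
  }
  const client = config.installed;
  if (!client || typeof client !== 'object') {
    problems.push('missing top-level "installed" section');
    return problems;
  }
  if (typeof client.client_id !== 'string' ||
      !client.client_id.endsWith('.apps.googleusercontent.com')) {
    problems.push('client_id is missing or not a Google OAuth client ID');
  }
  if (typeof client.client_secret !== 'string' || client.client_secret === '') {
    problems.push('client_secret is missing');
  }
  return problems;
}

// The file holds a secret, so only its owner should be able to read it (POSIX).
function checkFileMode(mode) {
  return (mode & 0o077) === 0 ? [] : ['readable by group/others; chmod 600 it'];
}

// CLI use: node check-creds.js creds.json
if (process.argv[2]) {
  const fs = require('node:fs');
  const file = process.argv[2];
  const problems = checkClientConfig(JSON.parse(fs.readFileSync(file, 'utf8')));
  if (process.platform !== 'win32') problems.push(...checkFileMode(fs.statSync(file).mode));
  problems.forEach((p) => console.error(`${file}: ${p}`));
  if (!problems.length) console.log(`OK, next: clasp login --creds ${file}`);
  process.exitCode = problems.length ? 1 : 0;
}
```

Keep the credentials file out of version control (for example by listing it in .gitignore) alongside the project's other local-only files.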

Conclusion

In my case, since I had administrator rights for the organization, I was able to resolve the issue relatively smoothly.

However, if I had been a regular user, asking the admin to investigate and resolve the cause would have been much more troublesome.

Complex configuration is unavoidable in order to meet organizational security requirements.

But once you understand the background, the steps make sense.

I hope this article will serve as a helpful reference for anyone facing the same issue.
