Google Workspace MCP Server <img src="https://github.com/user-attachments/assets/b89524e4-6e6e-49e6-ba77-00d6df0c6e5c" width="80" align="right" />

![License: MIT](https://opensource.org/licenses/MIT) ![Python 3.10+](https://www.python.org/downloads/) ![PyPI](https://pypi.org/project/workspace-mcp/) ![PyPI Downloads](https://pepy.tech/projects/workspace-mcp) ![Website](https://workspacemcp.com)

Full natural language control over Google Calendar, Drive, Gmail, Docs, Sheets, Slides, Forms, Tasks, Contacts, and Chat through all MCP clients, AI assistants and developer tools.

Includes a full featured CLI & Code Mode for use with tools like Claude Code and Codex!

The most feature-complete Google Workspace MCP server, it can do things that Google's own tooling and the built in integrations with Claude and ChatGPT can't even dream of. With Remote OAuth2.1 multi-user support, fine-grained editing tools and the most extensive coverage of any Google Workspace tool in existance, Workspace MCP is in a different class. Offering native OAuth 2.1, stateless mode and external auth server support, it's also the only Workspace MCP you can host for your whole organization centrally & securely!

Support for all free Google accounts & Google Workspace plans (Starter, Standard, Plus, Enterprise, Non Profit) with expanded app options like Chat & Spaces. Interested in a private, managed cloud instance? That can be arranged.

</div>

---

<div align="center"> <table> <tr> <td align="center"> ⚡ Start <a href="#quick-start">Quick Start</a> · <a href="#prerequisites">Prerequisites</a> <a href="#configuration">Google Cloud</a> · <a href="#-credential-configuration">Credentials</a> </td> <td align="center"> 🧰 Tools <a href="#-available-tools">All Tools</a> · <a href="#tool-tiers">Tool Tiers</a> <a href="#cli">CLI</a> · <a href="#start-the-server">Start Server</a> </td> <td align="center"> 🔌 Connect <a href="#quick-start--connect-claude-to-google-workspace">Quick Start</a> · <a href="#connect-to-claude-desktop">Claude Desktop</a> <a href="#claude-code-mcp-client-support">Claude Code</a> · <a href="#vs-code-mcp-client-support">VS Code</a> · <a href="#connect-to-lm-studio">LM Studio</a> </td> <td align="center"> 🚀 Deploy <a href="#oauth-21-support-multi-user-bearer-token-authentication">OAuth 2.1</a> · <a href="#stateless-mode-container-friendly">Stateless</a> <a href="#external-oauth-21-provider-mode">External OAuth</a> · <a href="#reverse-proxy-setup">Reverse Proxy</a> </td> <td align="center"> 📐 Develop <a href="#-development">Architecture</a> · <a href="#local-development-setup">Dev Setup</a> <a href="#-security">Security</a> · <a href="#-license">License</a> </td> </tr> </table> </div>

See it in action: <div align="center"> <video width="400" src="https://github.com/user-attachments/assets/a342ebb4-1319-4060-a974-39d202329710"></video> </div>

---

Overview

Workspace MCP is the single most complete MCP server, the only that integrates all major Google Workspace services with AI assistants and all agent platforms. The entire toolset is available for CLI usage supporting both local and remote instances.

Features

12 services &ensp;—&ensp; Gmail · Drive · Calendar · Docs · Sheets · Slides · Forms · Chat · Apps Script · Tasks · Contacts · Search

📧 Gmail — Complete email management, end-to-end coverage 📁 Drive — File operations with sharing, permissions, Office files, PDFs & images 📅 Calendar — Full event management with advanced features 📝 Docs — Deep, fine-grained editing, formatting & comments 📊 Sheets — Flexible cell management, formatting & conditional rules 🖼️ Slides — Presentation creation, updates & content manipulation 📋 Forms — Creation, publish settings & response management 💬 Chat — Space management, messaging & reactions

</td> <td valign="top" width="50%">

⚡ Apps Script — Cross-application workflow automation &ensp;Projects · deployments · versions · execution · debugging

✅ Tasks — Task & list management with hierarchy 👤 Contacts — People API with groups & batch operations 🔍 Custom Search — Programmable Search Engine integration

---

🔐 Authentication & Security OAuth 2.0 & 2.1 · auto token refresh · multi-user bearer tokens · transport-aware callbacks · CORS proxy

</td> </tr> </table>

---

Security & Compliance

For Security Teams

This server sends no data anywhere except Google's APIs, on behalf of the authenticated user, using your own OAuth client credentials. There is no telemetry, no usage reporting, no analytics, no license server, and no SaaS dependency. The entire data path is: your infrastructure → Google APIs.

Fully open source — every line is auditable in this repo
Your OAuth client, your GCP project — credentials never leave your environment
You control the scopes — read-only, granular per-service permissions, or full access
You control the network — deploy behind your reverse proxy, in your VPC, on your own terms
No third-party services — no intermediary servers, no token relays, no hosted backends
Stateless mode — zero disk writes for locked-down container environments
Sensitive path blocking — local file reads default to the managed attachment directory, and validate_file_path() still blocks .env* files plus common home-directory credential stores such as ~/.ssh/ and ~/.aws/ even if ALLOWED_FILE_DIRS is broadened

Full dependency tree in pyproject.toml, pinned in uv.lock.

</td> <td valign="top" width="50%">

For Legal & Procurement

This project is MIT licensed — not "open core," not "source available," not "free with a CLA." There is no dual licensing, no commercial tier gating features, and no contributor license agreement.

Use commercially without restriction — build products, sell services, deploy internally
Fork, embed, redistribute — MIT requires only attribution
No CLA — contributions remain under MIT
No telemetry to disclose — nothing to flag in a privacy review
No network effects — the server never contacts any endpoint you didn't configure
Standard dependency licenses — MIT, Apache 2.0, and BSD throughout the dependency chain; no copyleft, no AGPL

The license is 21 lines and says what it means.

</td> </tr> </table>

---

Quick Start

Set credentials → pick a launch command → connect your client

💡 New to Workspace MCP? Check out the Interactive Quick Start Guide → with step-by-step setup, screenshots, and troubleshooting tips!

</div>

Confidential Client Quick Start

# 1. Credentials
export GOOGLE_OAUTH_CLIENT_ID="..."
export GOOGLE_OAUTH_CLIENT_SECRET="..."

# 2. Launch — pick a tier
uvx workspace-mcp --tool-tier core       # essential tools
uvx workspace-mcp --tool-tier extended   # core + management ops
uvx workspace-mcp --tool-tier complete   # everything

# Or cherry-pick services
uv run main.py --tools gmail drive calendar

</td> <td valign="top" width="50%">

Secretless / Public OAuth 2.1 (PKCE) Quick Start

# 1. Credentials
export MCP_ENABLE_OAUTH21=true
export GOOGLE_OAUTH_CLIENT_ID="..."
export WORKSPACE_MCP_PORT=8000
export GOOGLE_OAUTH_REDIRECT_URI="http://localhost:${WORKSPACE_MCP_PORT}/oauth2callback"
export OAUTHLIB_INSECURE_TRANSPORT=1
# Leave GOOGLE_OAUTH_CLIENT_SECRET unset for public PKCE clients
export FASTMCP_SERVER_AUTH_GOOGLE_JWT_SIGNING_KEY="$(openssl rand -hex 32)"

# 2. Launch — OAuth 2.1 requires HTTP transport
uvx workspace-mcp --transport streamable-http --tool-tier core
uvx workspace-mcp --transport streamable-http --tool-tier extended
uvx workspace-mcp --transport streamable-http --tool-tier complete

# Or cherry-pick services
uv run main.py --transport streamable-http --tools gmail drive calendar

</td> </tr> </table>

Credential setup → · All launch options → · Tier details →

<details open> <summary>Environment Variable Reference</summary>

| Variable | | Purpose | |----------|:---:|---------| | 🔐 Authentication | | | | GOOGLE_OAUTH_CLIENT_ID | required | OAuth client ID from Google Cloud | | GOOGLE_OAUTH_CLIENT_SECRET | | OAuth client secret for confidential clients; optional for public OAuth 2.1 PKCE clients | | OAUTHLIB_INSECURE_TRANSPORT | required&ast; | Set to 1 for development — allows http:// redirect | | USER_GOOGLE_EMAIL | | Default email for single-user auth | | GOOGLE_CLIENT_SECRET_PATH | | Custom path to client_secret.json | | GOOGLE_MCP_CREDENTIALS_DIR | | Credential directory — default ~/.google_workspace_mcp/credentials | | 🖥️ Server | | | | WORKSPACE_MCP_BASE_URI | | Base server URI (no port) — default http://localhost | | WORKSPACE_MCP_PORT | | Listening port — default 8000. Also controls the stdio-mode OAuth callback port. The PORT env var takes precedence if set. | | WORKSPACE_MCP_HOST | | Bind host — default 0.0.0.0 for OAuth 2.1 HTTP, 127.0.0.1 for legacy streamable HTTP. | | WORKSPACE_MCP_TRANSPORT | | stdio or streamable-http; used when --transport is not passed | | WORKSPACE_MCP_HTTP_PORT | | Advanced legacy-stdio sidecar /mcp port for local workspace-cli access. Disabled when empty. Binds to 127.0.0.1 only and is accessible to local processes. | | WORKSPACE_EXTERNAL_URL | | External URL for reverse proxy setups | | WORKSPACE_MCP_BRAND_NAME | | OAuth 2.1 consent-page server name — default FastMCP's name | | WORKSPACE_MCP_BRAND_ICON_URL | | OAuth 2.1 consent-page logo (hosted URL or data: URI), shown at 64px wide — default FastMCP's logo | | WORKSPACE_MCP_BRAND_WEBSITE_URL | | OAuth 2.1 consent-page website link | | WORKSPACE_ATTACHMENT_DIR | | Downloaded attachments dir and default trusted local attachment directory — default ~/.workspace-mcp/attachments/ | | WORKSPACE_MCP_URL | | Remote MCP endpoint URL for CLI | | ALLOWED_FILE_DIRS | | Colon-separated allowlist for local file reads | | 🧰 Tool Selection | | | | WORKSPACE_MCP_TOOLS | | Comma-separated services, e.g. gmail,drive,calendar; empty means all services | | WORKSPACE_MCP_TOOL_TIER | | core, extended, or complete; empty means all tools | | WORKSPACE_MCP_READ_ONLY | | true, 1, or yes to request read-only scopes and filter write tools | | WORKSPACE_MCP_PERMISSIONS | | Space-separated service:level entries, e.g. gmail:send drive:readonly; mutually exclusive with tools and read-only | | 🔑 OAuth 2.1 & Multi-User | | | | MCP_ENABLE_OAUTH21 | | true to enable OAuth 2.1 multi-user support. Required for remote or shared HTTP endpoints (--transport streamable-http); optional for local-only legacy HTTP, which binds to 127.0.0.1 by default. | | EXTERNAL_OAUTH21_PROVIDER | | true for external OAuth flow with bearer tokens | | WORKSPACE_MCP_STATELESS_MODE | | true for stateless container-friendly operation | | WORKSPACE_MCP_LOG_DIR | | Directory for mcp_server_debug.log — defaults to ~/.google_workspace_mcp/logs | | GOOGLE_OAUTH_REDIRECT_URI | | Override OAuth callback URL — default auto-constructed | | OAUTH_CUSTOM_REDIRECT_URIS | | Comma-separated additional redirect URIs | | OAUTH_ALLOWED_ORIGINS | | Comma-separated additional CORS origins | | WORKSPACE_MCP_OAUTH_PROXY_STORAGE_BACKEND | | memory, disk, or valkey — see storage backends | | FASTMCP_SERVER_AUTH_GOOGLE_JWT_SIGNING_KEY | | Custom encryption key for OAuth proxy storage; required for public OAuth 2.1 clients when GOOGLE_OAUTH_CLIENT_SECRET is omitted | | WORKSPACE_MCP_ALLOWED_CLIENT_REDIRECT_URIS | | Comma-separated allowlist of redirect URIs that dynamically-registered OAuth clients may use. Default is unset (any URI permitted, per DCR). Supports FastMCP's glob patterns (, .example.com) | | 🗄️ Credential Store | | | | WORKSPACE_MCP_CREDENTIAL_STORE_BACKEND | | local_directory (default) or gcs — see credential store system | | WORKSPACE_MCP_CREDENTIALS_DIR | | Directory for the local_directory backend | | GOOGLE_MCP_CREDENTIALS_DIR | | Backward-compatible alias for WORKSPACE_MCP_CREDENTIALS_DIR | | WORKSPACE_MCP_GCS_BUCKET | | Required when backend is gcs — GCS bucket name | | WORKSPACE_MCP_GCS_PREFIX | | Optional object-name prefix for the gcs backend | | WORKSPACE_MCP_GCS_REQUIRE_CMEK | | true to require a bucket default KMS key at startup (fails fast if unset) | | 🔧 Service Account | | | | GOOGLE_SERVICE_ACCOUNT_KEY_FILE | | Path to service account JSON key file (domain-wide delegation) | | GOOGLE_SERVICE_ACCOUNT_KEY_JSON | | Inline service account JSON key (alternative to file) | | DWD_ALLOWED_DOMAINS | | Comma-separated domain allowlist for per-request impersonation (optional) | | 🔍 Custom Search | | | | GOOGLE_PSE_API_KEY | | API key for Programmable Search Engine | | GOOGLE_PSE_ENGINE_ID | | Search Engine ID for PSE |

&ast;Required for development only. Claude Desktop stores credentials securely in the OS keychain — set them once in the extension pane.

</details>

---

Quick Start — Connect Claude to Google Workspace

The recommended setup is to run an instance and connect Claude to it via a Connector. Full instructions at workspacemcp.com/quick-start.

---

Prerequisites

Python 3.10+ · uv/uvx · Google Cloud Project with OAuth 2.0 credentials

If you want the GCS credential store backend, install the optional dependency first:

uv sync --extra gcs
# or
pip install "workspace-mcp[gcs]"

Configuration

<details open> <summary>Google Cloud Setup</summary>

Create Project — Open Console → → Create new project
Create OAuth Credentials — APIs & Services → Credentials → Create Credentials → OAuth Client ID

Choose Desktop Application for a public PKCE client (no redirect URIs needed) or Web Application for a confidential client
Download and note your Client ID and, if issued, Client Secret

Enable APIs — APIs & Services → Library, then enable each service:

Google Chat needs extra setup. Enabling the API is not enough — you must also configure a Chat app and use a Workspace account. See Chat setup under the tool list.

Set Credentials — see Environment Variable Reference above, or:

   export GOOGLE_OAUTH_CLIENT_ID="your-client-id"
   export GOOGLE_OAUTH_CLIENT_SECRET="your-secret"

For public OAuth 2.1 PKCE clients, omit GOOGLE_OAUTH_CLIENT_SECRET and set FASTMCP_SERVER_AUTH_GOOGLE_JWT_SIGNING_KEY instead.

Full OAuth documentation → · Credential setup details →

</details>

Google Custom Search Setup

<details open> <summary>◆ Custom Search Configuration ← Enable web search capabilities</summary>

1. Create Search Engine ```text programmablesearchengine.google.com /controlpanel/create

→ Configure sites or entire web → Note your Engine ID (cx) ``` Open Control Panel →

</td> <td width="33%" align="center">

2. Get API Key ```text developers.google.com /custom-search/v1/overview

→ Create/select project → Enable Custom Search API → Create credentials (API Key) ``` Get API Key →

</td> <td width="34%" align="center">

3. Set Variables ``bash export GOOGLE_PSE_API_KEY=\ "your-api-key" export GOOGLE_PSE_ENGINE_ID=\ "your-engine-id" `` Configure in environment

</td> </tr> <tr> <td colspan="3">

<details open> <summary>≡ Quick Setup Guide ← Step-by-step instructions</summary>

Complete Setup Process:

Create Search Engine - Visit the Control Panel

Choose "Search the entire web" or specify sites
Copy the Search Engine ID (looks like: 017643444788157684527:6ivsjbpxpqw)

Enable API & Get Key - Visit Google Developers Console

Enable "Custom Search API" in your project
Create credentials → API Key
Restrict key to Custom Search API (recommended)

Configure Environment - Add to your shell or .env:

   export GOOGLE_PSE_API_KEY="AIzaSy..."
   export GOOGLE_PSE_ENGINE_ID="01764344478..."

≡ Full Documentation →

</details>

</td> </tr> </table>

</details>

Start the Server

📌 Transport Mode Guidance: Use streamable HTTP mode (--transport streamable-http) for all modern MCP clients including Claude Code, VS Code MCP, and MCP Inspector. For Claude Desktop, run an instance and connect via a Connector. Stdio mode is a legacy fallback. For deployments, prefer OAuth 2.1 with stateless mode (MCP_ENABLE_OAUTH21=true, WORKSPACE_MCP_STATELESS_MODE=true) unless you need local attachment or credential storage.

OAuth state safety: Legacy stdio starts a local-only OAuth callback server. In single-user mode only, it may recover a missing Google state parameter by consuming the most recent pending local OAuth state. This fallback is intentionally disabled outside single-user mode because it can cross session boundaries. Do not enable or emulate this behavior in streamable HTTP, hosted, or multi-user deployments; those modes must require an explicit state match.

<details open> <summary>▶ Launch Commands ← Choose your startup mode</summary>

▶ Legacy Mode ``bash uv run main.py `` ⚠️ Stdio mode (incomplete MCP clients only)

</td> <td width="33%" align="center">

◆ HTTP Mode (Recommended) ``bash export MCP_ENABLE_OAUTH21=true export GOOGLE_OAUTH_CLIENT_ID="..." uv run main.py \ --transport streamable-http `` ✅ Full MCP spec compliance & OAuth 2.1

</td> <td width="34%" align="center">

@ Single User ``bash uv run main.py \ --single-user `` Simplified authentication ⚠️ Cannot be used with OAuth 2.1 mode

</td> </tr> <tr> <td colspan="3">

<details open> <summary>◆ Advanced Options ← Tool selection, tiers & Docker</summary>

▶ Selective Tool Loading ```bash

Load specific services only

uv run main.py --tools gmail drive calendar uv run main.py --tools sheets docs

Combine with other flags

uv run main.py --single-user --tools gmail ```

🔒 Read-Only Mode ```bash

Requests only read-only scopes & disables write tools

uv run main.py --read-only

Combine with specific tools or tiers

uv run main.py --tools gmail drive --read-only uv run main.py --tool-tier core --read-only ``` Read-only mode provides secure, restricted access by:

Requesting only *.readonly OAuth scopes (e.g., gmail.readonly, drive.readonly)
Automatically filtering out tools that require write permissions at startup
Allowing read operations: list, get, search, and export across all services

🔐 Granular Permissions ```bash

Per-service permission levels

uv run main.py --permissions gmail:organize drive:readonly

Combine permissions with tier filtering

uv run main.py --permissions gmail:send drive:full --tool-tier core ``` Granular permissions mode provides service-by-service scope control:

Format: service:level (one entry per service)
Gmail levels: readonly, organize, drafts, send, full (cumulative)
Tasks levels: readonly, manage, full (cumulative; manage allows create/update/move but denies delete and clear_completed)
Other services currently support: readonly, full
--permissions and --read-only are mutually exclusive
--permissions cannot be combined with --tools; enabled services are determined by the --permissions entries (optionally filtered by --tool-tier)
With --tool-tier, only tier-matched tools are enabled and only services that have tools in the selected tier are imported

The WORKSPACE_MCP_TOOLS, WORKSPACE_MCP_TOOL_TIER, WORKSPACE_MCP_READ_ONLY, and WORKSPACE_MCP_PERMISSIONS environment variables provide the same controls for plugin and container installs. Empty strings are ignored. Non-empty malformed values fail closed at startup. Explicit CLI flags take precedence over mutually exclusive env vars.

Advanced legacy stdio sidecar ```bash

Optional bridge only for local legacy stdio sessions

WORKSPACE_MCP_HTTP_PORT=8001 uv run main.py workspace-cli --url http://127.0.0.1:8001/mcp list `` The sidecar is disabled unless WORKSPACE_MCP_HTTP_PORT is set. It only exists to bridge local workspace-cli calls into a legacy stdio server. Do not use it for normal Claude Code, VS Code, hosted, or multi-user deployments; use streamable HTTP with OAuth 2.1 instead. When enabled, it validates ports in the 1..65535 range, binds to 127.0.0.1`, and logs a warning if the port is already in use while keeping stdio running.

★ Tool Tiers ``bash uv run main.py --tool-tier core # ● Essential tools only uv run main.py --tool-tier extended # ◐ Core + additional uv run main.py --tool-tier complete # ○ All available tools ``

◆ Docker Deployment ```bash docker build -t workspace-mcp . docker run -p 8000:8000 -v $(pwd):/app \ -e MCP_ENABLE_OAUTH21=true \ -e GOOGLE_OAUTH_CLIENT_ID="..." \ workspace-mcp --transport streamable-http

With tool selection via environment variables

docker run -e TOOL_TIER=core workspace-mcp docker run -e TOOLS="gmail drive calendar" workspace-mcp ```

Available Services: gmail • drive • calendar • docs • sheets • forms • tasks • contacts • chat • search

</details>

</td> </tr> </table>

</details>

CLI

The workspace-cli command lists tools and calls them against a running server — with encrypted, disk-backed OAuth token caching so you only authenticate once. On first run it opens a browser for Google consent; subsequent runs reuse the cached tokens automatically.

Tokens are stored encrypted at ~/.workspace-mcp/cli-tokens/ using a Fernet key auto-generated at ~/.workspace-mcp/.cli-encryption-key.

To use workspace-cli globally, you'll want to start in this repo and run uv tool install .

Once complete, you'll have workspace-cli available globally via workspace-cli

Note: there is a public (but abandoned) pypi package with the same name - do not use uvx, as it will pull the wrong thing.

<details open> <summary>▶ workspace-cli Commands ← Persistent OAuth, no re-auth on every call</summary>

▶ List Tools ```bash uv run workspace-cli list uv run workspace-cli --url https://custom.server/mcp list

Or, if installed globally:

workspace-cli list workspace-cli --url https://custom.server/mcp list ``` View all available tools

</td> <td width="50%" align="center">

◆ Call a Tool ``bash uv run workspace-cli call search_gmail_messages \ query="is:unread" max_results=5 `` Execute a tool with key=value arguments

</td> </tr> </table>

Set URL for remote endpoints with --url or the WORKSPACE_MCP_URL environment variable.

<details open> <summary>≡ Advanced: FastMCP CLI ← inspect, install, discover</summary>

The upstream FastMCP CLI is also bundled and provides additional commands for schema inspection, client installation, and editor discovery. Note that fastmcp uses in-memory token storage, so each invocation may re-trigger the OAuth flow.

fastmcp inspect fastmcp_server.py                        # print tools, resources, prompts
fastmcp install claude-code fastmcp_server.py             # one-command client setup
fastmcp install cursor fastmcp_server.py
fastmcp discover                                          # find servers configured in editors

See fastmcp --help or the FastMCP CLI docs for the full command reference.

</details>

Tool Tiers

The server organizes tools into three progressive tiers for simplified deployment. Choose a tier that matches your usage needs and API quota requirements.

Available Tiers

● Core (--tool-tier core) Essential tools for everyday tasks. Perfect for light usage with minimal API quotas. Includes search, read, create, and basic modify operations across all services.

● Extended (--tool-tier extended) Core functionality plus management tools. Adds labels, folders, batch operations, and advanced search. Ideal for regular usage with moderate API needs.

● Complete (--tool-tier complete) Full API access including comments, headers/footers, publishing settings, and administrative functions. For power users needing maximum functionality.

</td> <td width="35%" valign="top">

Important Notes

▶ Start with core and upgrade as needed ▶ Tiers are cumulative – each includes all previous ▶ Mix and match with --tools for specific services ▶ Configuration in core/tool_tiers.yaml ▶ Authentication included in all tiers

</td> </tr> </table>

Usage Examples

# Basic tier selection
uv run main.py --tool-tier core                            # Start with essential tools only
uv run main.py --tool-tier extended                        # Expand to include management features
uv run main.py --tool-tier complete                        # Enable all available functionality

# Selective service loading with tiers
uv run main.py --tools gmail drive --tool-tier core        # Core tools for specific services
uv run main.py --tools gmail --tool-tier extended          # Extended Gmail functionality only
uv run main.py --tools docs sheets --tool-tier complete    # Full access to Docs and Sheets

# Combine tier selection with granular permission levels
uv run main.py --permissions gmail:organize drive:full --tool-tier core

📋 Credential Configuration

<details open> <summary>🔑 OAuth Credentials Setup ← Essential for all installations</summary>

🚀 Environment Variables ``bash export GOOGLE_OAUTH_CLIENT_ID=\ "your-client-id" export GOOGLE_OAUTH_CLIENT_SECRET=\ "your-secret" `` Best for production

</td> <td width="33%" align="center">

📁 File-based ```bash

Download & place in project root

client_secret.json

Or specify custom path

export GOOGLE_CLIENT_SECRET_PATH=\ /path/to/secret.json ``` Traditional method

</td> <td width="34%" align="center">

⚡ .env File ```bash cp .env.oauth21 .env

Edit .env with credentials

<sub>Best for development</sub>

</td>
</tr>
<tr>
<td colspan="3">

<details open>
<summary>📖 <b>Credential Loading Details</b> <sub><sup>← Understanding priority & best practices</sup></sub></summary>

**Loading Priority**
1. Environment variables (`export VAR=value`)
2. `.env` file in project root (warning - if you run via `uvx` rather than `uv run` from the repo directory, you are spawning a standalone process not associated with your clone of the repo and it will not find your .env file without specifying it directly)
3. `client_secret.json` via `GOOGLE_CLIENT_SECRET_PATH`
4. Default `client_secret.json` in project root

**Why Environment Variables?**
- ✅ **Docker/K8s ready** - Native container support
- ✅ **Cloud platforms** - Heroku, Railway, Vercel
- ✅ **CI/CD pipelines** - GitHub Actions, Jenkins
- ✅ **No secrets in git** - Keep credentials secure
- ✅ **Easy rotation** - Update without code changes

</details>

</td>
</tr>
</table>

</details>

---

## 🧰 Available Tools

> **Note**: All tools support automatic authentication via `@require_google_service()` decorators with 30-minute service caching.

<div align="center">

> 📖 **Looking for detailed parameters?** Visit the **[Complete Documentation →](https://workspacemcp.com/docs)** for comprehensive tool reference, examples, and API guides!

</div>

#### 📅 Google Calendar <sub>[`calendar_tools.py`](gcalendar/calendar_tools.py)</sub>

| <sub>Tool</sub> | <sub>Tier</sub> | <sub>Description</sub> |
|------|------|-------------|
| <sub>`list_calendars`</sub> | <sub>Core</sub> | <sub>List accessible calendars</sub> |
| <sub>`get_events`</sub> | <sub>Core</sub> | <sub>Retrieve events with time range filtering</sub> |
| <sub>`manage_event`</sub> | <sub>Core</sub> | <sub>Create, update, or delete calendar events</sub> |
| <sub>`create_calendar`</sub> | <sub>Extended</sub> | <sub>Create a new secondary Google Calendar</sub> |
| <sub>`query_freebusy`</sub> | <sub>Extended</sub> | <sub>Query free/busy information for calendars</sub> |
| <sub>`manage_out_of_office`</sub> | <sub>Extended</sub> | <sub>Create, list, update, or delete Out of Office events</sub> |
| <sub>`manage_focus_time`</sub> | <sub>Extended</sub> | <sub>Create, list, update, or delete Focus Time events</sub> |

#### 📁 Google Drive <sub>[`drive_tools.py`](gdrive/drive_tools.py)</sub>

| <sub>Tool</sub> | <sub>Tier</sub> | <sub>Description</sub> |
|------|------|-------------|
| <sub>`search_drive_files`</sub> | <sub>Core</sub> | <sub>Search files with query syntax</sub> |
| <sub>`get_drive_file_content`</sub> | <sub>Core</sub> | <sub>Read file content (Office, PDF, image)</sub> |
| <sub>`get_drive_file_download_url`</sub> | <sub>Core</sub> | <sub>Download Drive files to local disk</sub> |
| <sub>`create_drive_file`</sub> | <sub>Core</sub> | <sub>Create files or fetch from URLs</sub> |
| <sub>`create_drive_folder`</sub> | <sub>Core</sub> | <sub>Create empty folders in Drive or shared drives</sub> |
| <sub>`import_to_google_doc`</sub> | <sub>Core</sub> | <sub>Import files (MD, DOCX, HTML, etc.) as Google Docs</sub> |
| <sub>`import_to_google_slides`</sub> | <sub>Core</sub> | <sub>Import presentation files (PPTX, PPT, ODP) as Google Slides</sub> |
| <sub>`import_to_google_sheets`</sub> | <sub>Core</sub> | <sub>Import spreadsheet files (XLSX, CSV, TSV, etc.) as Google Sheets</sub> |
| <sub>`get_drive_shareable_link`</sub> | <sub>Core</sub> | <sub>Get shareable links for a file</sub> |
| <sub>`list_drive_items`</sub> | <sub>Extended</sub> | <sub>List folder contents or shared drives</sub> |
| <sub>`copy_drive_file`</sub> | <sub>Extended</sub> | <sub>Copy existing files (templates) with optional renaming</sub> |
| <sub>`update_drive_file`</sub> | <sub>Extended</sub> | <sub>Update metadata, move files, or replace Google Apps content</sub> |
| <sub>`manage_drive_access`</sub> | <sub>Extended</sub> | <sub>Grant, update, revoke permissions, and transfer ownership</sub> |
| <sub>`set_drive_file_permissions`</sub> | <sub>Extended</sub> | <sub>Set link sharing and file-level sharing settings</sub> |
| <sub>`get_drive_file_permissions`</sub> | <sub>Complete</sub> | <sub>Get file metadata, parents, and permissions</sub> |
| <sub>`check_drive_file_public_access`</sub> | <sub>Complete</sub> | <sub>Check public sharing status</sub> |

#### 📧 Gmail <sub>[`gmail_tools.py`](gmail/gmail_tools.py)</sub>

| <sub>Tool</sub> | <sub>Tier</sub> | <sub>Description</sub> |
|------|------|-------------|
| <sub>`search_gmail_messages`</sub> | <sub>Core</sub> | <sub>Search with Gmail operators</sub> |
| <sub>`get_gmail_message_content`</sub> | <sub>Core</sub> | <sub>Retrieve message content</sub> |
| <sub>`get_gmail_messages_content_batch`</sub> | <sub>Core</sub> | <sub>Batch retrieve message content</sub> |
| <sub>`send_gmail_message`</sub> | <sub>Core</sub> | <sub>Send emails</sub> |
| <sub>`get_gmail_thread_content`</sub> | <sub>Extended</sub> | <sub>Get full thread content</sub> |
| <sub>`modify_gmail_message_labels`</sub> | <sub>Extended</sub> | <sub>Modify message labels</sub> |
| <sub>`list_gmail_labels`</sub> | <sub>Extended</sub> | <sub>List available labels</sub> |
| <sub>`list_gmail_filters`</sub> | <sub>Extended</sub> | <sub>List Gmail filters</sub> |
| <sub>`manage_gmail_label`</sub> | <sub>Extended</sub> | <sub>Create/update/delete labels</sub> |
| <sub>`manage_gmail_filter`</sub> | <sub>Extended</sub> | <sub>Create or delete Gmail filters</sub> |
| <sub>`draft_gmail_message`</sub> | <sub>Extended</sub> | <sub>Create drafts</sub> |
| <sub>`get_gmail_threads_content_batch`</sub> | <sub>Complete</sub> | <sub>Batch retrieve thread content</sub> |
| <sub>`batch_modify_gmail_message_labels`</sub> | <sub>Complete</sub> | <sub>Batch modify labels</sub> |
| <sub>`start_google_auth`</sub> | <sub>Complete</sub> | <sub>Legacy OAuth 2.0 auth (disabled when OAuth 2.1 is enabled)</sub> |

<details open>
<summary><b>📎 Email Attachments</b> <sub><sup>← Send emails with files</sup></sub></summary>

Both `send_gmail_message` and `draft_gmail_message` support attachments via two methods:

**Option 1: File Path** (local server only)

attachments=[{"path": "/path/to/report.pdf"}] `` Reads file from disk, auto-detects MIME type. Optional filename` override.

Option 2: Base64 Content (works everywhere) ``python attachments=[{ "filename": "report.pdf", "content": "JVBERi0xLjQK...", # base64-encoded "mime_type": "application/pdf" # optional }] ``

⚠️ Centrally Hosted Servers: When the MCP server runs remotely (cloud, shared instance), it cannot access your local filesystem. Use Option 2 with base64-encoded content. Your MCP client must encode files before sending.

</details>

<details open> <summary>📥 Downloaded Attachment Storage ← Where downloaded files are saved</summary>

When downloading Gmail attachments (get_gmail_attachment_content) or Drive files (get_drive_file_download_url), files are saved to a persistent local directory rather than a temporary folder in the working directory.

Default location: ~/.workspace-mcp/attachments/

Files are saved with their original filename plus a short UUID suffix for uniqueness (e.g., invoice_a1b2c3d4.pdf). In stdio mode, the tool returns the absolute file path for direct filesystem access. In HTTP mode, it returns a download URL via the /attachments/{file_id} endpoint.

To customize the storage directory: ``bash export WORKSPACE_ATTACHMENT_DIR="/path/to/custom/dir" ``

Saved files expire after 1 hour and are cleaned up automatically.

</details>

📝 Google Docs `docs_tools.py`

| Tool | Tier | Description | |------|------|-------------| | get_doc_content | Core | Extract document text | | create_doc | Core | Create new documents | | modify_doc_text | Core | Insert, replace, and richly format text with tab/segment targeting, append-to-segment support, advanced typography, and link management | | search_docs | Extended | Find documents by name | | find_and_replace_doc | Extended | Find and replace text | | list_docs_in_folder | Extended | List docs in folder | | insert_doc_elements | Extended | Add tables, lists, page breaks | | update_paragraph_style | Extended | Apply advanced paragraph styling including headings, spacing, direction, pagination controls, shading, and bulleted/numbered/checkbox lists with nesting | | get_doc_as_markdown | Extended | Export document as formatted Markdown with optional comments | | insert_doc_image | Complete | Insert images from Drive/URLs | | update_doc_headers_footers | Complete | Create or update headers and footers with correct segment-aware writes | | batch_update_doc | Complete | Execute atomic multi-step Docs API operations including named ranges, section breaks, document/section layout, header/footer creation, segment-aware inserts, images, tables, and rich formatting | | inspect_doc_structure | Complete | Analyze document structure, including safe insertion points, tables, section breaks, headers/footers, and named ranges | | export_doc_to_pdf | Extended | Export document to PDF | | create_table_with_data | Complete | Create data tables | | debug_table_structure | Complete | Debug table issues | | list_document_comments | Complete | List all document comments | | manage_document_comment | Complete | Create, reply to, or resolve comments | | manage_doc_tab | Complete | Create, rename, delete, or populate tabs from markdown |

📊 Google Sheets `sheets_tools.py`

| Tool | Tier | Description | |------|------|-------------| | read_sheet_values | Core | Read cell ranges | | modify_sheet_values | Core | Write/update/clear cells | | create_spreadsheet | Core | Create new spreadsheets | | list_spreadsheets | Extended | List accessible spreadsheets | | get_spreadsheet_info | Extended | Get spreadsheet metadata | | format_sheet_range | Extended | Apply colors, number formats, text wrapping, alignment, bold/italic, font size | | list_sheet_tables | Extended | List structured tables with IDs, names, ranges, and columns | | create_sheet | Complete | Add sheets to existing files | | move_sheet_rows | Complete | Move rows between sheets within a spreadsheet | | append_table_rows | Complete | Append rows to a structured table, auto-extending the table range | | list_spreadsheet_comments | Complete | List all spreadsheet comments | | manage_spreadsheet_comment | Complete | Create, reply to, or resolve comments | | manage_conditional_formatting | Complete | Add, update, or delete conditional formatting rules |

🖼️ Google Slides `slides_tools.py`

| Tool | Tier | Description | |------|------|-------------| | create_presentation | Core | Create new presentations | | get_presentation | Core | Retrieve presentation details | | batch_update_presentation | Extended | Apply multiple updates | | get_page | Extended | Get specific slide information | | get_page_thumbnail | Extended | Generate slide thumbnails | | list_presentation_comments | Complete | List all presentation comments | | manage_presentation_comment | Complete | Create, reply to, or resolve comments |

📋 Google Forms `forms_tools.py`

| Tool | Tier | Description | |------|------|-------------| | create_form | Core | Create new forms | | get_form | Core | Retrieve form details & URLs | | set_publish_settings | Complete | Configure form settings | | get_form_response | Complete | Get individual responses | | list_form_responses | Extended | List all responses with pagination | | batch_update_form | Complete | Apply batch updates (questions, settings) |

✓ Google Tasks `tasks_tools.py`

| Tool | Tier | Description | |------|------|-------------| | list_tasks | Core | List tasks with filtering | | get_task | Core | Retrieve task details | | manage_task | Core | Create, update, delete, or move tasks | | list_task_lists | Complete | List task lists | | get_task_list | Complete | Get task list details | | manage_task_list | Complete | Create, update, delete task lists, or clear completed tasks |

👤 Google Contacts `contacts_tools.py`

| Tool | Tier | Description | |------|------|-------------| | search_contacts | Core | Search contacts by name, email, phone | | get_contact | Core | Retrieve detailed contact info | | list_contacts | Core | List contacts with pagination | | manage_contact | Core | Create, update, or delete contacts | | list_contact_groups | Extended | List contact groups/labels | | get_contact_group | Extended | Get group details with members | | manage_contacts_batch | Complete | Batch create, update, or delete contacts | | manage_contact_group | Complete | Create, update, delete groups, or modify membership |

💬 Google Chat `chat_tools.py`

| Tool | Tier | Description | |------|------|-------------| | list_spaces | Extended | List chat spaces/rooms | | get_messages | Core | Retrieve space messages | | send_message | Core | Send messages to spaces | | search_messages | Core | Search across chat history | | create_reaction | Core | Add emoji reaction to a message | | download_chat_attachment | Extended | Download attachment from a chat message |

<details> <summary>💬 Chat setup — required before any Chat tool works</summary>

Unlike other Workspace services, enabling the Chat API is not enough — the Chat API refuses every request until you configure a Chat app, and it only works with Google Workspace accounts. Two extra steps are required:

1. Configure the Chat app

Enabling chat.googleapis.com alone causes every Chat tool to fail. You must also complete the Configuration tab so the API has an app identity to attach requests to:

Open Chat API → Configuration (APIs & Services → Enabled APIs → Google Chat API → Configuration)
Fill in the three required fields under Application info:
App name — e.g. Workspace MCP (up to 25 characters)
Avatar URL — any HTTPS URL to a square PNG/JPEG (e.g. https://developers.google.com/chat/images/quickstart-app-avatar.png)
Description — e.g. Workspace MCP (up to 40 characters)
Click Save

This server authenticates as the signed-in user (user OAuth), not as a bot. You do not need to enable interactive features, create a service account, or publish the app — the Configuration form above is the only Chat-specific setup required.

2. Use a Google Workspace account

The Chat API is not available to personal @gmail.com accounts. Configuring it with one returns:

Google Chat API is only available to Google Workspace users.

The required scopes (chat.spaces.readonly, chat.messages.readonly, chat.messages, chat.spaces) are requested automatically during the OAuth flow — no manual scope configuration is needed.

Configure the Chat API → · User authentication →

</details>

🔍 Google Custom Search `search_tools.py`

| Tool | Tier | Description | |------|------|-------------| | search_custom | Core | Perform web searches (supports site restrictions via sites parameter) | | get_search_engine_info | Complete | Retrieve search engine metadata |

⚡ Google Apps Script `apps_script_tools.py`

| Tool | Tier | Description | |------|------|-------------| | list_script_projects | Core | List accessible Apps Script projects | | get_script_project | Core | Get complete project with all files | | get_script_content | Core | Retrieve specific file content | | create_script_project | Core | Create new standalone or bound project | | update_script_content | Core | Update or create script files | | run_script_function | Core | Execute function with parameters | | list_deployments | Extended | List all project deployments | | manage_deployment | Extended | Create, update, or delete script deployments | | list_script_processes | Extended | View recent executions and status |

Tool Tier Legend: ● Core — Essential tools for basic functionality · Minimal API usage · Getting started ● Extended — Core + additional features · Regular usage · Expanded capabilities ● Complete — All available tools including advanced features · Power users · Full API access

---

Connect to Claude Desktop

The recommended way to use Google Workspace MCP with Claude Desktop is to run a server instance and connect Claude to it via a Connector. This provides proper OAuth flow, multi-user support, and the best experience.

See the Quick Start Guide for setup instructions.

<details> <summary>📝 Legacy: Manual stdio configuration ← For clients without Connector support</summary>

⚠️ Note: Stdio mode is a legacy fallback for clients that don't support Connectors. Prefer the Connector-based approach above. OAuth callback caveat: The legacy stdio callback path includes a local recovery fallback for rare Google redirects that omit the state parameter, but only when --single-user is active. That recovery can only be safe in a single-user local process; in HTTP or hosted multi-user scenarios it could consume another user's pending OAuth state. There is no environment variable to enable this globally.

Open Claude Desktop Settings → Developer → Edit Config

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json
Windows: %APPDATA%\Claude\claude_desktop_config.json

Add the server configuration:

{
  "mcpServers": {
    "google_workspace": {
      "command": "uvx",
      "args": ["workspace-mcp"],
      "env": {
        "GOOGLE_OAUTH_CLIENT_ID": "your-client-id",
        "GOOGLE_OAUTH_CLIENT_SECRET": "your-secret",
        "OAUTHLIB_INSECURE_TRANSPORT": "1"
      }
    }
  }
}

</details>

Connect to LM Studio

Add a new MCP server in LM Studio (Settings → MCP Servers) using the same JSON format:

{
  "mcpServers": {
    "google_workspace": {
      "command": "uvx",
      "args": ["workspace-mcp"],
      "env": {
        "GOOGLE_OAUTH_CLIENT_ID": "your-client-id",
        "GOOGLE_OAUTH_CLIENT_SECRET": "your-secret",
        "OAUTHLIB_INSECURE_TRANSPORT": "1",
      }
    }
  }
}

2. Advanced / Cross-Platform Installation

If you’re developing, deploying to servers, or using another MCP-capable client, keep reading.

Instant CLI (uvx)

<details open> <summary>⚡ Quick Start with uvx ← No installation required!</summary>

# Requires Python 3.10+ and uvx
# First, set credentials (see Credential Configuration above)
uvx workspace-mcp --tool-tier core  # or --tools gmail drive calendar

Note: Configure OAuth credentials before running. Supports environment variables, .env file, or client_secret.json.

</details>

Local Development Setup

<details open> <summary>🛠️ Developer Workflow ← Install deps, lint, and test</summary>

# Install everything needed for linting, tests, and release tooling
uv sync --group dev

# Run the same linter that git hooks invoke automatically
uv run ruff check .

# Execute the full test suite (async fixtures require pytest-asyncio)
uv run pytest

uv sync --group test installs only the testing stack if you need a slimmer environment.
MCP_ENABLE_OAUTH21=true GOOGLE_OAUTH_CLIENT_ID=... uv run main.py --transport streamable-http launches the HTTP server with your checked-out code for manual verification.
Ruff is part of the dev group because pre-push hooks call ruff check automatically—run it locally before committing to avoid hook failures.

</details>

OAuth 2.1 Support (Multi-User Bearer Token Authentication)

The server includes OAuth 2.1 support for bearer token authentication, enabling multi-user session management. OAuth 2.1 automatically reuses your existing GOOGLE_OAUTH_CLIENT_ID and, for confidential clients, GOOGLE_OAUTH_CLIENT_SECRET credentials - no additional Google-side configuration needed. Public PKCE clients are also supported: if you omit GOOGLE_OAUTH_CLIENT_SECRET, set FASTMCP_SERVER_AUTH_GOOGLE_JWT_SIGNING_KEY explicitly.

When to use OAuth 2.1:

Multiple users accessing the same MCP server instance
Need for bearer token authentication instead of passing user emails
Building web applications or APIs on top of the MCP server
Production environments requiring secure session management
Browser-based clients requiring CORS support

⚠️ Important: Mutually exclusive authentication modes

OAuth 2.1 mode (MCP_ENABLE_OAUTH21=true) cannot be used together with --single-user or service account mode:

Single-user mode: For legacy clients that pass user emails in tool calls
OAuth 2.1 mode: For modern multi-user scenarios with bearer token authentication
Service account mode: For headless/server-to-server use via domain-wide delegation

Choose one authentication method - combining incompatible modes will result in a startup error.

Enabling OAuth 2.1: To enable OAuth 2.1, set the MCP_ENABLE_OAUTH21 environment variable to true.

# OAuth 2.1 requires HTTP transport mode
export MCP_ENABLE_OAUTH21=true
uv run main.py --transport streamable-http

If MCP_ENABLE_OAUTH21 is not set to true, the server uses legacy authentication. In streamable-http mode, legacy authentication binds to 127.0.0.1 by default to keep cached Google credentials local. Set WORKSPACE_MCP_HOST explicitly only for trusted networks; use OAuth 2.1 for remote or shared HTTP deployments.

Streamable HTTP requests with an Origin header are checked against loopback origins, WORKSPACE_EXTERNAL_URL, and OAUTH_ALLOWED_ORIGINS to reduce DNS-rebinding risk. Non-browser MCP clients that omit Origin are unaffected.

vscode-webview origins: Origins with the vscode-webview:// scheme are scoped per-extension using the authority component (e.g. vscode-webview://publisher.extension). Adding a vscode-webview URI to OAUTH_ALLOWED_ORIGINS permits only the specific extension identified by that authority; other extensions are rejected.

<details open> <summary>🔐 How the FastMCP GoogleProvider handles OAuth ← Advanced OAuth 2.1 details</summary>

FastMCP ships a native GoogleProvider that we now rely on directly. It solves the two tricky parts of using Google OAuth with MCP clients:

Dynamic Client Registration: Google still doesn't support OAuth 2.1 DCR, but the FastMCP provider exposes the full DCR surface and forwards registrations to Google using your fixed credentials. MCP clients register as usual and the provider hands them your Google client ID and, when configured, client secret under the hood.

CORS & Browser Compatibility: The provider includes an OAuth proxy that serves all discovery, authorization, and token endpoints with proper CORS headers. We no longer maintain custom /oauth2/* routes—the provider handles the upstream exchanges securely and advertises the correct metadata to clients.

The result is a leaner server that still enables any OAuth 2.1 compliant client (including browser-based ones) to authenticate through Google without bespoke code.

Restricting DCR client redirect URIs:

By default, any client going through Dynamic Client Registration can declare any redirect_uri. For publicly-exposed deployments, this is a phishing vector — an attacker can register a client with a redirect_uri they control and harvest authorization codes from tricked users. Set WORKSPACE_MCP_ALLOWED_CLIENT_REDIRECT_URIS to a comma-separated allowlist of permitted URIs:

# Public deployment — restrict to Claude's hosted OAuth callbacks
export WORKSPACE_MCP_ALLOWED_CLIENT_REDIRECT_URIS="https://claude.ai/api/mcp/auth_callback,https://claude.com/api/mcp/auth_callback"

# Add Claude Code CLI (loopback redirects on ephemeral ports)
export WORKSPACE_MCP_ALLOWED_CLIENT_REDIRECT_URIS="https://claude.ai/api/mcp/auth_callback,https://claude.com/api/mcp/auth_callback,http://localhost:*/callback,http://127.0.0.1:*/callback"

Patterns use FastMCP's matcher: wildcards any port or path component; .example.com matches subdomains. Leaving the variable unset preserves the default DCR behaviour (any URI accepted), which is appropriate for local development but unsafe for public deployments.

</details>

Stateless Mode (Container-Friendly)

The server supports a stateless mode designed for containerized environments where file system writes should be avoided:

Enabling Stateless Mode: ```bash

Stateless mode requires OAuth 2.1 to be enabled

export MCP_ENABLE_OAUTH21=true export GOOGLE_OAUTH_CLIENT_ID="..." export WORKSPACE_MCP_STATELESS_MODE=true uv run main.py --transport streamable-http ```

Key Features:

No file system writes: Credentials are never written to disk
No debug logs: File-based logging is completely disabled
Memory-only sessions: All tokens stored in memory via OAuth 2.1 session store
Container-ready: Perfect for Docker, Kubernetes, and serverless deployments
Token per request: Each request must include a valid Bearer token

Requirements:

Must be used with MCP_ENABLE_OAUTH21=true
Incompatible with single-user mode
Clients must handle OAuth flow and send valid tokens with each request

This mode is ideal for:

Cloud deployments where persistent storage is unavailable
Multi-tenant environments requiring strict isolation
Containerized applications with read-only filesystems
Serverless functions and ephemeral compute environments

MCP Inspector: No additional configurat

google_workspace_mcp

<span style="color:#cad8d9">Google Workspace MCP Server</span> <img src="https://github.com/user-attachments/assets/b89524e4-6e6e-49e6-ba77-00d6df0c6e5c" width="80" align="right" />

Support for all free Google accounts & Google Workspace plans (Starter, Standard, Plus, Enterprise, Non Profit) with expanded app options like Chat & Spaces. <br/><br /> Interested in a private, managed cloud instance? That can be arranged.

<span style="color:#adbcbc">Overview</span>

<span style="color:#adbcbc">Features</span>

<span style="color:#adbcbc">Security & Compliance</span>

Quick Start

Quick Start — Connect Claude to Google Workspace

Prerequisites

Configuration

Google Custom Search Setup

Start the Server

Load specific services only

Combine with other flags

Requests only read-only scopes & disables write tools

Combine with specific tools or tiers

Per-service permission levels

Combine permissions with tier filtering

Optional bridge only for local legacy stdio sessions

With tool selection via environment variables

CLI

Or, if installed globally:

Tool Tiers

<span style="color:#72898f">Available Tiers</span>

<span style="color:#72898f">Important Notes</span>

<span style="color:#72898f">Usage Examples</span>

📋 Credential Configuration

Download & place in project root

Or specify custom path

Edit .env with credentials

📝 Google Docs <sub>docs_tools.py</sub>

📊 Google Sheets <sub>sheets_tools.py</sub>

🖼️ Google Slides <sub>slides_tools.py</sub>

📋 Google Forms <sub>forms_tools.py</sub>

✓ Google Tasks <sub>tasks_tools.py</sub>

👤 Google Contacts <sub>contacts_tools.py</sub>

💬 Google Chat <sub>chat_tools.py</sub>

🔍 Google Custom Search <sub>search_tools.py</sub>

⚡ Google Apps Script <sub>apps_script_tools.py</sub>

Connect to Claude Desktop

Connect to LM Studio

2. Advanced / Cross-Platform Installation

Instant CLI (uvx)

Local Development Setup

OAuth 2.1 Support (Multi-User Bearer Token Authentication)

Stateless Mode (Container-Friendly)

Stateless mode requires OAuth 2.1 to be enabled

Related MCP servers

MCP servers by category

📝 Google Docs <sub>`docs_tools.py`</sub>

📊 Google Sheets <sub>`sheets_tools.py`</sub>

🖼️ Google Slides <sub>`slides_tools.py`</sub>

📋 Google Forms <sub>`forms_tools.py`</sub>

✓ Google Tasks <sub>`tasks_tools.py`</sub>

👤 Google Contacts <sub>`contacts_tools.py`</sub>

💬 Google Chat <sub>`chat_tools.py`</sub>

🔍 Google Custom Search <sub>`search_tools.py`</sub>

⚡ Google Apps Script <sub>`apps_script_tools.py`</sub>