The most feature-complete Google Workspace MCP server, now with Remote OAuth2.1 multi-user support and 1-click Claude installation.
Full natural language control over Google Calendar, Drive, Gmail, Docs, Sheets, Slides, Forms, Tasks, and Chat through all MCP clients, AI assistants and developer tools.
See it in action:
google_workspace_mcp.mp4
But why?
This README was written with AI assistance, and here's why that matters
As a solo dev building open source tools that many never see outside use, comprehensive documentation often wouldn't happen without AI help. Using agentic dev tools like Roo & Claude Code that understand the entire codebase, AI doesn't just regurgitate generic content - it extracts real implementation details and creates accurate, specific documentation.
In this case, Sonnet 4 took a pass & a human (me) verified them 7/10/25.
A production-ready MCP server that integrates all major Google Workspace services with AI assistants. It supports both single-user operation and multi-user authentication via OAuth 2.1, making it a powerful backend for custom applications. Built with FastMCP for optimal performance, featuring advanced authentication handling, service caching, and streamlined development patterns.
- π Advanced OAuth 2.0 & OAuth 2.1: Secure authentication with automatic token refresh, transport-aware callback handling, session management, centralized scope management, and OAuth 2.1 bearer token support for multi-user environments with innovative CORS proxy architecture
- π Google Calendar: Full calendar management with event CRUD operations
- π Google Drive: File operations with native Microsoft Office format support (.docx, .xlsx)
- π§ Gmail: Complete email management with search, send, and draft capabilities
- π Google Docs: Document operations including content extraction, creation, and comment management
- π Google Sheets: Comprehensive spreadsheet management with flexible cell operations and comment management
- πΌοΈ Google Slides: Presentation management with slide creation, updates, content manipulation, and comment management
- π Google Forms: Form creation, retrieval, publish settings, and response management
- β Google Tasks: Complete task and task list management with hierarchy, due dates, and status tracking
- π¬ Google Chat: Space management and messaging capabilities
- π Google Custom Search: Programmable Search Engine (PSE) integration for custom web searches
- π All Transports: Stdio, Streamable HTTP & SSE, OpenAPI compatibility via
mcpo - β‘ High Performance: Service caching, thread-safe sessions, FastMCP integration
- 𧩠Developer Friendly: Minimal boilerplate, automatic service injection, centralized configuration
- Download: Grab the latest
google_workspace_mcp.dxtfrom the βReleasesβ page - Install: Double-click the file β Claude Desktop opens and prompts you to Install
- Configure: In Claude Desktop β Settings β Extensions β Google Workspace MCP, paste your Google OAuth credentials
- Use it: Start a new Claude chat and call any Google Workspace tool
Why DXT?
Desktop Extensions (
.dxt) bundle the server, dependencies, and manifest so users go from download β working MCP in one click β no terminal, no JSON editing, no version conflicts.
Environment - you will configure these in Claude itself, see screenshot:
| Variable | Purpose |
|---|---|
GOOGLE_OAUTH_CLIENT_ID | OAuth client ID from Google Cloud (used by both legacy auth and OAuth 2.1) |
GOOGLE_OAUTH_CLIENT_SECRET | OAuth client secret (used by both legacy auth and OAuth 2.1) |
USER_GOOGLE_EMAIL (optional) | Default email for single-user auth |
GOOGLE_PSE_API_KEY (optional) | API key for Google Custom Search - see Custom Search Setup |
GOOGLE_PSE_ENGINE_ID (optional) | Programmable Search Engine ID for Custom Search |
MCP_ENABLE_OAUTH21 (optional) | Set to true to enable OAuth 2.1 support (requires streamable-http transport) |
OAUTHLIB_INSECURE_TRANSPORT=1 | Development only (allows http:// redirect) |
Claude Desktop stores these securely in the OS keychain; set them once in the extension pane.
install_dxt_workspace.mp4
- Python 3.10+
- uvx (for instant installation) or uv (for development)
- Google Cloud Project with OAuth 2.0 credentials
- Google Cloud Setup:
-
Create OAuth 2.0 credentials (web application) in Google Cloud Console
-
Create a new project (or use an existing one) for your MCP server.
-
Navigate to APIs & Services β Credentials.
-
Click Create Credentials β OAuth Client ID.
-
Choose Web Application as the application type.
-
Add redirect URI:
http://localhost:8000/oauth2callback -
Enable APIs:
-
In the Google Cloud Console, go to APIs & Services β Library.
-
Search for & enable Calendar, Drive, Gmail, Docs, Sheets, Slides, Forms, Tasks, Chat
-
Expand the section below marked "API Enablement Links" for direct links to each!
-
API Enablement Links
You can enable each one by clicking the links below (make sure you're logged into the Google Cloud Console and have the correct project selected):1.1. Credentials:
-
Configure credentials using one of these methods:
Option A: Environment Variables (Recommended for Production)
export GOOGLE_OAUTH_CLIENT_ID="your-client-id.apps.googleusercontent.com" export GOOGLE_OAUTH_CLIENT_SECRET="your-client-secret" export GOOGLE_OAUTH_REDIRECT_URI="http://localhost:8000/oauth2callback" # Optional - see Reverse Proxy Setup below
Option B: File-based (Traditional)
- Download credentials as
client_secret.jsonin project root - To use a different location, set
GOOGLE_CLIENT_SECRET_PATH(or legacyGOOGLE_CLIENT_SECRETS) environment variable with the file path
Option C: .env File (Recommended for Development)
- Copy the provided
.env.oauth21example file to.envin the project root:
cp .env.oauth21 .env
- Edit the
.envfile to add yourGOOGLE_OAUTH_CLIENT_IDandGOOGLE_OAUTH_CLIENT_SECRET. - The server automatically loads variables from this file on startup, simplifying local development.
- Download credentials as
Credential Loading Priority: The server loads credentials in the following order of precedence:
- Manually set environment variables (e.g.,
export VAR=value). - Variables defined in a
.envfile in the project root. client_secret.jsonfile specified byGOOGLE_CLIENT_SECRET_PATH.- Default
client_secret.jsonfile in the project root.
Why Environment Variables?
- β Containerized deployments (Docker, Kubernetes)
- β Cloud platforms (Heroku, Railway, etc.)
- β CI/CD pipelines
- β No secrets in version control
- β Easy credential rotation
-
Environment:
export OAUTHLIB_INSECURE_TRANSPORT=1 # Development only export USER_GOOGLE_EMAIL=your.email@gmail.com # Optional: Default email for auth - use this for single user setups and you won't need to set your email in system prompt for magic auth export GOOGLE_PSE_API_KEY=your-custom-search-api-key # Optional: Only needed for Google Custom Search tools export GOOGLE_PSE_ENGINE_ID=your-search-engine-id # Optional: Only needed for Google Custom Search tools
-
Server Configuration: The server's base URL and port can be customized using environment variables:
WORKSPACE_MCP_BASE_URI: Sets the base URI for the server (default: http://localhost). Note: do not include a port inWORKSPACE_MCP_BASE_URI- set that with the variable below.WORKSPACE_MCP_PORT: Sets the port the server listens on (default: 8000).GOOGLE_OAUTH_REDIRECT_URI: Override the OAuth redirect URI (useful for reverse proxy setups - see below).USER_GOOGLE_EMAIL: Optional default email for authentication flows. If set, the LLM won't need to specify your email when callingstart_google_auth.
To use the Google Custom Search tools, you need to:
-
Create a Programmable Search Engine:
- Go to Programmable Search Engine Control Panel
- Configure sites to search (or search the entire web)
- Note your Search Engine ID (cx parameter)
-
Get an API Key:
- Visit Google Developers Console
- Create or select a project
- Enable the Custom Search API
- Create credentials (API Key)
- Set the
GOOGLE_PSE_API_KEYenvironment variable with your API key
-
Configure Environment Variables:
- Set
GOOGLE_PSE_API_KEYto your Custom Search API key - Set
GOOGLE_PSE_ENGINE_IDto your Search Engine ID (the cx parameter from step 1)
- Set
For detailed setup instructions, see the Custom Search JSON API documentation.
# Default (stdio mode for MCP clients) uv run main.py # HTTP mode (for web interfaces and debugging) uv run main.py --transport streamable-http # Single-user mode (simplified authentication) uv run main.py --single-user # Selective tool registration (only register specific tools) uv run main.py --tools gmail drive calendar tasks uv run main.py --tools sheets docs uv run main.py --single-user --tools gmail # Can combine with other flags # Docker docker build -t workspace-mcp . docker run -p 8000:8000 -v $(pwd):/app workspace-mcp --transport streamable-httpAvailable Tools for --tools flag: gmail, drive, calendar, docs, sheets, forms, tasks, chat, search
The server includes OAuth 2.1 support for bearer token authentication, enabling multi-user session management. OAuth 2.1 automatically reuses your existing GOOGLE_OAUTH_CLIENT_ID and GOOGLE_OAUTH_CLIENT_SECRET credentials - no additional configuration needed!
When to use OAuth 2.1:
- Multiple users accessing the same MCP server instance
- Need for bearer token authentication instead of passing user emails
- Building web applications or APIs on top of the MCP server
- Production environments requiring secure session management
- Browser-based clients requiring CORS support
Enabling OAuth 2.1: To enable OAuth 2.1, set the MCP_ENABLE_OAUTH21 environment variable to true.
# OAuth 2.1 requires HTTP transport mode export MCP_ENABLE_OAUTH21=true uv run main.py --transport streamable-httpIf MCP_ENABLE_OAUTH21 is not set to true, the server will use legacy authentication, which is suitable for clients that do not support OAuth 2.1.
Innovative CORS Proxy Architecture
This implementation solves two critical challenges when using Google OAuth in browser environments:
-
Dynamic Client Registration: Google doesn't support OAuth 2.1 dynamic client registration. Our server provides a clever proxy that accepts any client registration request and returns the pre-configured Google OAuth credentials, allowing standards-compliant clients to work seamlessly.
-
CORS Issues: Google's OAuth endpoints don't include CORS headers, blocking browser-based clients. We implement intelligent proxy endpoints that:
- Proxy authorization server discovery requests through
/auth/discovery/authorization-server/{server} - Proxy token exchange requests through
/oauth2/token - Add proper CORS headers to all responses
- Maintain security by only proxying to known Google OAuth endpoints
This architecture enables any OAuth 2.1 compliant client to authenticate users through Google, even from browser environments, without requiring changes to the client implementation.
The server supports two transport modes:
Guided Setup (Recommended if not using DXT)
python install_claude.pyThis script automatically:
- Prompts you for your Google OAuth credentials (Client ID and Secret)
- Creates the Claude Desktop config file in the correct location
- Sets up all necessary environment variables
- No manual file editing required!
After running the script, just restart Claude Desktop and you're ready to go.
Manual Claude Configuration (Alternative)
- Open Claude Desktop Settings β Developer β Edit Config
- macOS:
~/Library/Application Support/Claude/claude_desktop_config.json - Windows:
%APPDATA%\Claude\claude_desktop_config.json
- macOS:
- Add the server configuration:
{ "mcpServers": { "google_workspace": { "command": "uvx", "args": ["workspace-mcp"], "env": { "GOOGLE_OAUTH_CLIENT_ID": "your-client-id.apps.googleusercontent.com", "GOOGLE_OAUTH_CLIENT_SECRET": "your-client-secret", "OAUTHLIB_INSECURE_TRANSPORT": "1" } } } }
If youβre developing, deploying to servers, or using another MCP-capable client, keep reading.
# Requires Python 3.10+ and uvx export GOOGLE_OAUTH_CLIENT_ID="xxx" export GOOGLE_OAUTH_CLIENT_SECRET="yyy" uvx workspace-mcp --tools gmail drive calendarRun instantly without manual installation - you must configure OAuth credentials when using uvx. You can use either environment variables (recommended for production) or set the
GOOGLE_CLIENT_SECRET_PATH(or legacyGOOGLE_CLIENT_SECRETS) environment variable to point to yourclient_secret.jsonfile.
If you're running the MCP server behind a reverse proxy (nginx, Apache, Cloudflare, etc.), you'll need to configure GOOGLE_OAUTH_REDIRECT_URI to match your external URL:
Problem: When behind a reverse proxy, the server constructs redirect URIs using internal ports (e.g., http://localhost:8000/oauth2callback) but Google expects the external URL (e.g., https://your-domain.com/oauth2callback).
Solution: Set GOOGLE_OAUTH_REDIRECT_URI to your external URL:
# External URL without port (nginx/Apache handling HTTPS) export GOOGLE_OAUTH_REDIRECT_URI="https://your-domain.com/oauth2callback" # Or with custom port if needed export GOOGLE_OAUTH_REDIRECT_URI="https://your-domain.com:8443/oauth2callback"Important:
- The redirect URI must exactly match what's configured in your Google Cloud Console
- The server will use this value for all OAuth flows instead of constructing it from
WORKSPACE_MCP_BASE_URIandWORKSPACE_MCP_PORT - Your reverse proxy must forward
/oauth2callbackrequests to the MCP server
# Set OAuth credentials via environment variables (recommended) export GOOGLE_OAUTH_CLIENT_ID="your-client-id.apps.googleusercontent.com" export GOOGLE_OAUTH_CLIENT_SECRET="your-client-secret" # Start the server with all Google Workspace tools uvx workspace-mcp # Start with specific tools only uvx workspace-mcp --tools gmail drive calendar tasks # Start in HTTP mode for debugging uvx workspace-mcp --transport streamable-httpRequires Python 3.10+ and uvx. The package is available on PyPI.
For development or customization:
git clone https://github.com/taylorwilsdon/google_workspace_mcp.git cd google_workspace_mcp uv run main.pyDevelopment Installation (For Contributors):
{ "mcpServers": { "google_workspace": { "command": "uv", "args": [ "run", "--directory", "/path/to/repo/google_workspace_mcp", "main.py" ], "env": { "GOOGLE_OAUTH_CLIENT_ID": "your-client-id.apps.googleusercontent.com", "GOOGLE_OAUTH_CLIENT_SECRET": "your-client-secret", "OAUTHLIB_INSECURE_TRANSPORT": "1" } } } }If you need to use HTTP mode with Claude Desktop:
{ "mcpServers": { "google_workspace": { "command": "npx", "args": ["mcp-remote", "http://localhost:8000/mcp"] } } }Note: Make sure to start the server with --transport streamable-http when using HTTP mode.
The server features transport-aware OAuth callback handling:
- Stdio Mode: Automatically starts a minimal HTTP server on port 8000 for OAuth callbacks
- HTTP Mode: Uses the existing FastAPI server for OAuth callbacks
- Same OAuth Flow: Both modes use
http://localhost:8000/oauth2callbackfor consistency
When calling a tool:
- Server returns authorization URL
- Open URL in browser and authorize
- Server handles OAuth callback automatically (on port 8000 in both modes)
- Retry the original request
Note: All tools support automatic authentication via
@require_google_service()decorators with 30-minute service caching.
π
Google Calendar (calendar_tools.py)
| Tool | Description |
|---|---|
list_calendars | List accessible calendars |
get_events | Retrieve events with time range filtering |
get_event | Fetch detailed information of a single event by ID |
create_event | Create events (all-day or timed) with optional Drive file attachments and custom reminders |
modify_event | Update existing events with intelligent reminder handling |
delete_event | Remove events |
π Google Drive (drive_tools.py)
| Tool | Description |
|---|---|
search_drive_files | Search files with query syntax |
get_drive_file_content | Read file content (supports Office formats) |
list_drive_items | List folder contents |
create_drive_file | Create new files or fetch content from public URLs |
π§ Gmail (gmail_tools.py)
| Tool | Description |
|---|---|
search_gmail_messages | Search with Gmail operators |
get_gmail_message_content | Retrieve message content |
send_gmail_message | Send emails |
draft_gmail_message | Create drafts |
π Google Docs (docs_tools.py)
| Tool | Description |
|---|---|
search_docs | Find documents by name |
get_doc_content | Extract document text |
list_docs_in_folder | List docs in folder |
create_doc | Create new documents |
read_doc_comments | Read all comments and replies |
create_doc_comment | Create new comments |
reply_to_comment | Reply to existing comments |
resolve_comment | Resolve comments |
π Google Sheets (sheets_tools.py)
| Tool | Description |
|---|---|
list_spreadsheets | List accessible spreadsheets |
get_spreadsheet_info | Get spreadsheet metadata |
read_sheet_values | Read cell ranges |
modify_sheet_values | Write/update/clear cells |
create_spreadsheet | Create new spreadsheets |
create_sheet | Add sheets to existing files |
read_sheet_comments | Read all comments and replies |
create_sheet_comment | Create new comments |
reply_to_sheet_comment | Reply to existing comments |
resolve_sheet_comment | Resolve comments |
πΌοΈ Google Slides (slides_tools.py)
| Tool | Description |
|---|---|
create_presentation | Create new presentations |
get_presentation | Retrieve presentation details |
batch_update_presentation | Apply multiple updates at once |
get_page | Get specific slide information |
get_page_thumbnail | Generate slide thumbnails |
read_presentation_comments | Read all comments and replies |
create_presentation_comment | Create new comments |
reply_to_presentation_comment | Reply to existing comments |
resolve_presentation_comment | Resolve comments |
π Google Forms (forms_tools.py)
| Tool | Description |
|---|---|
create_form | Create new forms with title and description |
get_form | Retrieve form details, questions, and URLs |
set_publish_settings | Configure form template and authentication settings |
get_form_response | Get individual form response details |
list_form_responses | List all responses to a form with pagination |
β Google Tasks (tasks_tools.py)
| Tool | Description |
|---|---|
list_task_lists | List all task lists with pagination support |
get_task_list | Retrieve details of a specific task list |
create_task_list | Create new task lists with custom titles |
update_task_list | Modify existing task list titles |
delete_task_list | Remove task lists and all contained tasks |
list_tasks | List tasks in a specific list with filtering options |
get_task | Retrieve detailed information about a specific task |
create_task | Create new tasks with title, notes, due dates, and hierarchy |
update_task | Modify task properties including title, notes, status, and due dates |
delete_task | Remove tasks from task lists |
move_task | Reposition tasks within lists or move between lists |
clear_completed_tasks | Hide all completed tasks from a list |
π¬ Google Chat (chat_tools.py)
| Tool | Description |
|---|---|
list_spaces | List chat spaces/rooms |
get_messages | Retrieve space messages |
send_message | Send messages to spaces |
search_messages | Search across chat history |
π Google Custom Search (search_tools.py)
| Tool | Description |
|---|---|
search_custom | Perform web searches using Programmable Search Engine |
get_search_engine_info | Retrieve search engine metadata and configuration |
search_custom_siterestrict | Search within specific sites/domains |
google_workspace_mcp/ βββ auth/ # Authentication system with decorators βββ core/ # MCP server and utilities βββ g{service}/ # Service-specific tools βββ main.py # Server entry point βββ client_secret.json # OAuth credentials (not committed) βββ pyproject.toml # Dependencies from auth.service_decorator import require_google_service @require_google_service("drive", "drive_read") # Service + scope group async def your_new_tool(service, param1: str, param2: int = 10): """Tool description""" # service is automatically injected and cached result = service.files().list().execute() return result # Return native Python objects- Service Caching: 30-minute TTL reduces authentication overhead
- Scope Management: Centralized in
SCOPE_GROUPSfor easy maintenance - Error Handling: Native exceptions instead of manual error construction
- Multi-Service Support:
@require_multiple_services()for complex tools
- Credentials: Never commit
client_secret.jsonor.credentials/directory - OAuth Callback: Uses
http://localhost:8000/oauth2callbackfor development (requiresOAUTHLIB_INSECURE_TRANSPORT=1) - Transport-Aware Callbacks: Stdio mode starts a minimal HTTP server only for OAuth, ensuring callbacks work in all modes
- Production: Use HTTPS for callback URIs and configure accordingly
- Network Exposure: Consider authentication when using
mcpoover networks - Scope Minimization: Tools request only necessary permissions
To use this server as a tool provider within Open WebUI:
Just copy and paste the below, set your values and you're off!
GOOGLE_OAUTH_CLIENT_ID="your_client_id" GOOGLE_OAUTH_CLIENT_SECRET="your_client_secret" uvx mcpo --port 8000 --api-key "top-secret" -- uvx workspace-mcpOtherwise:
Create a file named config.json with the following structure to have mcpo make the streamable HTTP endpoint available as an OpenAPI spec tool:
{ "mcpServers": { "google_workspace": { "type": "streamablehttp", "url": "http://localhost:8000/mcp" } } }mcpo --port 8001 --config config.json --api-key "your-optional-secret-key"This command starts the mcpo proxy, serving your active (assuming port 8000) Google Workspace MCP on port 8001.
- Navigate to your Open WebUI settings
- Go to "Connections" β "Tools"
- Click "Add Tool"
- Enter the Server URL:
http://localhost:8001/google_workspace(matching the mcpo base URL and server name from config.json) - If you used an
--api-keywith mcpo, enter it as the API Key - Save the configuration
The Google Workspace tools should now be available when interacting with models in Open WebUI.
MIT License - see LICENSE file for details.
