Set up Google Workspace via Service Account
Recommended setup. Authorise Extension Auditor's service account in your Google Admin Console using domain-wide delegation. One-time configuration, no token expiry.
This guide walks through connecting Google Workspace to Extension Auditor using a Google Cloud service account with domain-wide delegation. This is the recommended method for production deployments — once delegation is configured, the integration runs unattended and is not tied to any individual admin's account.
Before you begin
Make sure you have:
- The Super Admin role in your Google Workspace tenant (delegation can only be configured by a Super Admin, even though the integration runs day-to-day under a delegated admin).
- The email address of a Workspace admin that Extension Auditor should impersonate when calling Google APIs. This is typically a service-only admin account (e.g. [email protected]) with the Chrome management privileges listed in the Google Workspace overview.
- Your primary Workspace domain (e.g. yourcompany.com).
- An Extension Auditor team workspace. The setup flow lives at:
/home/<your-team-slug>/integrations/google-workspace
In the dashboard: Sidebar → Settings → Integrations → Google Workspace → Service Account (Recommended).
How it works
Extension Auditor maintains a single Google Cloud service account whose OAuth client ID is published in the setup wizard. By authorising that client ID inside your Google Admin Console — and granting it the nine Chrome Management scopes — you're telling Google: "this external service may impersonate users in our domain, but only for these specific scopes." The service account then asks Google for a short-lived access token impersonating the admin email you specify, and uses it to call the Chrome and Directory APIs.
This is a standard pattern called domain-wide delegation of authority. It doesn't grant Extension Auditor blanket access to your tenant — it grants access only for the scopes you authorise, only when impersonating the admin email you configure.
Step-by-step
Step 1 — Open the setup wizard
In the Extension Auditor dashboard, navigate to Settings → Integrations, then click Google Workspace. On the Service Account (Recommended) tab you'll see a six-step guided flow with the values you need to copy. Keep that tab open in your browser — you'll come back to it in Step 4.
Step 2 — Copy our Service Account Client ID
The wizard shows a numeric Client ID (currently 102249932937757513383). This is the unique identity of Extension Auditor's service account in Google's directory. Copy it — Google's Admin Console asks for it in the next step.
The Client ID is fixed for the platform and is also displayed inside the in-app setup wizard, which is the source of truth. If the value here ever differs, trust the value shown in the wizard.
Step 3 — Open the Domain-Wide Delegation page in Google Admin
Click Open Domain-Wide Delegation Settings in the wizard, or go directly to:
https://admin.google.com/ac/owl/domainwidedelegation
This is Security → Access and data control → API controls → Domain-wide delegation in the Google Admin Console.
You must be signed in to Google as a Super Admin to see this page.
Step 4 — Add Extension Auditor as a delegated client
Click Add new.
In Client ID, paste the value from Step 2.
In OAuth scopes (comma-delimited), paste this exact list:
https://www.googleapis.com/auth/admin.directory.device.chromebrowsers.readonly,https://www.googleapis.com/auth/chrome.management.reports.readonly,https://www.googleapis.com/auth/chrome.management.appdetails.readonly,https://www.googleapis.com/auth/chrome.management.policy.readonly,https://www.googleapis.com/auth/admin.directory.orgunit.readonly,https://www.googleapis.com/auth/admin.reports.audit.readonly,https://www.googleapis.com/auth/admin.directory.device.chromebrowsers,https://www.googleapis.com/auth/chrome.management.policy,https://www.googleapis.com/auth/admin.directory.orgunit
The setup wizard has a Copy button next to this list — use that rather than re-typing.
Click Authorize.
Google will store the delegation. The change usually applies within a minute or two, but Google occasionally takes longer — if the connection test in Step 6 fails immediately, wait a few minutes and try again.
Heads up on scopes: paste the entire list as one comma-separated string. If even one scope is missing or misspelled, the connection test will report a "scope mismatch" error and the integration will refuse to save. Do not add extra scopes.
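A pre-flight check for the scope list above, as an added example that is not part of Extension Auditor's product or documentation: it compares a scope string copied back from the Admin Console delegation entry with the nine scopes in Step 4 and separates missing, unexpected and read-write scopes. The function names and the sample input are constructed for illustration.

```python
# Added example: audit a domain-wide delegation scope string against Step 4.
PREFIX = "https://www.googleapis.com/auth/"
EXPECTED = frozenset(PREFIX + s for s in (
    "admin.directory.device.chromebrowsers.readonly",
    "chrome.management.reports.readonly",
    "chrome.management.appdetails.readonly",
    "chrome.management.policy.readonly",
    "admin.directory.orgunit.readonly",
    "admin.reports.audit.readonly",
    "admin.directory.device.chromebrowsers",
    "chrome.management.policy",
    "admin.directory.orgunit",
))


def parse_scopes(raw):
    """Split a comma-delimited scope string, dropping whitespace and empty items."""
    return [s.strip() for s in raw.split(",") if s.strip()]


def audit_delegation(raw):
    """Compare a configured scope string with the nine scopes from Step 4."""
    configured = parse_scopes(raw)
    seen = set(configured)
    return {
        "missing": sorted(EXPECTED - seen),     # would fail the connection test
        "unexpected": sorted(seen - EXPECTED),  # typos or access beyond Step 4
        "duplicates": sorted({s for s in configured if configured.count(s) > 1}),
        # By Google's naming, scopes without ".readonly" permit changes.
        "read_write": sorted(s for s in seen if not s.endswith(".readonly")),
        "matches": seen == EXPECTED,
    }


if __name__ == "__main__":
    # Constructed sample: one scope misspelled and one unrelated scope added.
    sample = ",".join(sorted(EXPECTED)).replace("orgunit.readonly", "orgunits.readonly")
    sample += ", " + PREFIX + "gmail.readonly"
    for key, value in audit_delegation(sample).items():
        print(key, value)
```

For the exact Step 4 list, `read_write` returns the three scopes without a `.readonly` suffix, which are the ones to weigh when reviewing what the delegation permits.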
Step 5 — Enter your admin email and domain
Back in the Extension Auditor wizard:
- Workspace Admin Email — the address Extension Auditor should impersonate when calling Google APIs. This must be a real Workspace user with the privileges listed in the prerequisites. Most customers create a dedicated extension-auditor-svc@<your-domain> account so that audit logs clearly attribute Extension Auditor's API calls.
- Workspace Domain — your primary Workspace domain (e.g. yourcompany.com). Don't include https:// or any subdomain.
Step 6 — Test the connection
Click Test Connection. Extension Auditor will:
- Mint a delegated access token impersonating the admin email above.
- Call the Chrome Browser Cloud Management API with that token.
- Report success or surface the exact Google error.
A green Connection Verified banner means delegation is wired up correctly. If you get an error, see Troubleshooting.
Step 7 — Save and connect
The Save & Connect button stays disabled until the connection test passes. Once it does, click Save & Connect. Extension Auditor will:
- Persist the integration record (admin email + domain + auth method) for your team.
- Resolve your real Google customer ID by calling customers.get with my_customer.
- Kick off an immediate first sync — you'll see browser, extension, and user counts populate over the next few minutes.
After this, a daily sync runs automatically every 24 hours, and you can trigger a manual run any time with Sync Now.
Rotating or revoking the integration
- To rotate the impersonated admin (e.g. if extension-auditor-svc@… is being decommissioned): disconnect the integration in Extension Auditor, then re-run the setup wizard with the new admin email. The Client ID and Admin Console delegation entry don't need to change.
- To revoke entirely: open https://admin.google.com/ac/owl/domainwidedelegation, find the row for Extension Auditor's Client ID, and delete it. Then disconnect the integration in Extension Auditor. Either step alone is sufficient — but doing both ensures no stale tokens and no stale records.
What's next
- Configure extension monitors so you're alerted when a discovered extension changes
- Browse the Extensions API to query your discovered inventory programmatically
- Troubleshooting setup errors
- Official Google references:
