Provisioning Google Apps with Schemus for Email
search cancel

Provisioning Google Apps with Schemus for Email


Article ID: 270786


Updated On:




You are trying to sync email addresses with Email service from your Google Apps tenant via Schemus synchronization tool.




Provisioning the Google Apps Service Account

Schemus authenticates to Google Apps with the OAuth2 protocol, using the Service Account email address and associated private key as credentials.

Note that although a Service Account is used for authentication, a separate Google Apps user account is required to access the group and user data.


Before Schemus can retrieve data from Google Apps, you must sign up for a Google Apps account and create an administrator. Once created, the account is managed from the Admin console at

Creating a service account and key

A service account's credentials include a unique generated email address, a public/private key pair and a Client ID.

Create the service account and key as follows:

Create a service account

  1. Open the service accounts page at
  2. If prompted, select a project or create a new one.
  4. Under Service account details, type a name, ID, and description for the service account, then click CREATE AND CONTINUE.
  5. Skip the optional steps to grant account and user access.
  6. Click Done.

Create a service account key

  1. Click the email address for the service account.
  2. Click KEYS.
  3. In the ADD KEY drop-down list, select Create new key.
  4. Select JSON.
  5. Click CREATE and save the key to a suitable location.

Take note of the service account's OAuth2 Client ID and store the service account's key file in a location accessible to Schemus.

Note: The downloaded key serves as the only copy of the private key and should not be disclosed.
You can return to the API Console at view the email address and Client ID or to generate additional keys.


Delegating domain-wide authority to the service account

To delegate domain-wide authority to a service account, a super administrator of the Google Workspace domain must complete the following steps:

  1. From the Admin console at, go to Main menu > Security > Access and data control > API Controls.
  2. In the Domain wide delegation pane, select MANAGE DOMAIN WIDE DELEGATION.
  3. Click Add new.
  4. In the Client ID field, enter the service account's Client ID from the Service accounts page
  5. In the OAuth scopes (comma-delimited) field, enter the list of scopes required by Schemus:,,,
  6. Click Authorize.

Note: The scopes above provide read-only access to the data required by Schemus. Scopes allowing write access should not be included.

Your application now has the authority to make API calls as users in your domain (to "impersonate" users).

Note: The key file and the email address of the user to impersonate are required on the Google Apps settings page when configuring Schemus.
The service account email address is not required as it will be loaded from the JSON key file.

Note: It may be necessary to activate the API before using it for the first time with a project. To enable the API visit