Learn · Setup guides

How to Connect Google Drive API and Shared Drives to AI Agents with Outloop

Last updated:

In short

Google Drive uses OAuth, not an API key — and Outloop keeps the whole OAuth credential away from the agent.

You enable the Google Drive API, add a Drive scope, create one Google Cloud OAuth client, and exchange it for a refresh token in the OAuth Playground. Outloop stores the credential in macOS Keychain, pins each workspace to an optional Drive folder or Shared Drive, and agents use approved Drive access through the API Bridge without ever seeing the client secret, refresh token, or access token.

Summarize this setup guide with AI ChatGPTClaudePerplexity

What this setup gives you

You will enable the Google Drive API in Google Cloud, add a Drive scope, create an OAuth client for the OAuth Playground, generate a refresh token, and store the credential in Outloop — with an optional Drive folder and Shared Drive pin per workspace. After that, AI agents get full approved Google Drive and Shared Drive access through Outloop: the OAuth credential stays in macOS Keychain, is used on the wire host-side, and never appears to the agent, in chat, logs, repos, or project files.

Security rule. Never record, screenshot, paste, or publish a real client_secret, refresh_token, access_token, authorization code, or Authorization header. Their only destination is the Outloop Mac app — never Outloop Cloud, the website, chat, docs, or .env files. Every screenshot in this guide has the credential fields redacted.

What you need before starting

1. Enable the Google Drive API

In Google Cloud Console, open APIs & Services → Library, search Google Drive API, and click Enable. The product page confirms with a green API Enabled badge (service name drive.googleapis.com).

Google Cloud product details page for the Google Drive API showing the green API Enabled badge.

2. Add the Drive scope

In Google Auth Platform → Data access, click Add or remove scopes.

Google Auth Platform Data access page with the Add or remove scopes button highlighted.

In the panel, scroll to Manually add scopes, paste the full Drive scope, and click Add to table, then Update:

https://www.googleapis.com/auth/drive
Manually add scopes panel in Google Auth Platform with the full Google Drive scope pasted and the Add to table button highlighted.
Scope note. The full auth/drive scope lets agents work with existing files and Shared Drive content, and Google classes it as a restricted scope. If your agents only need files they create or open themselves, the narrower auth/drive.file scope is Google's recommended tier — Outloop's default mode. Whichever you authorize here must match the scope tier you pick in Outloop in step 5.

3. Create the OAuth client

In Google Auth Platform → Clients, create a new OAuth client. Choose Application type: Web application, give it a recognisable name, and under Authorised redirect URIs add the OAuth Playground URL:

https://developers.google.com/oauthplayground
Create OAuth client ID form in Google Cloud with Web application type selected and the OAuth Playground redirect URI added.

Click Create. The confirmation dialog shows the Client ID and Client secret — copy both now.

OAuth client created dialog in Google Cloud with the client ID and client secret values redacted.
Important. You will not be able to view the client secret again after closing this dialog — copy it now and store it securely. Do not screenshot or publish the secret.

4. Get a refresh token (OAuth Playground)

Open developers.google.com/oauthplayground, click the gear icon, and set: Access type Offline, Force prompt Consent Screen, and check Use your own OAuth credentials. Paste the Client ID and Client secret from step 3 (do not screenshot the pasted values).

Google OAuth Playground configuration panel with Offline access, Consent Screen prompt, Use your own OAuth credentials checked, and the client ID and secret fields redacted.

In Step 1, paste the Drive scope you added (https://www.googleapis.com/auth/drive) into Input your own scopes and click Authorize APIs. Sign in with the Google account that has access to the Drive content and approve the consent screen.

The Playground returns to Step 2 with an authorization code. Click Exchange authorization code for tokens and copy the refresh_token (do not screenshot or publish it — the access token you can ignore; Outloop mints its own).

OAuth Playground Step 2 with the Exchange authorization code for tokens button highlighted and the authorization code, refresh token, and access token values redacted.
Why "Use your own OAuth credentials" matters. With the Playground's default credentials, refresh tokens are revoked after 24 hours. With your own client (and a consent screen published to production), the refresh token keeps working until it is revoked.

5. Add Google Drive in Outloop

In Outloop, open API Keys & Access → Add an API key and choose Google Drive from the Google Workspace Pack. Pick the workspace scope — Workspace-dedicated for one client, or shared if several workspaces will use the same Google account (shared is recommended for Google Drive).

Outloop dashboard Add an API key screen with Google Drive selected, a workspace chosen, and the OAuth explanation that agents never see any part of the credential.

Under Manual OAuth setup, paste the values you collected, then click Set up Google Drive OAuth:

Outloop Google Drive manual OAuth setup form with client ID, client secret, and refresh token fields redacted, optional Drive folder ID and Shared Drive ID fields, and the stored confirmation showing secret_exposed false.
Stored. Outloop confirms the credential is stored once in macOS Keychain — never shown again, agents never see it, secret_exposed: false. Turn on Runtime access on the key row to let agents use it.

6. Shared Drives: pin the boundary

Outloop supports Google Shared Drives when the connected Google user has access to the Shared Drive — Shared Drive membership is enforced by Google itself, so a credential from a user who is not a member cannot reach it.

Why pin. The pin is the client boundary. One Google credential can serve several client workspaces, each pinned to its own Shared Drive or folder — an agent working in one workspace cannot list or write outside its pin, which is what keeps wrong-client access blocked by policy. Broad scopes (full Drive / read-only Drive) require a pin.

7. macOS Keychain: click Always Allow

The first time Outloop reads a stored credential from macOS Keychain, macOS shows a permission dialog naming the key being read. Click Always Allow. If you click Allow instead, macOS asks again on every read — and if the prompt is dismissed, runtime access can fail even though the credential is stored correctly.

macOS Keychain permission dialog asking to allow access to a stored key, with the Always Allow button highlighted.
Local only. This is macOS asking, not Outloop Cloud — the credential is read host-side from your Mac's Keychain at request time and is never uploaded.

8. Real proof: copy into a Shared Drive

This setup was verified with a real write through Outloop: an agent asked Outloop to copy a test image into a team Shared Drive. The request went through the API Bridge, the credential was used on the wire host-side, and the copy succeeded:

POST /drive/v3/files/{fileId}/copy?supportsAllDrives=true
HTTP 200
secret_exposed: false

The copied file appeared inside the pinned team Shared Drive, and the audit entry shows the allow decision with secret_exposed: false — the agent used the credential's capability without ever seeing the credential.

Note on proofs. If you want to start gentler, a read-only first check works too — for example GET /drive/v3/about?fields=user confirms access without changing any data. A proof only counts when it goes through Outloop and returns secret_exposed: false — a result from an MCP, an SDK, or the Drive UI proves nothing about Outloop access.

What the Drive API can do through Outloop

Under the authorized scope, the Drive API v3 covers the full file lifecycle. Shared Drive operations use the same endpoints with supportsAllDrives=true (and driveId + includeItemsFromAllDrives=true when listing).

Reads

Writes

Blocked by Outloop runtime policy

Verified vs not claimed yet

Google Drive API through Outloop vs the Drive MCP

Google offers a remote Google Drive MCP server (currently part of the Google Workspace Developer Preview Program) with eight tools for searching, reading, creating, copying, and downloading files. MCP can be a useful path; the comparison below is specific to Google Drive and to what is actually live in this workspace.

For this workspace, the Google Drive API through Outloop is the only Drive path that is live and verified right now.
Area Drive API through OutloopGoogle Drive MCP
Live in this workspace Live now The API path is the only Google Drive path connected here. Not connected here Google offers a remote Drive MCP server (Google Workspace Developer Preview), but it is not connected in this workspace.
Verified in this guide Verified in this guide Proven with a real Shared Drive copy through Outloop (HTTP 200, secret_exposed: false). Not verified here
Auth model OAuth client + refresh token stored in macOS Keychain; Outloop mints short-lived access tokens host-side. OAuth 2.0 session between the AI application and Google; token handling depends on the client.
Raw secret exposure to the agent Secret-safe The credential is used on the wire; the agent never sees the client secret, refresh token, or access token. Depends on the connector/OAuth session model.
Audit trail Audited Every API Bridge request is auditable through Outloop. Not through Outloop.
Workspace / client routing Workspace-scoped Folder and Shared Drive pins bound each workspace; wrong-client access is blocked by policy. Not through Outloop.
Read actions Full Drive API v3 reads under the authorized scope: files.list, files.get, downloads and exports, Shared Drive listing. search_files, list_recent_files, read_file_content, download_file_content, get_file_metadata, get_file_permissions.
Write actions Drive API v3 writes under the authorized scope and runtime policy: upload, update, copy, move, sharing to people/groups. Public links, ownership transfer, and hard deletes stay blocked. create_file and copy_file are documented; the toolset is narrower than the raw API.
Honesty note. This comparison is intentionally conservative. The official Google Drive MCP server exposes a documented toolset, but it is not connected in this workspace, so this guide does not mark MCP capabilities as verified. By contrast, the Outloop API Bridge path is live and verified here.

Troubleshooting

The refresh token stops working after 7 days

If the OAuth consent screen's publishing status is Testing with an External user type, Google revokes refresh tokens after 7 days. In Google Auth Platform → Audience, publish the app to In production (or use an Internal user type in a Google Workspace organisation), then generate a new refresh token in the Playground and update it in Outloop.

I do not see a refresh token in the Playground

Confirm Use your own OAuth credentials is checked, Access type is Offline, Force prompt is Consent Screen, and the redirect URI in Google Cloud is exactly https://developers.google.com/oauthplayground. Then authorize again.

Requests fail with 403 or "File not found" on a Shared Drive

Usually the connected Google user is not a member of that Shared Drive, or the request is missing supportsAllDrives=true. Confirm the user's Shared Drive membership and that the shared_drive_id pinned in Outloop is the right one.

The agent can create files but cannot read existing ones

The credential was authorized with the drive.file scope, which only covers files the agent created or opened through this credential. For existing files and Shared Drive content, authorize the full auth/drive scope (step 2), generate a new refresh token, and match the scope tier in Outloop.

Runtime access fails even though the key is stored

Check the macOS Keychain prompt was answered with Always Allow (step 7) and that Runtime access is turned on for the Google Drive key row in Outloop.

Outloop is available with guided onboarding for agency teams. Outloop is an independent tool and is not affiliated with or endorsed by Google. See the security model, the Google Analytics GA4 setup guide, or the Google Search Console setup guide.

Summarize this setup guide with AI ChatGPTClaudePerplexity

Once the proof succeeds, your agents can use Google Drive and Shared Drives through Outloop — without seeing the OAuth credential.

Outloop is available with guided onboarding for AI agencies, operators, and dev shops.

Frequently Asked Questions

Google Drive API + Outloop — FAQ