Does Google Search Console use an API key or OAuth?

OAuth, not an API key. You create a Google Cloud OAuth client, authorize the Search Console scope in the OAuth Playground, and exchange it for a refresh token. Outloop stores the OAuth credential locally and mints short-lived access tokens host-side; the agent never sees any of it.

What Search Console property format should I use in Outloop?

It depends on the property type. For a Domain property, use sc-domain:yourdomain.com (for example sc-domain:outloop.co). For a URL-prefix property, use the exact URL including https:// and the trailing slash, for example https://outloop.co/.

What is the difference between a Domain property and a URL-prefix property?

A Domain property covers every URL on a domain and all subdomains/protocols (verified via DNS); enter it as sc-domain:domain.com. A URL-prefix property covers only the exact URL prefix shown; enter that exact URL, e.g. https://domain.com/. Always check the label in the Search Console property dropdown — do not assume every property is a Domain property.

Where do I get the refresh token?

From the Google OAuth Playground. Check "Use your own OAuth credentials", set Access type to Offline and Force prompt to Consent Screen, authorize the webmasters.readonly scope, then click "Exchange authorization code for tokens" to get the refresh token. Paste it only into the Outloop Mac app.

Can my agent see the Google refresh token?

No. Outloop stores the OAuth credential in macOS Keychain and uses it host-side through the API Bridge — minting a short-lived access token and injecting the headers itself. The agent never sees the refresh token or access token, and every request is audited.

Can I use one Google Cloud project for multiple Google marketing APIs?

Yes. The same Google Cloud project and OAuth client can serve Google Ads, Merchant Center, GA4, and Search Console, as long as you enable each API and the Google user has access. Each connection still pins its own credential and property in Outloop.

Can I add more Search Console properties later?

Yes. Reuse the same Google Cloud project and OAuth client if the same Google user has access, then add another Google Search Console entry in Outloop (or assign the shared connector to the right workspace) and pin the correct property — sc-domain:domain.com for a Domain property, or the exact URL for a URL-prefix property.

Learn · Setup guides

Connect Google Search Console to Outloop

Last updated: June 28, 2026

In short

Google Search Console uses OAuth, not an API key.

You create one Google Cloud OAuth client, authorize the Search Console scope, and exchange it for a refresh token. Outloop stores the OAuth credential locally in macOS Keychain, pins it to the exact Search Console property, and lets agents use it only through the API Bridge — minting short-lived access tokens host-side, so the agent never sees the Google token.

Summarize this setup guide with AI ChatGPT Claude Perplexity

What this setup gives you

You will create one Google Cloud OAuth client, generate a Search Console refresh token, pin the exact Search Console property into Outloop, and run a first proof through your agent. Outloop stores the OAuth credential locally and uses it through the API Bridge — the agent never sees the refresh token or access token.

Security rule. Never record, screenshot, paste, or publish a real client_secret, refresh_token, access_token, Authorization header, or Bearer token. Their only destination is the Outloop Mac app — never Outloop Cloud, the website, chat, docs, or .env files.

What you need before starting

✓Access to a Google Cloud project.
✓Access to the relevant Google Search Console property.
✓Outloop installed and activated, with a workspace selected.

1. Enable the Search Console API

In Google Cloud Console, open your project, then go to APIs & Services → Library and search Google Search Console API.

Google Cloud API Library search result for the Google Search Console API.

Open the result and click Enable.

Google Search Console API product page in Google Cloud with the Enable button highlighted.

2. Create an OAuth client

Go to APIs & Services → Credentials, then Create credentials → OAuth client ID.

Create credentials menu in Google Cloud with OAuth client ID highlighted.

Choose Application type: Web application, name it Outloop Search Console OAuth, leave Authorized JavaScript origins empty, and under Authorized redirect URIs add the OAuth Playground URL:

https://developers.google.com/oauthplayground

Create OAuth client ID form named Outloop Search Console OAuth with the OAuth Playground redirect URI added.

Click Create, then copy the Client ID and Client secret from the dialog.

OAuth client created dialog in Google Cloud with the client ID and client secret redacted.

Important. You will not be able to view the client secret again after closing this dialog — copy it now and store it securely. Do not screenshot or publish the secret.

3. Get a refresh token (OAuth Playground)

Open developers.google.com/oauthplayground, click the gear icon, and set: OAuth flow Server-side, Access type Offline, Force prompt Consent Screen, and check Use your own OAuth credentials. Paste the Client ID and Client secret (do not screenshot the pasted secret).

Google OAuth Playground configuration with Server-side flow, Offline access, and Consent Screen prompt.

Google OAuth Playground with Use your own OAuth credentials enabled and empty client ID and secret fields.

In Step 1, paste the Search Console scope and click Authorize APIs:

https://www.googleapis.com/auth/webmasters.readonly

OAuth Playground authorizing the Google Search Console webmasters.readonly scope.

Scope note. Use webmasters.readonly for read-only Search Console access (recommended for first setup). If you intentionally need broader approved actions later, authorize the broader webmasters scope.

After approving the Google consent screen, OAuth Playground returns to Step 2. Click Exchange authorization code for tokens and copy the refresh_token (do not screenshot or publish it).

OAuth Playground Exchange authorization code for tokens step with the token values redacted.

4. Find your exact Search Console property

This is the step people get wrong. Open Google Search Console, click the property dropdown, and check whether the property is a Domain property or a URL-prefix property. The label is shown right under the property name.

Google Search Console property dropdown showing a Domain property.

Enter it in Outloop in the matching format:

Domain property      →  sc-domain:yourdomain.com   (e.g. sc-domain:outloop.co)
URL-prefix property  →  https://yourdomain.com/    (exact URL, with trailing slash)

Do not assume every Search Console property is a Domain property. Always check the label in the property dropdown, and copy a URL-prefix property exactly as shown, including https:// and any trailing slash.

5. Add Google Search Console in Outloop

In Outloop, open API Access → Add an API key and choose Google Search Console. Use Agency-global / shared when the same Google user can access multiple properties and you want to grant workspaces over time — tick the workspaces that should use it. Outloop still pins the credential to the specific Search Console property you enter.

Outloop Add an API key screen with Google Search Console selected, Agency-global shared scope, and the workspace list redacted.

6. Fill the OAuth fields and set up

Paste the values you collected, then click Set up Google Search Console OAuth:

→Client ID and Client Secret from Google Cloud.
→Refresh Token from the OAuth Playground.
→Search Console property — sc-domain:yourdomain.com or https://yourdomain.com/.
→OAuth scope — keep Read-only — Search Analytics + URL Inspection (recommended). If you need broader approved actions, authorize the broader scope intentionally; for first setup, read-only is recommended.

Outloop Google Search Console OAuth setup form with the client ID redacted and the client secret and refresh token masked.

macOS Keychain. macOS may ask permission to let Outloop read the stored credential from Keychain — click Always Allow. This is local Keychain access; the credential is not uploaded to Outloop Cloud.

7. Enable the bridge and set the safe read path

After setup, click View in stored keys. The row confirms the credential is stored in macOS Keychain with secret_exposed: false.

Outloop confirmation that the Google Search Console credential was stored locally, with View in stored keys highlighted.

On the key row, the bridge is bound to https://www.googleapis.com. If Outloop asks for a safe read path, set it to a read-only Search Console endpoint, then click Copy workspace run prompt:

/webmasters/v3/sites

Outloop Google Search Console key row with the safe read path field and Copy workspace run prompt button.

The safe read path gives the agent a first safe GET request. It is a path only — never a secret, and no key re-paste.

8. Run the first proof

Paste the workspace run prompt into your agent. The first proof verifies Search Console access through Outloop:

GET /webmasters/v3/sites

A successful, verified Outloop proof looks like this:

decision / code: allow / OK
HTTP status: 200
service: google_search_console
secret_exposed: false
GSC identity: siteEntry[].siteUrl = sc-domain:yourdomain.com
runtime-verified: yes

Outloop Google Search Console runtime proof showing allow, OK, HTTP 200, service google_search_console, and secret_exposed false.

The setup is complete when the proof shows runtime-verified: yes and secret_exposed: false. Your agent can now use Google Search Console through Outloop; the Google OAuth credential stays in macOS Keychain, and the agent never sees the refresh token or access token.

Verified vs not claimed yet

Verified Search Console read access through Outloop: GET /webmasters/v3/sites returned HTTP 200 with decision allow, an audit entry, the property identity (siteEntry[].siteUrl), and secret_exposed: false.
Supported, not verified yet Broader write/inspection actions under the wider webmasters scope: permitted through bridge policy when authorized, but not runtime-verified in this guide.

Troubleshooting

I do not see a refresh token

In the OAuth Playground, confirm Use your own OAuth credentials is checked, Access type is Offline, Force prompt is Consent Screen, and the redirect URI in Google Cloud is exactly https://developers.google.com/oauthplayground. Then authorize again.

Outloop says the property is wrong

Check the Search Console dropdown. If it says Domain property, use sc-domain:yourdomain.com (e.g. sc-domain:outloop.co). If it says URL-prefix property, use the exact URL shown, e.g. https://outloop.co/.

The proof returns 403

Usually the Google user who created the refresh token does not have access to that Search Console property, or the wrong OAuth scope was authorized. Confirm the user's Search Console access and that you authorized webmasters.readonly.

The proof shows a config issue

Check that the Search Console API is enabled, the client ID and secret are correct, the refresh token is pasted, the property is exact, and the safe read path is set to /webmasters/v3/sites if Outloop asks for it.

Adding another Search Console property

Reuse the same Google Cloud project and OAuth client if the same Google user has access. In Outloop, add another Google Search Console entry or assign the shared connector to the right workspace, and always pin the correct property — sc-domain:domain.com for a Domain property, or the exact URL for a URL-prefix property.

Outloop is available with guided onboarding for agency teams. Outloop is an independent tool and is not affiliated with or endorsed by Google. See the security model, the Google Ads API setup guide, or connect any custom API.