---
title: Our Google OAuth app is live and CASA Tier 2 certified
slug: our-google-oauth-app-is-live-and-casa-tier-2-certified
date: 2025-12-24
author: Nachi Raman
categories: [Product Updates]
excerpt: Truto’s Google OAuth app is officially live and CASA Tier 2 certified. Securely connect Google Workspace apps like Gmail and Drive without your own verification.
tldr: "Truto’s Google OAuth app is now CASA Tier 2 certified, allowing customers to securely connect Google Workspace services like Gmail and Drive without undergoing their own verification."
canonical: https://truto.one/blog/our-google-oauth-app-is-live-and-casa-tier-2-certified/
---

# Our Google OAuth app is live and CASA Tier 2 certified


Truto’s Google OAuth application has successfully cleared Google’s Cloud Application Security Assessment (CASA) Tier 2 and is officially live in production.

This means teams can connect Google Workspace to Truto using a fully verified OAuth app, without limits on the number of connections, unverified-app warnings, or additional approval steps from Google.

## What this means for our customers

With our verified Google OAuth app, customers can securely connect:

-   Google Drive
    
-   Google Docs
    
-   Gmail
    
-   Google Calendar
    
-   Google Forms
    
-   Google Contacts
    
-   Google Meet, and
    
-   Google Admin Directory
    

Connections can be made using admin-level authorization, enabling visibility into users, groups, roles, organizational units, and directory-level metadata where applicable.

> Most importantly, customers do not need to undergo any Google verification themselves. The entire security and compliance burden is handled by Truto.

## What CASA Tier 2 actually means

Google CASA Tier 2 is a deep security assessment covering:

-   Architecture and data flow reviews
    
-   Secure storage, OAuth implementation, and token handling
    
-   Infrastructure and operational security controls
    
-   Access control and least-privilege design
    
-   Incident response and vulnerability management
    

We worked closely with TAC Security and Google through a long, detailed, and expensive assessment process to ensure Truto meets Google’s highest standards for third-party OAuth applications.

## The outcome for customers is multi-fold

-   No need to spend months navigating additional verification or approval processes with Google
    
-   No internal budgeting or certification approval cycles
    
-   No need to spend weeks building and maintaining a Google Workspace integration from scratch
    

## What data can Truto access

Below is a breakdown of the scopes we request and why they exist.

**Identity and authentication**

Used only to identify the connected user and establish a secure OAuth session.

-   User email address
    
-   Basic profile information
    
-   OpenID authentication context
    

**Google Drive and Docs**

Used for file discovery, metadata access, and document workflows.

-   Drive read-only access
    
-   Drive labels read-only
    
-   Google Docs access, explicitly scoped to document content
    

**Gmail**

Used for reading messages and enabling mailbox workflows like applying labels and updating message state (for example read or unread), where email integrations are enabled.

-   Gmail read-only
    
-   Gmail modify (non-destructive actions)
    

**Calendar and Meetings**

Used for calendar visibility, scheduling, and availability checks.

-   Calendar lists and calendars
    
-   Calendar events
    
-   Public calendar events (read-only)
    
-   Google Meet space (read-only)
    

**Contacts**

Used to enrich user and contact profiles.

-   Contacts (read-only)
    
-   Other contacts (read-only)
    

**Forms**

Used to understand form structure and ingest responses for downstream workflows.

-   Forms structure (read-only)
    
-   Forms responses (read-only)
    

**Admin Directory**

Used only when admin-level visibility is required, such as access reviews, audits, or user directory syncs.

-   Users directory
    
-   Organizational units
    
-   Groups and group membership
    
-   Role management (read-only)
    
-   User security metadata
    

If your business requires a Google scope that is not listed above, let us know. We support adding new scopes on request and will work with Google through the required approval process before making them available.

## Our approach to permissions

A few principles guide how we request scopes:

-   Read-only wherever possible
    
-   No broad “full access” scopes; we request the narrowest scope that supports the feature
    
-   Every permission is tied to a concrete Unified API feature
    
-   Admin scopes are only used when explicitly required
    

If a customer does not need a specific capability, that scope is simply not used.

## What’s next

The Google OAuth integration is now live and available to all Truto customers.

If you are already using Truto, you can connect to Google Workspace immediately. If you want help enabling the integration or need a scope walkthrough for your security team, reach out to us anytime.

If you are evaluating Truto, this removes a major OAuth and security blocker from day one. You can schedule a quick consultation on how Truto can help you integrate 500+ applications.

Here are some potential use cases teams can now explore with our support for Google Workspace integrations through a ready-to-use OAuth app:

-   **User and access visibility across Google Workspace**  
    Sync users, groups, roles, and security signals from Google Admin Directory into internal systems for audits, access reviews, and identity management workflows.

-   **Document and file discovery for internal tools and AI workflows**  
    Securely index Google Drive files and Google Docs metadata to power search, knowledge discovery, and AI assistants without exposing write access.
    
-   **Email and calendar insights for operational workflows**  
    Read Gmail and Calendar data to automate reporting, activity timelines, or operational analytics while respecting scoped, read-only permissions.
    
-   **Form response ingestion and downstream automation**  
    Pull Google Forms structures and responses into data pipelines, CRMs, or internal tools for lead intake, surveys, and operational workflows.
    
-   **Cross-tool context enrichment for support and CRM systems**  
    Enrich tickets, CRM records, or internal dashboards with relevant Google Workspace context such as documents, meetings, and directory metadata.
    
-   **Mailbox state management for workflow automation**  
    Apply labels and update message state in Gmail to support operational workflows like ticket triage, inbox categorization, and AI-assisted routing, using narrowly scoped, non-destructive permissions.
