Google Calendar

1. In your zone’s Keycard Console, go to Resources -> Explore Resources.

2. Search for Google Calendar and click into the catalog entry.

3. The install dialog shows a Redirect URI. Copy it - you’ll paste it into Google Calendar in Step 2. Leave this Keycard tab open.

1. Go to the Google Cloud Console
2. Click Select a project → New Project
3. Enter a name and click Create

1. Go to APIs & Services → OAuth consent screen
2. Select External user type (or Internal if using Google Workspace)
3. Fill in the app name, user support email, and developer contact
4. Add the Calendar scopes: calendar.readonly, calendar.events
5. Add test users if the app is in “Testing” status

1. Go to APIs & Services → Credentials
2. Click Create Credentials → OAuth client ID
3. Select Web application
4. Under Authorized JavaScript origins, add http://localhost:3000
5. Add the Keycard-provided redirect URI under Authorized redirect URIs
6. Click Create and note the Client ID and Client Secret

1. Navigate to APIs & Services → Library
2. Search for “Google Calendar API”
3. Click Enable

1. Switch back to the Keycard install dialog you left open in Step 1.

2. Paste the Client ID and Client Secret from Step 2.

3. Click Add Google Calendar. The resource is provisioned and your app can start exchanging tokens for it.

After installing Google Calendar, your application exchanges a Keycard-issued access token for a token scoped to this resource. Pass the user’s access token as the subject_token.

from keycardai.oauth import Client, BasicAuth, TokenType
import requests

# Exchange the user's Keycard token for a Google Calendar token.
with Client(
    "https://<zone-id>.keycard.cloud",
    auth=BasicAuth("<your-client-id>", "<your-client-secret>"),
) as client:
    response = client.exchange_token(
        subject_token=user_access_token,
        subject_token_type=TokenType.ACCESS_TOKEN,
        resource="https://www.googleapis.com/calendar/v3",
    )

# Call Google Calendar directly with the exchanged token.
r = requests.get(
    "https://www.googleapis.com/calendar/v3/<endpoint>",
    headers={"Authorization": f"Bearer {response.access_token}"},
)

import { TokenExchangeClient } from "@keycardai/oauth/tokenExchange";

const client = new TokenExchangeClient("https://<zone-id>.keycard.cloud", {
  clientId: "<your-client-id>",
  clientSecret: "<your-client-secret>",
});

const response = await client.exchangeToken({
  subjectToken: userAccessToken,
  resource: "https://www.googleapis.com/calendar/v3",
});

// Call Google Calendar directly with the exchanged token.
const res = await fetch("https://www.googleapis.com/calendar/v3/<endpoint>", {
  headers: { Authorization: `Bearer ${response.accessToken}` },
});

See the OAuth SDK → Token Exchange reference for the full client API.

Now do this

• Call Google Calendar from your code - see the Use Google Calendar from your code section above for Python and TypeScript samples.

Recommended

• Decide who can use it - write access policies scoped to the Google Calendar resource so only the right users and apps reach the API.
• Watch the calls - every token exchange and downstream call lands in your audit log with user identity, resource, and policy decision.