Google Calendar

Productivity

Access and manage calendar events

Google developer console OAuth setup guide API docs

Adding Google Calendar provisions a resource (the upstream Google API at https://www.googleapis.com/calendar/v3, with default scopes pre-set) and a provider for Google’s OAuth issuer - auto-provisioned on first install, or reused if you already connected another Google resource.

Your application calls Keycard’s token-exchange endpoint with the user’s identity, gets back a token scoped to this resource, and uses it to call Google directly. Identity, policy, and audit log apply to every exchange - the OAuth client secret stays inside Keycard. Each exchange is recorded in the audit log with the user identity, the resource accessed, and the policy decision.

Scopes

SCOPES

OAuth permissions Keycard requests on install. Override or add scopes in Console.

https://www.googleapis.com/auth/calendar.readonly: default
https://www.googleapis.com/auth/calendar.events: default
https://www.googleapis.com/auth/calendar
https://www.googleapis.com/auth/calendar.freebusy
https://www.googleapis.com/auth/calendar.events.readonly
https://www.googleapis.com/auth/calendar.events.owned
https://www.googleapis.com/auth/calendar.events.owned.readonly
https://www.googleapis.com/auth/calendar.events.freebusy
https://www.googleapis.com/auth/calendar.events.public.readonly
https://www.googleapis.com/auth/calendar.settings.readonly
https://www.googleapis.com/auth/calendar.calendars
https://www.googleapis.com/auth/calendar.calendars.readonly
https://www.googleapis.com/auth/calendar.calendarlist
https://www.googleapis.com/auth/calendar.calendarlist.readonly
https://www.googleapis.com/auth/calendar.acls
https://www.googleapis.com/auth/calendar.acls.readonly
https://www.googleapis.com/auth/calendar.app.created
https://www.googleapis.com/auth/calendar.addons.execute
https://www.googleapis.com/auth/calendar.addons.current.event.read
https://www.googleapis.com/auth/calendar.addons.current.event.write

Use Google Calendar from your code

USE FROM CODE

Call Google Calendar from your application with a Keycard-issued token scoped to this resource.

After installing Google Calendar, your application exchanges a Keycard-issued access token for a token scoped to this resource. Pass the user’s access token as the subject_token.

Python
TypeScript

from keycardai.oauth import Client, BasicAuth, TokenType
import requests

# Exchange the user's Keycard token for a Google Calendar token.
with Client(
    "https://<zone-id>.keycard.cloud",
    auth=BasicAuth("<your-client-id>", "<your-client-secret>"),
) as client:
    response = client.exchange_token(
        subject_token=user_access_token,
        subject_token_type=TokenType.ACCESS_TOKEN,
        resource="https://www.googleapis.com/calendar/v3",
    )

# Call Google Calendar directly with the exchanged token.
r = requests.get(
    "https://www.googleapis.com/calendar/v3/<endpoint>",
    headers={"Authorization": f"Bearer {response.access_token}"},
)

import { TokenExchangeClient } from "@keycardai/oauth/tokenExchange";

const client = new TokenExchangeClient("https://<zone-id>.keycard.cloud", {
  clientId: "<your-client-id>",
  clientSecret: "<your-client-secret>",
});

const response = await client.exchangeToken({
  subjectToken: userAccessToken,
  resource: "https://www.googleapis.com/calendar/v3",
});

// Call Google Calendar directly with the exchanged token.
const res = await fetch("https://www.googleapis.com/calendar/v3/<endpoint>", {
  headers: { Authorization: `Bearer ${response.accessToken}` },
});

See the OAuth SDK → Token Exchange reference for the full client API.

Setup

SETUP

Create a Google Cloud project

Go to the Google Cloud Console
Click Select a project → New Project
Enter a name and click Create

Go to APIs & Services → OAuth consent screen
Select External user type (or Internal if using Google Workspace)
Fill in the app name, user support email, and developer contact
Add the Calendar scopes: calendar.readonly, calendar.events
Add test users if the app is in “Testing” status

Create OAuth credentials

Go to APIs & Services → Credentials
Click Create Credentials → OAuth client ID
Select Web application
Under Authorized JavaScript origins, add http://localhost:3000
Add the Keycard-provided redirect URI under Authorized redirect URIs
Click Create and note the Client ID and Client Secret

Enable the Google Calendar API

Navigate to APIs & Services → Library
Search for “Google Calendar API”
Click Enable

Register in Keycard

Open Keycard Console → your zone → Resources
Click Explore Resources
Find and click Google Calendar in the catalog
In the configuration dialog:
- If this is your first Google resource, copy the Redirect URL and verify it’s added as an authorized redirect URI in your Google Cloud Console. Enter the Client ID and Client Secret from your OAuth credentials.
- Review the User scopes - the defaults (calendar.readonly, calendar.events) are pre-populated
Click Add Google Calendar API

Troubleshooting

TROUBLESHOOTING

Common errors when wiring Google Calendar into your zone.

Error 403: Access Not Configured

The Google Calendar API hasn’t been enabled in your Google Cloud project. Go to APIs & Services → Library and enable “Google Calendar API”.

Error 403: Insufficient Permission

The granted scopes don’t include the ones needed for the verification endpoint. Re-check:

The scopes configured in your Keycard resource
The scopes listed on the OAuth consent screen
Whether the user granted all requested scopes during consent

Error: redirect_uri_mismatch

The redirect URI in Google Cloud Console doesn’t match what Keycard sends. Copy the exact redirect URI from Keycard Console and paste it into Google’s authorized redirect URIs.

Catalog overview - browse other API and MCP servers
Access policies - control who can use Google Calendar
Identity providers - control who can sign in