Adding Google Drive provisions a resource (the upstream Google API at https://www.googleapis.com/drive/v3, with default scopes pre-set) and a provider for Google’s OAuth issuer - auto-provisioned on first install, or reused if you already connected another Google resource.
Your application calls Keycard’s token-exchange endpoint with the user’s identity, gets back a token scoped to this resource, and uses it to call Google directly. Identity, policy, and audit log apply to every exchange - the OAuth client secret stays inside Keycard. Each exchange is recorded in the audit log with the user identity, the resource accessed, and the policy decision.
Scopes
Section titled “Scopes”OAuth permissions Keycard requests on install. Override or add scopes in Console.
- https://www.googleapis.com/auth/drive.readonly
- default
- https://www.googleapis.com/auth/drive.file
- default
- https://www.googleapis.com/auth/drive
- https://www.googleapis.com/auth/drive.appdata
- https://www.googleapis.com/auth/drive.install
- https://www.googleapis.com/auth/drive.apps.readonly
- https://www.googleapis.com/auth/drive.metadata
- https://www.googleapis.com/auth/drive.metadata.readonly
- https://www.googleapis.com/auth/drive.activity
- https://www.googleapis.com/auth/drive.activity.readonly
- https://www.googleapis.com/auth/drive.meet.readonly
- https://www.googleapis.com/auth/drive.scripts
Use Google Drive from your code
Section titled “Use Google Drive from your code”Call Google Drive from your application with a Keycard-issued token scoped to this resource.
After installing Google Drive, your application exchanges a Keycard-issued access token for a token scoped to this resource. Pass the user’s access token as the subject_token.
from keycardai.oauth import Client, BasicAuth, TokenTypeimport requests
# Exchange the user's Keycard token for a Google Drive token.with Client( "https://<zone-id>.keycard.cloud", auth=BasicAuth("<your-client-id>", "<your-client-secret>"),) as client: response = client.exchange_token( subject_token=user_access_token, subject_token_type=TokenType.ACCESS_TOKEN, resource="https://www.googleapis.com/drive/v3", )
# Call Google Drive directly with the exchanged token.r = requests.get( "https://www.googleapis.com/drive/v3/<endpoint>", headers={"Authorization": f"Bearer {response.access_token}"},)import { TokenExchangeClient } from "@keycardai/oauth/tokenExchange";
const client = new TokenExchangeClient("https://<zone-id>.keycard.cloud", { clientId: "<your-client-id>", clientSecret: "<your-client-secret>",});
const response = await client.exchangeToken({ subjectToken: userAccessToken, resource: "https://www.googleapis.com/drive/v3",});
// Call Google Drive directly with the exchanged token.const res = await fetch("https://www.googleapis.com/drive/v3/<endpoint>", { headers: { Authorization: `Bearer ${response.accessToken}` },});See the OAuth SDK → Token Exchange reference for the full client API.
Register your OAuth credentials with Keycard so the resource can issue tokens.
Create a Google Cloud project
Section titled “Create a Google Cloud project”- Go to the Google Cloud Console
- Click Select a project → New Project
- Enter a name and click Create
Configure the OAuth consent screen
Section titled “Configure the OAuth consent screen”- Go to APIs & Services → OAuth consent screen
- Select External user type (or Internal if using Google Workspace)
- Fill in the app name, user support email, and developer contact
- Add the Drive scopes:
drive.readonly,drive.file - Add test users if the app is in “Testing” status
Create OAuth credentials
Section titled “Create OAuth credentials”- Go to APIs & Services → Credentials
- Click Create Credentials → OAuth client ID
- Select Web application
- Under Authorized JavaScript origins, add
http://localhost:3000 - Add the Keycard-provided redirect URI under Authorized redirect URIs
- Click Create and note the Client ID and Client Secret
Enable the Google Drive API
Section titled “Enable the Google Drive API”- Navigate to APIs & Services → Library
- Search for “Google Drive API”
- Click Enable
Register in Keycard
Section titled “Register in Keycard”- Open Keycard Console → your zone → Resources
- Click Explore Resources
- Find and click Google Drive in the catalog
- In the configuration dialog:
- If this is your first Google resource, copy the Redirect URL and verify it’s added as an authorized redirect URI in your Google Cloud Console. Enter the Client ID and Client Secret from your OAuth credentials.
- Review the User scopes - the defaults (
drive.readonly,drive.file) are pre-populated
- Click Add Google Drive API
Troubleshooting
Section titled “Troubleshooting”Common errors when wiring Google Drive into your zone.
Error 403: Access Not Configured
The Google Drive API hasn’t been enabled in your Google Cloud project. Go to APIs & Services → Library and enable “Google Drive API”.
Error 403: Insufficient Permission
The granted scopes don’t include the ones needed for the verification endpoint. Re-check:
- The scopes configured in your Keycard resource
- The scopes listed on the OAuth consent screen
- Whether the user granted all requested scopes during consent
Error: redirect_uri_mismatch
The redirect URI in Google Cloud Console doesn’t match what Keycard sends. Copy the exact redirect URI from Keycard Console and paste it into Google’s authorized redirect URIs.
Related
Section titled “Related”- Catalog overview - browse other API and MCP servers
- Access policies - control who can use Google Drive
- Identity providers - control who can sign in