The Drive Integration Was the Easy Part — the Verification Gate Is Where Launches Stall
Cloud backup tools, document automation platforms, file pickers, DMS integrations, and AI apps that read user files all reach the same moment: the app works perfectly in testing, and then Google’s OAuth verification flags the Drive scopes as restricted. Suddenly the launch depends on restricted scope verification — and, for most server-based apps, a CASA Tier 2 security assessment performed by a Google-approved third-party assessor. Teams that budgeted days for “app verification” discover it is a multi-week security process with an annual renewal clock attached.
What Triggers Restricted Scope Verification for Drive Apps
Google classifies Drive API scopes into three levels: non-sensitive, sensitive, and restricted. The broad scopes — including full Drive access (auth/drive) and read-only access to all of a user’s files (auth/drive.readonly) — sit in the restricted category, because they expose the entire contents of a user’s Drive. Requesting any restricted Drive scope puts your app into restricted scope OAuth verification. And if your app accesses, stores, or transmits that Drive data from or through a server — which describes almost every production SaaS — a CASA Tier 2 security assessment is required on top of the standard verification review.
Not Every Drive Scope Triggers the Assessment
Recommended / Non-Sensitive Path
The per-file scope (auth/drive.file) grants access only to files the user explicitly opens or creates with your app. It is Google’s recommended scope, it avoids restricted scope verification entirely, and Google actively encourages Drive apps to migrate to it. If your product can work file-by-file — for example through the Google Picker — this scope can remove the entire assessment burden.
Restricted Path — Verification + CASA Tier 2
Broad scopes that see all of a user’s Drive content (full access, read-only-all-files, metadata, activity and related scopes) are restricted. Google also limits which kinds of apps are even eligible to use them — categories such as backup and sync tools, productivity and education apps, and reporting or security apps. An app outside the permitted use cases can be refused restricted scope access regardless of its security posture.
What the Restricted Scope Process Involves for a Drive App
Where Drive Apps Get Stuck
- Requesting full Drive access when per-file access would do — the single most expensive scope decision; it converts a no-assessment launch into a multi-week, annually recurring security engagement
- A use case outside the permitted categories — restricted Drive scopes are limited to specific app types; a weak or mismatched use-case description gets refused before security is even evaluated
- Privacy policy that doesn’t describe Drive data handling — access, use, storage, and deletion of user file data must be explicitly covered
- Production environment not ready for the assessor’s scan — the assessment runs against the live app; unfinished deployments stall the engagement
- No plan for the annual renewal — teams pass once, forget the 12-month re-assessment, and lose verified status at the worst possible moment
The Decision That Should Happen Before Any Code Ships
The highest-leverage moment in a Drive integration is the scope decision. A scope review at design time — what data the product truly needs, whether the per-file model works, and whether the use case fits Google’s permitted categories — decides whether verification takes days or months. That is exactly the kind of call that benefits from someone who has been through the process before.
For the full Google OAuth verification process — consent screen, demo video, privacy policy, and submission — see the Google OAuth Verification Guide. If users are currently seeing a warning screen, Google OAuth “This App Isn’t Verified” explained covers what it means during testing. Google Workspace apps with admin-level or domain-wide delegation needs have their own path — see the Google Workspace API Verification Guide.
Building a Google Drive Integration? Get the Scope and Verification Strategy Right First.
Scope selection review, eligibility check, privacy policy audit, consent screen setup, CASA Tier 2 preparation, and submission support — so your Drive app’s launch isn’t derailed by a verification requirement discovered too late.