Guaranteed 100% Facebook, Instagram and WhatsApp Approvals & App Review
Quick Transfer Ready to use app available for Facebook, Instagram and WhatsApp
Guaranteed 100% Facebook, Instagram and WhatsApp Approvals & App Review
Quick Transfer Ready to use app available for Facebook, Instagram and WhatsApp
Google OAuth Compliance
Most teams preparing for Google OAuth verification focus entirely on scope justification — the CASA assessment, the security questionnaire, the demo video. Then the app still gets held up, and the reason has nothing to do with scopes: it's the app name, the logo, or the homepage on the consent screen itself. Brand verification is a separate check, and Google will not let branding changes go live until it's approved again.

What Brand Verification Actually Checks

Any app configured for External users that shows a logo or display name on its OAuth consent screen must go through brand verification before that branding is trusted. It is separate from sensitive and restricted scope verification — an app can pass the scope review and still be blocked here if the identity information doesn't hold up.

The Four Things Google Checks

App name
Must distinctively represent the business — not a name confusable with Google's own brands or another company's, and not a generic word combined with "app" or "mobile." It must match exactly what was entered on the verification submission.
Logo
Square image, ideally 120×120px, in JPG, PNG, or BMP. The logo shown on the live consent screen must match the file submitted for verification — swap it later without resubmitting and the app falls out of compliance.
Homepage
Must be publicly accessible (not gated behind a login), must clearly describe what the app does, and must link to the privacy policy. A Google Play Store listing or a Facebook Page is not accepted as a homepage.
Authorized domains
Every top-level domain referenced by the homepage, privacy policy, terms of service, and OAuth redirect URIs must be verified in Google Search Console under an account with owner or editor access on the Cloud project.

Where This Gets Complicated

1
The privacy policy has to be hosted on the same domain as the homepage and has to actually disclose how the app accesses, stores, and shares Google user data — a generic template privacy policy is a common rejection trigger here.
2
Domain ownership is verified at the top private domain level, not the exact subdomain. An app whose homepage is on app.example.com still needs example.com verified in Search Console — and the Google account used for that verification has to match the Cloud Console project's owner/editor list.
3
Any future change to the app name, logo, homepage URL, privacy policy URL, or authorized domains requires a full re-submission of the branding configuration — and none of the updated details go live on the consent screen until that resubmission is approved.
4
Certain setups are exempt entirely: personal-use apps with a handful of known users, projects still in Testing publishing status, service-account-only integrations that never touch user data, and Internal-only apps scoped to a single Workspace or Cloud Identity organization.

Typical Turnaround

Submission
Branding page completed in Cloud Console — name, logo, support email, homepage, privacy policy, authorized domains
2–3 business days
Typical review window once submitted, per Google's own documentation
Rejection path
If any of the four checks fail, Google requests a correction and resubmission — the clock resets

Timelines vary and are not guaranteed by Google — shown here as the documented typical range, not a promise for any specific app.

Common Rejection Reasons

App name uses "Google" or another recognizable brand name, or pairs a generic word with "app"/"mobile"
Logo on the live consent screen doesn't match the file submitted for review
Homepage requires login before any content is visible
Homepage is only a Play Store listing or a Facebook/social profile link
Privacy policy is missing from the homepage or hosted on a different domain
Authorized domains in Search Console don't cover every domain used across homepage, privacy policy, ToS, and redirect URIs
Branding was changed after approval without resubmitting for re-verification

Frequently Asked Questions

Is brand verification the same as sensitive scope verification?
No. Brand verification checks app name, logo, homepage, and authorized domains for any External app displaying a logo or name. Sensitive/restricted scope verification is a separate review of the specific data permissions requested — many apps need both.
Do I need brand verification if my app is Internal-only?
No. Apps configured as Internal user type inside a Google Workspace or Cloud Identity organization are exempt, though they may still need an organization administrator's approval.
Can I change my logo after verification is approved?
You can, but the new logo has to be resubmitted for verification and approved before it's allowed to display on the live consent screen — the old approval doesn't carry over.
Why does my homepage need to be on the same domain as my privacy policy?
Google verifies domain ownership at the top private domain level and expects the homepage, privacy policy, and authorized domains to be traceable to the same verified owner — splitting them across unrelated domains is a common cause of stalled reviews.

If your app is stuck on brand verification, needs its OAuth consent screen and scope verification handled together, or is showing the "This app isn't verified" warning in the meantime, our Google OAuth verification guidance service covers the branding submission alongside the scope review. Google makes all brand verification and OAuth review decisions independently; this guide is based on Google's official developer documentation and is not affiliated with or endorsed by Google LLC.