Guaranteed 100% Facebook, Instagram and WhatsApp Approvals & App Review
Quick Transfer Ready to use app available for Facebook, Instagram and WhatsApp
Guaranteed 100% Facebook, Instagram and WhatsApp Approvals & App Review
Quick Transfer Ready to use app available for Facebook, Instagram and WhatsApp

If your app signs in users with Google or calls a Google API, you have probably seen the “Google hasn’t verified this app” warning screen. That warning appears because your app is requesting sensitive or restricted Google user data scopes and has not yet completed Google’s OAuth app verification. This guide explains how the verification process works in 2026, what reviewers actually check, and how to prepare a submission that moves through review smoothly.

This is a preparation and submission-support guide. The final approval decision always rests with Google. The goal here is to help you submit a clean, policy-aligned application the first time.

What Google OAuth verification is

When you build an app on Google Cloud and configure an OAuth consent screen, you declare the scopes your app needs — the specific types of Google user data it will access. Google groups these scopes into three tiers:

  • Non-sensitive scopes — basic profile and email. Usually no verification needed.
  • Sensitive scopes — broader access such as Google Calendar, Gmail metadata, or YouTube account data. These require OAuth app verification.
  • Restricted scopes — the most sensitive access, such as full Gmail or Drive content. These require verification and an annual security assessment.

Any app that requests sensitive or restricted scopes must complete verification before Google grants production access to those scopes for all users.

Sensitive scope verification

For sensitive scopes, Google reviews your OAuth consent screen, your scope justifications, and a demonstration of your app. The core requirements are:

1. An accurate, branded consent screen

Your app name, logo, and support email on the consent screen must match the real, public-facing app. Reviewers compare what users see at sign-in against what you submitted. Mismatched branding is one of the most common rejection triggers, and our Google OAuth brand verification guide shows exactly how Google checks your app name, logo, and homepage.

2. Verified domain ownership

You must verify ownership of your app’s authorized domains through Google Search Console. The homepage and privacy policy links on the consent screen must live on a domain you control.

3. A privacy policy that discloses data use

Your privacy policy must be visible to users, hosted on the same domain as your app’s home page, and linked from the OAuth consent screen. It must clearly disclose how your application accesses, uses, stores, and shares Google user data.

4. Narrow scopes with detailed justification

Google asks you to request only the narrowest scopes your app actually needs. For each scope, you provide a justification that explains why a narrower scope would not work and exactly what feature depends on it.

5. A demo video

You submit a video that shows the end-to-end flow of your app, including the full OAuth consent screen and the same app name and branding you submitted. The video should clearly show the user granting access and the data being used. Narration or on-screen text that points out where each requirement is met helps the reviewer.

Google notes that sensitive scope verification can take up to around 10 days once a complete submission is received, though timelines vary with back-and-forth.

Restricted scope verification and the security assessment

Restricted scopes — like full Gmail or Drive access — add a major requirement on top of everything above: a security assessment.

If your app stores or transmits restricted-scope data on servers, or can access that data from or through a third-party server, it must pass an assessment performed by a Google-empanelled security assessor (commonly referred to as a CASA assessment). This evaluates how your app handles, secures, and limits access to Google user data. Full Gmail access is a restricted scope, so your app must clear the CASA Tier 2 security assessment covered step by step in our Gmail API restricted scope verification guide.

Two important points to plan around:

  • The security assessment is generally required once a year. Apps using restricted scopes must complete annual re-verification.
  • If your app keeps using the same set of restricted scopes it was assessed for, it does not start over from scratch — but it still needs the annual reassessment to stay in good standing.

Because the assessment can involve cost and lead time, it is worth confirming early whether your use case truly needs a restricted scope, or whether a sensitive (or non-sensitive) scope can deliver the same feature. Full Drive access carries the same restricted-scope burden as Gmail, and our Google Drive restricted scope verification guide breaks down exactly what the assessment checks.

Common reasons OAuth verification gets delayed or rejected

  • Mismatched branding — the app name or logo in the submission does not match the live consent screen.
  • Privacy policy issues — the policy is missing, hosted on a different domain, or does not actually describe Google user data handling.
  • Over-broad scopes — requesting a restricted scope when a narrower one would work, or asking for scopes the demo never uses.
  • Weak scope justifications — explanations that do not tie each scope to a concrete feature.
  • Incomplete demo video — the video skips the consent screen, shows a different app, or does not show the data actually being used.
  • Unverified domain — authorized domains not confirmed in Search Console.

Most rejections come down to a mismatch between what you declared and what the reviewer can independently see. Getting those aligned before you submit is the single biggest time-saver.

A practical preparation checklist

  1. List every Google API and scope your app calls, and remove any you do not strictly need.
  2. Confirm whether each remaining scope is non-sensitive, sensitive, or restricted.
  3. Verify your authorized domains in Google Search Console.
  4. Publish a privacy policy on your app’s domain that discloses Google user data handling, and link it on the consent screen.
  5. Finalize consistent app name, logo, and support email across the live app and the submission.
  6. Write a clear justification for each sensitive or restricted scope.
  7. Record a demo video showing the full OAuth flow, consent screen, and data use.
  8. If any scope is restricted, plan for the annual security assessment before you submit.

Frequently asked questions

Do I always need verification to use Google sign-in?

No. Apps that only request basic, non-sensitive profile and email scopes generally do not need verification. Verification applies once you request sensitive or restricted scopes, unless a specific exception applies.

What does the “unverified app” screen mean?

It means your app is requesting sensitive or restricted scopes but has not completed verification. Unverified apps face user caps and the warning screen, which hurts trust and sign-up rates until verification is complete.

How long does Google OAuth verification take?

Google indicates sensitive scope verification can take up to roughly 10 days after a complete submission, but real timelines depend on how clean the submission is and how many review rounds are needed. Restricted scopes take longer because of the security assessment.

What is the security assessment for restricted scopes?

It is an annual review by a Google-empanelled assessor that checks how your app secures and handles restricted Google user data. It is required for apps that store or transmit restricted-scope data on servers.

Can you guarantee my app will be approved?

No one can guarantee a platform decision — approval always rests with Google. What I provide is thorough review preparation and submission support: scope review, consent screen and privacy policy alignment, justification drafting, and demo video guidance to give your submission the best chance.

Need help passing Google OAuth verification?

I help developers and SaaS teams prepare and submit Google API and OAuth verification the right way — including YouTube Data API approval, OAuth consent screen setup, and quota support. You can see the full range of API approval services I offer, or get in touch to discuss your project.