Google OAuth Application Verification Process: kartaca-pensio Project Experience
Anyone who has been through the Google OAuth verification process knows that it can be long and involved, and the review becomes more detailed if you request sensitive or restricted scopes. In this post I would like to share our experience with the OAuth application verification process for our Kartaca-Pensio project, in the hope that it will guide other developers who go through the same process.
Why is the OAuth Application Verification Process Necessary?
The Google OAuth verification process exists to protect user data and to ensure that only high-quality applications are integrated into the Google ecosystem. It requires you to explain transparently how your application uses, stores, and shares user data and to comply with specific security standards, so that users can grant your application access to their data with confidence.
Starting the Verification Process
Before starting the verification process, I recommend going to the OAuth App Verification Help Center and thoroughly reading the subheadings there. This will help you better prepare your application for the verification process and prevent delays in the approval process.
When we applied for OAuth verification, we had no clear idea of how long the process would take or what to expect. The first thing we received was an automated email from Google asking us to confirm whether our application fell into any of several categories: Google Fit API scopes, personal use, internal use, development/testing/staging use, and Gmail SMTP plugins for WordPress site admins.
After confirming that we did not fall into these categories, we received a second feedback email from Google.
Second Feedback Email
Google noted that the homepage URL we had submitted, https://cloud.kartaca.com, was a login/sign-in page, so the public could not see any information about the application or its intent.
To proceed, we had to provide a homepage that accurately represents the application's identity to Google users. The homepage must be on a verified domain that we own; it must be accurate, inclusive, and easily accessible to all users; and it must link to an externally and publicly accessible page that describes the content, context, or connection to the submitted application. It must also explain transparently why the application requests user data and contain a privacy policy that fully discloses how the application accesses, uses, stores, or shares Google users' data.
After updating our homepage to meet these requirements, we sent an email to confirm the updates.
Third Feedback Email
In this email we were asked to confirm that our application does not share user data with third-party service providers or AI platforms, to state this clearly in our privacy policy, and to provide a demonstration of how our application obtains explicit user consent before sharing data with third-party tools and platforms.
We updated our privacy policy to state that our application does not share any user data with third-party service providers or AI platforms. The revised policy reads:
“We do not share, sell, or distribute any user information to third-party service providers, AI platforms, or any other external entities. Our application is designed to ensure that all user data remains confidential and is not transmitted outside of our system. We are committed to maintaining the privacy and security of our users’ data. Therefore, we do not engage with third-party services that require access to user information. All data processing is conducted within the boundaries of our application, ensuring that user information is not shared externally under any circumstances.”
After making these updates, we created a demo video and sent it along with our feedback.
After completing all of these steps and confirming that we had removed the scopes our application did not need, we received an email within two days confirming that our application was verified. The whole process took almost one month from start to finish and was quite detailed, but it is worth understanding that Google wants to work with high-quality products. In the end the effort was worthwhile, because we gained the trust of our users.
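Two practical points underlie the scope questions above: requesting only the scopes the application needs (sensitive and restricted scopes trigger the deeper review, and unnecessary ones had to be removed before approval), and not assuming that the user granted everything that was requested, since Google's consent screen lets users grant a subset. The following is an added example, not code from the Kartaca-Pensio project: it builds a Google authorization URL for a minimal scope set with PKCE and a `state` parameter, audits the request against an allowlist, and checks the `scope` field of a token response for scopes the user did not grant. The client ID, redirect URI, allowlist and token response are constructed values for illustration, not the project's real configuration.

```python
"""Minimal-scope OAuth request and granted-scope check (added example).

Not code from the Kartaca-Pensio project. The scope allowlist, client ID,
redirect URI and token response are constructed values for illustration.
"""
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"

# Constructed allowlist: identity-only scopes, no Gmail/Drive/Calendar data.
# The short aliases "email" and "profile" are reported back by Google in this
# canonical URL form, so keeping the allowlist canonical avoids false mismatches.
ALLOWED_SCOPES = frozenset({
    "openid",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
})


def make_pkce_pair() -> tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method (RFC 7636)."""
    verifier = secrets.token_urlsafe(64)  # 86 URL-safe chars, within 43..128
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_auth_url(client_id: str, redirect_uri: str, scopes, state: str,
                   code_challenge: str) -> str:
    """Build the Google authorization request for exactly `scopes`."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(sorted(scopes)),
        "state": state,  # CSRF token; must be compared on the callback
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
        "access_type": "offline",
        "include_granted_scopes": "true",  # incremental authorization
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def requested_scopes(auth_url: str) -> set[str]:
    """Parse the scope set back out of an authorization URL."""
    query = parse_qs(urlparse(auth_url).query)
    return set(query.get("scope", [""])[0].split())


def unexpected_scopes(auth_url: str, allowed: frozenset) -> set[str]:
    """Scopes the app is about to request that are outside the allowlist.

    Run this in CI against every authorization URL the app can build so that
    scope creep is caught before the next verification submission.
    """
    return requested_scopes(auth_url) - set(allowed)


def missing_scopes(token_response: dict, required: frozenset) -> set[str]:
    """Required scopes the user did not grant.

    Google's token response carries a space-separated `scope` string listing
    what was actually granted; the user can deselect individual scopes on the
    consent screen, so the app must compare rather than assume.
    """
    granted = set(token_response.get("scope", "").split())
    return set(required) - granted


# Constructed sample token response: the user granted openid and email only.
SAMPLE_TOKEN_RESPONSE = {
    "access_token": "ya29.constructed-sample-token",
    "expires_in": 3599,
    "scope": "openid https://www.googleapis.com/auth/userinfo.email",
    "token_type": "Bearer",
}

if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    url = build_auth_url("constructed-client-id.apps.googleusercontent.com",
                         "https://app.example.invalid/oauth/callback",
                         ALLOWED_SCOPES, secrets.token_urlsafe(16), challenge)
    print("unexpected scopes:", unexpected_scopes(url, ALLOWED_SCOPES))
    print("not granted:", missing_scopes(SAMPLE_TOKEN_RESPONSE, ALLOWED_SCOPES))
```

If `missing_scopes` returns anything, the application should degrade gracefully or re-prompt with only the missing scope rather than fail later with a 403; and if `unexpected_scopes` is non-empty, the allowlist and the verification submission are out of sync, which is exactly the situation the reviewers asked us to clean up.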
Conclusion
The Google OAuth verification process is conducted meticulously to ensure user data security and application quality. My advice to other developers going through it is to follow every piece of feedback carefully and make the requested changes diligently. I expect our next verification will be much smoother after this first experience.
I hope this post helps other developers who are in the Google OAuth verification process. Good luck!
Author: Furkan Erdoğan
Published on: Jul 22, 2024