SERVICE ACCOUNT (DWD)
PRODUCTIVITY
Connect to Google Workspace APIs (Gmail, Drive, Docs, Sheets, Slides, Forms) using a GCP service account with Domain-Wide Delegation for server-to-server...
token = client.agent.get_token(user_id="user_id", connector="googledwd")const token = await client.agent.getToken({ userId: "user_id", connector: "googledwd" });const token = await client.agent.getToken({ userId: "user_id", connector: "googledwd" });token = client.agent.get_token(user_id="user_id", connector="googledwd")Does the agent access Google Workspace (DWD) as the user or as a shared key?
As the user. Each workspace member authorizes once and Scalekit resolves their credential at request time. Audit logs attribute every action to that user, not a shared service account.
Where is the Google Workspace (DWD) service account key stored?
In Scalekit's managed AES-256 token vault, namespaced per tenant. Refresh is automatic. Revocation is a single dashboard action. Tokens never appear in prompts, logs, or LLM context.
Can I limit what the agent is allowed to do in Google Workspace (DWD)?
Yes. Pass a tool name filter to listScopedTools so the productivity agent only sees the subset you authorize. Pre-API-call scope checks block out-of-policy actions before the request reaches Google Workspace (DWD).
What happens when a user revokes Google Workspace (DWD) access?
The connection is invalidated on the next tool call. Subsequent requests for that user fail closed with a clear error. Other users in the tenant remain unaffected. The event is logged for audit.
How does Domain-Wide Delegation stay safe with agents?
The service account key stays in Scalekit's vault and every call impersonates a specific workspace user under your configured scopes. Pre-call scope checks and the audit chain record which user context each Gmail, Drive, or Sheets call ran in.