Domain-Wide Authority Delegation to the Service Account

Last published : Jun 07, 2026
The service account you created must be granted access to the G Suite domain user data that it needs to access.
The following must be performed by an administrator of the G Suite domain:
  1. Go to your G Suite domain's Admin console (https://admin.google.com/) and click Security > API controls.
  2. Scroll down to the Domain wide delegation section and click Manage Domain Wide Delegation.
  3. Click Add New.
  4. Open the key file that you saved in the above section, copy the value of client_id, then paste it in the Client ID field. In the OAuth scopes field, enter the following scopes that your application should be granted access to, and click Authorize:
    • https://www.googleapis.com/auth/admin.directory.user.readonly
    • https://www.googleapis.com/auth/drive.readonly
Your service account now has domain-wide access to the Google Admin SDK Directory API for all the users of your domain. You can now use the Admin SDK Directory service object on behalf of your G Suite domain's users.
Note: Only users with access to the Admin APIs can access the Admin SDK Directory API. Therefore, your service account needs to impersonate one of those users to access the Admin SDK Directory API. Additionally, the user must have logged in at least once and accepted the G Suite Terms of Service.
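The following pre-flight check is an added example, not code from this product or from Google. It reads the client_id that step 4 asks for from a key file, then builds the unsigned claim set of Google's service-account OAuth 2.0 flow, where the `sub` claim names the user to impersonate, and it refuses any scope beyond the two authorized above. The function names and all sample key values are constructed for illustration.

```python
import json
import time

# The two read-only scopes authorized in the Admin console steps above.
AUTHORIZED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/admin.directory.user.readonly",
    "https://www.googleapis.com/auth/drive.readonly",
})

# Constructed sample key file: placeholder values only, not a real credential.
SAMPLE_KEY_JSON = json.dumps({
    "type": "service_account",
    "client_email": "reader@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000001",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "token_uri": "https://oauth2.googleapis.com/token",
})


def load_key(key_json):
    """Parse a key file and check the fields the delegation setup relies on."""
    key = json.loads(key_json)
    if key.get("type") != "service_account":
        raise ValueError("not a service account key file")
    missing = [f for f in ("client_id", "client_email", "token_uri") if not key.get(f)]
    if missing:
        raise ValueError("key file is missing: " + ", ".join(missing))
    return key  # key["client_id"] is the value to paste into the Client ID field


def build_delegation_claims(key, subject, scopes, now=None, lifetime=3600):
    """Return the unsigned claim set; RS256 signing is left to your OAuth library."""
    extra = set(scopes) - AUTHORIZED_SCOPES
    if not scopes or extra:
        raise ValueError("scopes must be a non-empty subset of those authorized: " + ", ".join(sorted(extra)))
    if "@" not in subject:
        raise ValueError("subject must be the email address of the user to impersonate")
    if not 0 < lifetime <= 3600:
        raise ValueError("token lifetime must not exceed one hour")
    issued = int(time.time()) if now is None else int(now)
    return {
        "iss": key["client_email"],         # the service account itself
        "sub": subject,                     # the domain user being impersonated
        "scope": " ".join(sorted(scopes)),  # space-delimited, least privilege
        "aud": key["token_uri"],            # Google's token endpoint
        "iat": issued,
        "exp": issued + lifetime,
    }
```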