
How can I access only my files via the Google Drive API?


I would like to create an application where I can access ONLY my own Google Drive files for programmatic operations that I perform on my own managed spreadsheets. However, on 2020 January 1st, restricted scopes are going to require verification from Google in order to use the Google Drive API fully.

How can I use restricted scopes for accessing ONLY my personal Gmail account after January 1st?

According to the OAuth API:

When can I skip submitting my app for a review?

You do not need to submit your app for review if it's going to be used in any of the following scenarios:

• The app is not shared with anyone else.

• The app is used to send emails through WordPress, or similar single account SMTP plug-ins.

• The owner and users of your apps belong to the same G Suite domain or customer. Learn more about public and internal applications. If you aren't an Apps Script developer, learn how to mark your app as internal in the FAQ How can I mark my app as internal-only?

• The app is domain installed or whitelisted by a G Suite domain administrator. If your app is intended for G Suite users, access might depend on domain administrator permission. Obtaining a verification will likely make it easier for administrators to grant access.

• The app is in development mode and not ready to be public. Note that the app will be subject to the OAuth user quota.

• The app is trying to access data from users' Google Cloud Platform project. For instructions on using a service account, see Using OAuth 2.0 for Server to Server Applications.

How can I mark my app as not being sharable with anyone else?


Solution

  • Google updated their FAQ, and it much more clearly delineates what is required in order to keep using Google Drive with restricted scopes:

    You do not need to submit your app for review if it's going to be used in any of the following scenarios:

    Personal Use: The app is not shared with anyone else or will be used by fewer than 100 users. Hence, you can continue using the app by bypassing the unverified app warning during sign-in.

    SMTP/IMAP/WP: The app is used to send emails through WordPress, or similar single account SMTP plug-ins.

    Internal Use: An app is internal when the people in your domains only use it internally. Learn more about public and internal applications. Learn how to mark your app as internal in the FAQ How can I mark my app as internal-only?

    Domain-Wide Install: If your app is intended for only G Suite enterprise users, access will depend on permission being granted by the domain administrator. G Suite domain administrators are the only ones that can whitelist the app for use within their domains. To learn how to make your app Domain-Wide Install, see My application has users with enterprise accounts from another G Suite Domain. How does this apply to my G Suite or Cloud Identity enterprise accounts?

    Development/Testing/Staging: If your app is in development/testing/staging mode and not ready to be publicly accessible, then you do not need to submit your app for verification. Note that your app will be subject to the unverified app screen and the 100-user cap will be in effect when an app is in development/testing/staging.

    Service Accounts: When your app is trying to access data from users' Google Cloud Platform project and can run API requests on its behalf. To understand what service accounts are, see Service accounts.

    For instructions on using a service account, see Using OAuth 2.0 for Server to Server Applications.