Search code examples

How can I get past the "Insufficient authentication scopes" error in Google Apps Script?

I am designing a Google Apps Script for domain-wide delegation, so that it can read details from Gmail in our Google Workspace domain's user accounts. The script fails even when it accesses my own Gmail.

"message": "Request had insufficient authentication scopes."
"errors ... ""message": "Insufficient Permission"

Being a super admin for our domain, I performed all the steps that follow.

  • My script is associated with a Google Cloud Platform (GCP) standard project.
  • I created a service account with access to the project. My roles: Project IAM Admin , Service account admin, Service account user, Service Account Token Creator.
  • The script includes the OAuth2 library.
  • I reset the authorization whenever I made a change, to force Google to ask again for authorization.

OAuth 2.0 Scopes:

  • ""
  • "" (Gmail API)
  • "" (Admin SDK API)

(Admin SDK API is for another function which I will test next; it is not used currently.)

The above scopes are set as follows:

  • Project manifest (appsscript.json)
  • OAuth consent screen for the project
  • Domain-wide delegation: Admin console > Security > API Controls > Domain-wide Delegation
  • Enable APIs for the standard Google Cloud project: Gmail, Admin SDK
  • The service account has "Trusted" access ( Admin console > Security > Access and data control > API controls > Manage Third-Party App Access > App Access Control ) to Gmail and external request, but not to Admin SDK (not currently used).
  • Set scopes in setScope refers to the first two scopes (Admin SDK is not currently used).


// Email address of the user to impersonate.
var USER_EMAIL = ''; // use my address for testing the simplest case

function listLabels() {
   * References: 
   * Similar script:
  try {
    const userID = '1x0gk371hhfknr'; // use my userID for now;
    var service = getService_('listLabels');    
    if (service.hasAccess()) {
      var url = '' + userID + '/labels';
// Script fails here:
      var response = UrlFetchApp.fetch(
        url, {
          headers: { Authorization: 'Bearer ' + service.getAccessToken() },
          muteHttpExceptions: true
      Logger.log('response: '+ response);
      var result = JSON.parse(response.getContentText());
      Logger.log("result['labels']: " + JSON.stringify(result['labels'], null, 2)); 
      for (let i = 0; i < result['labels'].length; i++) {
        const label = result['labels'][i];
    } else {
      Logger.log( 'Service lacks access' );
  } catch (err) {
    Logger.log('listLabels failed with: ' + err);

function getService_( serviceName ) {
 * From
 * Implements domain-wide delegation 

  return OAuth2.createService(serviceName)
    .setSubject(USER_EMAIL) // name of the user to impersonate

    // Set the property store where authorized tokens should be persisted.


// Private key and client email of the service account. (I present fake values here.)
    "-----BEGIN PRIVATE KEY-----\nMIIEv ... YNmQGU19FAcc=\n-----END PRIVATE KEY-----\n";
const CLIENT_EMAIL = "fifth-try@ ...";


  • Replace




    Put the scopes in a single string, separated by spaces. The from the GitHub repo of the Google Apps Script OAuth library states that.