
Getting "Service accounts cannot invite attendees without Domain-Wide Delegation of Authority" even though already granted Domain-Wide Delegation

I'm using a service account to create calendar entries and add new attendees. For creating new appointments there is no problem.

When adding new attendees, I get the error:

"Service accounts cannot invite attendees without Domain-Wide Delegation of Authority".

For adding new invitees I use:

All the information in the body of the call (including the list of attendees) ({Owner} is the real owner of the calendar, it's not the service account)

I'm the Google Workspace admin, so I already granted scopes in the Domain-wide Delegation screen to this service account:

The owner of the calendar granted "Make Changes Event" permission to the service account.

The JWT for requesting the access token looks like:

  {
    "iss": "",
    "scope": "",
    "aud": "",
    "exp": "{exp}",
    "iat": "{iat}"
  }

I've tried calling the APIs using Oracle PL/SQL / APEX using

  p_url => t_url, 
  p_http_method => 'POST', 
  p_body => t_json_in, 
  p_parm_name => apex_util.string_to_table(
  p_parm_value => apex_util.string_to_table('1:True:12:False:False')

t_url: variable containing the target endpoint: xxxx/calendar/v3/calendars/{Owner}/events/{meeting_id}, which returns a CLOB containing a JSON

t_json_in: variable with a JSON with all the event data

This function returns a CLOB with a JSON:

  {
    "error": {
      "errors": [
        {
          "domain": "calendar",
          "reason": "forbiddenForServiceAccounts",
          "message": "Service accounts cannot invite attendees without Domain-Wide Delegation of Authority."
        }
      ],
      "code": 403,
      "message": "Service accounts cannot invite attendees without Domain-Wide Delegation of Authority."
    }
  }


  • For delegation, the JWT for the access token request needs to include the sub claim. See: service-account

    sub The email address of the user for which the application is requesting delegated access.

    This is the email address of the owner of the account for which delegation has been configured. The service account itself may have read access, but to have write access it needs to be delegated.

      {
        "iss": "",
        "sub": "",
        "scope": "",
        "aud": "xxxx",
        "exp": "{exp}",
        "iat": "{iat}"
      }
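A pre-flight check for the point made in the answer above, as an added example that is not part of the original post: it decodes the claim set of an assertion before it is sent to the token endpoint and reports why it would not be treated as a delegated request. The function names, the token endpoint URL, the calendar scope and the example addresses are assumptions that do not appear on the page, and the sample assertion is constructed with a placeholder signature.

```python
import base64
import json

# Assumed value (not from the page): Google's OAuth 2.0 token endpoint.
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
MAX_LIFETIME = 3600  # exp may be at most one hour after iat


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(assertion: str) -> dict:
    """Decode the claim set of a compact JWT without verifying the signature."""
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def delegation_problems(claims: dict) -> list:
    """Return the reasons this assertion will not act as a delegated user."""
    problems = []
    for name in ("iss", "scope", "aud"):
        if not claims.get(name):
            problems.append(f"{name} is missing or empty")
    if not claims.get("sub"):
        problems.append("sub is missing: the token is issued to the service account itself")
    if claims.get("aud") and claims["aud"] != TOKEN_ENDPOINT:
        problems.append("aud is not the token endpoint")
    iat, exp = claims.get("iat"), claims.get("exp")
    if not all(isinstance(v, int) and not isinstance(v, bool) for v in (iat, exp)):
        problems.append("iat and exp must be integer epoch seconds")
    elif not 0 < exp - iat <= MAX_LIFETIME:
        problems.append("exp must be at most 3600 seconds after iat")
    return problems


def sample_assertion(with_sub: bool) -> str:
    """Constructed sample; the signature is a placeholder, not a real RS256 value."""
    claims = {"iss": "sa@example-project.iam.gserviceaccount.com",
              "scope": "https://www.googleapis.com/auth/calendar",
              "aud": TOKEN_ENDPOINT, "iat": 1700000000, "exp": 1700003600}
    if with_sub:
        claims["sub"] = "owner@example.com"  # the user being impersonated
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([b64url(json.dumps(header).encode()),
                     b64url(json.dumps(claims).encode()), b64url(b"placeholder")])
```

Running `delegation_problems(decode_claims(...))` on the assertion your own code produces shows whether `sub` actually made it into the signed payload.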