Integrations

Connecting Google to Chipp

How to connect Google integrations (Drive, Gmail, Calendar, and more) -- including the Workspace super-admin allowlist for "This app is blocked".

| View as Markdown
Hunter Hodnett
Hunter Hodnett CPTO at Chipp
| 1 min read
# integrations # google # google-workspace # oauth

Chipp has seven Google integrations — Drive, Gmail, Calendar, Tasks, Sheets, Meet, and YouTube — and they all share a single OAuth Client ID. This guide covers how to connect them and, if your end-users are on Google Workspace and see “This app is blocked”, how their super admin can fix it in about two minutes.

Personal Google accounts — just click Connect

If you (or your end-users) sign in with a personal @gmail.com account, there is no setup. Open the Integrations tab in the builder, click Connect on any Google integration, sign in to Google, and authorize the requested scopes. The integration becomes active immediately.

Google Workspace accounts — “This app is blocked”

When an end-user on Google Workspace clicks Connect, Google checks whether their Workspace administrator has approved the third-party OAuth app. If the admin policy restricts third-party apps and Chipp’s Client ID is not on the trusted list, Google rejects the consent screen with:

This app is blocked

This app tried to access sensitive info in your Google Account. To keep your account safe, Google blocked this access.

This is not a Chipp issue and there is no setting in your Chipp app that fixes it. The fix is on the customer’s side — their Workspace super admin needs to add Chipp’s OAuth Client ID to their trusted-apps list.

ℹ️

This is a Google Workspace policy, not an “extra step” — many Workspace tenants explicitly restrict third-party OAuth apps by default to prevent shadow IT. Chipp is no different from Notion, Zapier, or any other SaaS that integrates with Google: each one needs to be allowlisted once by the Workspace admin.

How to find Chipp’s OAuth Client ID

When you click Connect on a Google integration in the builder, Chipp surfaces a “Heads up” notice with the exact Client ID and a Copy button. The Client ID looks like:

plaintext
123456789012-abcdefghijklmnopqrstuvwxyz123456.apps.googleusercontent.com

Forward this Client ID (and the steps below) to your customer’s Google Workspace administrator.

Steps for the Workspace super admin

The administrator does this once per Workspace tenant. The same allowlist entry covers all seven Chipp Google integrations — they share one Client ID.

1

Sign in to the Google Admin Console

Open admin.google.com with super-admin permissions. A regular Workspace user account cannot make this change.

2

Navigate to API controls

From the left sidebar, go to Security → Access and data control → API controls.

3

Open the third-party app access manager

On the API controls page, click Manage Third-Party App Access. This is where Workspace admins approve specific OAuth apps for users to connect to.

4

Add Chipp by Client ID

Click Add app → OAuth App Name Or Client ID. Paste the Client ID from Chipp’s connect screen into the search box and click search.

Select the Chipp entry from the search results.

5

Choose the organizational unit

Pick the organizational unit (OU) where access should apply. For most tenants the right answer is the whole organization — this lets every Workspace user connect Chipp to any of the seven Google integrations.

If your tenant uses sub-OUs to scope third-party app access (e.g. only the Marketing team is allowed to connect external SaaS), choose the OU containing the users who will use Chipp.

6

Set access to Trusted

Set the access level to Trusted: Can access all Google services. This is the recommended level for Chipp because the seven integrations share one Client ID — a single “Trusted” grant unblocks Drive, Gmail, Calendar, Tasks, Sheets, Meet, and YouTube together without needing separate config for each one.

ℹ️

The “Limited” access level only grants specific scopes (e.g. “Drive scopes only”). For Chipp this is more work because the admin would need to revisit the allowlist any time a builder adds a new Google integration. “Trusted” is set-and-forget.

7

Confirm

Click Continue / Finish. Changes can take a few minutes to propagate through Google’s edge before users see the effect. After that, the user retries Connect in Chipp and the OAuth consent screen completes normally.

Why only one allowlist entry is needed

Chipp’s seven Google integrations (Drive, Gmail, Calendar, Tasks, Sheets, Meet, YouTube) all authenticate against the same OAuth Client ID. The Workspace admin allowlist is keyed on Client ID, so one “Trusted” grant covers every Chipp Google integration the builder is using now — and any new ones you add later.

Troubleshooting

The user still sees “This app is blocked” after the admin approved it.

  • Wait 5-10 minutes — changes propagate through Google’s edge before they take effect.
  • Confirm the admin pasted the exact Client ID Chipp showed (the ID is long and copying just the start of it is a common mistake; use the Copy button).
  • If your tenant uses organizational units, double-check the user is in an OU where the allowlist applies.

The user sees a “scopes insufficient” error instead of “This app is blocked”.

The user previously connected a different Google integration and Google’s OAuth flow didn’t re-prompt for the new integration’s scopes. Disconnect the integration in Chipp (Integrations tab → your provider → Disconnect), then click Connect again. Google will show the consent screen and request the full scope set.

The admin can’t find “Manage Third-Party App Access” under API controls.

You need a Workspace edition that includes API access controls (Business Standard, Business Plus, Enterprise, Education Plus, etc.). Workspace Individual and Workspace Essentials Starter do not expose this admin panel.

Using your own Google Workspace OAuth app

If your end-users are all in a single Workspace tenant and you want to skip the allowlist conversation entirely, you can set up your own OAuth credentials in your own Google Cloud project and paste them into Chipp. In the integration detail modal, expand Advanced and paste your Client ID and Client Secret.

When custom credentials are configured, Chipp uses your OAuth app instead of the shared one. The Workspace admin sees your app on the consent screen, and because it’s your tenant’s own app, no allowlist is needed.

This route is more work (you maintain the Google Cloud project, the OAuth consent screen, the redirect URI, and scope verification with Google for any sensitive scopes) but gives you full control. The per-integration docs (Gmail, Google Drive, Google Calendar, Google Sheets) have additional notes on the per-integration scopes the OAuth consent screen needs to declare.