Unverified Apps? Here are 4 Easy Steps to Preparing your App for Google Authentication
Are you looking to get your app verified by Google? Well, getting prepared for verification is a great first step to make it a reliable entity that the public can gain access to.
But how do you go about it?
For starters, is your app even in the running to get verified?
Here's how to know whether you qualify and streamline your app for a smooth and stress-free verification process.
What to Know Before Preparing for Verification
- Understand whether the app needs verification: You only need app verification if you plan to launch your app to the public, especially to enterprise users and consumers.
- Check whether the app requests restricted or sensitive scopes: Apps that use only non-sensitive scopes, or that are still under development, may not require verification. The same applies to apps built only for your G Suite users.
Once you initiate app verification, you cannot make updates to your app’s Google API configuration seamlessly. If changes are required, you will need to start from the very beginning again.
So make certain the app is ready before you initiate the verification, so that there are no unexpected delays.
What to know about the verification process
Get a thorough idea of how the process works as you can then build your app optimally. This also helps you streamline and obtain a smoother Google authentication process.
Don’t know where to begin? Fear not, here is the process and what you need to know about preparing your app for OAuth verification.
Step 1: Verify domain ownership
First off, using Search Console, confirm your ownership of every authorized domain. Do this with an account that is either a Project Editor or a Project Owner on your OAuth Project.
Keep in mind,
It’s important to offer a thorough justification for Google to validate a third-party service provider (if you are using one). Also, see that your domain is owned by the same service provider.
Remember,
- Your application homepage needs to link to an externally accessible domain that explains the required context, content, or connection to the app that you are seeking to authenticate.
- Looking to place sign-in restrictions on the homepage? Be aware that it is only permitted for internal apps that are not included in the verification process.
- Links to Facebook or the Google Play Store do not qualify as valid application homepages.
Step 2: Create a privacy policy page
When creating a privacy policy page, make sure it complies with the new security protections by meeting these requirements. The privacy policy needs to:
- Be hosted within your website’s domain and linked to the OAuth consent screen on the Google API Console
- Be visible to users
- Reveal how your application uses, accesses, stores, or shares Google user data
NOTE: Your use of Google user data needs to be limited to the practices that adhere to your published Privacy Policy.
Step 3: Explain why you are requesting each scope
Every scope that you are requesting must come with an explanation of the need or use for the project.
You also need to explain why a narrower scope would be insufficient.
Pay attention to the OAuth branding information on the OAuth consent screen and see that it shows the identity of the app accurately. This includes details such as the support email, project name shown to users, privacy policy URL, homepage URL, among others.
Step 4: Show the OAuth Grant process via a demo video
Add a YouTube link to a demo video showing users the OAuth grant process. You can explicitly explain why it is vital to use sensitive and restricted scopes within the functionality of the app for every OAuth client that is part of the project. In this case, OAuth is the process we make use of to help the provider connect to Google Calendar.
- Make sure the video properly offers the app’s information. This includes the OAuth client ID, app name, and so on.
- When dealing with multiple client IDs, the demo video needs to show the usage of restricted and sensitive scopes on individual clients.
- Including the video with your verification request will ensure the approval process moves forward more rapidly.
- You won’t gain approval if scope usage on every OAuth client ID is not systematically explained in an in-depth manner.
- If any of your OAuth clients in the project that requests verification is not prepared for testing, your app won’t undergo a review which means your request is going to be rejected.
- It’s also important to separate your production and test projects. That way, before requesting verification, you can move OAuth clients that are still in development into a test project.
Once you do this, your apps will be reviewed closely by Google teams.
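An added example, not part of the original article or of any Google tooling: a pre-submission check of Steps 1 to 3 run over a hypothetical config dict whose field names are assumptions. It assumes the homepage and privacy policy must sit under an authorized domain, and it matches hosts on label boundaries, so `myexample.com` does not pass as being within `example.com`.

```python
from urllib.parse import urlsplit

# Hosts the page says do not qualify as an application homepage.
NOT_A_HOMEPAGE = ("facebook.com", "play.google.com")

def _host(url):
    """Lower-cased hostname of a URL, or None when there is none."""
    host = urlsplit(url or "").hostname
    return host.lower() if host else None

def _within(host, domain):
    """True if host is the domain or a subdomain of it, matched on label boundaries."""
    domain = domain.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

def preflight(cfg):
    """Return a list of findings; an empty list means the checklist passes."""
    findings = []
    domains = cfg.get("authorized_domains", [])
    home, policy = _host(cfg.get("homepage_url")), _host(cfg.get("privacy_policy_url"))
    if home is None:
        findings.append("homepage: missing or not a URL")
    elif any(_within(home, d) for d in NOT_A_HOMEPAGE):
        findings.append("homepage: Facebook or Play Store link does not qualify")
    elif not any(_within(home, d) for d in domains):  # assumption, see lead-in
        findings.append("homepage: host is not under an authorized domain")
    if policy is None or not any(_within(policy, d) for d in domains):
        findings.append("privacy policy: not hosted within an authorized domain")
    for field in ("app_name", "support_email"):
        if not cfg.get(field):
            findings.append(f"branding: {field} is empty")
    for scope in cfg.get("scopes", []):
        for field in ("justification", "why_not_narrower"):
            if not scope.get(field, "").strip():
                findings.append(f"scope {scope['name']}: {field} is empty")
    return findings

# Constructed sample: every field name and value below is hypothetical.
SAMPLE = {
    "app_name": "Demo Scheduler", "support_email": "",
    "homepage_url": "https://www.facebook.com/demo-scheduler",
    "privacy_policy_url": "https://myexample.com/privacy",  # not a subdomain of example.com
    "authorized_domains": ["example.com"],
    "scopes": [{"name": "https://www.googleapis.com/auth/calendar",
                "justification": "Create bookings", "why_not_narrower": " "}],
}

if __name__ == "__main__":
    for finding in preflight(SAMPLE):
        print(finding)
```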
Listen up! Be sure to follow these notes for a smoother Google authentication
Make sure you focus on these aspects in particular
- The connect button needs to maintain the Google login standard.
- The warning message needs to show details that are well-explained such as how data is going to be used before connecting. It’s best to place it above the connect button.
- It’s best to match the home page and privacy policy page with the main site design and color.
- When creating the video, show the client ID properly. It’s a must to do so.
- When uploading your video onto YouTube, keep the video unlisted.
- If you get any suggestions, it’s best to reply to the email directly.
And that’s how you streamline the verification process to get your Google App reviewed in a faster and smoother way.
So what are you waiting for? Reduce risk from unverified apps and begin the Google authentication process already!