playbooks

home / skills / jezweb / claude-skills / gws-setup

gws-setup skill

/plugins/integrations/skills/gws-setup

npx playbooks add skill jezweb/claude-skills --skill gws-setup

Review the files below or copy the command above to add this skill to your agents.

Files (1)
SKILL.md
9.0 KB
---
name: gws-setup
description: >
  Set up the Google Workspace CLI (gws) from scratch. Guides through GCP project creation,
  OAuth credentials, authentication, and installing 90+ agent skills for Claude Code.
  Use when setting up gws for the first time, configuring Google Workspace API access,
  or troubleshooting gws auth issues. Triggers: "set up gws", "google workspace cli",
  "gws setup", "install gws".
compatibility: claude-code-only
---

# Google Workspace CLI — First-Time Setup

Set up the `gws` CLI (@googleworkspace/cli) with OAuth credentials and 90+ agent skills for Claude Code. Produces a fully authenticated CLI with skills for Gmail, Drive, Calendar, Sheets, Docs, Chat, Tasks, and more.

## Prerequisites

- Node.js 18+
- A Google account (personal or Workspace)
- Access to Google Cloud Console (console.cloud.google.com)

## Workflow

### Step 1: Pre-flight Checks

Check what's already done and skip completed steps:

```bash
# Check if gws is installed
which gws && gws --version

# Check if client_secret.json exists
ls ~/.config/gws/client_secret.json

# Check if already authenticated
gws auth status
```

If `gws auth status` shows `"status": "success"` with scopes, skip to Step 6 (Install Skills).

### Step 2: Install the CLI

```bash
npm install -g @googleworkspace/cli
gws --version
```

### Step 3: Create a GCP Project and OAuth Credentials

The user needs to create OAuth Desktop App credentials in Google Cloud Console. Walk them through each step.

**3a. Create or select a GCP project:**

Direct the user to: `https://console.cloud.google.com/projectcreate`

Or use an existing project. Ask the user which they prefer.

**3b. Enable Google Workspace APIs:**

Direct the user to the API Library for their project: `https://console.cloud.google.com/apis/library?project=PROJECT_ID`

Enable these APIs (search for each):
- Gmail API
- Google Drive API
- Google Calendar API
- Google Sheets API
- Google Docs API
- Google Chat API (requires extra Chat App config — see below)
- Tasks API
- People API
- Google Slides API
- Google Forms API
- Admin SDK API (optional — for Workspace admin features)

**3c. Configure Google Chat App (required for Chat API):**

Enabling the Chat API alone isn't enough — Google requires a Chat App configuration even for user-context OAuth access. Without this, all Chat API calls return errors.

Direct the user to: `https://console.cloud.google.com/apis/api/chat.googleapis.com/hangouts-chat?project=PROJECT_ID`

1. Click the **Configuration** tab
2. Fill in app details (name, avatar, description — values don't matter for CLI use)
3. Under "Functionality", check **Spaces and group conversations**
4. Under "Connection settings", select **Apps Script** or **HTTP endpoint** (pick any — we just need the config to exist)
5. Save

This creates the app identity that the Chat API requires. Messages sent via `gws` still appear as coming from the authenticated user (OAuth user context), not from a bot.

**3e. Configure OAuth consent screen:**

Direct the user to: `https://console.cloud.google.com/apis/credentials/consent?project=PROJECT_ID`

Settings:
- User Type: **External** (works for any Google account)
- App name: `gws CLI` (or any name)
- User support email: their email
- Developer contact: their email
- Leave scopes blank (gws requests scopes at login time)
- Add their Google account as a test user (required while app is in "Testing" status)
- Save and continue through all screens

**3f. Create OAuth client ID:**

Direct the user to: `https://console.cloud.google.com/apis/credentials?project=PROJECT_ID`

1. Click **Create Credentials** → **OAuth client ID**
2. Application type: **Desktop app**
3. Name: `gws CLI`
4. Click **Create**
5. Copy the JSON or download the `client_secret_*.json` file

**3g. Save the credentials:**

Ask the user to provide the client_secret.json content (paste the JSON or provide the downloaded file path).

```bash
mkdir -p ~/.config/gws
```

Write the JSON to `~/.config/gws/client_secret.json`. The expected format:

```json
{
  "installed": {
    "client_id": "...",
    "project_id": "...",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "client_secret": "...",
    "redirect_uris": ["http://localhost"]
  }
}
```

### Step 4: Choose Scopes

Ask the user what level of access they want:

| Option | Command | What it grants |
|--------|---------|----------------|
| **Full access** (recommended) | `gws auth login --full` | All Workspace scopes including admin, pubsub, cloud-platform |
| **Core services** | `gws auth login -s gmail,drive,calendar,sheets,docs,chat,tasks` | Most-used services only |
| **Minimal** | `gws auth login -s gmail,calendar` | Just email and calendar |

Recommend **full access** for power users. The OAuth consent screen shows all requested scopes so the user can review before granting.

> **Note**: If the GCP app is in "Testing" status, scope selection is limited to ~25 scopes. Use `-s service1,service2` to request targeted scopes, or publish the app (Publish → In Production) for broader scope access.

### Step 5: Authenticate

**IMPORTANT**: This step prints a very long OAuth URL (30+ scopes) that the user must open in their browser. The URL is too long to copy from terminal output — it wraps across lines and breaks. Always extract it to a file and open it programmatically.

1. Run the login command and capture the output:

```bash
gws auth login --full 2>&1 | tee /tmp/gws-auth-output.txt
# Or with specific services:
# gws auth login -s gmail,drive,calendar,sheets,docs,chat,tasks 2>&1 | tee /tmp/gws-auth-output.txt
```

Running as a background task is fine — it will complete once the user approves in browser.

2. Extract and open the URL (run separately after output appears):

```bash
grep -o 'https://accounts.google.com[^ ]*' /tmp/gws-auth-output.txt > /tmp/gws-auth-url.txt
cat /tmp/gws-auth-url.txt | xargs open
```

If `open` doesn't work, tell the user: "The auth URL is saved at `/tmp/gws-auth-url.txt` — open that file and copy the URL."

3. Wait for the user to approve in their browser.

After browser approval, gws stores encrypted credentials at `~/.config/gws/credentials.enc`.

Verify:

```bash
gws auth status
```

Should show `"status": "success"` with the authenticated account and granted scopes.

### Step 6: Install Agent Skills

Install the 90+ gws agent skills globally for Claude Code:

```bash
npx skills add googleworkspace/cli -g --agent claude-code --all
```

Verify skills are installed:

```bash
ls ~/.claude/skills/gws-* | wc -l
```

Should show 30+ gws skill directories.

### Step 7: Save Credentials for Other Machines

If the user has other machines to set up, suggest exporting the client credentials:

```bash
gws auth export
```

This prints decrypted credentials (including refresh token) to stdout. The `client_secret.json` file is the portable part — the same OAuth client can be used on any machine, with `gws auth login` generating fresh user tokens per machine.

Tell the user to save the `client_secret.json` content somewhere secure (password manager, encrypted note) for use with the `gws-install` skill on other machines.

### Step 8: Verify Everything Works

Run a few commands to confirm:

```bash
# Check auth
gws auth status

# Check calendar
gws calendar +agenda --today

# Check email
gws gmail +triage
```

If any command fails with auth errors, re-run `gws auth login` with the needed scopes.

---

## Critical Patterns

### Testing vs Production OAuth Apps

GCP OAuth apps start in "Testing" status with a 7-day token expiry and ~25 scope limit. For long-term use:
- Push the app to **Production** in the OAuth consent screen settings
- Production apps have no token expiry limit
- For personal/internal use, Google does not require verification

### Scope Reference

| Service flag | What it enables |
|-------------|-----------------|
| `gmail` | Send, read, manage email, labels, filters |
| `drive` | Files, folders, shared drives |
| `calendar` | Events, calendars, free/busy |
| `sheets` | Read and write spreadsheets |
| `docs` | Read and write documents |
| `chat` | Spaces, messages |
| `tasks` | Task lists and tasks |
| `slides` | Presentations |
| `forms` | Forms and responses |
| `people` | Contacts and profiles |
| `admin` | Workspace admin (directory, devices, groups) |

### Environment Variable Alternative

Instead of `client_secret.json`, credentials can be provided via environment variables:

```bash
export GOOGLE_WORKSPACE_CLI_CLIENT_ID="your-client-id"
export GOOGLE_WORKSPACE_CLI_CLIENT_SECRET="your-client-secret"
gws auth login
```

### Config Directory

All gws config lives in `~/.config/gws/`:

| File | Purpose |
|------|---------|
| `client_secret.json` | OAuth client credentials (portable) |
| `credentials.enc` | Encrypted user tokens (per-machine) |
| `token_cache.json` | Token refresh cache |
| `cache/` | API discovery schema cache |

## See Also

- [gws-install](../gws-install/SKILL.md) — Quick setup on additional machines with existing credentials
- [gws-shared](~/.claude/skills/gws-shared/SKILL.md) — Auth patterns and global flags for gws commands