home / skills / openclaw / skills / google-workspace-byok
This skill enables reading calendars and emails across multiple Google accounts using your own GCP credentials for BYoK authentication.
npx playbooks add skill openclaw/skills --skill google-workspace-byokReview the files below or copy the command above to add this skill to your agents.
---
name: google-workspace-byok
description: |
Google Calendar and Gmail integration using your own GCP project credentials (BYoK — Bring Your Own Key).
Direct OAuth2 auth against your own Google Cloud project. Read calendars, events, and emails across multiple Google accounts.
Use this skill when users want to check their calendar, read emails, or manage schedules.
Supports: listing/reading emails, Gmail search queries, downloading attachments, extracting text from PDF attachments,
listing calendars, listing/getting events, checking free/busy status, and managing multiple Google accounts.
---
# Google Workspace BYoK (Bring Your Own Key)
Direct Google Calendar and Gmail API access using your own GCP project OAuth2 credentials. Supports multiple Google accounts.
## Prerequisites
- **Node.js** (v18+)
- A **Google Cloud project** with Calendar and Gmail APIs enabled
- OAuth2 **Desktop app** credentials from your GCP project
## Setup
### Step 1: Install Dependencies
```bash
cd {baseDir}/scripts && npm install
```
This installs `googleapis` (Google API client) and `mupdf` (PDF text extraction for email attachments).
### Step 2: Create a Google Cloud Project
1. Go to [Google Cloud Console](https://console.cloud.google.com) and create a new project (or use an existing one)
2. Enable the **Google Calendar API** and **Gmail API**:
- Go to **APIs & Services → Library**
- Search for "Google Calendar API" → click **Enable**
- Search for "Gmail API" → click **Enable**
### Step 3: Configure the OAuth Consent Screen
1. Go to **Google Auth Platform → Audience** ([direct link](https://console.cloud.google.com/auth/audience))
2. If prompted, configure the consent screen:
- **App name**: anything (e.g., "OpenClaw")
- **User support email**: your email
- **Scopes**: skip (the auth script requests scopes at runtime)
3. If your app is in **Testing** publishing status (the default), add every Google account you want to authorize as a **test user**:
- Under **Test users**, click **Add users**
- Enter the email addresses of each account you'll connect
- Save
> **⚠️ Important:** Apps in "Testing" status have a **7-day token expiry**. To get long-lived tokens, publish your app to "Production" in the Audience settings. For personal Gmail accounts (External user type), you can skip Google's verification review — you'll just see an "unverified app" warning during consent. This is fine for personal use.
### Step 4: Create OAuth Credentials
1. Go to **Google Auth Platform → Clients** ([direct link](https://console.cloud.google.com/auth/clients))
2. Click **Create Client** → choose **Desktop app** as the application type
3. Name it whatever you like (e.g., "OpenClaw")
4. Click **Create** and **download the credentials JSON**
5. Run the setup script:
```bash
node {baseDir}/scripts/setup.js --credentials /path/to/downloaded-credentials.json
```
This copies your credentials to `~/.openclaw/google-workspace-byok/credentials.json`.
### Step 5: Authorize Google Accounts
For each Google account you want to connect:
```bash
node {baseDir}/scripts/auth.js --account <label>
```
The `<label>` is a friendly name you'll use to reference this account (e.g., "personal", "work", "household").
**Auth flow:**
1. The script prints an authorization URL
2. Open the URL in your browser and sign in with the Google account
3. Grant the requested permissions
4. You'll be redirected to `http://localhost/...` — **the page won't load, and that's expected**
5. Copy the **full URL** from your browser's address bar and paste it back into the script
6. The script exchanges the code for tokens and saves them
**Scopes requested (default — read/write):**
- `calendar` — Full read/write access to Google Calendar
- `gmail.readonly` — Read-only access to Gmail
Pass `--readonly` to request read-only calendar access instead.
Tokens are stored in `~/.openclaw/google-workspace-byok/tokens/<label>.json`.
## Usage
All scripts are in `{baseDir}/scripts/`. Run them with `node`.
### Calendar
```bash
# List all calendars
node {baseDir}/scripts/calendar.js --account <label> --action list-calendars
# List upcoming events (default: next 7 days, primary calendar)
node {baseDir}/scripts/calendar.js --account <label> --action events
# List events with options
node {baseDir}/scripts/calendar.js --account <label> --action events --calendar <calendarId> --days <number> --max <number>
# Get a specific event
node {baseDir}/scripts/calendar.js --account <label> --action get-event --calendar <calendarId> --event-id <eventId>
# Check free/busy
node {baseDir}/scripts/calendar.js --account <label> --action freebusy --days <number>
```
### Gmail
```bash
# List recent emails (default: 10)
node {baseDir}/scripts/gmail.js --account <label> --action list
# Search emails
node {baseDir}/scripts/gmail.js --account <label> --action list --query "from:[email protected]" --max 20
# Read a specific email (includes attachment metadata with IDs)
node {baseDir}/scripts/gmail.js --account <label> --action read --message-id <messageId>
# Download all attachments from an email
node {baseDir}/scripts/gmail.js --account <label> --action attachment --message-id <messageId> --out-dir /tmp/attachments
# Download a specific attachment
node {baseDir}/scripts/gmail.js --account <label> --action attachment --message-id <messageId> --attachment-id <id> --out-dir /tmp
# List labels
node {baseDir}/scripts/gmail.js --account <label> --action labels
```
Gmail search uses the same query syntax as the Gmail web search box (e.g., `is:unread`, `from:`, `newer_than:1d`, `has:attachment`).
### Reading PDF Attachments
The skill includes `mupdf` for extracting text from PDF attachments — useful for newsletters, invoices, school letters, etc. It handles multilingual text (Japanese, Chinese, etc.) well.
```bash
# 1. Download the attachment
mkdir -p /tmp/attachments
node {baseDir}/scripts/gmail.js --account <label> --action attachment --message-id <id> --out-dir /tmp/attachments
# 2. Extract text from the PDF
node --input-type=module -e "
import * as mupdf from '{baseDir}/scripts/node_modules/mupdf/dist/mupdf.js';
import fs from 'fs';
const data = fs.readFileSync('/tmp/attachments/filename.pdf');
const doc = mupdf.Document.openDocument(data, 'application/pdf');
for (let i = 0; i < doc.countPages(); i++) {
const page = doc.loadPage(i);
console.log(page.toStructuredText('preserve-whitespace').asText());
}
"
```
> **Note:** `mupdf` is an ESM module — use `node --input-type=module` with `import` syntax, not `require()`.
### Account Management
```bash
# List configured accounts
node {baseDir}/scripts/accounts.js --action list
# Check token status
node {baseDir}/scripts/accounts.js --action status --account <label>
```
## File Layout
```
~/.openclaw/google-workspace-byok/
├── credentials.json # Your GCP OAuth credentials
└── tokens/
├── personal.json # Token for "personal" account
└── work.json # Token for "work" account
```
## Troubleshooting
### `Error 403: access_denied` — "has not completed the Google verification process"
Your app is in **Testing** mode and the Google account isn't listed as a test user. Fix: **Google Auth Platform → Audience → Test users → Add** the email.
### `Error: invalid_grant`
The refresh token expired or was revoked. Re-run `node {baseDir}/scripts/auth.js --account <label>` to re-authorize.
### Tokens expire after 7 days
Apps in "Testing" publishing status issue tokens that expire after 7 days. Publish your app to "Production" for long-lived tokens. For personal Gmail (External user type), you can skip verification and just accept the "unverified app" warning.
### `Error: redirect_uri_mismatch`
Your credentials.json doesn't include `http://localhost` as a redirect URI. Edit your OAuth client in GCP Console → **Authorized redirect URIs** → add `http://localhost`.
### `npm install` fails or `mupdf` won't install
`mupdf` requires a C++ build toolchain on some platforms. If it fails, you can still use all other features — PDF text extraction is the only feature that requires it. Try: `npm install --ignore-scripts` to skip native compilation, then install `mupdf` separately if needed.
This skill provides Google Calendar and Gmail integration using your own Google Cloud project OAuth2 credentials (BYoK — Bring Your Own Key). It lets you connect multiple Google accounts directly, read calendars, events, and emails, download attachments, and extract text from PDF attachments. Use your own GCP credentials so tokens and consent flow run under your project and policies.
The skill runs local Node.js scripts that use direct OAuth2 against your Google Cloud Desktop-app credentials. It stores OAuth credentials and per-account tokens locally, calls the Gmail and Calendar APIs to list/search/read messages and events, and uses mupdf for optional PDF text extraction. You authorize each Google account once by following the printed auth URL and pasting back the redirect URL to obtain tokens.
Why do tokens expire after 7 days?
Apps in Testing status issue short-lived refresh tokens. Publish your app to Production in Google Auth Platform to obtain long-lived tokens.
What if mupdf fails to install?
mupdf may require a native build toolchain. The core Gmail/Calendar features still work without it; install mupdf separately when you have the required build tools.