[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-72492":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":11,"languages":10,"totalLinesOfCode":10,"stars":12,"forks":13,"watchers":14,"openIssues":15,"contributorsCount":16,"subscribersCount":16,"size":16,"stars1d":17,"stars7d":18,"stars30d":19,"stars90d":16,"forks30d":16,"starsTrendScore":20,"compositeScore":21,"rankGlobal":10,"rankLanguage":10,"license":22,"archived":23,"fork":23,"defaultBranch":24,"hasWiki":25,"hasPages":23,"topics":26,"createdAt":10,"pushedAt":10,"updatedAt":47,"readmeContent":48,"aiSummary":49,"trendingCount":16,"starSnapshotCount":16,"syncStatus":50,"lastSyncTime":51,"discoverSource":52},72492,"google_workspace_mcp","taylorwilsdon\u002Fgoogle_workspace_mcp","taylorwilsdon","Control Gmail, Google Calendar, Docs, Sheets, Slides, Chat, Forms, Tasks, Search & Drive with AI - Comprehensive Google Workspace \u002F G Suite MCP Server & CLI Tool","https:\u002F\u002Fworkspacemcp.com",null,"Python",2645,802,15,52,0,25,122,267,75,110.71,"MIT License",false,"main",true,[27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46],"ai","g-suite","gmail","google-calendar","google-chat","google-docs","google-drive","google-forms","google-sheets","google-tasks","google-workspace","gsuite","llm","llm-tools","mcp","mcp-server","model-context-protocol","model-context-protocol-server","model-context-protocol-servers","workspace","2026-06-12 04:01:06","\u003C!-- mcp-name: io.github.taylorwilsdon\u002Fworkspace-mcp -->\n\n\u003Cdiv align=\"center\">\n\n# \u003Cspan style=\"color:#cad8d9\">Google Workspace MCP Server\u003C\u002Fspan> \u003Cimg src=\"https:\u002F\u002Fgithub.com\u002Fuser-attachments\u002Fassets\u002Fb89524e4-6e6e-49e6-ba77-00d6df0c6e5c\" width=\"80\" align=\"right\" \u002F>\n\n[![License: MIT](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FLicense-MIT-yellow.svg)](https:\u002F\u002Fopensource.org\u002Flicenses\u002FMIT)\n[![Python 3.10+](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FPython-3.10%2B-blue.svg)](https:\u002F\u002Fwww.python.org\u002Fdownloads\u002F)\n[![PyPI](https:\u002F\u002Fimg.shields.io\u002Fpypi\u002Fv\u002Fworkspace-mcp.svg)](https:\u002F\u002Fpypi.org\u002Fproject\u002Fworkspace-mcp\u002F)\n[![PyPI Downloads](https:\u002F\u002Fstatic.pepy.tech\u002Fpersonalized-badge\u002Fworkspace-mcp?period=total&units=INTERNATIONAL_SYSTEM&left_color=BLACK&right_color=BLUE&left_text=pypi)](https:\u002F\u002Fpepy.tech\u002Fprojects\u002Fworkspace-mcp)\n[![Website](https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FWebsite-workspacemcp.com-green.svg)](https:\u002F\u002Fworkspacemcp.com)\n\n*Full natural language control over Google Calendar, Drive, Gmail, Docs, Sheets, Slides, Forms, Tasks, Contacts, and Chat through all MCP clients, AI assistants and developer tools.*\n\n*Includes a full featured CLI & Code Mode for use with tools like Claude Code and Codex!*\n\n**The most feature-complete Google Workspace MCP server**, it can do things that Google's own tooling and the built in integrations with Claude and ChatGPT can't even dream of. With Remote OAuth2.1 multi-user support, fine-grained editing tools and the most extensive coverage of any Google Workspace tool in existance, Workspace MCP is in a different class. Offering native OAuth 2.1, stateless mode and external auth server support, it's also the only Workspace MCP you can host for your whole organization centrally & securely!\n\n###### Support for all free Google accounts & Google Workspace plans (Starter, Standard, Plus, Enterprise, Non Profit) with expanded app options like Chat & Spaces. \u003Cbr\u002F>\u003Cbr \u002F> Interested in a private, managed cloud instance? [That can be arranged.](https:\u002F\u002Fworkspacemcp.com\u002Fworkspace-mcp-cloud)\n\n\n\u003C\u002Fdiv>\n\n\u003Cp align=\"center\">\n  \u003Ca href=\"https:\u002F\u002Fworkspacemcp.com\u002Fdocs\">\n    \u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FRead%20the%20Docs-0969DA?style=for-the-badge&logo=readthedocs&logoColor=white\" alt=\"Read the Docs\">\n  \u003C\u002Fa>\u003Cbr \u002F>\u003Ca href=\"https:\u002F\u002Fworkspacemcp.com\u002Fquick-start\">\n    \u003Cimg src=\"https:\u002F\u002Fimg.shields.io\u002Fbadge\u002FQuick%20Start-2EA44F?style=for-the-badge\" alt=\"Quick Start Guide\">\n  \u003C\u002Fa>\n\u003C\u002Fp>\n\n\u003Cdiv align=\"center\">\n\u003Ca href=\"https:\u002F\u002Fwww.pulsemcp.com\u002Fservers\u002Ftaylorwilsdon-google-workspace\">\n\u003Cimg width=\"375\" src=\"https:\u002F\u002Fgithub.com\u002Fuser-attachments\u002Fassets\u002F0794ef1a-dc1c-447d-9661-9c704d7acc9d\" align=\"center\"\u002F>\n\u003C\u002Fa>\n\u003C\u002Fdiv>\n\n---\n\n\u003Cdiv align=\"center\">\n\u003Ctable>\n\u003Ctr>\n\u003Ctd align=\"center\">\n\u003Cb>⚡ Start\u003C\u002Fb>\u003Cbr>\n\u003Csub>\n\u003Ca href=\"#quick-start\">Quick Start\u003C\u002Fa> · \u003Ca href=\"#prerequisites\">Prerequisites\u003C\u002Fa>\u003Cbr>\n\u003Ca href=\"#configuration\">Google Cloud\u003C\u002Fa> · \u003Ca href=\"#-credential-configuration\">Credentials\u003C\u002Fa>\n\u003C\u002Fsub>\n\u003C\u002Ftd>\n\u003Ctd align=\"center\">\n\u003Cb>🧰 Tools\u003C\u002Fb>\u003Cbr>\n\u003Csub>\n\u003Ca href=\"#-available-tools\">All Tools\u003C\u002Fa> · \u003Ca href=\"#tool-tiers\">Tool Tiers\u003C\u002Fa>\u003Cbr>\n\u003Ca href=\"#cli\">CLI\u003C\u002Fa> · \u003Ca href=\"#start-the-server\">Start Server\u003C\u002Fa>\n\u003C\u002Fsub>\n\u003C\u002Ftd>\n\u003Ctd align=\"center\">\n\u003Cb>🔌 Connect\u003C\u002Fb>\u003Cbr>\n\u003Csub>\n\u003Ca href=\"#quick-start--connect-claude-to-google-workspace\">Quick Start\u003C\u002Fa> · \u003Ca href=\"#connect-to-claude-desktop\">Claude Desktop\u003C\u002Fa>\u003Cbr>\n\u003Ca href=\"#claude-code-mcp-client-support\">Claude Code\u003C\u002Fa> · \u003Ca href=\"#vs-code-mcp-client-support\">VS Code\u003C\u002Fa> · \u003Ca href=\"#connect-to-lm-studio\">LM Studio\u003C\u002Fa>\n\u003C\u002Fsub>\n\u003C\u002Ftd>\n\u003Ctd align=\"center\">\n\u003Cb>🚀 Deploy\u003C\u002Fb>\u003Cbr>\n\u003Csub>\n\u003Ca href=\"#oauth-21-support-multi-user-bearer-token-authentication\">OAuth 2.1\u003C\u002Fa> · \u003Ca href=\"#stateless-mode-container-friendly\">Stateless\u003C\u002Fa>\u003Cbr>\n\u003Ca href=\"#external-oauth-21-provider-mode\">External OAuth\u003C\u002Fa> · \u003Ca href=\"#reverse-proxy-setup\">Reverse Proxy\u003C\u002Fa>\n\u003C\u002Fsub>\n\u003C\u002Ftd>\n\u003Ctd align=\"center\">\n\u003Cb>📐 Develop\u003C\u002Fb>\u003Cbr>\n\u003Csub>\n\u003Ca href=\"#-development\">Architecture\u003C\u002Fa> · \u003Ca href=\"#local-development-setup\">Dev Setup\u003C\u002Fa>\u003Cbr>\n\u003Ca href=\"#-security\">Security\u003C\u002Fa> · \u003Ca href=\"#-license\">License\u003C\u002Fa>\n\u003C\u002Fsub>\n\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003C\u002Ftable>\n\u003C\u002Fdiv>\n\n**See it in action:**\n\u003Cdiv align=\"center\">\n  \u003Cvideo width=\"400\" src=\"https:\u002F\u002Fgithub.com\u002Fuser-attachments\u002Fassets\u002Fa342ebb4-1319-4060-a974-39d202329710\">\u003C\u002Fvideo>\n\u003C\u002Fdiv>\n\n---\n\n## \u003Cspan style=\"color:#adbcbc\">Overview\u003C\u002Fspan>\n\nWorkspace MCP is the single most complete MCP server, the only that integrates all major Google Workspace services with AI assistants and all agent platforms. The entire toolset is available for CLI usage supporting both local and remote instances.\n\n## \u003Cspan style=\"color:#adbcbc\">Features\u003C\u002Fspan>\n\n> **12 services** &ensp;—&ensp; Gmail · Drive · Calendar · Docs · Sheets · Slides · Forms · Chat · Apps Script · Tasks · Contacts · Search\n\n\u003Ctable>\n\u003Ctr>\n\u003Ctd valign=\"top\" width=\"50%\">\n\n**📧 Gmail** — Complete email management, end-to-end coverage\u003Cbr>\n**📁 Drive** — File operations with sharing, permissions, Office files, PDFs & images\u003Cbr>\n**📅 Calendar** — Full event management with advanced features\u003Cbr>\n**📝 Docs** — Deep, fine-grained editing, formatting & comments\u003Cbr>\n**📊 Sheets** — Flexible cell management, formatting & conditional rules\u003Cbr>\n**🖼️ Slides** — Presentation creation, updates & content manipulation\u003Cbr>\n**📋 Forms** — Creation, publish settings & response management\u003Cbr>\n**💬 Chat** — Space management, messaging & reactions\n\n\u003C\u002Ftd>\n\u003Ctd valign=\"top\" width=\"50%\">\n\n**⚡ Apps Script** — Cross-application workflow automation\u003Cbr>\n\u003Csub>&ensp;Projects · deployments · versions · execution · debugging\u003C\u002Fsub>\n\n**✅ Tasks** — Task & list management with hierarchy\u003Cbr>\n**👤 Contacts** — People API with groups & batch operations\u003Cbr>\n**🔍 Custom Search** — Programmable Search Engine integration\n\n---\n\n**🔐 Authentication & Security**\u003Cbr>\n\u003Csub>OAuth 2.0 & 2.1 · auto token refresh · multi-user bearer tokens · transport-aware callbacks · CORS proxy\u003C\u002Fsub>\n\n\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003C\u002Ftable>\n\n---\n\n## \u003Cspan style=\"color:#adbcbc\">Security & Compliance\u003C\u002Fspan>\n\n\u003Ctable>\n\u003Ctr>\n\u003Ctd valign=\"top\" width=\"50%\">\n\n**For Security Teams**\n\nThis server sends no data anywhere except Google's APIs, on behalf of the authenticated user, using your own OAuth client credentials. There is no telemetry, no usage reporting, no analytics, no license server, and no SaaS dependency. The entire data path is: your infrastructure → Google APIs.\n\n- **Fully open source** — every line is auditable in this repo\n- **Your OAuth client, your GCP project** — credentials never leave your environment\n- **You control the scopes** — read-only, granular per-service permissions, or full access\n- **You control the network** — deploy behind your reverse proxy, in your VPC, on your own terms\n- **No third-party services** — no intermediary servers, no token relays, no hosted backends\n- **Stateless mode** — zero disk writes for locked-down container environments\n- **Sensitive path blocking** — local file reads default to the managed attachment directory, and `validate_file_path()` still blocks `.env*` files plus common home-directory credential stores such as `~\u002F.ssh\u002F` and `~\u002F.aws\u002F` even if `ALLOWED_FILE_DIRS` is broadened\n\nFull dependency tree in `pyproject.toml`, pinned in `uv.lock`.\n\n\u003C\u002Ftd>\n\u003Ctd valign=\"top\" width=\"50%\">\n\n**For Legal & Procurement**\n\nThis project is [MIT licensed](LICENSE) — not \"open core,\" not \"source available,\" not \"free with a CLA.\" There is no dual licensing, no commercial tier gating features, and no contributor license agreement.\n\n- **Use commercially without restriction** — build products, sell services, deploy internally\n- **Fork, embed, redistribute** — MIT requires only attribution\n- **No CLA** — contributions remain under MIT\n- **No telemetry to disclose** — nothing to flag in a privacy review\n- **No network effects** — the server never contacts any endpoint you didn't configure\n- **Standard dependency licenses** — MIT, Apache 2.0, and BSD throughout the dependency chain; no copyleft, no AGPL\n\nThe license is 21 lines and says what it means.\n\n\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003C\u002Ftable>\n\n---\n\n## Quick Start\n\n> Set credentials → pick a launch command → connect your client\n\n\u003Cdiv align=\"center\">\n\n> 💡 **New to Workspace MCP?** Check out the **[Interactive Quick Start Guide →](https:\u002F\u002Fworkspacemcp.com\u002Fquick-start)** with step-by-step setup, screenshots, and troubleshooting tips!\n\n\u003C\u002Fdiv>\n\n\u003Ctable>\n\u003Ctr>\n\u003Ctd valign=\"top\" width=\"50%\">\n\n**Confidential Client Quick Start**\n\n```bash\n# 1. Credentials\nexport GOOGLE_OAUTH_CLIENT_ID=\"...\"\nexport GOOGLE_OAUTH_CLIENT_SECRET=\"...\"\n\n# 2. Launch — pick a tier\nuvx workspace-mcp --tool-tier core       # essential tools\nuvx workspace-mcp --tool-tier extended   # core + management ops\nuvx workspace-mcp --tool-tier complete   # everything\n\n# Or cherry-pick services\nuv run main.py --tools gmail drive calendar\n```\n\n\u003C\u002Ftd>\n\u003Ctd valign=\"top\" width=\"50%\">\n\n**Secretless \u002F Public OAuth 2.1 (PKCE) Quick Start**\n\n```bash\n# 1. Credentials\nexport MCP_ENABLE_OAUTH21=true\nexport GOOGLE_OAUTH_CLIENT_ID=\"...\"\nexport WORKSPACE_MCP_PORT=8000\nexport GOOGLE_OAUTH_REDIRECT_URI=\"http:\u002F\u002Flocalhost:${WORKSPACE_MCP_PORT}\u002Foauth2callback\"\nexport OAUTHLIB_INSECURE_TRANSPORT=1\n# Leave GOOGLE_OAUTH_CLIENT_SECRET unset for public PKCE clients\nexport FASTMCP_SERVER_AUTH_GOOGLE_JWT_SIGNING_KEY=\"$(openssl rand -hex 32)\"\n\n# 2. Launch — OAuth 2.1 requires HTTP transport\nuvx workspace-mcp --transport streamable-http --tool-tier core\nuvx workspace-mcp --transport streamable-http --tool-tier extended\nuvx workspace-mcp --transport streamable-http --tool-tier complete\n\n# Or cherry-pick services\nuv run main.py --transport streamable-http --tools gmail drive calendar\n```\n\n\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003C\u002Ftable>\n\n\u003Csub>[Credential setup →](#-credential-configuration) · [All launch options →](#start-the-server) · [Tier details →](#tool-tiers)\u003C\u002Fsub>\n\n\u003Cdetails open>\n\u003Csummary>\u003Cb>Environment Variable Reference\u003C\u002Fb>\u003C\u002Fsummary>\n\u003Csub>\n\n| Variable | | Purpose |\n|----------|:---:|---------|\n| **🔐 Authentication** | | |\n| `GOOGLE_OAUTH_CLIENT_ID` | **required** | OAuth client ID from Google Cloud |\n| `GOOGLE_OAUTH_CLIENT_SECRET` | | OAuth client secret for confidential clients; optional for public OAuth 2.1 PKCE clients |\n| `OAUTHLIB_INSECURE_TRANSPORT` | **required**&ast; | Set to `1` for development — allows `http:\u002F\u002F` redirect |\n| `USER_GOOGLE_EMAIL` | | Default email for single-user auth |\n| `GOOGLE_CLIENT_SECRET_PATH` | | Custom path to `client_secret.json` |\n| `GOOGLE_MCP_CREDENTIALS_DIR` | | Credential directory — default `~\u002F.google_workspace_mcp\u002Fcredentials` |\n| **🖥️ Server** | | |\n| `WORKSPACE_MCP_BASE_URI` | | Base server URI (no port) — default `http:\u002F\u002Flocalhost` |\n| `WORKSPACE_MCP_PORT` | | Listening port — default `8000`. Also controls the stdio-mode OAuth callback port. The `PORT` env var takes precedence if set. |\n| `WORKSPACE_MCP_HOST` | | Bind host — default `0.0.0.0` |\n| `WORKSPACE_MCP_TRANSPORT` | | `stdio` or `streamable-http`; used when `--transport` is not passed |\n| `WORKSPACE_MCP_HTTP_PORT` | | Advanced legacy-stdio sidecar `\u002Fmcp` port for local `workspace-cli` access. Disabled when empty. Binds to `127.0.0.1` only and is accessible to local processes. |\n| `WORKSPACE_EXTERNAL_URL` | | External URL for reverse proxy setups |\n| `WORKSPACE_ATTACHMENT_DIR` | | Downloaded attachments dir and default trusted local attachment directory — default `~\u002F.workspace-mcp\u002Fattachments\u002F` |\n| `WORKSPACE_MCP_URL` | | Remote MCP endpoint URL for CLI |\n| `ALLOWED_FILE_DIRS` | | Colon-separated allowlist for local file reads |\n| **🧰 Tool Selection** | | |\n| `WORKSPACE_MCP_TOOLS` | | Comma-separated services, e.g. `gmail,drive,calendar`; empty means all services |\n| `WORKSPACE_MCP_TOOL_TIER` | | `core`, `extended`, or `complete`; empty means all tools |\n| `WORKSPACE_MCP_READ_ONLY` | | `true`, `1`, or `yes` to request read-only scopes and filter write tools |\n| `WORKSPACE_MCP_PERMISSIONS` | | Space-separated `service:level` entries, e.g. `gmail:send drive:readonly`; mutually exclusive with tools and read-only |\n| **🔑 OAuth 2.1 & Multi-User** | | |\n| `MCP_ENABLE_OAUTH21` | | `true` to enable OAuth 2.1 multi-user support |\n| `EXTERNAL_OAUTH21_PROVIDER` | | `true` for external OAuth flow with bearer tokens |\n| `WORKSPACE_MCP_STATELESS_MODE` | | `true` for stateless container-friendly operation |\n| `GOOGLE_OAUTH_REDIRECT_URI` | | Override OAuth callback URL — default auto-constructed |\n| `OAUTH_CUSTOM_REDIRECT_URIS` | | Comma-separated additional redirect URIs |\n| `OAUTH_ALLOWED_ORIGINS` | | Comma-separated additional CORS origins |\n| `WORKSPACE_MCP_OAUTH_PROXY_STORAGE_BACKEND` | | `memory`, `disk`, or `valkey` — see [storage backends](#oauth-proxy-storage-backends) |\n| `FASTMCP_SERVER_AUTH_GOOGLE_JWT_SIGNING_KEY` | | Custom encryption key for OAuth proxy storage; required for public OAuth 2.1 clients when `GOOGLE_OAUTH_CLIENT_SECRET` is omitted |\n| `WORKSPACE_MCP_ALLOWED_CLIENT_REDIRECT_URIS` | | Comma-separated allowlist of redirect URIs that dynamically-registered OAuth clients may use. Default is unset (any URI permitted, per DCR). Supports FastMCP's glob patterns (`*`, `*.example.com`) |\n| **🗄️ Credential Store** | | |\n| `WORKSPACE_MCP_CREDENTIAL_STORE_BACKEND` | | `local_directory` (default) or `gcs` — see [credential store system](#credential-store-system) |\n| `WORKSPACE_MCP_CREDENTIALS_DIR` | | Directory for the `local_directory` backend |\n| `GOOGLE_MCP_CREDENTIALS_DIR` | | Backward-compatible alias for `WORKSPACE_MCP_CREDENTIALS_DIR` |\n| `WORKSPACE_MCP_GCS_BUCKET` | | **Required when backend is `gcs`** — GCS bucket name |\n| `WORKSPACE_MCP_GCS_PREFIX` | | Optional object-name prefix for the `gcs` backend |\n| `WORKSPACE_MCP_GCS_REQUIRE_CMEK` | | `true` to require a bucket default KMS key at startup (fails fast if unset) |\n| **🔧 Service Account** | | |\n| `GOOGLE_SERVICE_ACCOUNT_KEY_FILE` | | Path to service account JSON key file (domain-wide delegation) |\n| `GOOGLE_SERVICE_ACCOUNT_KEY_JSON` | | Inline service account JSON key (alternative to file) |\n| `DWD_ALLOWED_DOMAINS` | | Comma-separated domain allowlist for per-request impersonation (optional) |\n| **🔍 Custom Search** | | |\n| `GOOGLE_PSE_API_KEY` | | API key for Programmable Search Engine |\n| `GOOGLE_PSE_ENGINE_ID` | | Search Engine ID for PSE |\n\n&ast;Required for development only. Claude Desktop stores credentials securely in the OS keychain — set them once in the extension pane.\n\n\u003C\u002Fsub>\n\u003C\u002Fdetails>\n\n---\n\n### Quick Start — Connect Claude to Google Workspace\n\nThe recommended setup is to run an instance and connect Claude to it via a **Connector**. Full instructions at **[workspacemcp.com\u002Fquick-start](https:\u002F\u002Fworkspacemcp.com\u002Fquick-start)**.\n\n\u003Cdiv align=\"center\">\n  \u003Cvideo width=\"832\" src=\"https:\u002F\u002Fgithub.com\u002Fuser-attachments\u002Fassets\u002F83cca4b3-5e94-448b-acb3-6e3a27341d3a\">\u003C\u002Fvideo>\n\u003C\u002Fdiv>\n\n---\n\n### Prerequisites\n\n**Python 3.10+** · **[uv\u002Fuvx](https:\u002F\u002Fgithub.com\u002Fastral-sh\u002Fuv)** · **Google Cloud Project** with OAuth 2.0 credentials\n\nIf you want the GCS credential store backend, install the optional dependency first:\n\n```bash\nuv sync --extra gcs\n# or\npip install \"workspace-mcp[gcs]\"\n```\n\n### Configuration\n\n\u003Cdetails open>\n\u003Csummary>\u003Cb>Google Cloud Setup\u003C\u002Fb>\u003C\u002Fsummary>\n\n1. **Create Project** — [Open Console →](https:\u002F\u002Fconsole.cloud.google.com\u002F) → Create new project\n2. **Create OAuth Credentials** — APIs & Services → Credentials → Create Credentials → OAuth Client ID\n   - Choose **Desktop Application** for a public PKCE client (no redirect URIs needed) or **Web Application** for a confidential client\n   - Download and note your Client ID and, if issued, Client Secret\n3. **Enable APIs** — APIs & Services → Library, then enable each service:\n\n   | | | | |\n   |:--|:--|:--|:--|\n   | [Calendar](https:\u002F\u002Fconsole.cloud.google.com\u002Fflows\u002Fenableapi?apiid=calendar-json.googleapis.com) | [Drive](https:\u002F\u002Fconsole.cloud.google.com\u002Fflows\u002Fenableapi?apiid=drive.googleapis.com) | [Gmail](https:\u002F\u002Fconsole.cloud.google.com\u002Fflows\u002Fenableapi?apiid=gmail.googleapis.com) | [Docs](https:\u002F\u002Fconsole.cloud.google.com\u002Fflows\u002Fenableapi?apiid=docs.googleapis.com) |\n   | [Sheets](https:\u002F\u002Fconsole.cloud.google.com\u002Fflows\u002Fenableapi?apiid=sheets.googleapis.com) | [Slides](https:\u002F\u002Fconsole.cloud.google.com\u002Fflows\u002Fenableapi?apiid=slides.googleapis.com) | [Forms](https:\u002F\u002Fconsole.cloud.google.com\u002Fflows\u002Fenableapi?apiid=forms.googleapis.com) | [Tasks](https:\u002F\u002Fconsole.cloud.google.com\u002Fflows\u002Fenableapi?apiid=tasks.googleapis.com) |\n   | [Chat](https:\u002F\u002Fconsole.cloud.google.com\u002Fflows\u002Fenableapi?apiid=chat.googleapis.com) | [People](https:\u002F\u002Fconsole.cloud.google.com\u002Fflows\u002Fenableapi?apiid=people.googleapis.com) | [Custom Search](https:\u002F\u002Fconsole.cloud.google.com\u002Fflows\u002Fenableapi?apiid=customsearch.googleapis.com) | [Apps Script](https:\u002F\u002Fconsole.cloud.google.com\u002Fflows\u002Fenableapi?apiid=script.googleapis.com) |\n\n4. **Set Credentials** — see [Environment Variable Reference](#quick-start) above, or:\n   ```bash\n   export GOOGLE_OAUTH_CLIENT_ID=\"your-client-id\"\n   export GOOGLE_OAUTH_CLIENT_SECRET=\"your-secret\"\n   ```\n   For public OAuth 2.1 PKCE clients, omit `GOOGLE_OAUTH_CLIENT_SECRET` and set `FASTMCP_SERVER_AUTH_GOOGLE_JWT_SIGNING_KEY` instead.\n\n\u003Csub>[Full OAuth documentation →](https:\u002F\u002Fdevelopers.google.com\u002Fworkspace\u002Fguides\u002Fauth-overview) · [Credential setup details →](#-credential-configuration)\u003C\u002Fsub>\n\n\u003C\u002Fdetails>\n\n### Google Custom Search Setup\n\n\u003Cdetails open>\n\u003Csummary>◆ \u003Cb>Custom Search Configuration\u003C\u002Fb> \u003Csub>\u003Csup>← Enable web search capabilities\u003C\u002Fsup>\u003C\u002Fsub>\u003C\u002Fsummary>\n\n\u003Ctable>\n\u003Ctr>\n\u003Ctd width=\"33%\" align=\"center\">\n\n**1. Create Search Engine**\n```text\nprogrammablesearchengine.google.com\n\u002Fcontrolpanel\u002Fcreate\n\n→ Configure sites or entire web\n→ Note your Engine ID (cx)\n```\n\u003Csub>[Open Control Panel →](https:\u002F\u002Fprogrammablesearchengine.google.com\u002Fcontrolpanel\u002Fcreate)\u003C\u002Fsub>\n\n\u003C\u002Ftd>\n\u003Ctd width=\"33%\" align=\"center\">\n\n**2. Get API Key**\n```text\ndevelopers.google.com\n\u002Fcustom-search\u002Fv1\u002Foverview\n\n→ Create\u002Fselect project\n→ Enable Custom Search API\n→ Create credentials (API Key)\n```\n\u003Csub>[Get API Key →](https:\u002F\u002Fdevelopers.google.com\u002Fcustom-search\u002Fv1\u002Foverview)\u003C\u002Fsub>\n\n\u003C\u002Ftd>\n\u003Ctd width=\"34%\" align=\"center\">\n\n**3. Set Variables**\n```bash\nexport GOOGLE_PSE_API_KEY=\\\n  \"your-api-key\"\nexport GOOGLE_PSE_ENGINE_ID=\\\n  \"your-engine-id\"\n```\n\u003Csub>Configure in environment\u003C\u002Fsub>\n\n\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd colspan=\"3\">\n\n\u003Cdetails open>\n\u003Csummary>≡ \u003Cb>Quick Setup Guide\u003C\u002Fb> \u003Csub>\u003Csup>← Step-by-step instructions\u003C\u002Fsup>\u003C\u002Fsub>\u003C\u002Fsummary>\n\n**Complete Setup Process:**\n\n1. **Create Search Engine** - Visit the [Control Panel](https:\u002F\u002Fprogrammablesearchengine.google.com\u002Fcontrolpanel\u002Fcreate)\n   - Choose \"Search the entire web\" or specify sites\n   - Copy the Search Engine ID (looks like: `017643444788157684527:6ivsjbpxpqw`)\n\n2. **Enable API & Get Key** - Visit [Google Developers Console](https:\u002F\u002Fconsole.cloud.google.com\u002F)\n   - Enable \"Custom Search API\" in your project\n   - Create credentials → API Key\n   - Restrict key to Custom Search API (recommended)\n\n3. **Configure Environment** - Add to your shell or `.env`:\n   ```bash\n   export GOOGLE_PSE_API_KEY=\"AIzaSy...\"\n   export GOOGLE_PSE_ENGINE_ID=\"01764344478...\"\n   ```\n\n≡ [Full Documentation →](https:\u002F\u002Fdevelopers.google.com\u002Fcustom-search\u002Fv1\u002Foverview)\n\n\u003C\u002Fdetails>\n\n\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003C\u002Ftable>\n\n\u003C\u002Fdetails>\n\n### Start the Server\n\n> **📌 Transport Mode Guidance**: Use **streamable HTTP mode** (`--transport streamable-http`) for all modern MCP clients including Claude Code, VS Code MCP, and MCP Inspector. For Claude Desktop, run an instance and connect via a [Connector](https:\u002F\u002Fworkspacemcp.com\u002Fquick-start). Stdio mode is a legacy fallback. For deployments, prefer OAuth 2.1 with stateless mode (`MCP_ENABLE_OAUTH21=true`, `WORKSPACE_MCP_STATELESS_MODE=true`) unless you need local attachment or credential storage.\n\n> **OAuth state safety**: Legacy stdio starts a local-only OAuth callback server. In single-user mode only, it may recover a missing Google `state` parameter by consuming the most recent pending local OAuth state. This fallback is intentionally disabled outside single-user mode because it can cross session boundaries. Do not enable or emulate this behavior in streamable HTTP, hosted, or multi-user deployments; those modes must require an explicit state match.\n\n\u003Cdetails open>\n\u003Csummary>▶ \u003Cb>Launch Commands\u003C\u002Fb> \u003Csub>\u003Csup>← Choose your startup mode\u003C\u002Fsup>\u003C\u002Fsub>\u003C\u002Fsummary>\n\n\u003Ctable>\n\u003Ctr>\n\u003Ctd width=\"33%\" align=\"center\">\n\n**▶ Legacy Mode**\n```bash\nuv run main.py\n```\n\u003Csub>⚠️ Stdio mode (incomplete MCP clients only)\u003C\u002Fsub>\n\n\u003C\u002Ftd>\n\u003Ctd width=\"33%\" align=\"center\">\n\n**◆ HTTP Mode (Recommended)**\n```bash\nuv run main.py \\\n  --transport streamable-http\n```\n\u003Csub>✅ Full MCP spec compliance & OAuth 2.1\u003C\u002Fsub>\n\n\u003C\u002Ftd>\n\u003Ctd width=\"34%\" align=\"center\">\n\n**@ Single User**\n```bash\nuv run main.py \\\n  --single-user\n```\n\u003Csub>Simplified authentication\u003C\u002Fsub>\n\u003Csub>⚠️ Cannot be used with OAuth 2.1 mode\u003C\u002Fsub>\n\n\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd colspan=\"3\">\n\n\u003Cdetails open>\n\u003Csummary>◆ \u003Cb>Advanced Options\u003C\u002Fb> \u003Csub>\u003Csup>← Tool selection, tiers & Docker\u003C\u002Fsup>\u003C\u002Fsub>\u003C\u002Fsummary>\n\n**▶ Selective Tool Loading**\n```bash\n# Load specific services only\nuv run main.py --tools gmail drive calendar\nuv run main.py --tools sheets docs\n\n# Combine with other flags\nuv run main.py --single-user --tools gmail\n```\n\n\n**🔒 Read-Only Mode**\n```bash\n# Requests only read-only scopes & disables write tools\nuv run main.py --read-only\n\n# Combine with specific tools or tiers\nuv run main.py --tools gmail drive --read-only\nuv run main.py --tool-tier core --read-only\n```\nRead-only mode provides secure, restricted access by:\n- Requesting only `*.readonly` OAuth scopes (e.g., `gmail.readonly`, `drive.readonly`)\n- Automatically filtering out tools that require write permissions at startup\n- Allowing read operations: list, get, search, and export across all services\n\n**🔐 Granular Permissions**\n```bash\n# Per-service permission levels\nuv run main.py --permissions gmail:organize drive:readonly\n\n# Combine permissions with tier filtering\nuv run main.py --permissions gmail:send drive:full --tool-tier core\n```\nGranular permissions mode provides service-by-service scope control:\n- Format: `service:level` (one entry per service)\n- Gmail levels: `readonly`, `organize`, `drafts`, `send`, `full` (cumulative)\n- Tasks levels: `readonly`, `manage`, `full` (cumulative; `manage` allows create\u002Fupdate\u002Fmove but denies `delete` and `clear_completed`)\n- Other services currently support: `readonly`, `full`\n- `--permissions` and `--read-only` are mutually exclusive\n- `--permissions` cannot be combined with `--tools`; enabled services are determined by the `--permissions` entries (optionally filtered by `--tool-tier`)\n- With `--tool-tier`, only tier-matched tools are enabled and only services that have tools in the selected tier are imported\n\nThe `WORKSPACE_MCP_TOOLS`, `WORKSPACE_MCP_TOOL_TIER`, `WORKSPACE_MCP_READ_ONLY`, and `WORKSPACE_MCP_PERMISSIONS` environment variables provide the same controls for plugin and container installs. Empty strings are ignored. Non-empty malformed values fail closed at startup. Explicit CLI flags take precedence over mutually exclusive env vars.\n\n**Advanced legacy stdio sidecar**\n```bash\n# Optional bridge only for local legacy stdio sessions\nWORKSPACE_MCP_HTTP_PORT=8001 uv run main.py\nworkspace-cli --url http:\u002F\u002F127.0.0.1:8001\u002Fmcp list\n```\nThe sidecar is disabled unless `WORKSPACE_MCP_HTTP_PORT` is set. It only exists to bridge local `workspace-cli` calls into a legacy stdio server. Do not use it for normal Claude Code, VS Code, hosted, or multi-user deployments; use streamable HTTP with OAuth 2.1 instead. When enabled, it validates ports in the `1..65535` range, binds to `127.0.0.1`, and logs a warning if the port is already in use while keeping stdio running.\n\n**★ Tool Tiers**\n```bash\nuv run main.py --tool-tier core      # ● Essential tools only\nuv run main.py --tool-tier extended  # ◐ Core + additional\nuv run main.py --tool-tier complete  # ○ All available tools\n```\n\n**◆ Docker Deployment**\n```bash\ndocker build -t workspace-mcp .\ndocker run -p 8000:8000 -v $(pwd):\u002Fapp \\\n  workspace-mcp --transport streamable-http\n\n# With tool selection via environment variables\ndocker run -e TOOL_TIER=core workspace-mcp\ndocker run -e TOOLS=\"gmail drive calendar\" workspace-mcp\n```\n\n**Available Services**: `gmail` • `drive` • `calendar` • `docs` • `sheets` • `forms` • `tasks` • `contacts` • `chat` • `search`\n\n\u003C\u002Fdetails>\n\n\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003C\u002Ftable>\n\n\u003C\u002Fdetails>\n\n### CLI\n\nThe `workspace-cli` command lists tools and calls them against a running server — with encrypted, disk-backed OAuth token caching so you only authenticate once. On first run it opens a browser for Google consent; subsequent runs reuse the cached tokens automatically.\n\nTokens are stored encrypted at `~\u002F.workspace-mcp\u002Fcli-tokens\u002F` using a Fernet key auto-generated at `~\u002F.workspace-mcp\u002F.cli-encryption-key`.\n\nTo use workspace-cli globally, you'll want to start in this repo and run `uv tool install .`\n\nOnce complete, you'll have workspace-cli available globally via `workspace-cli`\n\nNote: there is a public (but abandoned) pypi package with the same name - do not use uvx, as it will pull the wrong thing. \n\n\u003Cdetails open>\n\u003Csummary>▶ \u003Cb>workspace-cli Commands\u003C\u002Fb> \u003Csub>\u003Csup>← Persistent OAuth, no re-auth on every call\u003C\u002Fsup>\u003C\u002Fsub>\u003C\u002Fsummary>\n\n\u003Ctable>\n\u003Ctr>\n\u003Ctd width=\"50%\" align=\"center\">\n\n**▶ List Tools**\n```bash\nuv run workspace-cli list\nuv run workspace-cli --url https:\u002F\u002Fcustom.server\u002Fmcp list\n\n# Or, if installed globally:\nworkspace-cli list\nworkspace-cli --url https:\u002F\u002Fcustom.server\u002Fmcp list\n```\n\u003Csub>View all available tools\u003C\u002Fsub>\n\n\u003C\u002Ftd>\n\u003Ctd width=\"50%\" align=\"center\">\n\n**◆ Call a Tool**\n```bash\nuv run workspace-cli call search_gmail_messages \\\n  query=\"is:unread\" max_results=5\n```\n\u003Csub>Execute a tool with key=value arguments\u003C\u002Fsub>\n\n\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003C\u002Ftable>\n\nSet URL for remote endpoints with `--url` or the `WORKSPACE_MCP_URL` environment variable.\n\n\u003Cdetails open>\n\u003Csummary>≡ \u003Cb>Advanced: FastMCP CLI\u003C\u002Fb> \u003Csub>\u003Csup>← inspect, install, discover\u003C\u002Fsup>\u003C\u002Fsub>\u003C\u002Fsummary>\n\nThe upstream [FastMCP CLI](https:\u002F\u002Fgofastmcp.com\u002Fcli) is also bundled and provides additional commands for schema inspection, client installation, and editor discovery. Note that `fastmcp` uses in-memory token storage, so each invocation may re-trigger the OAuth flow.\n\n```bash\nfastmcp inspect fastmcp_server.py                        # print tools, resources, prompts\nfastmcp install claude-code fastmcp_server.py             # one-command client setup\nfastmcp install cursor fastmcp_server.py\nfastmcp discover                                          # find servers configured in editors\n```\n\nSee `fastmcp --help` or the [FastMCP CLI docs](https:\u002F\u002Fgofastmcp.com\u002Fcli) for the full command reference.\n\n\u003C\u002Fdetails>\n\n\u003C\u002Fdetails>\n\n### Tool Tiers\n\nThe server organizes tools into **three progressive tiers** for simplified deployment. Choose a tier that matches your usage needs and API quota requirements.\n\n\u003Ctable>\n\u003Ctr>\n\u003Ctd width=\"65%\" valign=\"top\">\n\n#### \u003Cspan style=\"color:#72898f\">Available Tiers\u003C\u002Fspan>\n\n**\u003Cspan style=\"color:#2d5b69\">●\u003C\u002Fspan> Core** (`--tool-tier core`)\nEssential tools for everyday tasks. Perfect for light usage with minimal API quotas. Includes search, read, create, and basic modify operations across all services.\n\n**\u003Cspan style=\"color:#72898f\">●\u003C\u002Fspan> Extended** (`--tool-tier extended`)\nCore functionality plus management tools. Adds labels, folders, batch operations, and advanced search. Ideal for regular usage with moderate API needs.\n\n**\u003Cspan style=\"color:#adbcbc\">●\u003C\u002Fspan> Complete** (`--tool-tier complete`)\nFull API access including comments, headers\u002Ffooters, publishing settings, and administrative functions. For power users needing maximum functionality.\n\n\u003C\u002Ftd>\n\u003Ctd width=\"35%\" valign=\"top\">\n\n#### \u003Cspan style=\"color:#72898f\">Important Notes\u003C\u002Fspan>\n\n\u003Cspan style=\"color:#72898f\">▶\u003C\u002Fspan> **Start with `core`** and upgrade as needed\n\u003Cspan style=\"color:#72898f\">▶\u003C\u002Fspan> **Tiers are cumulative** – each includes all previous\n\u003Cspan style=\"color:#72898f\">▶\u003C\u002Fspan> **Mix and match** with `--tools` for specific services\n\u003Cspan style=\"color:#72898f\">▶\u003C\u002Fspan> **Configuration** in `core\u002Ftool_tiers.yaml`\n\u003Cspan style=\"color:#72898f\">▶\u003C\u002Fspan> **Authentication** included in all tiers\n\n\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003C\u002Ftable>\n\n#### \u003Cspan style=\"color:#72898f\">Usage Examples\u003C\u002Fspan>\n\n```bash\n# Basic tier selection\nuv run main.py --tool-tier core                            # Start with essential tools only\nuv run main.py --tool-tier extended                        # Expand to include management features\nuv run main.py --tool-tier complete                        # Enable all available functionality\n\n# Selective service loading with tiers\nuv run main.py --tools gmail drive --tool-tier core        # Core tools for specific services\nuv run main.py --tools gmail --tool-tier extended          # Extended Gmail functionality only\nuv run main.py --tools docs sheets --tool-tier complete    # Full access to Docs and Sheets\n\n# Combine tier selection with granular permission levels\nuv run main.py --permissions gmail:organize drive:full --tool-tier core\n```\n\n## 📋 Credential Configuration\n\n\u003Cdetails open>\n\u003Csummary>🔑 \u003Cb>OAuth Credentials Setup\u003C\u002Fb> \u003Csub>\u003Csup>← Essential for all installations\u003C\u002Fsup>\u003C\u002Fsub>\u003C\u002Fsummary>\n\n\u003Ctable>\n\u003Ctr>\n\u003Ctd width=\"33%\" align=\"center\">\n\n**🚀 Environment Variables**\n```bash\nexport GOOGLE_OAUTH_CLIENT_ID=\\\n  \"your-client-id\"\nexport GOOGLE_OAUTH_CLIENT_SECRET=\\\n  \"your-secret\"\n```\n\u003Csub>Best for production\u003C\u002Fsub>\n\n\u003C\u002Ftd>\n\u003Ctd width=\"33%\" align=\"center\">\n\n**📁 File-based**\n```bash\n# Download & place in project root\nclient_secret.json\n\n# Or specify custom path\nexport GOOGLE_CLIENT_SECRET_PATH=\\\n  \u002Fpath\u002Fto\u002Fsecret.json\n```\n\u003Csub>Traditional method\u003C\u002Fsub>\n\n\u003C\u002Ftd>\n\u003Ctd width=\"34%\" align=\"center\">\n\n**⚡ .env File**\n```bash\ncp .env.oauth21 .env\n# Edit .env with credentials\n```\n\u003Csub>Best for development\u003C\u002Fsub>\n\n\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003Ctr>\n\u003Ctd colspan=\"3\">\n\n\u003Cdetails open>\n\u003Csummary>📖 \u003Cb>Credential Loading Details\u003C\u002Fb> \u003Csub>\u003Csup>← Understanding priority & best practices\u003C\u002Fsup>\u003C\u002Fsub>\u003C\u002Fsummary>\n\n**Loading Priority**\n1. Environment variables (`export VAR=value`)\n2. `.env` file in project root (warning - if you run via `uvx` rather than `uv run` from the repo directory, you are spawning a standalone process not associated with your clone of the repo and it will not find your .env file without specifying it directly)\n3. `client_secret.json` via `GOOGLE_CLIENT_SECRET_PATH`\n4. Default `client_secret.json` in project root\n\n**Why Environment Variables?**\n- ✅ **Docker\u002FK8s ready** - Native container support\n- ✅ **Cloud platforms** - Heroku, Railway, Vercel\n- ✅ **CI\u002FCD pipelines** - GitHub Actions, Jenkins\n- ✅ **No secrets in git** - Keep credentials secure\n- ✅ **Easy rotation** - Update without code changes\n\n\u003C\u002Fdetails>\n\n\u003C\u002Ftd>\n\u003C\u002Ftr>\n\u003C\u002Ftable>\n\n\u003C\u002Fdetails>\n\n---\n\n## 🧰 Available Tools\n\n> **Note**: All tools support automatic authentication via `@require_google_service()` decorators with 30-minute service caching.\n\n\u003Cdiv align=\"center\">\n\n> 📖 **Looking for detailed parameters?** Visit the **[Complete Documentation →](https:\u002F\u002Fworkspacemcp.com\u002Fdocs)** for comprehensive tool reference, examples, and API guides!\n\n\u003C\u002Fdiv>\n\n#### 📅 Google Calendar \u003Csub>[`calendar_tools.py`](gcalendar\u002Fcalendar_tools.py)\u003C\u002Fsub>\n\n| \u003Csub>Tool\u003C\u002Fsub> | \u003Csub>Tier\u003C\u002Fsub> | \u003Csub>Description\u003C\u002Fsub> |\n|------|------|-------------|\n| \u003Csub>`list_calendars`\u003C\u002Fsub> | \u003Csub>Core\u003C\u002Fsub> | \u003Csub>List accessible calendars\u003C\u002Fsub> |\n| \u003Csub>`get_events`\u003C\u002Fsub> | \u003Csub>Core\u003C\u002Fsub> | \u003Csub>Retrieve events with time range filtering\u003C\u002Fsub> |\n| \u003Csub>`manage_event`\u003C\u002Fsub> | \u003Csub>Core\u003C\u002Fsub> | \u003Csub>Create, update, or delete calendar events\u003C\u002Fsub> |\n| \u003Csub>`create_calendar`\u003C\u002Fsub> | \u003Csub>Extended\u003C\u002Fsub> | \u003Csub>Create a new secondary Google Calendar\u003C\u002Fsub> |\n| \u003Csub>`query_freebusy`\u003C\u002Fsub> | \u003Csub>Extended\u003C\u002Fsub> | \u003Csub>Query free\u002Fbusy information for calendars\u003C\u002Fsub> |\n| \u003Csub>`manage_out_of_office`\u003C\u002Fsub> | \u003Csub>Extended\u003C\u002Fsub> | \u003Csub>Create, list, update, or delete Out of Office events\u003C\u002Fsub> |\n| \u003Csub>`manage_focus_time`\u003C\u002Fsub> | \u003Csub>Extended\u003C\u002Fsub> | \u003Csub>Create, list, update, or delete Focus Time events\u003C\u002Fsub> |\n\n#### 📁 Google Drive \u003Csub>[`drive_tools.py`](gdrive\u002Fdrive_tools.py)\u003C\u002Fsub>\n\n| \u003Csub>Tool\u003C\u002Fsub> | \u003Csub>Tier\u003C\u002Fsub> | \u003Csub>Description\u003C\u002Fsub> |\n|------|------|-------------|\n| \u003Csub>`search_drive_files`\u003C\u002Fsub> | \u003Csub>Core\u003C\u002Fsub> | \u003Csub>Search files with query syntax\u003C\u002Fsub> |\n| \u003Csub>`get_drive_file_content`\u003C\u002Fsub> | \u003Csub>Core\u003C\u002Fsub> | \u003Csub>Read file content (Office, PDF, image)\u003C\u002Fsub> |\n| \u003Csub>`get_drive_file_download_url`\u003C\u002Fsub> | \u003Csub>Core\u003C\u002Fsub> | \u003Csub>Download Drive files to local disk\u003C\u002Fsub> |\n| \u003Csub>`create_drive_file`\u003C\u002Fsub> | \u003Csub>Core\u003C\u002Fsub> | \u003Csub>Create files or fetch from URLs\u003C\u002Fsub> |\n| \u003Csub>`create_drive_folder`\u003C\u002Fsub> | \u003Csub>Core\u003C\u002Fsub> | \u003Csub>Create empty folders in Drive or shared drives\u003C\u002Fsub> |\n| \u003Csub>`import_to_google_doc`\u003C\u002Fsub> | \u003Csub>Core\u003C\u002Fsub> | \u003Csub>Import files (MD, DOCX, HTML, etc.) as Google Docs\u003C\u002Fsub> |\n| \u003Csub>`get_drive_shareable_link`\u003C\u002Fsub> | \u003Csub>Core\u003C\u002Fsub> | \u003Csub>Get shareable links for a file\u003C\u002Fsub> |\n| \u003Csub>`list_drive_items`\u003C\u002Fsub> | \u003Csub>Extended\u003C\u002Fsub> | \u003Csub>List folder contents or shared drives\u003C\u002Fsub> |\n| \u003Csub>`copy_drive_file`\u003C\u002Fsub> | \u003Csub>Extended\u003C\u002Fsub> | \u003Csub>Copy existing files (templates) with optional renaming\u003C\u002Fsub> |\n| \u003Csub>`update_drive_file`\u003C\u002Fsub> | \u003Csub>Extended\u003C\u002Fsub> | \u003Csub>Update file metadata, move between folders\u003C\u002Fsub> |\n| \u003Csub>`manage_drive_access`\u003C\u002Fsub> | \u003Csub>Extended\u003C\u002Fsub> | \u003Csub>Grant, update, revoke permissions, and transfer ownership\u003C\u002Fsub> |\n| \u003Csub>`set_drive_file_permissions`\u003C\u002Fsub> | \u003Csub>Extended\u003C\u002Fsub> | \u003Csub>Set link sharing and file-level sharing settings\u003C\u002Fsub> |\n| \u003Csub>`get_drive_file_permissions`\u003C\u002Fsub> | \u003Csub>Complete\u003C\u002Fsub> | \u003Csub>Get file metadata, parents, and permissions\u003C\u002Fsub> |\n| \u003Csub>`check_drive_file_public_access`\u003C\u002Fsub> | \u003Csub>Complete\u003C\u002Fsub> | \u003Csub>Check public sharing status\u003C\u002Fsub> |\n\n#### 📧 Gmail \u003Csub>[`gmail_tools.py`](gmail\u002Fgmail_tools.py)\u003C\u002Fsub>\n\n| \u003Csub>Tool\u003C\u002Fsub> | \u003Csub>Tier\u003C\u002Fsub> | \u003Csub>Description\u003C\u002Fsub> |\n|------|------|-------------|\n| \u003Csub>`search_gmail_messages`\u003C\u002Fsub> | \u003Csub>Core\u003C\u002Fsub> | \u003Csub>Search with Gmail operators\u003C\u002Fsub> |\n| \u003Csub>`get_gmail_message_content`\u003C\u002Fsub> | \u003Csub>Core\u003C\u002Fsub> | \u003Csub>Retrieve message content\u003C\u002Fsub> |\n| \u003Csub>`get_gmail_messages_content_batch`\u003C\u002Fsub> | \u003Csub>Core\u003C\u002Fsub> | \u003Csub>Batch retrieve message content\u003C\u002Fsub> |\n| \u003Csub>`send_gmail_message`\u003C\u002Fsub> | \u003Csub>Core\u003C\u002Fsub> | \u003Csub>Send emails\u003C\u002Fsub> |\n| \u003Csub>`get_gmail_thread_content`\u003C\u002Fsub> | \u003Csub>Extended\u003C\u002Fsub> | \u003Csub>Get full thread content\u003C\u002Fsub> |\n| \u003Csub>`modify_gmail_message_labels`\u003C\u002Fsub> | \u003Csub>Extended\u003C\u002Fsub> | \u003Csub>Modify message labels\u003C\u002Fsub> |\n| \u003Csub>`list_gmail_labels`\u003C\u002Fsub> | \u003Csub>Extended\u003C\u002Fsub> | \u003Csub>List available labels\u003C\u002Fsub> |\n| \u003Csub>`list_gmail_filters`\u003C\u002Fsub> | \u003Csub>Extended\u003C\u002Fsub> | \u003Csub>List Gmail filters\u003C\u002Fsub> |\n| \u003Csub>`manage_gmail_label`\u003C\u002Fsub> | \u003Csub>Extended\u003C\u002Fsub> | \u003Csub>Create\u002Fupdate\u002Fdelete labels\u003C\u002Fsub> |\n| \u003Csub>`manage_gmail_filter`\u003C\u002Fsub> | \u003Csub>Extended\u003C\u002Fsub> | \u003Csub>Create or delete Gmail filters\u003C\u002Fsub> |\n| \u003Csub>`draft_gmail_message`\u003C\u002Fsub> | \u003Csub>Extended\u003C\u002Fsub> | \u003Csub>Create drafts\u003C\u002Fsub> |\n| \u003Csub>`get_gmail_threads_content_batch`\u003C\u002Fsub> | \u003Csub>Complete\u003C\u002Fsub> | \u003Csub>Batch retrieve thread content\u003C\u002Fsub> |\n| \u003Csub>`batch_modify_gmail_message_labels`\u003C\u002Fsub> | \u003Csub>Complete\u003C\u002Fsub> | \u003Csub>Batch modify labels\u003C\u002Fsub> |\n| \u003Csub>`start_google_auth`\u003C\u002Fsub> | \u003Csub>Complete\u003C\u002Fsub> | \u003Csub>Legacy OAuth 2.0 auth (disabled when OAuth 2.1 is enabled)\u003C\u002Fsub> |\n\n\u003Cdetails open>\n\u003Csummary>\u003Cb>📎 Email Attachments\u003C\u002Fb> \u003Csub>\u003Csup>← Send emails with files\u003C\u002Fsup>\u003C\u002Fsub>\u003C\u002Fsummary>\n\nBoth `send_gmail_message` and `draft_gmail_message` support attachments via two methods:\n\n**Option 1: File Path** (local server only)\n```python\nattachments=[{\"path\": \"\u002Fpath\u002Fto\u002Freport.pdf\"}]\n```\nReads file from disk, auto-detects MIME type. Optional `filename` override.\n\n**Option 2: Base64 Content** (works everywhere)\n```python\nattachments=[{\n    \"filename\": \"report.pdf\",\n    \"content\": \"JVBERi0xLjQK...\",  # base64-encoded\n    \"mime_type\": \"application\u002Fpdf\"   # optional\n}]\n```\n\n**⚠️ Centrally Hosted Servers**: When the MCP server runs remotely (cloud, shared instance), it cannot access your local filesystem. Use **Option 2** with base64-encoded content. Your MCP client must encode files before sending.\n\n\u003C\u002Fdetails>\n\n\u003Cdetails open>\n\u003Csummary>\u003Cb>📥 Downloaded Attachment Storage\u003C\u002Fb> \u003Csub>\u003Csup>← Where downloaded files are saved\u003C\u002Fsup>\u003C\u002Fsub>\u003C\u002Fsummary>\n\nWhen downloading Gmail attachments (`get_gmail_attachment_content`) or Drive files (`get_drive_file_download_url`), files are saved to a persistent local directory rather than a temporary folder in the working directory.\n\n**Default location:** `~\u002F.workspace-mcp\u002Fattachments\u002F`\n\nFiles are saved with their original filename plus a short UUID suffix for uniqueness (e.g., `invoice_a1b2c3d4.pdf`). In **stdio mode**, the tool returns the absolute file path for direct filesystem access. In **HTTP mode**, it returns a download URL via the `\u002Fattachments\u002F{file_id}` endpoint.\n\nTo customize the storage directory:\n```bash\nexport WORKSPACE_ATTACHMENT_DIR=\"\u002Fpath\u002Fto\u002Fcustom\u002Fdir\"\n```\n\nSaved files expire after 1 hour and are cleaned up automatically.\n\n\u003C\u002Fdetails>\n\n#### 📝 Google Docs \u003Csub>[`docs_tools.py`](gdocs\u002Fdocs_tools.py)\u003C\u002Fsub>\n\n| \u003Csub>Tool\u003C\u002Fsub> | \u003Csub>Tier\u003C\u002Fsub> | \u003Csub>Description\u003C\u002Fsub> |\n|------|------|-------------|\n| \u003Csub>`get_doc_content`\u003C\u002Fsub> | \u003Csub>Core\u003C\u002Fsub> | \u003Csub>Extract document text\u003C\u002Fsub> |\n| \u003Csub>`create_doc`\u003C\u002Fsub> | \u003Csub>Core\u003C\u002Fsub> | \u003Csub>Create new documents\u003C\u002Fsub> |\n| \u003Csub>`modify_doc_text`\u003C\u002Fsub> | \u003Csub>Core\u003C\u002Fsub> | \u003Csub>Insert, replace, and richly format text with tab\u002Fsegment targeting, append-to-segment support, advanced typography, and link management\u003C\u002Fsub> |\n| \u003Csub>`search_docs`\u003C\u002Fsub> | \u003Csub>Extended\u003C\u002Fsub> | \u003Csub>Find documents by name\u003C\u002Fsub> |\n| \u003Csub>`find_and_replace_doc`\u003C\u002Fsub> | \u003Csub>Extended\u003C\u002Fsub> | \u003Csub>Find and replace text\u003C\u002Fsub> |\n| \u003Csub>`list_docs_in_folder`\u003C\u002Fsub> | \u003Csub>Extended\u003C\u002Fsub> | \u003Csub>List docs in folder\u003C\u002Fsub> |\n| \u003Csub>`insert_doc_elements`\u003C\u002Fsub> | \u003Csub>Extended\u003C\u002Fsub> | \u003Csub>Add tables, lists, page breaks\u003C\u002Fsub> |\n| \u003Csub>`update_paragraph_style`\u003C\u002Fsub> | \u003Csub>Extended\u003C\u002Fsub> | \u003Csub>Apply advanced paragraph styling including headings, spacing, direction, pagination controls, shading, and bulleted\u002Fnumbered\u002Fcheckbox lists with nesting\u003C\u002Fsub> |\n| \u003Csub>`get_doc_as_markdown`\u003C\u002Fsub> | \u003Csub>Extended\u003C\u002Fsub> | \u003Csub>Export document as formatted Markdown with optional comments\u003C\u002Fsub> |\n| \u003Csub>`insert_doc_image`\u003C\u002Fsub> | \u003Csub>Complete\u003C\u002Fsub> | \u003Csub>Insert images from Drive\u002FURLs\u003C\u002Fsub> |\n| \u003Csub>`update_doc_headers_footers`\u003C\u002Fsub> | \u003Csub>Complete\u003C\u002Fsub> | \u003Csub>Create or update headers and footers with correct segment-aware writes\u003C\u002Fsub> |\n| \u003Csub>`batch_update_doc`\u003C\u002Fsub> | \u003Csub>Complete\u003C\u002Fsub> | \u003Csub>Execute atomic multi-step Docs API operations including named ranges, section breaks, document\u002Fsection layout, header\u002Ffooter creation, segment-aware inserts, images, tables, and rich formatting\u003C\u002Fsub> |\n| \u003Csub>`inspect_doc_structure`\u003C\u002Fsub> | \u003Csub>Complete\u003C\u002Fsub> | \u003Csub>Analyze document structure, including safe insertion points, tables, section breaks, headers\u002Ffooters, and named ranges\u003C\u002Fsub> |\n| \u003Csub>`export_doc_to_pdf`\u003C\u002Fsub> | \u003Csub>Extended\u003C\u002Fsub> | \u003Csub>Export document to PDF\u003C\u002Fsub> |\n| \u003Csub>`create_table_with_data`\u003C\u002Fsub> | \u003Csub>Complete\u003C\u002Fsub> | \u003Csub>Create data tables\u003C\u002Fsub> |\n| \u003Csub>`debug_table_structure`\u003C\u002Fsub> | \u003Csub>Complete\u003C\u002Fsub> | \u003Csub>Debug table issues\u003C\u002Fsub> |\n| \u003Csub>`list_document_comments`\u003C\u002Fsub> | \u003Csub>Complete\u003C\u002Fsub> | \u003Csub>List all document comments\u003C\u002Fsub> |\n| \u003Csub>`manage_document_comment`\u003C\u002Fsub> | \u003Csub>Complete\u003C\u002Fsub> | \u003Csub>Create, reply to, or resolve comments\u003C\u002Fsub> |\n| \u003Csub>`manage_doc_tab`\u003C\u002Fsub> | \u003Csub>Complete\u003C\u002Fsub> | \u003Csub>Create, rename, delete, or populate tabs from markdown\u003C\u002Fsub> |\n\n#### 📊 Google Sheets \u003Csub>[`sheets_tools.py`](gsheets\u002Fsheets_tools.py)\u003C\u002Fsub>\n\n| \u003Csub>Tool\u003C\u002Fsub> | \u003Csub>Tier\u003C\u002Fsub> | \u003Csub>Description\u003C\u002Fsub> |\n|------|------|-------------|\n| \u003Csub>`read_sheet_values`\u003C\u002Fsub> | \u003Csub>Core\u003C\u002Fsub> | \u003Csub>Read cell ranges\u003C\u002Fsub> |\n| \u003Csub>`modify_sheet_values`\u003C\u002Fsub> | \u003Csub>Core\u003C\u002Fsub> | \u003Csub>Write\u002Fupdate\u002Fclear cells\u003C\u002Fsub> |\n| \u003Csub>`create_spreadsheet`\u003C\u002Fsub> | \u003Csub>Core\u003C\u002Fsub> | \u003Csub>Create new spreadsheets\u003C\u002Fsub> |\n| \u003Csub>`list_spreadsheets`\u003C\u002Fsub> | \u003Csub>Extended\u003C\u002Fsub> | \u003Csub>List accessible spreadsheets\u003C\u002Fsub> |\n| \u003Csub>`get_spreadsheet_info`\u003C\u002Fsub> | \u003Csub>Extended\u003C\u002Fsub> | \u003Csub>Get spreadsheet metadata\u003C\u002Fsub> |\n| \u003Csub>`format_sheet_range`\u003C\u002Fsub> | \u003Csub>Extended\u003C\u002Fsub> | \u003Csub>Apply colors, number formats, text wrapping, alignment, bold\u002Fitalic, font size\u003C\u002Fsub> |\n| \u003Csub>`list_sheet_tables`\u003C\u002Fsub> | \u003Csub>Extended\u003C\u002Fsub> | \u003Csub>List structured tables with IDs, names, ranges, and columns\u003C\u002Fsub> |\n| \u003Csub>`create_sheet`\u003C\u002Fsub> | \u003Csub>Complete\u003C\u002Fsub> | \u003Csub>Add sheets to existing files\u003C\u002Fsub> |\n| \u003Csub>`move_sheet_rows`\u003C\u002Fsub> | \u003Csub>Complete\u003C\u002Fsub> | \u003Csub>Move rows between sheets within a spreadsheet\u003C\u002Fsub> |\n| \u003Csub>`append_table_rows`\u003C\u002Fsub> | \u003Csub>Complete\u003C\u002Fsub> | \u003Csub>Append rows to a structured table, auto-extending the table range\u003C\u002Fsub> |\n| \u003Csub>`list_spreadsheet_comments`\u003C\u002Fsub> | \u003Csub>Complete\u003C\u002Fsub> | \u003Csub>List all spreadsheet comments\u003C\u002Fsub> |\n| \u003Csub>`manage_spreadsheet_comment`\u003C\u002Fsub> | \u003Csub>Complete\u003C\u002Fsub> | \u003Csub>Create, reply to, or resolve comments\u003C\u002Fsub> |\n| \u003Csub>`manage_conditional_formatting`\u003C\u002Fsub> | \u003Csub>Complete\u003C\u002Fsub> | \u003Csub>Add, update, or delete conditional formatting rules\u003C\u002Fsub> |\n\n#### 🖼️ Google Slides \u003Csub>[`slides_tools.py`](gslides\u002Fslides_tools.py)\u003C\u002Fsub>\n\n| \u003Csub>Tool\u003C\u002Fsub> | \u003Csub>Tier\u003C\u002Fsub> | \u003Csub>Description\u003C\u002Fsub> |\n|------|------|-------------|\n| \u003Csub>`create_presentation`\u003C\u002Fsub> | \u003Csub>Core\u003C\u002Fsub> | \u003Csub>Create new presentations\u003C\u002Fsub> |\n| \u003Csub>`get_presentation`\u003C\u002Fsub> | \u003Csub>Core\u003C\u002Fsub> | \u003Csub>Retrieve presentation details\u003C\u002Fsub> |\n| \u003Csub>`batch_update_presentation`\u003C\u002Fsub> | \u003Csub>Extended\u003C\u002Fsub> | \u003Csub>Apply multiple updates\u003C\u002Fsub> |\n| \u003Csub>`get_page`\u003C\u002Fsub> | \u003Csub>Extended\u003C\u002Fsub> | \u003Csub>Get specific slide information\u003C\u002Fsub> |\n| \u003Csub>`get_page_thumbnail`\u003C\u002Fsub> | \u003Csub>Extended\u003C\u002Fsub> | \u003Csub>Generate slide thumbnails\u003C\u002Fsub> |\n| \u003Csub>`list_presentation_comments`\u003C\u002Fsub> | \u003Csub>Complete\u003C\u002Fsub> | \u003Csub>List all presentation comments\u003C\u002Fsub> |\n| \u003Csub>`manage_presentation_comment`\u003C\u002Fsub> | \u003Csub>Complete\u003C\u002Fsub> | \u003Csub>Create, reply to, or resolve comments\u003C\u002Fsub> |\n\n#### 📋 Google Forms \u003Csub>[`forms_tools.py`](gforms\u002Fforms_tools.py)\u003C\u002Fsub>\n\n| \u003Csub>Tool\u003C\u002Fsub> | \u003Csub>Tier\u003C\u002Fsub> | \u003Csub>Description\u003C\u002Fsub> |\n|------|------|-------------|\n| \u003Csub>`create_form`\u003C\u002Fsub> | \u003Csub>Core\u003C\u002Fsub> | \u003Csub>Create new forms\u003C\u002Fsub> |\n| \u003Csub>`get_form`\u003C\u002Fsub> | \u003Csub>Core\u003C\u002Fsub> | \u003Csub>Retrieve form details & URLs\u003C\u002Fsub> |\n| \u003Csub>`set_publish_settings`\u003C\u002Fsub> | \u003Csub>Complete\u003C\u002Fsub> | \u003Csub>Configure form settings\u003C\u002Fsub> |\n| \u003Csub>`get_form_response`\u003C\u002Fsub> | \u003Csub>Complete\u003C\u002Fsub> | \u003Csub>Get individual responses\u003C\u002Fsub> |\n| \u003Csub>`list_form_responses`\u003C\u002Fsub> | \u003Csub>Extended\u003C\u002Fsub> | \u003Csub>List all responses with pagination\u003C\u002Fsub> |\n| \u003Csub>`batch_update_form`\u003C\u002Fsub> | \u003Csub>Complete\u003C\u002Fsub> | \u003Csub>Apply batch updates (questions, settings)\u003C\u002Fsub> |\n\n#### ✓ Google Tasks \u003Csub>[`tasks_tools.py`](gtasks\u002Ftasks_tools.py)\u003C\u002Fsub>\n\n| \u003Csub>Tool\u003C\u002Fsub> | \u003Csub>Tier\u003C\u002Fsub> | \u003Csub>Description\u003C\u002Fsub> |\n|------|------|-------------|\n| \u003Csub>`list_tasks`\u003C\u002Fsub> | \u003Csub>Core\u003C\u002Fsub> | \u003Csub>List tasks with filtering\u003C\u002Fsub> |\n| \u003Csub>`get_task`\u003C\u002Fsub> | \u003Csub>Core\u003C\u002Fsub> | \u003Csub>Retrieve task details\u003C\u002Fsub> |\n| \u003Csub>`manage_task`\u003C\u002Fsub> | \u003Csub>Core\u003C\u002Fsub> | \u003Csub>Create, update, delete, or move tasks\u003C\u002Fsub> |\n| \u003Csub>`list_task_lists`\u003C\u002Fsub> | \u003Csub>Complete\u003C\u002Fsub> | \u003Csub>List task lists\u003C\u002Fsub> |\n| \u003Csub>`get_task_list`\u003C\u002Fsub> | \u003Csub>Complete\u003C\u002Fsub> | \u003Csub>Get task list details\u003C\u002Fsub> |\n| \u003Csub>`manage_task_list`\u003C\u002Fsub> | \u003Csub>Complete\u003C\u002Fsub> | \u003Csub>Create, update, delete task lists, or clear completed tasks\u003C\u002Fsub> |\n\n#### 👤 Google Contacts \u003Csub>[`contacts_tools.py`](gcontacts\u002Fcontacts_tools.py)\u003C\u002Fsub>\n\n| \u003Csub>Tool\u003C\u002Fsub> | \u003Csub>Tier\u003C\u002Fsub> | \u003Csub>Description\u003C\u002Fsub> |\n|------|------|-------------|\n| \u003Csub>`search_contacts`\u003C\u002Fsub> | \u003Csub>Core\u003C\u002Fsub> | \u003Csub>Search contacts by name, email, phone\u003C\u002Fsub> |\n| \u003Csub>`get_contact`\u003C\u002Fsub> | \u003Csub>Core\u003C\u002Fsub> | \u003Csub>Retrieve detailed contact info\u003C\u002Fsub> |\n| \u003Csub>`list_contacts`\u003C\u002Fsub> | \u003Csub>Core\u003C\u002Fsub> | \u003Csub>List contacts with pagination\u003C\u002Fsub> |\n| \u003Csub>`manage_contact`\u003C\u002Fsub> | \u003Csub>Core\u003C\u002Fsub> | \u003Csub>Create, update, or delete contacts\u003C\u002Fsub> |\n| \u003Csub>`list_contact_groups`\u003C\u002Fsub> | \u003Csub>Extended\u003C\u002Fsub> | \u003Csub>List contact groups\u002Flabels\u003C\u002Fsub> |\n| \u003Csub>`get_contact_group`\u003C\u002Fsub> | \u003Csub>Extended\u003C\u002Fsub> | \u003Csub>Get group details with members\u003C\u002Fsub> |\n| \u003Csub>`manage_contacts_batch`\u003C\u002Fsub> | \u003Csub>Complete\u003C\u002Fsub> | \u003Csub>Batch create, update, or delete contacts\u003C\u002Fsub> |\n| \u003Csub>`manage_contact_group`\u003C\u002Fsub> | \u003Csub>Complete\u003C\u002Fsub> | \u003Csub>Create, update, delete groups, or modify membership\u003C\u002Fsub> |\n\n#### 💬 Google Chat \u003Csub>[`chat_tools.py`](gchat\u002Fchat_tools.py)\u003C\u002Fsub>\n\n| \u003Csub>Tool\u003C\u002Fsub> | \u003Csub>Tier\u003C\u002Fsub> | \u003Csub>Description\u003C\u002Fsub> |\n|------|------|-------------|\n| \u003Csub>`list_spaces`\u003C\u002Fsub> | \u003Csub>Extended\u003C\u002Fsub> | \u003Csub>List chat spaces\u002Frooms\u003C\u002Fsub> |\n| \u003Csub>`get_messages`\u003C\u002Fsub> | \u003Csub>Core\u003C\u002Fsub> | \u003Csub>Retrieve space messages\u003C\u002Fsub> |\n| \u003Csub>`send_message`\u003C\u002Fsub> | \u003Csub>Core\u003C\u002Fsub> | \u003Csub>Send messages to spaces\u003C\u002Fsub> |\n| \u003Csub>`search_messages`\u003C\u002Fsub> | \u003Csub>Core\u003C\u002Fsub> | \u003Csub>Search across chat history\u003C\u002Fsub> |\n| \u003Csub>`create_reaction`\u003C\u002Fsub> | \u003Csub>Core\u003C\u002Fsub> | \u003Csub>Add emoji reaction to a message\u003C\u002Fsub> |\n| \u003Csub>`download_chat_attachment`\u003C\u002Fsub> | \u003Csub>Extended\u003C\u002Fsub> | \u003Csub>Download attachment from a chat message\u003C\u002Fsub> |\n\n#### 🔍 Google Custom Search \u003Csub>[`search_tools.py`](gsearch\u002Fsearch_tools.py)\u003C\u002Fsub>\n\n| \u003Csub>Tool\u003C\u002Fsub> | \u003Csub>Tier\u003C\u002Fsub> | \u003Csub>Description\u003C\u002Fsub> |\n|------|------|-------------|\n| \u003Csub>`search_custom`\u003C\u002Fsub> | \u003Csub>Core\u003C\u002Fsub> | \u003Csub>Perform web searches (supports site restrictions via sites parameter)\u003C\u002Fsub> |\n| \u003Csub>`get_search_engine_info`\u003C\u002Fsub> | \u003Csub>Complete\u003C\u002Fsub> | \u003Csub>Retrieve search engine metadata\u003C\u002Fsub> |\n\n#### ⚡ Google Apps Script \u003Csub>[`apps_script_tools.py`](gappsscript\u002Fapps_script_tools.py)\u003C\u002Fsub>\n\n| \u003Csub>Tool\u003C\u002Fsub> | \u003Csub>Tier\u003C\u002Fsub> | \u003Csub>Description\u003C\u002Fsub> |\n|------|------|-------------|\n| \u003Csub>`list_script_projects`\u003C\u002Fsub> | \u003Csub>Core\u003C\u002Fsub> | \u003Csub>List accessible Apps Script projects\u003C\u002Fsub> |\n| \u003Csub>`get_script_project`\u003C\u002Fsub> | \u003Csub>Core\u003C\u002Fsub> | \u003Csub>Get complete project with all files\u003C\u002Fsub> |\n| \u003Csub>`get_script_content`\u003C\u002Fsub> | \u003Csub>Core\u003C\u002Fsub> | \u003Csub>Retrieve specific file content\u003C\u002Fsub> |\n| \u003Csub>`create_script_project`\u003C\u002Fsub> | \u003Csub>Core\u003C\u002Fsub> | \u003Csub>Create new standalone or bound project\u003C\u002Fsub> |\n| \u003Csub>`update_script_content`\u003C\u002Fsub> | \u003Csub>Core\u003C\u002Fsub> | \u003Csub>Update or create script files\u003C\u002Fsub> |\n| \u003Csub>`run_script_function`\u003C\u002Fsub> | \u003Csub>Core\u003C\u002Fsub> | \u003Csub>Execute function with parameters\u003C\u002Fsub> |\n| \u003Csub>`list_deployments`\u003C\u002Fsub> | \u003Csub>Extended\u003C\u002Fsub> | \u003Csub>List all project deployments\u003C\u002Fsub> |\n| \u003Csub>`manage_deployment`\u003C\u002Fsub> | \u003Csub>Extended\u003C\u002Fsub> | \u003Csub>Create, update, or delete script deployments\u003C\u002Fsub> |\n| \u003Csub>`list_script_processes`\u003C\u002Fsub> | \u003Csub>Extended\u003C\u002Fsub> | \u003Csub>View recent executions and status\u003C\u002Fsub> |\n\n\u003Csub>\n\n**Tool Tier Legend:**\u003Cbr>\n\u003Cspan style=\"color:#2d5b69\">●\u003C\u002Fspan> **Core** — Essential tools for basic functionality · Minimal API usage · Getting started\u003Cbr>\n\u003Cspan style=\"color:#72898f\">●\u003C\u002Fspan> **Extended** — Core + additional features · Regular usage · Expanded capabilities\u003Cbr>\n\u003Cspan style=\"color:#adbcbc\">●\u003C\u002Fspan> **Complete** — All available tools including advanced features · Power users · Full API access\n\n\u003C\u002Fsub>\n\n---\n\n### Connect to Claude Desktop\n\nThe recommended way to use Google Workspace MCP with Claude Desktop is to run a server instance and connect Claude to it via a **Connector**. This provides proper OAuth flow, multi-user support, and the best experience.\n\nSee the **[Quick Start Guide](https:\u002F\u002Fworkspacemcp.com\u002Fquick-start)** for setup instructions.\n\n\u003Cdetails>\n\u003Csummary>📝 \u003Cb>Legacy: Manual stdio configuration\u003C\u002Fb> \u003Csub>\u003Csup>← For clients without Connector support\u003C\u002Fsup>\u003C\u002Fsub>\u003C\u002Fsummary>\n\n> **⚠️ Note**: Stdio mode is a legacy fallback for clients that don't support Connectors. Prefer the Connector-based approach above.\n>\n> **OAuth callback caveat**: The legacy stdio callback path includes a local recovery fallback for rare Google redirects that omit the `state` parameter, but only when `--single-user` is active. That recovery can only be safe in a single-user local process; in HTTP or hosted multi-user scenarios it could consume another user's pending OAuth state. There is no environment variable to enable this globally.\n\n1. Open Claude Desktop Settings → Developer → Edit Config\n   - **macOS**: `~\u002FLibrary\u002FApplication Support\u002FClaude\u002Fclaude_desktop_config.json`\n   - **Windows**: `%APPDATA%\\Claude\\claude_desktop_config.json`\n\n2. Add the server configuration:\n```json\n{\n  \"mcpServers\": {\n    \"google_workspace\": {\n      \"command\": \"uvx\",\n      \"args\": [\"workspace-mcp\"],\n      \"env\": {\n        \"GOOGLE_OAUTH_CLIENT_ID\": \"your-client-id\",\n        \"GOOGLE_OAUTH_CLIENT_SECRET\": \"your-secret\",\n        \"OAUTHLIB_INSECURE_TRANSPORT\": \"1\"\n      }\n    }\n  }\n}\n```\n\u003C\u002Fdetails>\n\n### Connect to LM Studio\n\nAdd a new MCP server in LM Studio (Settings → MCP Servers) using the same JSON format:\n\n```json\n{\n  \"mcpServers\": {\n    \"google_workspace\": {\n      \"command\": \"uvx\",\n      \"args\": [\"workspace-mcp\"],\n      \"env\": {\n        \"GOOGLE_OAUTH_CLIENT_ID\": \"your-client-id\",\n        \"GOOGLE_OAUTH_CLIENT_SECRET\": \"your-secret\",\n        \"OAUTHLIB_INSECURE_TRANSPORT\": \"1\",\n      }\n    }\n  }\n}\n```\n\n\n### 2. Advanced \u002F Cross-Platform Installation\n\nIf you’re developing, deploying to servers, or using another MCP-capable client, keep reading.\n\n#### Instant CLI (uvx)\n\n\u003Cdetails open>\n\u003Csummary>⚡ \u003Cb>Quick Start with uvx\u003C\u002Fb> \u003Csub>\u003Csup>← No installation required!\u003C\u002Fsup>\u003C\u002Fsub>\u003C\u002Fsummary>\n\n```bash\n# Requires Python 3.10+ and uvx\n# First, set credentials (see Credential Configuration above)\nuvx workspace-mcp --tool-tier core  # or --tools gmail drive calendar\n```\n\n> **Note**: Configure [OAuth credentials](#credential-configuration) before running. Supports environment variables, `.env` file, or `client_secret.json`.\n\n\u003C\u002Fdetails>\n\n### Local Development Setup\n\n\u003Cdetails open>\n\u003Csummary>🛠️ \u003Cb>Developer Workflow\u003C\u002Fb> \u003Csub>\u003Csup>← Install deps, lint, and test\u003C\u002Fsup>\u003C\u002Fsub>\u003C\u002Fsummary>\n\n```bash\n# Install everything needed for linting, tests, and release tooling\nuv sync --group dev\n\n# Run the same linter that git hooks invoke automatically\nuv run ruff check .\n\n# Execute the full test suite (async fixtures require pytest-asyncio)\nuv run pytest\n```\n\n- `uv sync --group test` installs only the testing stack if you need a slimmer environment.\n- `uv run main.py --transport streamable-http` launches the server with your checked-out code for manual verification.\n- Ruff is part of the `dev` group because pre-push hooks call `ruff check` automatically—run it locally before committing to avoid hook failures.\n\n\u003C\u002Fdetails>\n\n### OAuth 2.1 Support (Multi-User Bearer Token Authentication)\n\nThe server includes OAuth 2.1 support for bearer token authentication, enabling multi-user session management. **OAuth 2.1 automatically reuses your existing `GOOGLE_OAUTH_CLIENT_ID` and, for confidential clients, `GOOGLE_OAUTH_CLIENT_SECRET` credentials** - no additional Google-side configuration needed. Public PKCE clients are also supported: if you omit `GOOGLE_OAUTH_CLIENT_SECRET`, set `FASTMCP_SERVER_AUTH_GOOGLE_JWT_SIGNING_KEY` explicitly.\n\n**When to use OAuth 2.1:**\n- Multiple users accessing the same MCP server instance\n- Need for bearer token authentication instead of passing user emails\n- Building web applications or APIs on top of the MCP server\n- Production environments requiring secure session management\n- Browser-based clients requiring CORS support\n\n**⚠️ Important: Mutually exclusive authentication modes**\n\nOAuth 2.1 mode (`MCP_ENABLE_OAUTH21=true`) cannot be used together with `--single-user` or service account mode:\n- **Single-user mode**: For legacy clients that pass user emails in tool calls\n- **OAuth 2.1 mode**: For modern multi-user scenarios with bearer token authentication\n- **Service account mode**: For headless\u002Fserver-to-server use via domain-wide delegation\n\nChoose one authentication method - combining incompatible modes will result in a startup error.\n\n**Enabling OAuth 2.1:**\nTo enable OAuth 2.1, set the `MCP_ENABLE_OAUTH21` environment variable to `true`.\n\n```bash\n# OAuth 2.1 requires HTTP transport mode\nexport MCP_ENABLE_OAUTH21=true\nuv run main.py --transport streamable-http\n```\n\nIf `MCP_ENABLE_OAUTH21` is not set to `true`, the server will use legacy authentication, which is suitable for clients that do not support OAuth 2.1.\n\n\u003Cdetails open>\n\u003Csummary>🔐 \u003Cb>How the FastMCP GoogleProvider handles OAuth\u003C\u002Fb> \u003Csub>\u003Csup>← Advanced OAuth 2.1 details\u003C\u002Fsup>\u003C\u002Fsub>\u003C\u002Fsummary>\n\nFastMCP ships a native `GoogleProvider` that we now rely on directly. It solves the two tricky parts of using Google OAuth with MCP clients:\n\n1.  **Dynamic Client Registration**: Google still doesn't support OAuth 2.1 DCR, but the FastMCP provider exposes the full DCR surface and forwards registrations to Google using your fixed credentials. MCP clients register as usual and the provider hands them your Google client ID and, when configured, client secret under the hood.\n\n2.  **CORS & Browser Compatibility**: The provider includes an OAuth proxy that serves all discovery, authorization, and token endpoints with proper CORS headers. We no longer maintain custom `\u002Foauth2\u002F*` routes—the provider handles the upstream exchanges securely and advertises the correct metadata to clients.\n\nThe result is a leaner server that still enables any OAuth 2.1 compliant client (including browser-based ones) to authenticate through Google without bespoke code.\n\n**Restricting DCR client redirect URIs:**\n\nBy default, any client going through Dynamic Client Registration can declare any `redirect_uri`. For publicly-exposed deployments, this is a phishing vector — an attacker can register a client with a `redirect_uri` they control and harvest authorization codes from tricked users. Set `WORKSPACE_MCP_ALLOWED_CLIENT_REDIRECT_URIS` to a comma-separated allowlist of permitted URIs:\n\n```bash\n# Public deployment — restrict to Claude's hosted OAuth callbacks\nexport WORKSPACE_MCP_ALLOWED_CLIENT_REDIRECT_URIS=\"https:\u002F\u002Fclaude.ai\u002Fapi\u002Fmcp\u002Fauth_callback,https:\u002F\u002Fclaude.com\u002Fapi\u002Fmcp\u002Fauth_callback\"\n\n# Add Claude Code CLI (loopback redirects on ephemeral ports)\nexport WORKSPACE_MCP_ALLOWED_CLIENT_REDIRECT_URIS=\"https:\u002F\u002Fclaude.ai\u002Fapi\u002Fmcp\u002Fauth_callback,https:\u002F\u002Fclaude.com\u002Fapi\u002Fmcp\u002Fauth_callback,http:\u002F\u002Flocalhost:*\u002Fcallback,http:\u002F\u002F127.0.0.1:*\u002Fcallback\"\n```\n\nPatterns use FastMCP's matcher: `*` wildcards any port or path component; `*.example.com` matches subdomains. Leaving the variable unset preserves the default DCR behaviour (any URI accepted), which is appropriate for local development but unsafe for public deployments.\n\n\u003C\u002Fdetails>\n\n### Stateless Mode (Container-Friendly)\n\nThe server supports a stateless mode designed for containerized environments where file system writes should be avoided:\n\n**Enabling Stateless Mode:**\n```bash\n# Stateless mode requires OAuth 2.1 to be enabled\nexport MCP_ENABLE_OAUTH21=true\nexport WORKSPACE_MCP_STATELESS_MODE=true\nuv run main.py --transport streamable-http\n```\n\n**Key Features:**\n- **No file system writes**: Credentials are never written to disk\n- **No debug logs**: File-based logging is completely disabled\n- **Memory-only sessions**: All tokens stored in memory via OAuth 2.1 session store\n- **Container-ready**: Perfect for Docker, Kubernetes, and serverless deployments\n- **Token per request**: Each request must include a valid Bearer token\n\n**Requirements:**\n- Must be used with `MCP_ENABLE_OAUTH21=true`\n- Incompatible with single-user mode\n- Clients must handle OAuth flow and send valid tokens with each request\n\nThis mode is ideal for:\n- Cloud deployments where persistent storage is unavailable\n- Multi-tenant environments requiring strict isolation\n- Containerized applications with read-only filesystems\n- Serverless functions and ephemeral compute environments\n\n**MCP Inspector**: No additional configuration needed with desktop OAuth client.\n\n**Claude Code**: No additional configuration needed with desktop OAuth client.\n\n### OAuth Proxy Storage Backends\n\nThe server supports pluggable storage backends for OAuth proxy state management via FastMCP 2.13.0+. Choose a backend based on your deployment needs.\n\n**Available Backends:**\n\n| Backend | Best For | Persistence | Multi-Server |\n|---------|----------|-------------|--------------|\n| Memory | Development, testing | ❌ | ❌ |\n| Disk | Single-server production | ✅ | ❌ |\n| Valkey\u002FRedis | Distributed production | ✅ | ✅ |\n\n**Configuration:**\n\n```bash\n# Memory storage (fast, no persistence)\nexport WORKSPACE_MCP_OAUTH_PROXY_STORAGE_BACKEND=memory\n\n# Disk storage (persists across restarts)\nexport WORKSPACE_MCP_OAUTH_PROXY_STORAGE_BACKEND=disk\nexport WORKSPACE_MCP_OAUTH_PROXY_DISK_DIRECTORY=~\u002F.fastmcp\u002Foauth-proxy\n\n# Valkey\u002FRedis storage (distributed, multi-server)\nexport WORKSPACE_MCP_OAUTH_PROXY_STORAGE_BACKEND=valkey\nexport WORKSPACE_MCP_OAUTH_PROXY_VALKEY_HOST=redis.example.com\nexport WORKSPACE_MCP_OAUTH_PROXY_VALKEY_PORT=6379\n```\n\n> Disk support requires `workspace-mcp[disk]` (or `py-key-value-aio[disk]`) when installing from source.\n> The official Docker image includes the `disk` extra by default.\n> Valkey support is optional. Install `workspace-mcp[valkey]` (or `py-key-value-aio[valkey]`) only if you enable the Valkey backend.\n> Windows: building `valkey-glide` from source requires MSVC C++ build tools with C11 support. If you see `aws-lc-sys` C11 errors, set `CFLAGS=\u002Fstd:c11`.\n\n\u003Cdetails open>\n\u003Csummary>🔐 \u003Cb>Valkey\u002FRedis Configuration Options\u003C\u002Fb>\u003C\u002Fsummary>\n\n| Variable | Default | Description |\n|----------|---------|-------------|\n| `WORKSPACE_MCP_OAUTH_PROXY_VALKEY_HOST` | localhost | Valkey\u002FRedis host |\n| `WORKSPACE_MCP_OAUTH_PROXY_VALKEY_PORT` | 6379 | Port (6380 auto-enables TLS) |\n| `WORKSPACE_MCP_OAUTH_PROXY_VALKEY_DB` | 0 | Database number |\n| `WORKSPACE_MCP_OAUTH_PROXY_VALKEY_USE_TLS` | auto | Enable TLS (auto if port 6380) |\n| `WORKSPACE_MCP_OAUTH_PROXY_VALKEY_USERNAME` | - | Authentication username |\n| `WORKSPACE_MCP_OAUTH_PROXY_VALKEY_PASSWORD` | - | Authentication password |\n| `WORKSPACE_MCP_OAUTH_PROXY_VALKEY_REQUEST_TIMEOUT_MS` | 5000 | Request timeout for remote hosts |\n| `WORKSPACE_MCP_OAUTH_PROXY_VALKEY_CONNECTION_TIMEOUT_MS` | 10000 | Connection timeout for remote hosts |\n\n**Encryption:** Disk and Valkey storage are encrypted with Fernet. The encryption key is derived from `FASTMCP_SERVER_AUTH_GOOGLE_JWT_SIGNING_KEY` if set, otherwise from `GOOGLE_OAUTH_CLIENT_SECRET`. Public OAuth 2.1 client setups without a client secret must set `FASTMCP_SERVER_AUTH_GOOGLE_JWT_SIGNING_KEY`.\n\n\u003C\u002Fdetails>\n\n### External OAuth 2.1 Provider Mode\n\nThe server supports an external OAuth 2.1 provider mode for scenarios where authentication is handled by an external system. In this mode, the MCP server does not manage the OAuth flow itself but expects valid bearer tokens in the Authorization header of tool calls.\n\n**Enabling External OAuth 2.1 Provider Mode:**\n```bash\n# External OAuth provider mode requires OAuth 2.1 to be enabled\nexport MCP_ENABLE_OAUTH21=true\nexport EXTERNAL_OAUTH21_PROVIDER=true\nuv run main.py --transport streamable-http\n```\n\n**How It Works:**\n- **Protocol-level auth enabled**: All MCP requests (including `initialize` and `tools\u002Flist`) require a valid Bearer token, following the standard OAuth 2.1 flow. Unauthenticated requests receive a `401` with resource metadata pointing to Google's authorization server.\n- **External OAuth flow**: Your external system handles the OAuth flow and obtains Google access tokens (`ya29.*`)\n- **Token validation**: Server validates bearer tokens by calling Google's userinfo API\n- **Multi-user support**: Each request is authenticated independently based on its bearer token\n- **Resource metadata discovery**: The server serves `\u002F.well-known\u002Foauth-protected-resource` (RFC 9728) advertising Google as the authorization server and the required scopes\n\n**Key Features:**\n- **No local OAuth flow**: Server does not provide `\u002Fauthorize`, `\u002Ftoken`, or `\u002Fregister` endpoints — only resource metadata\n- **Bearer token only**: All authentication via `Authorization: Bearer \u003Ctoken>` headers\n- **Stateless by design**: Works seamlessly with `WORKSPACE_MCP_STATELESS_MODE=true`\n- **External identity providers**: Integrate with your existing authentication infrastructure\n\n**Requirements:**\n- Must be used with `MCP_ENABLE_OAUTH21=true`\n- OAuth client ID still required for token validation; client secret is optional for public clients (`GOOGLE_OAUTH_CLIENT_ID`, optional `GOOGLE_OAUTH_CLIENT_SECRET`)\n- External system must obtain valid Google OAuth access tokens (ya29.*)\n- Each tool call request must include valid bearer token\n\n**Use Cases:**\n- Integrating with existing authentication systems\n- Custom OAuth flows managed by your application\n- API gateways that handle authentication upstream\n- Multi-tenant SaaS applications with centralized auth\n- Mobile or web apps with their own OAuth implementation\n\n\n### Service Account Mode (Domain-Wide Delegation)\n\n> **WARNING: This mode uses Google Workspace domain-wide delegation, which grants the service account the ability to impersonate any user in your domain for the configured scopes. This is powerful and dangerous — do not use this unless you fully understand the security implications. A misconfigured service account with broad scopes can read, modify, and delete data across every user in your organization. Only use this in tightly controlled environments where you know exactly what you're doing.**\n\nService account mode allows the server to authenticate using a Google Cloud service account with domain-wide delegation instead of interactive OAuth flows. The service account impersonates a single configured domain user for all API calls.\n\n**When to use service account mode:**\n- Headless or unattended environments where no browser is available for OAuth consent\n- Server-to-server integrations that need to act on behalf of a specific domain user\n- CI\u002FCD pipelines or automation scripts\n- Environments where you cannot or do not want to manage per-user OAuth tokens\n\n**Enabling Service Account Mode:**\n\n```bash\n# Option 1: Key file on disk\nexport GOOGLE_SERVICE_ACCOUNT_KEY_FILE=\"\u002Fpath\u002Fto\u002Fservice-account-key.json\"\nexport USER_GOOGLE_EMAIL=\"user@yourdomain.com\"\nuv run main.py\n\n# Option 2: Inline JSON key (e.g., from a secret manager)\nexport GOOGLE_SERVICE_ACCOUNT_KEY_JSON='{\"type\":\"service_account\",\"project_id\":\"...\",\"private_key\":\"...\",\"client_email\":\"...\"}'\nexport USER_GOOGLE_EMAIL=\"user@yourdomain.com\"\nuv run main.py\n```\n\n**Prerequisites:**\n1. A Google Cloud service account with a JSON key\n2. Domain-wide delegation enabled for the service account in your Google Workspace Admin Console (Security → API controls → Domain-wide delegation)\n3. The required OAuth scopes authorized for the service account's client ID in the Admin Console\n4. `USER_GOOGLE_EMAIL` set to the domain user the service account will impersonate\n\n**Incompatibilities:**\n- Cannot be combined with `--single-user` mode\n- Cannot be combined with `MCP_ENABLE_OAUTH21=true`\n- Only one key source may be provided — set either `GOOGLE_SERVICE_ACCOUNT_KEY_FILE` or `GOOGLE_SERVICE_ACCOUNT_KEY_JSON`, not both\n\n**Key Behaviors:**\n- The OAuth callback server is not started (no interactive auth needed)\n- Credentials directory permission checks are skipped\n- When a tool call supplies `user_google_email`, service account mode uses that email as the domain-wide delegation impersonation subject.\n- `USER_GOOGLE_EMAIL` is still required and serves as the fallback when no caller email is provided.\n- The service account key is validated at startup (checks for required fields and correct type)\n\n**Per-Request Impersonation:**\n\nThe caller-supplied `user_google_email` on each tool call is used as the DWD impersonation subject instead of the static `USER_GOOGLE_EMAIL`. This lets a single server instance act on behalf of multiple domain users.\n\n```bash\n# Optional: restrict which domains may be impersonated\nexport DWD_ALLOWED_DOMAINS=\"corp.com,subsidiary.io\"\n```\n\n- If `DWD_ALLOWED_DOMAINS` is set, only emails whose domain appears in the comma-separated list are accepted; all others raise an authentication error.\n- If `DWD_ALLOWED_DOMAINS` is unset, any email accepted by the service account's delegation scope is allowed.\n\n### VS Code MCP Client Support\n\n> **✅ Recommended**: VS Code MCP extension properly supports the full MCP specification. **Always use HTTP transport mode** for proper OAuth 2.1 authentication.\n\n\u003Cdetails open>\n\u003Csummary>🆚 \u003Cb>VS Code Configuration\u003C\u002Fb> \u003Csub>\u003Csup>← Setup for VS Code MCP extension\u003C\u002Fsup>\u003C\u002Fsub>\u003C\u002Fsummary>\n\n```json\n{\n    \"servers\": {\n        \"google-workspace\": {\n            \"url\": \"http:\u002F\u002Flocalhost:8000\u002Fmcp\u002F\",\n            \"type\": \"http\"\n        }\n    }\n}\n```\n\n*Note: Make sure to start the server with `--transport streamable-http` when using VS Code MCP.*\n\u003C\u002Fdetails>\n\n### Claude Code MCP Client Support\n\n> **✅ Recommended**: Claude Code is a modern MCP client that properly supports the full MCP specification. **Always use HTTP transport mode** with Claude Code for proper OAuth 2.1 authentication and multi-user support.\n\n\u003Cdetails open>\n\u003Csummary>🆚 \u003Cb>Claude Code Configuration\u003C\u002Fb> \u003Csub>\u003Csup>← Setup for Claude Code MCP support\u003C\u002Fsup>\u003C\u002Fsub>\u003C\u002Fsummary>\n\n```bash\n# Start the server in HTTP mode first\nuv run main.py --transport streamable-http\n\n# Then add to Claude Code\nclaude mcp add --transport http workspace-mcp http:\u002F\u002Flocalhost:8000\u002Fmcp\n\n# Optional: install the bundled Claude skill for better Workspace tool routing\nmkdir -p ~\u002F.claude\u002F","该项目通过AI技术实现了对Gmail、Google日历、文档、表格、幻灯片、聊天、表单、任务、搜索和云端硬盘等Google Workspace应用的全面控制。其核心功能包括自然语言处理能力，支持多种MCP客户端、AI助手及开发者工具，并提供了一个功能丰富的命令行界面。技术特点上，它基于Python 3.10+开发，采用OAuth 2.1进行多用户认证，支持无状态模式和外部认证服务器，确保了组织级部署的安全性和灵活性。适用于需要统一管理和自动化处理Google Workspace服务的企业或个人场景，特别是那些希望利用AI提升工作效率的情况。",2,"2026-06-11 03:42:16","high_star"]