Google Workspace Domain-Wide Delegation Setup

This guide will help you set up Domain-Wide Delegation of Authority so your service account can invite attendees to calendar events.

Prerequisites

  • Google Workspace Admin access
  • Google Cloud Console access
  • Service account already created and configured

Step 1: Enable Domain-Wide Delegation in Google Cloud Console

  1. Go to Google Cloud Console: https://console.cloud.google.com/
  2. Select your project (the one with your service account)
  3. Navigate to: IAM & Admin → Service Accounts
  4. Find your service account (the one you're using for the calendar API)
  5. Click on the service account to open its details
  6. Go to the "Details" tab
  7. Click "Show domain-wide delegation"
  8. Check "Enable Google Workspace Domain-wide Delegation"
  9. Note down the "Client ID" (you'll need this for the next step)

Step 2: Configure Domain-Wide Delegation in Google Workspace Admin

  1. Go to Google Workspace Admin Console: https://admin.google.com/
  2. Navigate to: Security → API Controls
  3. Click "Domain-wide delegation"
  4. Click "Add new"
  5. Enter the Client ID from Step 1
  6. Add OAuth Scopes (copy and paste these exactly):
    https://www.googleapis.com/auth/calendar,https://www.googleapis.com/auth/calendar.events,https://www.googleapis.com/auth/calendar.settings.readonly,https://www.googleapis.com/auth/calendar.freebusy
  7. Click "Authorize"

OAuth Scopes Explained:

  • calendar - Full calendar access (create, read, update, delete events)
  • calendar.events - Event management (create, update, delete events)
  • calendar.settings.readonly - Read calendar settings (working hours, timezone)
  • calendar.freebusy - Access free/busy information for availability checking

Note: Google Meet conference data is automatically included with the calendar scope - no separate conference scope is needed.

Step 3: Update Environment Variables

Make sure your .env.local file has the correct service account credentials and the target calendar:
GOOGLE_CLIENT_EMAIL=your-service-account@your-project.iam.gserviceaccount.com
GOOGLE_PRIVATE_KEY="-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----\n"
GOOGLE_CALENDAR_ID=carl@cascadiamarquee.com

Step 4: Test the Setup

  1. Restart your development server to pick up the new authentication
  2. Submit a test booking using your Gmail address
  3. Check the server logs for successful event creation
  4. Check your Google Calendar to verify:
    • Event appears with Google Meet link
    • Attendees are listed
    • You receive a calendar invite

Troubleshooting

Error: "Service accounts cannot invite attendees without Domain-Wide Delegation of Authority"

  • Verify that Domain-Wide Delegation is enabled in Google Cloud Console
  • Verify that the Client ID is correctly added in Google Workspace Admin
  • Verify that the OAuth scopes are exactly as specified above
  • Make sure you're using the correct Google Workspace admin email in the subject field (the Workspace user the service account impersonates)

Error: "Insufficient Permission"

  • Verify that the service account has the correct scopes
  • Verify that the Google Workspace admin email is correct
  • Check that the service account has access to the calendar
  • Verify that conferenceDataVersion: 1 is included in the API call
  • Check that the conferenceData object is properly formatted
  • Ensure the calendar supports Google Meet (most Google Workspace calendars do)
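The moving parts from Steps 2 and 3 and the troubleshooting items above, as an added example that is not the guide's own code: a Node.js snippet (assumed, since the project uses .env.local) that normalises the private key from .env.local, prepares the options for a googleapis JWT client that impersonates the Workspace user named in subject, checks an authorized scope list against the required one, and builds the events.insert request with conferenceDataVersion: 1. The function names and sample values are our own, and the googleapis client itself is never called, so the snippet runs offline.

```javascript
// Added example, not the guide's own code: helpers that prepare delegated
// auth options and the events.insert request, with no network calls.
// The exact scope list from Step 2, split into individual scopes.
const REQUIRED_SCOPES = [
  'https://www.googleapis.com/auth/calendar',
  'https://www.googleapis.com/auth/calendar.events',
  'https://www.googleapis.com/auth/calendar.settings.readonly',
  'https://www.googleapis.com/auth/calendar.freebusy',
];

// Scopes the app needs that are absent from the comma-separated list that was
// authorized in the Admin Console; any hit here surfaces as "Insufficient Permission".
function missingScopes(authorizedScopeList) {
  const have = new Set(authorizedScopeList.split(',').map((s) => s.trim()));
  return REQUIRED_SCOPES.filter((s) => !have.has(s));
}

// Options for a JWT client that impersonates a Workspace user (`subject`).
// .env.local stores the key with literal "\n" sequences, which must become
// real newlines before the PEM parses. Without `subject`, the API rejects
// attendees with the "Service accounts cannot invite attendees" error.
function buildAuthOptions(env, subject) {
  if (!env.GOOGLE_CLIENT_EMAIL || !env.GOOGLE_PRIVATE_KEY) {
    throw new Error('GOOGLE_CLIENT_EMAIL and GOOGLE_PRIVATE_KEY are required');
  }
  return {
    email: env.GOOGLE_CLIENT_EMAIL,
    key: env.GOOGLE_PRIVATE_KEY.replace(/\\n/g, '\n'),
    scopes: REQUIRED_SCOPES,
    subject,
  };
}

// events.insert parameters: conferenceDataVersion: 1 is required for the
// Meet createRequest to be honoured; sendUpdates: 'all' mails the invites.
function buildEventRequest(calendarId, { summary, start, end, timeZone, attendees, requestId }) {
  return {
    calendarId,
    conferenceDataVersion: 1,
    sendUpdates: 'all',
    requestBody: {
      summary,
      start: { dateTime: start, timeZone },
      end: { dateTime: end, timeZone },
      attendees: attendees.map((email) => ({ email })),
      conferenceData: { createRequest: { requestId, conferenceSolutionKey: { type: 'hangoutsMeet' } } },
    },
  };
}
```

The object returned by buildAuthOptions is what you would pass to new google.auth.JWT(...) from the googleapis package, and the object from buildEventRequest goes to calendar.events.insert(...).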

Security Notes

  • Domain-Wide Delegation lets the service account act as any user in your Google Workspace within the authorized scopes, so its private key is as sensitive as an admin credential
  • Only enable this for trusted service accounts
  • Regularly review and audit the delegated Client IDs and their scopes in the Admin Console
  • Grant only the scopes the integration actually uses; broader scopes than needed widen the impact of a leaked key

What This Enables

With Domain-Wide Delegation properly configured, your service account can:
  • ✅ Create calendar events with attendees
  • ✅ Send automatic calendar invites
  • ✅ Generate Google Meet links
  • ✅ Access shared calendars
  • ✅ Manage event permissions

Next Steps

Once setup is complete:
  1. Test with a real booking
  2. Verify calendar invites are received
  3. Confirm Google Meet links work
  4. Remove debug logging for production
  5. Re-enable email domain restrictions if desired