← Back to setup

Frequently Asked Questions

Start here — this covers everything you need to get up and running.

Getting Started

What do I need to get started with Workspace MCP Cloud?

You'll need to decide on three things during onboarding:

  1. OAuth Client: Use your own internal client ID and client secret, or use the central/shared one. If you're in a corporate Google Workspace environment, an internal client ID is recommended — certain workspace-specific features like Google Chat spaces require your own app.
  2. Access Model: Choose between an allowlist model (only specific email addresses can sign in) or open access to all addresses.
  3. Endpoint: You can get a custom subdomain (e.g., yourcompany.workspacemcp.com) or use the standard endpoint.

How do I submit my OAuth client ID and secret?

Submit them securely at https://workspacemcp.com/welcome. It's a one-way submission to an encrypted database that is purged after your instance is configured.

What is my MCP server endpoint URL?

Your endpoint follows the pattern: https://yoursubdomain.workspacemcp.com/mcp if you chose a custom endpoint. If you selected central, your address will be https://mcp.workspacemcp.com/mcp — custom client ID is not supported for this model.

OAuth & Google Cloud Setup

What OAuth client type should I use — Desktop or Web Application?

You must use "Web Application" type. This is the single most common mistake new users make. The Desktop application type is only appropriate for local/self-hosted instances where you're running it directly in Claude Code via stdio. Because Workspace MCP Cloud is a hosted remote server, it requires the Web Application client type.

If you accidentally created a Desktop type client, you'll need to recreate it as Web Application and resubmit your credentials.

What do I put for Authorized JavaScript Origins and Authorized Redirect URIs?

For a hosted Workspace MCP Cloud deployment, configure your Google Cloud Web Application client like this:

  • Authorized JavaScript Origins: https://yoursubdomain.workspacemcp.com
  • Authorized Redirect URIs: https://yoursubdomain.workspacemcp.com/oauth2callback

Replace yoursubdomain with your actual subdomain. If you are also testing a browser client locally, you can add http://localhost:8000 as an additional JavaScript origin. The example below shows that dual setup.

Example Google Cloud OAuth web application client configuration showing a Workspace MCP subdomain origin and localhost:8000 as an additional browser origin
Example Google Cloud client configuration for a hosted Workspace MCP deployment. For cloud-only setups, the hosted subdomain origin and matching /oauth2callback redirect URI are the required values.

Where do I find the Client ID configuration page in Google Cloud?

Navigate to: Google Auth Platform > Clients > (your Client ID)

The Authorized JavaScript Origins and Authorized Redirect URIs fields are on this page. Note: These fields only appear for "Web Application" client types, not Desktop types.

Which Google APIs do I need to enable?

The Workspace MCP GitHub README has a section with "Quick API Enable Links" that provides direct links to enable each required API, saving you from clicking around in the console. See: OAuth Credential Setup Guide

Client Setup

How do I set up Workspace MCP in Claude Code?

Run this command in your terminal:

claude mcp add --transport http workspace https://yoursubdomain.workspacemcp.com/mcp

After running the command, use /mcp in Claude Code to trigger the authentication flow. You'll be redirected to sign in with your Google account.

Tip: If you get a paste formatting error, make sure you're copying the command cleanly without any hidden formatting characters. Type or paste it fresh.

How do I set up Workspace MCP in Cursor?

Option 1 — Deeplink (Recommended): An "Add to Cursor" deeplink can be provided that installs it automatically. After clicking it, the server will show "needs authentication" — click "Connect" and sign in with Google.

Option 2 — Manual mcp.json config: Add the following to your Cursor mcp.json file:

{
  "mcpServers": {
    "workspace": {
      "url": "https://yoursubdomain.workspacemcp.com/mcp"
    }
  }
}

Important: Make sure Cursor is updated to the latest version. Older versions may not display the MCP settings pane at all.

How do I set up Workspace MCP in VS Code?

Install VS Code from Microsoft's download page (macOS, Windows, and Linux). VS Code's agent mode supports MCP with Streamable HTTP and OAuth 2.1 (plus OAuth 2.0 IdPs).

You can add the server in several ways:

  • Open the MCP gallery in the Extensions view (@mcp) and use MCP: Add Server
  • Edit .vscode/mcp.json or your user mcp.json directly
  • Use the CLI: code --add-mcp

For a remote HTTP server, add a config block like:

{
  "servers": {
    "workspace": {
      "type": "http",
      "url": "https://yoursubdomain.workspacemcp.com/mcp"
    }
  }
}

How do I set up Workspace MCP in Claude Desktop?

Download Claude Desktop for macOS or Windows. Claude Desktop and Claude on the web both support remote MCP servers with OAuth and Streamable HTTP.

To add Workspace MCP:

  1. Open Customize > Connectors > Add custom connector
  2. Enter a name and your server URL: https://yoursubdomain.workspacemcp.com/mcp
  3. Optional advanced settings let you supply an OAuth client ID and secret

Important: Remote MCP servers must be added through Settings > Connectors, not by editing claude_desktop_config.json.

How do I set up Workspace MCP in Windsurf?

Install Windsurf for macOS, Windows, or Linux. Windsurf supports stdio, Streamable HTTP, and SSE transports, with OAuth support for each.

To add the server:

  • Marketplace: Open the MCP Marketplace from Cascade and click Install
  • Manual: Edit ~/.codeium/windsurf/mcp_config.json and add your server using serverUrl or url

How do I set up Workspace MCP in Open WebUI?

  1. Open Admin Settings → External Tools
  2. Click + (Add Server)
  3. Set Type to MCP (Streamable HTTP)
  4. Enter your Server URL: https://yoursubdomain.workspacemcp.com/mcp
  5. Set Auth type to OAuth 2.1
  6. Save. If prompted, restart Open WebUI.

Can I use Workspace MCP with other clients or agent frameworks?

Yes. Any client compatible with the MCP spec can connect to your endpoint at https://yoursubdomain.workspacemcp.com/mcp and step through a standard OAuth authentication flow.

Common Errors & Troubleshooting

I'm getting error: missing required argument 'commandOrUrl' when adding the MCP in Claude Code.

This is almost always a paste formatting issue. When copying the command from an email or web page, invisible formatting characters can get included. Try:

  1. Type the command manually instead of pasting
  2. Paste into a plain-text editor first, then re-copy
  3. Use this exact string: claude mcp add --transport http workspace https://yoursubdomain.workspacemcp.com/mcp

I'm seeing Error 400: redirect_uri_mismatch during Google authentication.

This means your OAuth client is not configured with the correct redirect URIs. To fix:

  1. Open your OAuth Client ID in Google Cloud Platform Console
  2. Confirm you're using the Web Application client type (not Desktop)
  3. Set Authorized JavaScript Origins to: https://yoursubdomain.workspacemcp.com
  4. Set Authorized Redirect URIs to: https://yoursubdomain.workspacemcp.com/oauth2callback
  5. Save and try again

If you used the Desktop client type, you'll need to recreate it as Web Application since Desktop clients don't have the redirect URI fields.

I'm getting a Cloudflare "Bad Gateway" error when trying to authenticate.

This typically happens right after initial setup when SSL certificates and DNS are still propagating. Wait 5–15 minutes and try again. This has resolved itself in every reported case without any intervention needed.

I see "Access blocked: This app's request is invalid" during sign-in.

This is the same redirect_uri_mismatch issue described above. Verify your Authorized JavaScript Origins and Authorized Redirect URIs are set correctly in the Google Cloud Platform console, and ensure you're using the Web Application client type.

Cursor can't find MCP settings or the MCP pane doesn't appear.

Update Cursor to the latest version. MCP support was added in a recent update, and older versions won't show the configuration pane.

I see a "testing" or "unverified app" warning during the consent flow.

This is expected. We generally recommend keeping your OAuth app in testing mode unless you have a specific reason to make it publicly facing. Testing mode is fully functional — the only difference is the consent screen warning.

  • The app works fine, but shows a warning screen during sign-in
  • You may need to click "Advanced" and "Go to (app) (unsafe)" to proceed
  • Verified public OAuth is only available when using the central client ID with no allowlist
  • If you need a verified public-facing app or your organization blocks unverified apps entirely, see Google App Verification below

Google App Verification

My company blocks unverified Google OAuth applications. What can I do?

The best path depends on your organization's security posture, but here are your options in order of what we typically recommend:

  1. Provide your own client ID (recommended): Supply your own OAuth client ID and secret from your organization's GCP project. This is the strongest option for enterprise environments — your security team retains full ownership of the OAuth client, has access to Cloud Console audit logs, controls API rate limits and quotas, and can manage the app lifecycle through your existing governance processes. The app will be implicitly trusted within your domain since it lives in your own GCP organization. Client ID verification is included as part of the enterprise plan.
  2. Use your own GCP project with a personal account: Create the GCP project with a personal account that has admin access, then add your company email to the project via IAM. This lets you use the OAuth client from within your organization without going through a full procurement process.
  3. Wait for verification on the central client: If you're using the central client ID, Google verification takes 3–5 business days after submission. Once verified, the warning goes away and blocked organizations can use it. Note that verified public OAuth is only available for the central client ID with no allowlist.

How long does Google OAuth verification take?

Typically 3–5 business days after submission. The verification requires listing all OAuth scopes the app will request. If you don't use certain services (e.g., Google Tasks), those scopes can be excluded from the verification request. Keep in mind that most deployments don't need verification at all — if you're using your own client ID, the app is already trusted within your domain, and testing mode works fine for allowlisted users.

Until verification is complete, can I still use open user access?

No. Verified public OAuth is only available when using the central client ID with no allowlist. Until the app is verified, you must use the allowlist model where specific email addresses are granted access. For most organizations using their own client ID, testing mode with an allowlist is the standard and recommended approach.

Multi-User & Agent Deployments

Can multiple users authenticate with the same Workspace MCP instance?

Yes. A single Workspace MCP Cloud instance can support multiple users, each authenticating with their own Google Workspace account. If you're using the allowlist model, each user's email address must be added to the allowlist.

Can I connect autonomous AI agents to Workspace MCP?

In theory, yes — any framework that supports MCP servers and OAuth logins should work. However, there are key considerations:

  • The agent must be able to handle the Google OAuth login flow (including any browser-based consent screens)
  • If MFA is enabled on the Google accounts, the agent needs to handle that as well, which can be complicated for autonomous operation
  • Each agent connecting with a different workspace account needs that account on the allowlist

How does authentication work for remote AI agents?

Using any client compatible with the MCP spec, you connect to your MCP server endpoint and step through an OAuth authentication flow. Each agent framework has its own way of handling this. The flow is no different than any other OAuth remote MCP server — your agent needs to be able to complete the browser-based Google sign-in.

What's the difference between Workspace MCP Cloud and the Google Workspace CLI?

FeatureCloudCLI
Multi-user supportYesNo (single user)
Hosted/shareableYesNo (local only)
AuthenticationOAuth 2.1, statelessSame OAuth flow
Setup complexityManaged for youSelf-maintained

Feature Notes

Does Workspace MCP support Google Docs tab management?

Yes. Tab management features including creating, editing, and navigating document tabs are supported.

I have a feature request. How do I submit it?

Reply directly to your welcome email. Paying customers have priority on feature requests.

Is my data stored or cached by Workspace MCP?

Workspace MCP Cloud runs in Stateless OAuth 2.1 mode. No credentials or logs are stored or cached on the server. OAuth client secrets submitted during setup are stored in an encrypted database and purged after configuration.

Cancellation

How do I cancel my subscription?

You can cancel at any time by ending your subscription. Your access will remain active until the end of your current paid-up period — 30 days from your last monthly payment. No further charges will be made after cancellation.

Quick Reference: Setup Checklist

Central endpoint (fastest path)

No setup work required on your end. Just:

  • Add https://mcp.workspacemcp.com/mcp to your client
  • Complete the Google sign-in flow

That's it — you're connected.

Custom subdomain + your own client ID (full control)

A one-time setup that gives you full ownership of your OAuth client and a dedicated endpoint. Once it's done, you don't touch it again.

  1. Create a Web Application OAuth client in Google Cloud Platform
  2. Enable required Google APIs (quick links in the GitHub README)
  3. Set Authorized JavaScript Origins to https://yoursubdomain.workspacemcp.com
  4. Set Authorized Redirect URIs to https://yoursubdomain.workspacemcp.com/oauth2callback
  5. Submit your client ID and secret at https://workspacemcp.com/welcome
  6. Wait for your subdomain and SSL certificate to be provisioned
  7. Add the MCP server to your client and complete the Google sign-in flow

If you see a "testing" warning on the consent screen, this is normal — your app works fine in testing mode.