Privacy & scopes

What this server asks Google for, where the tokens live, and how to revoke.

Who operates this

This is a single-operator instance of the open-source Google Workspace MCP server run by forrest@nlma.io. No company, no analytics, no third-party processors.

Scopes requested

When you grant access, your Google account sees an OAuth consent screen listing every scope below. You can review and revoke at any time. No scope is used without your explicit approval.

Identity

  • openid, userinfo.email, userinfo.profile — identify the logged-in user

Gmail

  • gmail.readonly, gmail.modify, gmail.compose, gmail.send, gmail.labels, gmail.settings.basic — search, read, send, label, draft, and manage filters

Drive & Docs / Sheets / Slides / Forms

  • drive, drive.file, drive.readonly — search, read, create, share
  • documents, documents.readonly, spreadsheets, spreadsheets.readonly, presentations, presentations.readonly, forms.body, forms.body.readonly, forms.responses.readonly

Calendar & Tasks

  • calendar, calendar.events, calendar.readonly, tasks, tasks.readonly

Chat & Contacts

  • chat.messages, chat.messages.readonly, chat.spaces, chat.spaces.readonly, contacts, contacts.readonly

Apps Script & Programmable Search

  • script.projects, script.projects.readonly, script.deployments, script.deployments.readonly, script.processes, script.metrics, cse

The full scope list is fixed by the MCP server's tool tier, which on this instance is set to complete. Narrower tool tiers would request fewer scopes, but that setting isn't exposed on this instance.

What the server stores

After you grant access, Google issues a refresh token. FastMCP stores it on the VPS at /opt/gsuite-mcp/oauth-proxy/mcp-upstream-tokens/, Fernet-encrypted at rest with a key that exists only on the server. Refresh tokens are never written to disk in the clear and never leave the VPS.

No message, file, or calendar content is stored or logged. Every tool call fetches from Google on demand; responses go back to your MCP client and are not retained on this side.
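The "Fernet-encrypted at rest" claim above is worth unpacking. What follows is an added example, not the operator's code or FastMCP's: a from-scratch implementation of the Fernet token format (AES-128-CBC plus HMAC-SHA256, as laid out in the public Fernet spec) using only the Go standard library, applied to a constructed refresh-token string. The sample token value and the TTL are assumptions for illustration; the layout, key split and verify-before-decrypt order follow the spec.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Fernet token layout:
//   version 0x80 | timestamp (8 bytes, big-endian seconds) | IV (16) | AES-128-CBC ciphertext | HMAC-SHA256 (32)
// The 32-byte key is split: the first 16 bytes sign, the last 16 bytes encrypt.
const fernetVersion = 0x80

var errInvalid = errors.New("fernet: invalid token")

// GenerateKey returns a fresh urlsafe-base64 Fernet key. The key must live
// somewhere other than the token directory (env var, root-only file), or the
// encryption at rest protects nothing.
func GenerateKey() (string, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return "", err
	}
	return base64.URLEncoding.EncodeToString(k), nil
}

func splitKey(key string) ([]byte, []byte, error) {
	raw, err := base64.URLEncoding.DecodeString(key)
	if err != nil || len(raw) != 32 {
		return nil, nil, errors.New("fernet: key must be 32 urlsafe-base64 bytes")
	}
	return raw[:16], raw[16:], nil
}

// pkcs7Pad copies b and pads it to a whole number of AES blocks (always adds 1..16 bytes).
func pkcs7Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	out := make([]byte, len(b)+n)
	copy(out, b)
	for i := len(b); i < len(out); i++ {
		out[i] = byte(n)
	}
	return out
}

func pkcs7Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errInvalid
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize {
		return nil, errInvalid
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errInvalid
		}
	}
	return b[:len(b)-n], nil
}

// Encrypt seals plaintext into a Fernet token stamped with now.
func Encrypt(key string, plaintext []byte, now time.Time) (string, error) {
	sk, ek, err := splitKey(key)
	if err != nil {
		return "", err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	block, err := aes.NewCipher(ek)
	if err != nil {
		return "", err
	}
	padded := pkcs7Pad(plaintext)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)

	var ts [8]byte
	binary.BigEndian.PutUint64(ts[:], uint64(now.Unix()))
	body := make([]byte, 0, 1+8+aes.BlockSize+len(ct)+sha256.Size)
	body = append(body, fernetVersion)
	body = append(body, ts[:]...)
	body = append(body, iv...)
	body = append(body, ct...)
	mac := hmac.New(sha256.New, sk)
	mac.Write(body)
	return base64.URLEncoding.EncodeToString(mac.Sum(body)), nil // Sum appends the tag
}

// Decrypt verifies the HMAC in constant time before touching the ciphertext,
// enforces ttl (ttl <= 0 disables the age check), then decrypts and unpads.
func Decrypt(key, token string, ttl time.Duration, now time.Time) ([]byte, error) {
	sk, ek, err := splitKey(key)
	if err != nil {
		return nil, err
	}
	raw, err := base64.URLEncoding.DecodeString(token)
	if err != nil || len(raw) < 1+8+aes.BlockSize+sha256.Size || raw[0] != fernetVersion {
		return nil, errInvalid
	}
	body, tag := raw[:len(raw)-sha256.Size], raw[len(raw)-sha256.Size:]
	mac := hmac.New(sha256.New, sk)
	mac.Write(body)
	if !hmac.Equal(mac.Sum(nil), tag) {
		return nil, errInvalid // tampered on disk or wrong key: rejected before decryption
	}
	issued := int64(binary.BigEndian.Uint64(body[1:9]))
	if ttl > 0 && now.Unix() > issued+int64(ttl/time.Second) {
		return nil, errors.New("fernet: token expired")
	}
	iv, ct := body[9:9+aes.BlockSize], body[9+aes.BlockSize:]
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return nil, errInvalid
	}
	block, err := aes.NewCipher(ek)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return pkcs7Unpad(pt)
}

func main() {
	key, _ := GenerateKey()
	// Constructed sample value; a real Google refresh token is an opaque string issued at consent.
	refresh := []byte("1//0CONSTRUCTED-sample-refresh-token")
	tok, err := Encrypt(key, refresh, time.Now())
	if err != nil {
		panic(err)
	}
	fmt.Println("on disk:", tok)
	back, err := Decrypt(key, tok, 0, time.Now())
	fmt.Printf("decrypted: %s (err=%v)\n", back, err)
}
```

The order of operations is the point: the HMAC is checked before any decryption, so a token file that has been altered on disk, or one written under a different key, is rejected outright instead of yielding garbage. The key is the only secret, which is why it has to live outside the token directory; and because every stored token carries its own timestamp, a TTL check at read time gives the operator a way to age out tokens independently of Google's own expiry.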

Testing-mode constraints

Google classifies this OAuth client as Testing. Two consequences:

Lifting these limits would require publishing the app and passing Google's CASA audit; neither has been done.

How to revoke

Go to myaccount.google.com/permissions, find the entry for gsuite-mcp (or whatever you see listed under project gsuite-mcp-493905), and remove it. Google invalidates the refresh token immediately; any access token already issued from it expires within the hour. After that, the server holds nothing that can reach your account.

If you also want the stored token wiped from this VPS before its natural expiry, email forrest@nlma.io.