Google OAuth 2.0: New Authorization and Token Endpoints Explained
- amit1697
- Jan 27, 2023
- 2 min read
When building applications that connect with Google APIs, such as Gmail, Google Drive, or other GCP services, OAuth 2.0 is the standard method for securely authenticating and obtaining an access token. Recently, Google refined its OAuth 2.0 authorization and token endpoints, making integration even clearer and more reliable.

Understanding Google OAuth 2.0
OAuth 2.0 is a widely used protocol for delegated access. Your app:
Redirects the user to Google’s authorization endpoint to get consent,
Then exchanges the returned authorization code for an access token from the token endpoint.
This token is then included in API requests, giving your app secure, temporary access.
New Google OAuth 2.0 Endpoints
Here are the official, recommended endpoints:
Authorization endpoint: https://accounts.google.com/o/oauth2/v2/auth
Token endpoint: https://oauth2.googleapis.com/token
Using these ensures your app stays compatible with Google’s latest OAuth implementation.
How It Works (Step by Step)

Redirect to Authorization Endpoint
Your app starts the OAuth process by redirecting the user here:
```text
https://accounts.google.com/o/oauth2/v2/auth
?client_id=YOUR_CLIENT_ID
&response_type=code
&scope=https://www.googleapis.com/auth/gmail.readonly
&redirect_uri=YOUR_REDIRECT_URI
&access_type=offline
```
client_id: Get this from your Google Cloud Console.
scope: The permissions you’re requesting (e.g., Gmail, Drive).
access_type=offline: To get a refresh token.
User Grants Permission
Your app receives an authorization code as a result.
Exchange Code for Access Token
With the authorization code in hand, send a POST request to the token endpoint (the form-encoded body is shown on several lines for readability):
```http
POST https://oauth2.googleapis.com/token
Content-Type: application/x-www-form-urlencoded

code=AUTHORIZATION_CODE
&client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
&redirect_uri=YOUR_REDIRECT_URI
&grant_type=authorization_code
```
The response includes:
access_token (e.g., for Gmail API)
refresh_token (to get new tokens)
expires_in (token lifetime)
Refreshing Tokens
Since access tokens expire (usually after an hour), use the refresh_token to request a new one without user interaction:
```http
POST https://oauth2.googleapis.com/token
Content-Type: application/x-www-form-urlencoded

client_id=YOUR_CLIENT_ID
&client_secret=YOUR_CLIENT_SECRET
&refresh_token=YOUR_REFRESH_TOKEN
&grant_type=refresh_token
```
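The four steps above, assembled as an added example (this is not the post's own code and not a Google library): each function builds or parses one message of the flow without making a network call, so the requests can be inspected and sent with any HTTP client. Two details go beyond what the post shows and are assumptions marked in the code: a random state value is carried through the redirect and checked on the way back (standard OAuth 2.0 protection against forged callbacks), and the refresh decision applies a small clock-skew margin. All sample values are constructed.

```python
"""Google OAuth 2.0 authorization-code flow as pure functions (added example)."""
import json
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Endpoints exactly as given in the post.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
FORM = {"Content-Type": "application/x-www-form-urlencoded"}


def new_state():
    """Assumption beyond the post: a per-login random value stored in the user's session."""
    return secrets.token_urlsafe(32)


def build_authorization_url(client_id, redirect_uri, scopes, state):
    """Step 1: the URL the browser is redirected to; access_type=offline asks for a refresh token."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "scope": " ".join(scopes),   # several scopes are separated by spaces
        "redirect_uri": redirect_uri,
        "access_type": "offline",
        "state": state,              # assumption: anti-forgery value, checked in extract_code
    }
    return AUTH_ENDPOINT + "?" + urlencode(params)


def extract_code(callback_url, expected_state):
    """Step 2: pull the authorization code out of the redirect back to redirect_uri.
    Raises if Google reported an error or the state is not the one we issued."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise ValueError("authorization failed: " + qs["error"][0])
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback was not started by this session")
    return qs["code"][0]


def code_exchange_request(code, client_id, client_secret, redirect_uri):
    """Step 3: (url, headers, body) for the token endpoint. redirect_uri must match step 1 exactly."""
    body = urlencode({
        "code": code,
        "client_id": client_id,
        "client_secret": client_secret,
        "redirect_uri": redirect_uri,
        "grant_type": "authorization_code",
    })
    return TOKEN_ENDPOINT, FORM, body


def refresh_request(refresh_token, client_id, client_secret):
    """Step 4: (url, headers, body) that trades a refresh_token for a new access_token."""
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "refresh_token": refresh_token,
        "grant_type": "refresh_token",
    })
    return TOKEN_ENDPOINT, FORM, body


def parse_token_response(response_text, received_at):
    """Turn the JSON token response into a record with an absolute expiry time (epoch seconds).
    refresh_token may be absent (refresh responses carry none), so it is optional."""
    data = json.loads(response_text)
    if "access_token" not in data or "expires_in" not in data:
        raise ValueError("token response missing access_token/expires_in: " + response_text)
    return {
        "access_token": data["access_token"],
        "refresh_token": data.get("refresh_token"),
        "expires_at": received_at + int(data["expires_in"]),
    }


def needs_refresh(token, now, skew_seconds=60):
    """Assumption: refresh a little early so an in-flight API call does not hit the exact expiry."""
    return now >= token["expires_at"] - skew_seconds


if __name__ == "__main__":
    # Constructed sample values; none of these is a real credential or code.
    state = new_state()
    print(build_authorization_url("YOUR_CLIENT_ID", "https://app.example/cb",
                                  ["https://www.googleapis.com/auth/gmail.readonly"], state))
    code = extract_code("https://app.example/cb?code=SAMPLE_CODE&state=" + state, state)
    url, headers, body = code_exchange_request(code, "YOUR_CLIENT_ID", "YOUR_CLIENT_SECRET",
                                               "https://app.example/cb")
    print("POST", url, headers, body)
    sample = '{"access_token": "ya29.sample", "expires_in": 3599, "refresh_token": "1//sample"}'
    tok = parse_token_response(sample, received_at=1_700_000_000)
    print(tok, "refresh now?", needs_refresh(tok, 1_700_000_000 + 3600))
```

The token record keeps an absolute expires_at rather than the raw expires_in, so the question "do I still have a usable token" is one comparison no matter when the response was received; storing refresh_token separately from the access token also makes it easier to keep the long-lived secret in protected storage, as the best-practice list below recommends.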
Why This Matters for Google Endpoint Authentication
Using the correct Google endpoint authentication flow avoids errors.
Helps apps securely get a GCP access token to call APIs.
Supports integration into services like Google Drive, Sheets, and Gmail.
These practices are key when delivering Google Cloud consulting services or building production apps.
Best Practices
Never store your client secret in frontend code.
Use secure storage (e.g., environment variables or vaults).
Always request only the scopes your app truly needs.
Test your integration before going live.
Conclusion
Google’s updated OAuth 2.0 authorization and token endpoints make integration straightforward, secure, and scalable. Whether you’re looking to build a custom app, get a Gmail access token, or create broader Google Cloud solutions, understanding these endpoints is the foundation.
See our related guide on how to get a Client ID and Client Secret in Google Cloud Platform; it explains how to set up your Google endpoint authentication step by step.
Power Your OAuth Integration with CSL
At CSL Consulting, we specialize in:
Setting up OAuth flows (including PKCE and incremental authorization) with zero guesswork.
Secure token handling, encryption, and environment-specific secrets management.
Enterprise-grade authentication architectures, including OIDC and service accounts.
Delivery assurance and compliance, helping ensure your integrations are production-ready, secure, and scalable.
Contact CSL today!
Email at digital@cloudsciencelabs.com or visit www.cloudsciencelabs.com for more information.