You can create a maximum of 36 OAuth clients for each project with the
Google Cloud console. You can create a maximum of 500 OAuth clients for each
project with the Google Cloud CLI.
Console
Complete the following steps to create an OAuth client by using the
Google Cloud console.
Following are limitations for OAuth clients created programmatically
using the API:
OAuth clients created by the API can only be modified by using the API. You
cannot modify an OAuth client using the Google Cloud console if it was created
by using the API.
The OAuth clients created by the API are locked for IAP usage only, and
therefore the API does not allow any updates to the redirect URI or other
attributes.
The API does not operate on the OAuth clients that were created using
the Google Cloud console.
Only 500 OAuth clients are allowed per project when using the API.
API-created OAuth consent screen brands have specific limitations. See the
section for more information.
Understanding brands and branding state
The OAuth consent screen,
which contains branding information for users, is known as a brand. Brands
can be limited to internal users or public users. An internal brand makes the
OAuth flow accessible to someone who belongs to the same Google Workspace
organization as the project. A public brand makes the OAuth flow available to
anyone on the internet.
Brands can be created manually or programmatically by using an API. Brands created using an API
are automatically configured with the following settings:
On the OAuth consent screen page, note that the User Type is
automatically set to Internal. To set it to Public, click
Edit App. More configuration options become available.
Under Application type, click Public.
To trigger a brand review for an unreviewed API-created brand:
On the OAuth consent screen page, enter any required information, and
then click Submit for verification.
The verification process may take up to several weeks, and you will receive
email updates as it progresses.
Learn more about
verification. While the verification process is ongoing, you can still use the
application within your Google Workspace organization.
Learn more about how
your application will behave before it's verified.
Required permissions
Before creating the client, ensure that the caller has been granted the following permissions:
clientauthconfig.brands.list
clientauthconfig.brands.create
clientauthconfig.brands.get
clientauthconfig.clients.create
clientauthconfig.clients.listWithSecrets
clientauthconfig.clients.getWithSecret
clientauthconfig.clients.delete
clientauthconfig.clients.update
These permissions are included in the Editor (roles/editor) and Owner
(roles/owner) basic roles,
however we recommend that you create a
custom role that contains these
permissions and grant it to the caller instead.
Set up OAuth for IAP
The following steps describe how to configure the consent screen and create and
oauth client for IAP.
Configuring consent screen
Check if you already have an existing brand by using the
list command. You may
only have one brand per project.
gcloudiapoauth-brandslist
The following is an example gcloud response, if the brand exists:
The above fields are required when calling this API:
supportEmail: The support email displayed on the OAuth consent screen.
This email address can either be a user's address or a Google Groups alias.
While service accounts also have an email address, they are not actual
valid email addresses, and cannot be used when creating a brand. However,
a service account can be the owner of a Google Group. Either create a
new Google Group or configure an existing group and set the desired service
account as an owner of the group.
applicationTitle: The application name displayed on OAuth consent
screen.
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-07 UTC."],[[["\u003cp\u003eThis page provides instructions on creating OAuth clients for use with Identity-Aware Proxy (IAP) and customized OAuth configurations, using either the Google Cloud console or the Google Cloud CLI.\u003c/p\u003e\n"],["\u003cp\u003eYou can create up to 36 OAuth clients per project using the Google Cloud console, or up to 500 using the Google Cloud CLI, but OAuth clients created via the API can only be managed through the API and are exclusively for IAP.\u003c/p\u003e\n"],["\u003cp\u003eCreating a brand, which holds OAuth consent screen information, is required and can be internal or public, and brands created via API are initially internal and unreviewed, requiring manual updates to change to public and trigger a review process.\u003c/p\u003e\n"],["\u003cp\u003eBefore creating an OAuth client, the caller needs specific permissions, such as \u003ccode\u003eclientauthconfig.brands.create\u003c/code\u003e and \u003ccode\u003eclientauthconfig.clients.create\u003c/code\u003e, which can be granted through basic or custom roles.\u003c/p\u003e\n"],["\u003cp\u003eThe setup process for an IAP OAuth client involves configuring the OAuth consent screen by checking for or creating a brand, then using the \u003ccode\u003egcloud\u003c/code\u003e command to create the client using the brand name.\u003c/p\u003e\n"]]],[],null,["# Creating custom OAuth clients for IAP\n\nThis page describes how to create an OAuth client when using the [customized OAuth configuration](/iap/docs/custom-oauth-configuration) to enable IAP with Google identities.\n\nIf you want to use a Google-managed OAuth client to use for enabling\nIAP, see [Enable IAP using a Google-managed OAuth client](/iap/docs/managed-oauth-client).\n\nCreate an OAuth client\n----------------------\n\nYou can create a maximum of 36 OAuth clients for each project with the\nGoogle Cloud console. You can create a maximum of 500 OAuth clients for each\nproject with the Google Cloud CLI. \n\n### Console\n\nComplete the following steps to create an OAuth client by using the\nGoogle Cloud console.\n\n1. Configure the OAuth consent screen by following the instructions in [Setting up your OAuth consent screen](https://support.google.com/cloud/answer/10311615).\n\n2. Create an OAuth client by following the instructions in [Setting up OAuth 2.0](https://support.google.com/cloud/answer/6158849).\n\n### gcloud\n\n| **Caution:** The Identity-Aware Proxy OAuth API is deprecated and is scheduled to be shut down.\n| For more details on the deprecation, see\n| [Identity-Aware Proxy OAuth API deprecation](/iap/docs/deprecations).\n\n### Known limitations\n\nFollowing are limitations for OAuth clients created programmatically\nusing the API:\n\n- OAuth clients created by the API can only be modified by using the API. You cannot modify an OAuth client using the Google Cloud console if it was created by using the API.\n- The OAuth clients created by the API are locked for IAP usage only, and therefore the API does not allow any updates to the redirect URI or other attributes.\n- The API does not operate on the OAuth clients that were created using the Google Cloud console.\n- Only 500 OAuth clients are allowed per project when using the API.\n- API-created OAuth consent screen brands have specific limitations. See the [section](#branding) for more information.\n\nUnderstanding brands and branding state\n---------------------------------------\n\nThe [OAuth consent screen](https://console.cloud.google.com/apis/credentials/consent),\nwhich contains branding information for users, is known as a **brand**. Brands\ncan be limited to internal users or public users. An internal brand makes the\nOAuth flow accessible to someone who belongs to the same Google Workspace\norganization as the project. A public brand makes the OAuth flow available to\nanyone on the internet.\n\nBrands can be created manually or programmatically by using an API. Brands created using an API\nare automatically configured with the following settings:\n\n- Internal. You must manually set to public.\n\n- Unreviewed. You must trigger a brand review.\n\nTo set an internal brand to public:\n\n1. Open the [OAuth consent screen](https://console.cloud.google.com/apis/credentials/consent).\n2. Select a project from the drop-down menu.\n3. On the **OAuth consent screen** page, note that the **User Type** is automatically set to **Internal** . To set it to **Public** , click **Edit App**. More configuration options become available.\n4. Under **Application type** , click **Public**.\n\n| **Note:** When an API-created internal brand is set to public, the [`identityAwareProxyClients.create()`](/iap/docs/reference/rest/v1/projects.brands.identityAwareProxyClients/create) API will stop working, as it requires the brand to be set to internal. Therefore, you cannot create new OAuth clients using the API after an internal brand is made public.\n\nTo trigger a brand review for an unreviewed API-created brand:\n\n1. Open the [OAuth consent screen](https://console.cloud.google.com/apis/credentials/consent).\n2. Select a project from the drop-down menu.\n3. On the **OAuth consent screen** page, enter any required information, and then click **Submit for verification**.\n\nThe verification process may take up to several weeks, and you will receive\nemail updates as it progresses.\n[Learn more](https://support.google.com/cloud/answer/9110914) about\nverification. While the verification process is ongoing, you can still use the\napplication within your Google Workspace organization.\n[Learn more](https://support.google.com/cloud/answer/7454865) about how\nyour application will behave before it's verified.\n\n### Required permissions\n\nBefore creating the client, ensure that the caller has been granted the following permissions:\n\n- `clientauthconfig.brands.list`\n- `clientauthconfig.brands.create`\n- `clientauthconfig.brands.get`\n- `clientauthconfig.clients.create`\n- `clientauthconfig.clients.listWithSecrets`\n- `clientauthconfig.clients.getWithSecret`\n- `clientauthconfig.clients.delete`\n- `clientauthconfig.clients.update`\n\nThese permissions are included in the Editor (`roles/editor`) and Owner\n(`roles/owner`) [basic roles](/iam/docs/understanding-roles#basic),\nhowever we recommend that you create a\n[custom role](/iam/docs/understanding-roles#custom_roles) that contains these\npermissions and grant it to the caller instead.\n\n### Set up OAuth for IAP\n\nThe following steps describe how to configure the consent screen and create and\noauth client for IAP.\n\n### Configuring consent screen\n\n1. Check if you already have an existing brand by using the\n [list](/sdk/gcloud/reference/iap/oauth-brands/list) command. You may\n only have one brand per project.\n\n ```bash\n gcloud iap oauth-brands list\n ```\n\n The following is an example gcloud response, if the brand exists: \n\n name: projects/[PROJECT_NUMBER]/brands/[BRAND_ID]\n applicationTitle: [APPLICATION_TITLE]\n supportEmail: [SUPPORT_EMAIL]\n orgInternalOnly: true\n\n | **Note:** If a brand already exists for a project and has been configured for external users (`orgInternalOnly: false`), but you want to restrict it to internal users, you must make that change manually from the [OAuth consent screen](https://console.cloud.google.com/auth/audience) in order to create OAuth clients with this API.\n2. If no brand exists, use the\n [create](/sdk/gcloud/reference/iap/oauth-brands/create) command:\n\n ```bash\n gcloud iap oauth-brands create --application_title=APPLICATION_TITLE --support_email=SUPPORT_EMAIL\n ```\n\n\n The above fields are required when calling this API:\n - `supportEmail`: The support email displayed on the OAuth consent screen.\n This email address can either be a user's address or a Google Groups alias.\n While service accounts also have an email address, they are not actual\n valid email addresses, and cannot be used when creating a brand. However,\n a service account can be the owner of a Google Group. Either create a\n new Google Group or configure an existing group and set the desired service\n account as an owner of the group.\n\n | **Note:** The user issuing the request must be an owner of the specified support email address.\n - `applicationTitle`: The application name displayed on OAuth consent\n screen.\n\n The response contains the following fields: \n\n name: projects/[PROJECT_NUMBER]/brands/[BRAND_ID]\n applicationTitle: [APPLICATION_TITLE]\n supportEmail: [SUPPORT_EMAIL]\n orgInternalOnly: true\n\n### Creating an IAP OAuth Client\n\n1. Use the create command to\n [create](/sdk/gcloud/reference/iap/oauth-clients/create) a client. Use\n the brand `name` from previous step.\n\n ```bash\n gcloud iap oauth-clients create projects/PROJECT_NUMBER/brands/BRAND-ID --display_name=NAME\n ```\n\n The response contains the following fields: \n\n name: projects/[PROJECT_NUMBER]/brands/[BRAND_NAME]/identityAwareProxyClients/[CLIENT_ID]\n secret: [CLIENT_SECRET]\n displayName: [NAME]"]]
