# Which Google scopes does Cronofy utilize?

Cronofy utilizes Google's OAuth 2.0 to access Google Workspace data about *Users, Organizations, Resources* and their *Calendar* data.

When a user is authenticating themselves via Individual Connect, Cronofy requests access to their profile and their calendar.

When using Enterprise Connect to connect your organization, Cronofy requests access to list users & resources, organization information, and calendars.

We are also able to connect with less permissive scopes which give Cronofy access to only the Free/Busy information of a user's calendar.

## Individual Connect
Cronofy requests the following scopes from individuals when connecting via the **Cronofy Google Calendar** application for Individual Connect.

<dl>
  <dt>Scopes</dt>
    <dd><a href="#email">email</a></dd>
    <dd><a href="#profile">profile</a></dd>
    <dd><a href="#authcalendar">auth/calendar</a></dd>
    <dd><a href="#authdrivefile">auth/drive.file</a> - Required to attach files to calendar events. See <a href="/developers/api/attachments/authorization/">Attachments</a> for more details.</dd>
</dl>
## Enterprise Connect
Cronofy requests the following scopes when connecting via the **[Cronofy Google Workspace Application](https://gsuite.google.com/marketplace/app/cronofy/902414518019)** for Enterprise Connect.

<dl>
  <dt>User Specific Scopes</dt>
    <dd><a href="#email">email</a></dd>
    <dd><a href="#profile">profile</a></dd>
  <dt>Workspace and Directory Specific Scopes</dt>
    <dd><a href="#authadmindirectoryuserreadonly">auth/admin.directory.user.readonly</a></dd>
    <dd><a href="#authadmindirectorydomainreadonly">auth/admin.directory.domain.readonly</a></dd>
  <dt>Calendar and Resources (Granted via the Marketplace install)</dt>
    <dd><a href="#authcalendar">auth/calendar</a></dd>
    <dd><a href="#authadmindirectoryresourcecalendar">auth/admin.directory.resource.calendar</a></dd>
</dl>
## Individual Connect (Free/Busy)
Cronofy requests the following scopes when connecting via Individual Connect Free/Busy.

<dl>
  <dt>Scopes</dt>
    <dd><a href="#email">email</a></dd>
    <dd><a href="#profile">profile</a></dd>
    <dd><a href="#authcalendarcalendarlistreadonly">auth/calendar.calendarlist.readonly</a></dd>
    <dd><a href="#authcalendareventsfreebusy">auth/calendar.events.freebusy</a></dd>
</dl>
## Enterprise Connect (Free/Busy)
Cronofy requests the following scopes when connecting via Enterprise Connect Free/Busy.

<dl>
  <dt>User Specific Scopes</dt>
    <dd><a href="#email">email</a></dd>
    <dd><a href="#profile">profile</a></dd>
    <dd><a href="#authcalendarcalendarlistreadonly">auth/calendar.calendarlist.readonly</a></dd>
    <dd><a href="#authcalendareventsfreebusy">auth/calendar.events.freebusy</a></dd>
  <dt>Directory Specific Scopes</dt>
    <dd><a href="#authadmindirectoryuserreadonly">auth/admin.directory.user.readonly</a></dd>
    <dd><a href="#authadmindirectorydomainreadonly">auth/admin.directory.domain.readonly</a></dd>
    <dd><a href="#authadmindirectoryresourcecalendarreadonly">auth/admin.directory.resource.calendar.readonly</a></dd>
</dl>
# Scopes
### email
[Google API doc](https://developers.google.com/identity/protocols/oauth2/scopes#google-sign-in)

Cronofy uses the `email` scope to identify the user who is authenticating. This allows Cronofy to associate the calendar connection with the correct user account.

### profile
[Google API doc](https://developers.google.com/identity/protocols/oauth2/scopes#google-sign-in)

Cronofy uses the `profile` scope to access basic profile information, such as the user's name, which is needed to allow Cronofy to act on behalf of the user.

### auth/calendar
[Google API doc](https://developers.google.com/identity/protocols/oauth2/scopes#calendar)

Cronofy requires the `calendar` scope to create, read, update, and delete events in user and room calendars when connecting via Individual Connect or Enterprise Connect Read-Write.

### auth/drive.file
[Google API doc](https://developers.google.com/identity/protocols/oauth2/scopes#drive)

Cronofy requires the `drive.file` scope to attach files to calendar events. This scope only allows access to files that Cronofy itself uploads — Cronofy cannot read any other files in a user's Drive.

> **INFO:** Due to a restriction of Google Marketplace applications only being allowed one set of scopes, this scope is requested for all Individual Connect users regardless of whether they intend to use calendar event attachments.

### auth/calendar.calendarlist.readonly
[Google API doc](https://developers.google.com/identity/protocols/oauth2/scopes#calendar)

Cronofy requires `calendar.calendarlist.readonly` to retrieve the list of calendars in a user's account. This allows Cronofy to identify which calendars to check for Free/Busy availability.

### auth/calendar.events.freebusy
[Google API doc](https://developers.google.com/identity/protocols/oauth2/scopes#calendar)

Cronofy requires `calendar.events.freebusy` to access the Free/Busy schedule for a given user. This scope only provides visibility into whether a time slot is free or busy — event details such as titles and attendees are not accessible.

### auth/admin.directory.user.readonly
[Google API doc](https://developers.google.com/identity/protocols/oauth2/scopes#admin-directory-api)

Cronofy requires `admin.directory.user.readonly` to list users and resources (such as meeting rooms) within your Google Workspace organization. This allows Cronofy to add user accounts and resources for synchronization.

### auth/admin.directory.domain.readonly
[Google API doc](https://developers.google.com/identity/protocols/oauth2/scopes#admin-directory-api)

Cronofy requires `admin.directory.domain.readonly` to retrieve the primary domain for your Google Workspace organization. This is used during the verification of the service account connection.

### auth/admin.directory.resource.calendar
[Google API doc](https://developers.google.com/identity/protocols/oauth2/scopes#admin-directory-api)

Cronofy requires `admin.directory.resource.calendar` to view and manage conference rooms and other calendar resources within your organization when connecting via Enterprise Connect Read-Write.

### auth/admin.directory.resource.calendar.readonly
[Google API doc](https://developers.google.com/identity/protocols/oauth2/scopes#admin-directory-api)

Cronofy requires `admin.directory.resource.calendar.readonly` to view conference rooms and other calendar resources within your organization when connecting via Enterprise Connect Free/Busy. This read-only scope ensures Cronofy cannot make changes to resource configurations.

## What are my options for restricting access?
Connecting with Read-Write permissions provides the most seamless experience — Cronofy is able to create events directly in the calendar and make use of integrated Google Meet conferencing, if available.

When privacy is a concern, the Free/Busy Calendar Access Mode is available (see our docs on [Enterprise Connect Free/Busy](/calendar-admins/enterprise-connect-gsuite/free-busy-access-mode/index.md)), whereby only the Free/Busy information from a user's schedule is granted to Cronofy.

When connecting via Free/Busy, only the `status`, `start`, and `end` times of each event are accessible to Cronofy — event titles, attendees, and other details are not shared.

You may also limit which users' data Cronofy is able to access by configuring Organizational Units. See the [Restricting Service Account Access](/calendar-admins/enterprise-connect-gsuite/restrict-google-service-account/index.md) guide for more details.

## Further reading
Further information about the above listed scopes can be found at [Google OAuth 2.0 Scopes](https://developers.google.com/identity/protocols/oauth2/scopes).


---
[Read in HTML](/calendar-admins/enterprise-connect-gsuite/which-google-scopes-does-cronofy-utilize/)