One CLI for all of Google Workspace — built for humans and AI agents.
Drive, Gmail, Calendar, and every Workspace API. Zero boilerplate. Structured JSON output. 40+ agent skills included.
[!IMPORTANT] Temporarily disabling non-collaborator pull requests. See this discussion, https://github.com/googleworkspace/cli/discussions/249.
[!NOTE] This is not an officially supported Google product.
npm install -g @googleworkspace/cli
gws doesn’t ship a static list of commands. It reads Google’s own Discovery Service at runtime and builds its entire command surface dynamically. When Google Workspace adds an API endpoint or method, gws picks it up automatically.
[!IMPORTANT] This project is under active development. Expect breaking changes as we march toward v1.0.
npm install (or download a pre-built binary from GitHub Releases)gcloud CLI or with the gws auth setup command.npm install -g @googleworkspace/cli
The npm package bundles pre-built native binaries for your OS and architecture. No Rust toolchain required.
Pre-built binaries are also available on the GitHub Releases page.
Or build from source:
cargo install --git https://github.com/googleworkspace/cli --locked
A Nix flake is also available at github:googleworkspace/cli
nix run github:googleworkspace/cli
gws auth setup # walks you through Google Cloud project config
gws auth login # subsequent OAuth login
gws drive files list --params '{"pageSize": 5}'
For humans — stop writing curl calls against REST docs. gws gives you --help on every resource, --dry-run to preview requests, and auto‑pagination.
For AI agents — every response is structured JSON. Pair it with the included agent skills and your LLM can manage Workspace without custom tooling.
# List the 10 most recent files
gws drive files list --params '{"pageSize": 10}'
# Create a spreadsheet
gws sheets spreadsheets create --json '{"properties": {"title": "Q1 Budget"}}'
# Send a Chat message
gws chat spaces messages create \
--params '{"parent": "spaces/xyz"}' \
--json '{"text": "Deploy complete."}' \
--dry-run
# Introspect any method's request/response schema
gws schema drive.files.list
# Stream paginated results as NDJSON
gws drive files list --params '{"pageSize": 100}' --page-all | jq -r '.files[].name'
The CLI supports multiple auth workflows so it works on your laptop, in CI, and on a server.
| I have… | Use |
|---|---|
gcloud installed and authenticated |
gws auth setup (fastest) |
A GCP project but no gcloud |
Manual OAuth setup |
| An existing OAuth access token | GOOGLE_WORKSPACE_CLI_TOKEN |
| Existing Credentials | GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE |
Credentials are encrypted at rest (AES-256-GCM) with the key stored in your OS keyring.
gws auth setup # one-time: creates a Cloud project, enables APIs, logs you in
gws auth login # subsequent scope selection and login
gws auth setuprequires thegcloudCLI. If you don’t havegcloud, use the manual setup below instead.
[!WARNING] Scope limits in testing mode: If your OAuth app is unverified (testing mode), Google limits consent to ~25 scopes. The
recommendedscope preset includes 85+ scopes and will fail for unverified apps (especially for@gmail.comaccounts). Choose individual services instead to filter the scope picker:gws auth login -s drive,gmail,sheets
Use this when gws auth setup cannot automate project/client creation, or when you want explicit control.
https://console.cloud.google.com/apis/credentials/consent?project=<PROJECT_ID>https://console.cloud.google.com/apis/credentials?project=<PROJECT_ID>~/.config/gws/client_secret.json[!IMPORTANT] You must add yourself as a test user. In the OAuth consent screen, click Test users → Add users and enter your Google account email. Without this, login will fail with a generic “Access blocked” error.
Then run:
gws auth login
You can complete OAuth either manually or with browser automation.
gws auth login, open the printed URL, approve scopes.If consent shows “Google hasn’t verified this app” (testing mode), click Continue. If scope checkboxes appear, select required scopes (or Select all) before continuing.
gws auth export --unmasked > credentials.json
export GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE=/path/to/credentials.json
gws drive files list # just works
Point to your key file; no login needed.
export GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE=/path/to/service-account.json
gws drive files list
Useful when another tool (e.g. gcloud) already mints tokens for your environment.
export GOOGLE_WORKSPACE_CLI_TOKEN=$(gcloud auth print-access-token)
| Priority | Source | Set via |
|---|---|---|
| 1 | Access token | GOOGLE_WORKSPACE_CLI_TOKEN |
| 2 | Credentials file | GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE |
| 3 | Encrypted credentials | gws auth login |
| 4 | Plaintext credentials | ~/.config/gws/credentials.json |
Environment variables can also live in a .env file.
The repo ships 100+ Agent Skills (SKILL.md files) — one for every supported API, plus higher-level helpers for common workflows and 50 curated recipes for Gmail, Drive, Docs, Calendar, and Sheets. See the full Skills Index for the complete list.
# Install all skills at once
npx skills add https://github.com/googleworkspace/cli
# Or pick only what you need
npx skills add https://github.com/googleworkspace/cli/tree/main/skills/gws-drive
npx skills add https://github.com/googleworkspace/cli/tree/main/skills/gws-gmail
Authenticate the CLI first:
gws auth setup
Install the extension into the Gemini CLI:
gemini extensions install https://github.com/googleworkspace/cli
Installing this extension gives your Gemini CLI agent direct access to all gws commands and Google Workspace agent skills. Because gws handles its own authentication securely, you simply need to authenticate your terminal once prior to using the agent, and the extension will automatically inherit your credentials.
gws drive files create --json '{"name": "report.pdf"}' --upload ./report.pdf
| Flag | Description | Default |
|---|---|---|
--page-all |
Auto-paginate, one JSON line per page (NDJSON) | off |
--page-limit <N> |
Max pages to fetch | 10 |
--page-delay <MS> |
Delay between pages | 100 ms |
Sheets ranges use ! which bash interprets as history expansion. Always wrap values in single quotes:
# Read cells A1:C10 from "Sheet1"
gws sheets spreadsheets values get \
--params '{"spreadsheetId": "SPREADSHEET_ID", "range": "Sheet1!A1:C10"}'
# Append rows
gws sheets spreadsheets values append \
--params '{"spreadsheetId": "ID", "range": "Sheet1!A1", "valueInputOption": "USER_ENTERED"}' \
--json '{"values": [["Name", "Score"], ["Alice", 95]]}'
Integrate Google Cloud Model Armor to scan API responses for prompt injection before they reach your agent.
gws gmail users messages get --params '...' \
--sanitize "projects/P/locations/L/templates/T"
| Variable | Description |
|---|---|
GOOGLE_WORKSPACE_CLI_SANITIZE_TEMPLATE |
Default Model Armor template |
GOOGLE_WORKSPACE_CLI_SANITIZE_MODE |
warn (default) or block |
All variables are optional. See .env.example for a copy-paste template.
| Variable | Description |
|---|---|
GOOGLE_WORKSPACE_CLI_TOKEN |
Pre-obtained OAuth2 access token (highest priority) |
GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE |
Path to OAuth credentials JSON (user or service account) |
GOOGLE_WORKSPACE_CLI_CLIENT_ID |
OAuth client ID (alternative to client_secret.json) |
GOOGLE_WORKSPACE_CLI_CLIENT_SECRET |
OAuth client secret (paired with CLIENT_ID) |
GOOGLE_WORKSPACE_CLI_CONFIG_DIR |
Override config directory (default: ~/.config/gws) |
GOOGLE_WORKSPACE_CLI_SANITIZE_TEMPLATE |
Default Model Armor template |
GOOGLE_WORKSPACE_CLI_SANITIZE_MODE |
warn (default) or block |
GOOGLE_WORKSPACE_PROJECT_ID |
GCP project ID override for quota/billing and fallback for helper commands |
Environment variables can also be set in a .env file (loaded via dotenvy).
gws uses a two-phase parsing strategy:
argv[1] to identify the service (e.g. drive)clap::Command tree from the document’s resources and methodsAll output — success, errors, download metadata — is structured JSON.
Your OAuth app is in testing mode and your account is not listed as a test user.
Fix: Open the OAuth consent screen in your GCP project → Test users → Add users → enter your Google account email. Then retry gws auth login.
Expected when your app is in testing mode. Click Advanced → Go to <app name> (unsafe) to proceed. This is safe for personal use; verification is only required to publish the app to other users.
Unverified (testing mode) apps are limited to ~25 OAuth scopes. The recommended scope preset includes many scopes and will exceed this limit.
Fix: Select only the scopes you need:
gws auth login --scopes drive,gmail,calendar
gcloud CLI not foundgws auth setup requires the gcloud CLI to automate project creation. You have three options:
gcloud directly.gws auth setup which wraps gcloud calls.gcloud entirely — set up OAuth credentials manually in the Cloud Consoleredirect_uri_mismatchThe OAuth client was not created as a Desktop app type. In the Credentials page, delete the existing client, create a new one with type Desktop app, and download the new JSON.
accessNotConfiguredIf a required Google API is not enabled for your GCP project, you will see a
403 error with reason accessNotConfigured:
{
"error": {
"code": 403,
"message": "Gmail API has not been used in project 549352339482 ...",
"reason": "accessNotConfigured",
"enable_url": "https://console.developers.google.com/apis/api/gmail.googleapis.com/overview?project=549352339482"
}
}
gws also prints an actionable hint to stderr:
💡 API not enabled for your GCP project.
Enable it at: https://console.developers.google.com/apis/api/gmail.googleapis.com/overview?project=549352339482
After enabling, wait a few seconds and retry your command.
Steps to fix:
enable_url link (or copy it from the enable_url JSON field).gws command.[!TIP] You can also run
gws auth setupwhich walks you through enabling all required APIs for your project automatically.
cargo build # dev build
cargo clippy -- -D warnings # lint
cargo test # unit tests
./scripts/coverage.sh # HTML coverage report → target/llvm-cov/html/
Apache-2.0
[!CAUTION] This is not an officially supported Google product.