[INTERNAL] Google Workspace permissions: user phone numbers and addresses

Last updated: April 3, 2026

Applicable to:
  • Twingate Component: IdP - Google Workspace (GSuite)

Overview

During IdP configuration, Google Workspace prompts the administrator to grant access to user addresses and user phone numbers.

Twingate does not access this information. However, Google requires these permissions for the IdP sync to take place.


Details

Twingate's data privacy for the Google Workspace IdP:

https://www.twingate.com/docs/google-workspace-configuration/

Data privacy

Twingate only syncs the information that is necessary to provide our service:

  • User first and last names
  • User email addresses
  • User avatars
  • Group membership (if Group Sync is enabled)



In order for Twingate to sync this data, Twingate went through Google's verification process:



https://developers.google.com/identity/protocols/oauth2/scopes

If your public application uses scopes that permit access to certain user data, it must complete a verification process. If you see unverified app on the screen when testing your application, you must submit a verification request to remove it. Find out more about unverified apps and get answers to frequently asked questions about app verification in the Help Center.



For the authentication flows, we use the scopes below to obtain the user's email address and profile picture.



https://developers.google.com/identity/protocols/oauth2/scopes#oauth2

Google OAuth2 API, v2

Scopes
  • https://www.googleapis.com/auth/userinfo.email: See your primary Google Account email address
  • https://www.googleapis.com/auth/userinfo.profile: See your personal info, including any personal info you've made publicly available
  • openid: Associate you with your personal info on Google



For the sync flows, we use the scopes below. The phone numbers and addresses item in the consent prompt comes from the user read scope (admin.directory.user.readonly). Unfortunately, Twingate is unable to limit this scope any further, so we cannot request narrower permissions that cover only what Twingate syncs.



https://developers.google.com/identity/protocols/oauth2/scopes#admin-directory

Admin SDK API, v1

Scopes
  • https://www.googleapis.com/auth/admin.directory.group.readonly: View groups on your domain
  • https://www.googleapis.com/auth/admin.directory.orgunit.readonly: View organization units on your domain
  • https://www.googleapis.com/auth/admin.directory.user.readonly: See info about users on your domain
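
An administrator who wants to confirm that a grant matches the six scopes listed above can compare the granted scope string against them. The following is an added example, not Twingate's code; the function name `audit_scopes` and the sample scope strings in the usage are constructed, and the input is assumed to be a space-delimited scope string as found in the `scope` field of an OAuth 2.0 token response.

```python
# Added example (not Twingate code): audit a granted scope string against
# the authentication and sync scopes listed on this page.
BASE = "https://www.googleapis.com/auth/"

EXPECTED_AUTH = {
    "openid",
    BASE + "userinfo.email",
    BASE + "userinfo.profile",
}
EXPECTED_SYNC = {
    BASE + "admin.directory.group.readonly",
    BASE + "admin.directory.orgunit.readonly",
    BASE + "admin.directory.user.readonly",
}
# OpenID Connect short scope names that Google accepts for the userinfo scopes.
ALIASES = {"email": BASE + "userinfo.email", "profile": BASE + "userinfo.profile"}


def audit_scopes(granted: str) -> dict:
    """Compare a space-delimited scope string with the scopes on this page.

    Returns the scopes that are missing, the scopes that are not on the
    page, and any Admin SDK directory scope that is not read-only.
    """
    scopes = {ALIASES.get(s, s) for s in granted.split()}
    expected = EXPECTED_AUTH | EXPECTED_SYNC
    unexpected = scopes - expected
    writable = {
        s for s in scopes
        if s.startswith(BASE + "admin.directory.") and not s.endswith(".readonly")
    }
    return {
        "missing": sorted(expected - scopes),
        "unexpected": sorted(unexpected),
        "writable_directory": sorted(writable),
        "ok": not unexpected,  # every expected scope is read-only or identity-only
    }


if __name__ == "__main__":
    # Constructed sample: the six expected scopes plus a read/write user scope.
    sample = " ".join(sorted(EXPECTED_AUTH | EXPECTED_SYNC)) + " " + BASE + "admin.directory.user"
    print(audit_scopes(sample))
```
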