google-forms-api

What is the difference between the token and client secret in the google forms API?


I recently got into working with the google forms API. I tried to use the watch script from the google developer site, and I'm stuck trying to figure out what the difference between the token and client secret files is. I don't remember this being explained when I first learned about this API. I have an oauth client and the corresponding json file for it, so do I need an API key too?

If the answer to this is painfully obvious, please direct me toward a good starting point for learning about how to do this. I've worked with google cloud console before, but last time I used gspread for google sheets and only had to get a service account.


Solution

  • Essentially, the client secret identifies the application requesting the data and the token is proof that the user has given that sole application permission to access certain data only.

    When making an API call to a Google service you need to identify yourself (your application in this case) to successfully retrieve information or make changes to existing information. You can do the same with an API Key when accessing public information.

    What about accessing private data that a user owns?

    The client secret allows your application to request user consent, meaning that your application will present itself to Google service and will request the user to accept access to their data, the screen the user sees is called OAuth consent screen, here an example:

    OAuth consent screen sample

    After the user clicks "Allow" on the consent screen Google gives the application a token, the token identifies the user and the scopes the application has been granted.

    The token can only be used by that application, Google will make sure that only the authorized application is accessing the data that the token allows thanks to the client secret.

    A more technical explanation is available in this Help Center article https://support.google.com/a/answer/2538798, including this image that better illustrates how the 3-legged authentication flow works. 3-legged OAuth in Google Workspace