Google OAuth setup
1. Create a Google Cloud project and OAuth client
Section titled “1. Create a Google Cloud project and OAuth client”- Open Google Cloud Console and create (or select) a project.
- Navigate to APIs & Services → Credentials → Create Credentials → OAuth 2.0 Client ID.
- Set the application type to Web application.
2. Register the redirect URIs
Section titled “2. Register the redirect URIs”Add both of the following as Authorized redirect URIs in your OAuth client. Replace https://book.example.com with your actual APP_BASE_URL:
${APP_BASE_URL}/api/google/callback${APP_BASE_URL}/api/google/login/callbackBoth URIs must be registered — one is used for the per-user Calendar connection flow, the other for Google sign-in.
3. Set the environment variables
Section titled “3. Set the environment variables”Copy the Client ID and Client Secret from the Credentials page, then set:
GOOGLE_OAUTH_CLIENT_ID=your-client-idGOOGLE_OAUTH_CLIENT_SECRET=your-client-secret# Strong random string shared by ALL replicasGOOGLE_OAUTH_STATE_SECRET=<openssl rand -hex 32>GOOGLE_OAUTH_STATE_SECRET must be the same value on every replica. Generate it with:
openssl rand -hex 324. Secure tokens at rest
Section titled “4. Secure tokens at rest”TOKEN_ENCRYPTION_KEY encrypts stored Google OAuth tokens with AES-256-GCM. See the Configuration reference for details.
5. Connect accounts and use
Section titled “5. Connect accounts and use”Each user connects their own Google account from the owner console (/me). Once connected, every new booking automatically:
- Creates a Google Calendar event on the user’s calendar.
- Generates a Google Meet link included in the booking confirmation.
OAuth verification
Section titled “OAuth verification”Until your OAuth app is verified, Google shows users an “Google hasn’t verified this app” warning and caps the app at 100 new users (a per-project lifetime cap that cannot be reset). To remove the warning and lift the cap, complete verification in the Google Cloud Console:
- Set
OPERATOR_NAMEandPRIVACY_CONTACT_EMAIL(see configuration). calit then serves a complete privacy policy at${APP_BASE_URL}/privacyand terms at${APP_BASE_URL}/terms, including the required Google Limited Use disclosure. - On the OAuth consent screen, set the privacy-policy link to
${APP_BASE_URL}/privacy(and, optionally, terms to${APP_BASE_URL}/terms). - Verify domain ownership — either set
GOOGLE_SITE_VERIFICATIONto the token from Google Search Console (calit renders the<meta>tag on every page), or add the DNS TXT record Google offers. - Submit for verification.
Disconnect detection
Section titled “Disconnect detection”A Google connection can break without warning — access is revoked, the account password is changed, or the refresh token simply expires. calit detects this and fails closed: while an owner’s Google account is disconnected, their public booking page shows “Scheduling temporarily unavailable” instead of offering every slot as free. This prevents bookings landing on top of calendar events calit can no longer see.
Each connected account is probed on a schedule (every GOOGLE_PROBE_INTERVAL, default 1h) for a still-valid connection; the probe also keeps the refresh token warm. When a disconnect is found, the owner is emailed once per outage with a link to reconnect on the /me/google settings page.