Google Workspace Setup
Junto connects to Google Workspace through the Google Admin SDK and Gmail API, giving the AI agent access to users, groups, organizational units, licenses, mobile devices, and email settings across your customer domains.
Prerequisites
A Google Workspace account with Super Admin access for the customer's domain
The customer domain must have Google Workspace (Business, Enterprise, or Education)
Connect via OAuth
In Junto, go to the company's Integrations page.
Find Google Workspace and click Connect.
Authenticate with Super Admin credentials for the customer's domain.
Review and accept the requested permissions.
After authorization, you are redirected back to Junto with an active connection.
The connection is managed automatically from there, including token refresh.
Domain-Wide Delegation
Domain-Wide Delegation (DWD) is an Alpha feature that lets Junto act on behalf of individual mailboxes in your Google Workspace tenant. It unlocks three Gmail-settings tools — Set Email Signature, Get Vacation Settings, and Set Vacation Settings — that cannot work through OAuth alone. Every other Google Workspace tool works through OAuth and does not require DWD.
To set up DWD, create a Google Cloud service account, authorize it for domain-wide delegation in the Google Admin Console, and upload the service account's JSON key to Junto.
Prerequisites
A Google Cloud project associated with the customer's Workspace tenant
Owner or Service Account Admin role on that Google Cloud project
Google Workspace Super Admin access for the Admin Console authorization step
The Gmail API enabled on the project (covered in Step 4 below)
Step 1 — Create the service account
In Google Cloud Console, select the customer's project and go to IAM & Admin → Service Accounts → Create service account. Give it a name like junto-dwd and a description. You do not need to grant any project roles — DWD acts on Workspace APIs, not Google Cloud resources. Click Done to finish creating the service account.
Step 2 — Copy the service account's Client ID
Open the service account, expand Advanced settings on the Details tab, and copy the Client ID shown in the Domain-wide Delegation section. You'll need it in Step 5.
Step 3 — Create a JSON key
Switch to the Keys tab, click Add key → Create new key, choose JSON, and click Create. Google downloads the .json file to your computer. Store it securely — it contains the service account's private key and cannot be recovered if lost. You'll upload it to Junto in Step 6.
If key creation is blocked
Google's "Secure by default" program enforces an organization policy — iam.disableServiceAccountKeyCreation — that blocks service account key creation on new projects. If you see "Service account key creation is disabled", you need to override the policy at the project level.
In Google Cloud Console, go to IAM & Admin → Organization Policies, search for "Disable service account key creation", open it, and click Manage policy. Choose Override parent's policy, click Add a rule, set Enforcement: Off, click Done, then Set policy.
Return to your service account's Keys tab and retry Step 3. This change typically requires the Organization Policy Administrator role (roles/orgpolicy.policyAdmin). If you don't have it, your platform or security team will need to apply the override.
Step 4 — Enable the Gmail API
In Google Cloud Console, open APIs & Services → Library, search for "Gmail API", and click Enable. The Gmail API must be enabled on the project for the service account to mint tokens for Gmail scopes.
Step 5 — Authorize the service account in Google Admin Console
Sign in to admin.google.com as a Super Admin and go to Security → Access and data control → API controls → Domain-wide delegation. Click Add new, paste the Client ID from Step 2, and add exactly these two scopes as a comma-separated list:
Click Authorize.
Step 6 — Upload the key in Junto
In Junto, open the company's Integrations page, click into Google Workspace, then Configure Domain-Wide Delegation. Click Upload service account key.
Paste the JSON key contents or use Upload file to pick the .json file from Step 3. Click Save.
Junto validates the JSON, encrypts the private key at rest, and stores the service account email and key ID. The card then shows Configured and active.
After the upload, delete the downloaded JSON key file from your computer — Junto has the only copy it needs, and the file on disk is a standing credential.
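A pre-upload check for Step 6, as an added example that is not Junto's or Google's code: it reads the service account key JSON and compares it with the Client ID and scopes entered in the Admin Console in Step 5, reporting the mismatches the Troubleshooting section describes. The function name preflight, the sample key values, and the full-URL scope strings (the URL form of gmail.settings.basic and gmail.settings.sharing) are assumptions of this example.

```python
import json

# Assumption: full-URL form of the two scope names the Troubleshooting section lists.
REQUIRED_SCOPES = {
    "https://www.googleapis.com/auth/gmail.settings.basic",
    "https://www.googleapis.com/auth/gmail.settings.sharing",
}
KEY_FIELDS = ("client_id", "client_email", "private_key_id", "private_key")

def preflight(key_json, authorized_client_id, authorized_scopes):
    """Return a list of problems; an empty list means the key file and the
    Admin Console entry agree. The private key is never echoed."""
    try:
        key = json.loads(key_json)
    except json.JSONDecodeError as exc:
        return [f"key is not valid JSON: {exc.msg}"]
    if not isinstance(key, dict):
        return ["key JSON is not an object"]
    problems = []
    if key.get("type") != "service_account":
        problems.append("type is not 'service_account' (wrong kind of credential file)")
    for field in KEY_FIELDS:
        if not key.get(field):
            problems.append(f"missing field: {field}")
    pem = key.get("private_key")
    if pem and not str(pem).startswith("-----BEGIN PRIVATE KEY-----"):
        problems.append("private_key is not a PEM block")
    if key.get("client_id") and key["client_id"] != authorized_client_id.strip():
        problems.append("Client ID in Admin Console does not match the key")
    # Step 5 asks for exactly two scopes: flag anything missing and anything extra.
    granted = {s.strip() for s in authorized_scopes.split(",") if s.strip()}
    for scope in sorted(REQUIRED_SCOPES - granted):
        problems.append(f"scope not authorized: {scope}")
    for scope in sorted(granted - REQUIRED_SCOPES):
        problems.append(f"extra scope authorized (remove it): {scope}")
    return problems

# Constructed sample key: every value is a placeholder, not a real credential.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "private_key_id": "0000000000000000000000000000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "junto-dwd@example-project.iam.gserviceaccount.com",
    "client_id": "100000000000000000001",
})

if __name__ == "__main__":
    scopes = ",".join(sorted(REQUIRED_SCOPES))
    print(preflight(SAMPLE_KEY, "100000000000000000001", scopes) or "OK")
```

Run it against the downloaded file before deleting it, passing the Client ID and scope list exactly as they appear in the Admin Console entry.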
Rotating or removing the key
Replace key uploads a new JSON key, overwriting the stored one. Use this for periodic key rotation. Remove takes the three Gmail-settings tools offline for the company but leaves every other OAuth-based Google tool working.
What the AI Agent Can Do
Once connected, the AI agent can help manage the customer's Google Workspace environment across the following areas.
User Management
Tool | Description | Risk Level |
List Users | List all users in the domain with optional filtering | Low |
Get User | View user details including name, email, org unit, admin status, and last login | Low |
Create User | Create a new user account | Medium |
Update User | Update user profile properties | Medium |
Suspend User | Suspend a user account, preventing sign-in | High |
Unsuspend User | Reactivate a suspended user account | Medium |
Reset Password | Reset a user's password | High |
Delete User | Permanently delete a user account | High |
Group Management
Tool | Description | Risk Level |
List Groups | List all groups in the domain | Low |
Get Group | View group details | Low |
Create Group | Create a new group | Medium |
Update Group | Update group properties | Medium |
List Group Members | View all members of a group | Low |
Add Group Member | Add a user to a group | Medium |
Remove Group Member | Remove a user from a group | Medium |
Delete Group | Permanently delete a group | High |
Organizational Units
Tool | Description | Risk Level |
List Org Units | List organizational units in the domain | Low |
Move User to Org Unit | Move a user to a different organizational unit | Medium |
Email Aliases
Tool | Description | Risk Level |
List User Aliases | List email aliases for a user | Low |
Add User Alias | Add an email alias for a user | Medium |
Delete User Alias | Remove an email alias from a user | Medium |
Licensing
Tool | Description | Risk Level |
List Licenses | List all license assignments for a product, optionally filtered by SKU | Low |
Get User License | Check if a user has a specific license | Low |
Assign License | Assign a Google Workspace license to a user | Medium |
Remove License | Remove a license from a user | Medium |
Security & Access Control
Tool | Description | Risk Level |
List User Tokens | List OAuth tokens issued to third-party applications for a user | Low |
Revoke User Token | Revoke a third-party application's access token for a user | High |
Mobile Device Management
Tool | Description | Risk Level |
List Mobile Devices | List mobile devices managed by Google Workspace | Low |
Mobile Device Action | Perform actions on a device (wipe, block, approve, account wipe) | High |
Gmail Settings
Tool | Description | Risk Level |
Set Email Signature | Set or update a user's email signature | Medium |
Get Vacation Settings | View a user's auto-reply/vacation settings | Low |
Set Vacation Settings | Configure a user's auto-reply/vacation settings | Medium |
These three Gmail Settings tools require Domain-Wide Delegation to be configured for the company.
High-impact actions (account deletion, password resets, device wipes, token revocation, and user suspension) always require technician approval before the agent proceeds.
Troubleshooting
OAuth connection fails -- Ensure you are signing in as a Super Admin of the customer's Google Workspace domain.
Missing data -- Some features may require specific Google Workspace editions (Business, Enterprise, Education).
Token expired -- The integration refreshes tokens automatically. If the connection shows an error, disconnect and reconnect.
Mobile device actions fail -- Ensure the device is enrolled in Google Workspace mobile management.
"Service account key creation is disabled" -- The iam.disableServiceAccountKeyCreation organization policy is blocking key creation. Override it at the project level (see If key creation is blocked).
Gmail-settings tools return "Domain-Wide Delegation not configured" -- The DWD card in Junto shows "not yet configured", or the scopes in Admin Console don't match. Verify both gmail.settings.basic and gmail.settings.sharing are authorized in Admin Console for the service account's Client ID.
Gmail-settings tools fail with "Google rejected the token request" -- Usually means the Client ID in Admin Console doesn't match the uploaded key, the Gmail API is not enabled on the project, or the impersonated user doesn't exist in the Workspace domain. Check Steps 2, 4, and 5.
