gum logofield manual
StartAuthGoogle APIs for agents and terminals

Auth

gum does not ship a hidden Google account. It resolves credentials from the selected local profile and calls only with credentials you configure.

Credential paths

Use case Path Command
Gmail, Calendar, Drive, Docs, Sheets, Slides, Tasks, YouTube, People, Photos, Chat, Classroom, Meet, Apps Script, Admin, Vault, Search Console, Google Ads Bring-your-own OAuth gum auth use-oauth-client, then gum login --service <name>
Automation already running in Google Cloud ADC Configure ADC in the host environment
Maps and Custom Search API key gum auth use-api-key --stdin
Service-account variants Service account key gum auth use-service-account <key.json>
Google Ads Keyword Planner operations OAuth plus developer token gum auth use-ads-developer-token, then gum login --service googleads

OAuth flow

Desktop OAuth clients from Google Cloud Console include a client ID and client secret. Google still requires the secret at the token endpoint for this client type, even when PKCE is used.

bash
printf '%s' "$GOOGLE_OAUTH_CLIENT_SECRET" \
  | gum auth use-oauth-client --client-id "$GOOGLE_OAUTH_CLIENT_ID" --secret-stdin
gum login --service gmail,calendar

gum login runs the loopback browser flow itself. It does not require gcloud. Use --scope for exact scopes, --service for service groups, or --all for the catalog scope union.

Profiles

Every command accepts --profile. Profiles keep config, local state, and credential resolution separate.

bash
gum --profile work auth status
gum --profile lab login --service drive

Use separate profiles when a human account, service account, API key, or Ads developer token should not be mixed with another workflow.

Troubleshooting

  • AUTH_REQUIRED means gum could not resolve a credential for the operation.
  • SCOPE_MISSING means the selected credential exists but lacks at least one

    • required OAuth scope.

  • accessNotConfigured comes from Google when the API is disabled in the Cloud

    • project that owns the OAuth client.

  • Workspace-only APIs require a managed Workspace domain and suitable admin

    • privileges. Consumer Gmail accounts cannot call Admin SDK or domain-wide delegation flows.