
Secure Google API access with OAuth authorization and token storage

Learn how to build smart productivity apps (e.g., AI agent) that integrate with Google APIs using Logto Secret Vault for secure access and refresh token storage, incremental authorization, and seamless OIDC/OAuth 2.0 integration.

Ran
Product & Design


In today's interconnected digital landscape, applications that can effortlessly integrate with third-party services provide exceptional user experiences. Whether you're building a productivity suite, an AI agent, or a document collaboration platform, the ability to securely access and use APIs from services like Google, GitHub, Facebook, or any other service can transform your application from good to indispensable.

Today, we'll explore how Logto's Secret Vault and Social Connector capabilities enable you to build a smart productivity application that integrates with Google APIs. We'll demonstrate secure token storage, retrieving access tokens for AI access, incremental authorization, and seamless third-party service integration.

The challenge: Building a smart calendar assistant

Imagine you're developing a "Smart Calendar Assistant", an application that helps users manage their schedules intelligently. Here's what your app needs to accomplish:

  1. Basic authentication: Users sign in with their Google account to access the app.
  2. Profile management: Display the user's basic profile information.
  3. Calendar integration: Read calendar events to provide schedule insights.
  4. Advanced features: Create calendar events, send meeting invitations via Gmail, and manage Google Drive documents, but only when users explicitly request these premium features.

The challenge? You need different levels of Google API access at different times, and you must store tokens securely for ongoing API operations without constantly prompting users for re-authentication.

Solution: Logto's incremental authorization with Secret Vault

Logto's approach solves this elegantly through:

  • Minimal initial scopes: Request only essential permissions during sign-in.
  • Incremental authorization: Request additional scopes on-demand for premium features.
  • Secure token storage: Store and manage access/refresh tokens in the encrypted Secret Vault.
  • Automatic token refresh: Handle token expiration transparently.

Let's walk through the implementation.

Step 1: Setting up Google connector with basic scopes

First, create and configure your Google connector in Logto Console. During the initial setup, configure minimal scopes for basic authentication:

View Google API Library and OAuth 2.0 scopes documentation to find the scopes you need for your application.

Key Configuration Steps:

  1. Create a Google OAuth client in Google Cloud Console. Check all scopes required for your application.
  2. Configure the Logto Google connector with your client credentials. Add the minimal scopes listed above in the Scopes field.
  3. Enable Store tokens for persistent API access in the connector settings.
  4. Set Prompts to include consent and enable Offline Access to ensure refresh tokens are issued.

Read details in the Logto documentation on Google connector setup.

This setup allows users to sign in and grants your app permission to read their calendar events. This is perfect for providing basic schedule insights.

Step 2: Implementing sign-in flow

Navigate to Logto > Sign-in experience > Sign-up and sign-in. Add the Google connector under the Social sign-in section to let users authenticate with Google.

When users sign in with Google, Logto automatically:

  • Authenticates the user with the configured scopes.
  • Stores the access and refresh tokens securely in the Secret Vault.
  • Returns user profile information to your application.

The tokens are now securely stored and tied to the user's Google identity, ready for API calls.

Step 3: Accessing Google APIs with stored tokens

To read the user's calendar events, retrieve the stored access token and call the Google Calendar API:

Logto handles token refresh automatically. If the access token is expired but a refresh token exists, Logto will obtain a new access token transparently.

Step 4: Incremental authorization for premium features

When users want to access premium features (like creating calendar events or accessing Gmail), use Logto's Social Verification API to request additional scopes:

After the user grants additional permissions, complete the verification and update the stored tokens:

Now your app can create calendar events and send emails with the updated token that includes the new scopes.
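The gating logic behind steps 3 and 4, as an added illustration (not Logto's SDK or API): `tokenRecord` is a constructed shape standing in for whatever your backend receives from the Secret Vault, and the only real identifiers are the Google scope URIs and the Calendar API endpoint.

```javascript
// Added illustration (not Logto's SDK): scope gating for incremental authorization.
// tokenRecord is a constructed shape { accessToken, refreshToken, expiresAt (ms), scopes[] }
// standing in for what your backend receives from the Secret Vault.
const SCOPE = {
  CALENDAR_READ: 'https://www.googleapis.com/auth/calendar.readonly',
  CALENDAR_WRITE: 'https://www.googleapis.com/auth/calendar.events',
  GMAIL_SEND: 'https://www.googleapis.com/auth/gmail.send',
};

// Scopes each feature needs; premium features need more than sign-in granted.
const FEATURE_SCOPES = {
  scheduleInsights: [SCOPE.CALENDAR_READ],
  createEvent: [SCOPE.CALENDAR_READ, SCOPE.CALENDAR_WRITE],
  sendInvite: [SCOPE.CALENDAR_WRITE, SCOPE.GMAIL_SEND],
};

// Decide what to do before touching Google: call, refresh, or ask for more scopes.
function planAccess(tokenRecord, feature, now = Date.now()) {
  const required = FEATURE_SCOPES[feature];
  if (!required) throw new Error(`unknown feature: ${feature}`);
  const granted = new Set(tokenRecord.scopes || []);
  // Ask only for what is missing: a minimal, contextual consent prompt.
  const missing = required.filter((s) => !granted.has(s));
  if (missing.length > 0) return { action: 'authorize', scopes: missing };
  // Treat a token expiring within 60 s as expired to avoid racing the deadline.
  if (tokenRecord.expiresAt - now < 60_000) {
    return tokenRecord.refreshToken
      ? { action: 'refresh' }
      : { action: 'authorize', scopes: required }; // no refresh token: re-consent
  }
  return { action: 'call', accessToken: tokenRecord.accessToken };
}

// Call the Calendar API with the bearer token; fetchImpl is injectable for offline use.
async function listUpcomingEvents(accessToken, fetchImpl = fetch) {
  const url = 'https://www.googleapis.com/calendar/v3/calendars/primary/events'
    + '?maxResults=10&singleEvents=true&orderBy=startTime';
  const res = await fetchImpl(url, { headers: { Authorization: `Bearer ${accessToken}` } });
  // 401 means Google rejected the token (revoked or expired upstream): re-plan, don't loop.
  if (res.status === 401) return { error: 'token_rejected' };
  if (!res.ok) throw new Error(`calendar api error ${res.status}`);
  return res.json();
}

// Constructed token record: sign-in granted only read access, valid for an hour.
const demoToken = {
  accessToken: 'ya29.constructed', refreshToken: '1//constructed',
  expiresAt: Date.now() + 3_600_000, scopes: [SCOPE.CALENDAR_READ],
};
console.log(planAccess(demoToken, 'scheduleInsights'), planAccess(demoToken, 'sendInvite'));
```

Because `planAccess` requests only the scopes a feature is missing, a user who has already granted calendar write access is prompted for Gmail alone when they first send an invitation.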

Step 5: Managing token status

Logto Console provides comprehensive token management capabilities. Navigate to User Management > select a user > Social Connections to view:

  • Token Status: Active, Expired, Inactive, or Not Applicable
  • Token Metadata: Creation time, last update, expiration, and granted scopes
  • Connection Management: View profile information synced from Google

This visibility helps administrators understand user connection states and troubleshoot any token-related issues.

Beyond Google: Comprehensive third-party integration

You can extend your Smart Calendar Assistant to integrate with various services beyond Google. Popular social connectors include:

  • Google: authentication, calendar, and Gmail integration
  • GitHub: code repositories and issue management
  • Facebook: social features and marketing insights

Additional prebuilt connectors are coming soon to support token storage capabilities.

For custom integrations, Logto provides flexible options through standard OIDC or OAuth 2.0 connections. This comprehensive ecosystem allows you to connect with virtually any third-party service your organization uses.

Security and best practices

Logto's Secret Vault employs enterprise-grade security:

  • Per-secret encryption: Each token set uses unique Data Encryption Keys (DEK)
  • Key wrapping: DEKs are encrypted with Key Encryption Keys (KEK)
  • Minimal exposure: Tokens are decrypted only when needed for API calls
  • Automatic cleanup: Tokens are deleted when users disconnect accounts or connectors are removed

Conclusion

Logto is a developer-friendly authentication platform that enables secure applications with comprehensive third-party service integration.

With Logto's incremental authorization and secure token storage, your Smart Calendar Assistant delivers a seamless user experience that balances functionality with security. Users enjoy frictionless onboarding through single sign-on that requests only the minimal permissions needed for core features. As they explore advanced capabilities, progressive enhancement unlocks premium features through natural, contextual permission requests.

Persistent access via securely stored tokens enables ongoing API operations without constantly interrupting users for re-authentication, creating a smooth, professional experience. This system is built with security by design, leveraging enterprise-grade encryption to protect user credentials and maintain trust.

Ready to build your own third-party API integration? Here's how to start:

  1. Set up Logto: Create your Logto tenant and configure your first social connector
  2. Enable token storage: Turn on "Store tokens for persistent API access" in your connector settings
  3. Implement incremental authorization: Use the Social Verification API for on-demand scope requests
  4. Build and scale: Expand to additional providers using Logto's comprehensive connector ecosystem

The future of application development lies in seamless service integration. With Logto's Secret Vault and Connectors, you have the tools to build applications that are not just functional, but truly interconnected with the services your users rely on daily.

Want to explore more? Check out our integration guides and start building your next connected application today.