When you configure Enpass as a trusted third-party app in Google Workspace, it requests a specific set of OAuth 2.0 scopes. This page explains what each scope does, why Enpass needs it, and how it is used.
Important: All scopes are user-delegated
Every scope listed below operates under delegated authorization, and the resulting OAuth tokens are handled with strict local-only security. This means:
- Enpass never acts on its own. All Google API calls are executed on behalf of the signed-in user, within the boundaries of that user's own access.
- The user's OAuth access token and refresh token are stored only within the local Enpass app database, encrypted with the user's master password. They are never transmitted to or stored on any Enpass server.
- Because tokens exist only on the user's device, there is no risk of exposure from a server-side breach.
Scope details
openid — OpenID Connect authentication
This is a standard OpenID Connect scope that allows Enpass to authenticate the user via Google's identity platform. It does not grant access to any Google Workspace data — it simply confirms that the user is who they claim to be.
userinfo.email — View the user's email address
https://www.googleapis.com/auth/userinfo.email
Allows Enpass to retrieve the signed-in user's email address. This is used to identify the user within the Enpass app and associate their vaults with the correct account.
userinfo.profile — View the user's basic profile
https://www.googleapis.com/auth/userinfo.profile
Allows Enpass to retrieve basic profile information such as the user's name. This is used for display purposes within the Enpass app when showing which account is connected.
drive.appdata — Manage app-specific configuration data
https://www.googleapis.com/auth/drive.appdata
Grants Enpass read and write access to its own application data folder on Google Drive. This is a private, hidden folder that only the Enpass app can access — it is not visible in the Google Drive user interface and cannot be shared.
drive — Full access to Google Drive files
https://www.googleapis.com/auth/drive
Allows Enpass to access, create, update, and delete files on the user's Google Drive. This scope is required for shared vaults and team vaults that are stored in user-selected Google Drive folders or Shared Drives, enabling vault sharing with other team members via Google Drive's native sharing and permissions model.
drive.file — Access to files opened or created by Enpass
https://www.googleapis.com/auth/drive.file
Allows Enpass to view and manage only the Google Drive files and folders that the user has explicitly opened or created through Enpass.
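An admin-side check for the scope list above, as an added example that is not Enpass or Google code: it takes JSON in the shape returned by the Admin SDK Directory API `tokens.list` method and reports, per user, any granted scope this page does not document and whether the full `drive` scope was granted. The client ID, user keys and sample response are constructed placeholders.

```python
import json

# Scopes documented on this page for the Enpass Google Workspace integration.
DOCUMENTED = {
    "openid",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
    "https://www.googleapis.com/auth/drive.appdata",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.file",
}
# Short aliases Google accepts for the two userinfo scopes.
ALIASES = {
    "email": "https://www.googleapis.com/auth/userinfo.email",
    "profile": "https://www.googleapis.com/auth/userinfo.profile",
}
BROAD = "https://www.googleapis.com/auth/drive"  # full Drive access

def audit_grants(tokens_json, client_id):
    """Return one finding per user grant issued to client_id."""
    findings = []
    for item in json.loads(tokens_json).get("items", []):
        if item.get("clientId") != client_id:
            continue  # grant belongs to a different app
        granted = {ALIASES.get(s, s) for s in item.get("scopes", [])}
        findings.append({
            "user": item.get("userKey"),
            "undocumented": sorted(granted - DOCUMENTED),
            "not_granted": sorted(DOCUMENTED - granted),
            "full_drive": BROAD in granted,
        })
    return findings

# Constructed sample data, not real output. The client ID is a placeholder.
CLIENT_ID = "ENPASS-CLIENT-ID-PLACEHOLDER"
SAMPLE = json.dumps({"items": [
    {"clientId": CLIENT_ID, "userKey": "user-a", "scopes": sorted(DOCUMENTED)},
    {"clientId": CLIENT_ID, "userKey": "user-b", "scopes": [
        "openid", "email", "profile",
        "https://www.googleapis.com/auth/drive.file",
        "https://www.googleapis.com/auth/gmail.readonly"]},
    {"clientId": "other-app-placeholder", "userKey": "user-a",
     "scopes": ["https://www.googleapis.com/auth/calendar"]},
]})

if __name__ == "__main__":
    for finding in audit_grants(SAMPLE, CLIENT_ID):
        print(finding)
```

A non-empty `undocumented` list means the grant carries a scope beyond the six described here and should be reviewed before the app stays trusted.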
What Enpass does NOT do with these scopes
- Enpass never scans your Google Drive automatically. All file operations are performed either within the Enpass folder (Google Drive > Enpass) or within a specific Drive folder that the user explicitly selects using a folder browser inside the app.
- No data is sent to Enpass servers. Vault data, OAuth tokens, and user credentials all remain on the user's local device, encrypted at rest.
Related topics
- Add Enpass to Google Workspace — Step-by-step guide for the admin configuration process.
- Security of Your Data on Google Workspace — How Enpass protects your vault data within Google Drive.