Configuring Google
The MCP Gateway can use Google as the identity provider behind its downstream
OAuth flow. The mcp-google-oauth-inbound policy is a Google-friendly wrapper
around the generic mcp-oauth-inbound policy: provide a Google OAuth client ID
and client secret, and the policy uses Google's fixed OIDC issuer
(https://accounts.google.com) and discovery document automatically.
This guide walks through the Google Cloud Console setup, then wires the policy into a gateway project. Read the authentication overview first for the two-layer OAuth model.
Set up Google
The MCP Gateway acts as an OAuth 2.1 authorization server in front of Google. Google handles browser login; the gateway issues its own access tokens that bind to MCP routes.
Create an OAuth client
- In the Google Cloud Console, switch to the project that should own the OAuth client, then open APIs & Services → Credentials.
- Click Create credentials → OAuth client ID. (If prompted, configure the OAuth consent screen first — pick Internal for Google Workspace tenants or External for general use, then add the user types you want to allow.)
- Choose Web application as the application type.
- Give the client a name (for example, Zuplo MCP Gateway).
- Under Authorized redirect URIs, add https://<gateway-host>/oauth/callback. Add http://localhost:9000/oauth/callback for local development with zuplo dev.
- Click Create.
Note the Client ID (looks like
123456789012-abc123def456.apps.googleusercontent.com) and the Client
secret from the dialog. The wrapper rejects values that aren't in Google's
OAuth client ID shape.
Wire the policy into the gateway
Add the policy to config/policies.json:
Code
Set the two environment variables in your project's environment configuration. The secret values belong in the project secret store.
Attach the policy to each MCP route in config/routes.oas.json and register the
gateway plugin in modules/zuplo.runtime.ts (see
Configuring Auth0
for the route and plugin patterns — they're identical across all wrappers).
What the wrapper derives
Google publishes a fixed OIDC discovery document at
https://accounts.google.com/.well-known/openid-configuration. The wrapper
hard-codes the corresponding endpoints:
| Generic field | Derived value |
|---|---|
| oidc.issuer | https://accounts.google.com |
| oidc.jwksUrl | https://www.googleapis.com/oauth2/v3/certs |
| browserLogin.url | https://accounts.google.com/o/oauth2/v2/auth |
| browserLogin.tokenUrl | https://oauth2.googleapis.com/token |
Test the configuration
The fastest sanity check is to connect an MCP client:
- Open Claude Desktop, Cursor, Claude Code, or another OAuth-aware MCP client.
- Add a remote MCP server pointing at one of your /mcp/{slug} routes.
- The client should redirect you to the Google sign-in page. After login, the gateway's consent screen renders. Approve it.
- The client receives an access token and can call tools/list.
If something fails partway through, walk the flow manually using the
manual OAuth testing guide — it exercises every
endpoint with curl so you can see the raw responses.
Common issues
- clientId rejected at boot. The wrapper rejects values that don't use Google's OAuth client ID shape — issuer URLs, API hostnames, project numbers. Use the full 123456789012-abc123def456.apps.googleusercontent.com form.
- redirect_uri_mismatch from Google. The redirect URI on the OAuth client doesn't match https://<gateway-host>/oauth/callback exactly. Match scheme, host, and path.
- access_denied for Google Workspace users. The OAuth consent screen is set to Internal but the user belongs to a different workspace, or the user isn't on the Test users list during pre-verification.
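A preflight check for the first two issues above, written as an added example and not taken from Zuplo's code. The client ID pattern is an assumption inferred from the sample ID on this page (the wrapper's actual rule may differ), and gw.example.com is a constructed placeholder host.

```typescript
// Added example (not Zuplo code). CLIENT_ID_SHAPE is an assumption inferred
// from the sample ID on this page; the wrapper's real rule may differ.
const CLIENT_ID_SHAPE = /^\d+-[a-z0-9]+\.apps\.googleusercontent\.com$/;
const CALLBACK_PATH = "/oauth/callback"; // path given on this page

type Finding = { field: string; problem: string };

// Classify the rejected shapes the page lists: issuer URLs, API hostnames,
// project numbers.
function checkClientId(clientId: string): Finding[] {
  if (CLIENT_ID_SHAPE.test(clientId)) return [];
  let problem = "not in <number>-<id>.apps.googleusercontent.com form";
  if (/^https?:\/\//i.test(clientId)) problem = "looks like a URL, not a client ID";
  else if (/^\d+$/.test(clientId)) problem = "looks like a bare project number";
  else if (/\.googleapis\.com$/i.test(clientId)) problem = "looks like an API hostname";
  return [{ field: "clientId", problem }];
}

function parseUrl(value: string): URL | null {
  try { return new URL(value); } catch { return null; }
}

// Compare the URI registered on the Google OAuth client with the one the
// gateway will send, reporting each component that differs.
function checkRedirectUri(registered: string, gatewayHost: string): Finding[] {
  const expected = parseUrl(`https://${gatewayHost}${CALLBACK_PATH}`);
  const actual = parseUrl(registered);
  if (!expected || !actual) {
    return [{ field: "redirectUri", problem: "not an absolute URL" }];
  }
  const findings: Finding[] = [];
  const diff = (part: string, want: string, got: string) => {
    if (want !== got) {
      findings.push({ field: "redirectUri", problem: `${part}: want ${want}, got ${got}` });
    }
  };
  diff("scheme", expected.protocol, actual.protocol);
  diff("host", expected.host, actual.host);
  diff("path", expected.pathname, actual.pathname);
  if (actual.search || actual.hash) diff("query/fragment", "", actual.search + actual.hash);
  return findings;
}

// Constructed sample values: one placeholder host, one typical mistake each.
console.log(checkClientId("https://accounts.google.com"));
console.log(checkRedirectUri("http://gw.example.com/oauth/callback/", "gw.example.com"));
```

Running it in CI against the values you are about to deploy catches a trailing slash or an http scheme before Google returns redirect_uri_mismatch in the browser.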