Google Workspace CLI (gws) is a versatile command-line tool designed to interact with Google Workspace services such as Drive, Gmail, Calendar, Sheets, Docs, Chat, and Admin. Built dynamically from Google's Discovery Service, it adapts to new API endpoints automatically, offering a comprehensive suite of commands for developers and IT administrators.
Key Features:
AI Agent Skills: Pre-built skills enable AI agents to perform tasks like managing files or sending messages without custom coding.
Dynamic Command Surface: Automatically generates commands from Google's Discovery Service, ensuring up-to-date support for all Workspace APIs.
Structured JSON Output: Facilitates integration with tools and workflows by providing consistent, machine-readable responses.
Multiple Authentication Methods: Supports OAuth, service accounts, access tokens, and credentials file for flexible deployment in various environments.
Integration with Automation Tools: Works seamlessly with OpenClaw and Gemini CLI for enhanced workflow automation.
Audience & Benefit:
Ideal for developers and IT administrators seeking to streamline Google Workspace interactions. Benefits include reduced boilerplate code, simplified API integration, and the ability to automate tasks across multiple services efficiently. AI agents benefit from ready-to-use skills, enabling them to manage Workspace resources without custom tooling.
Installable via winget, gws offers a powerful solution for automating and managing Google Workspace services effectively.
README
gws
One CLI for all of Google Workspace — built for humans and AI agents.
Drive, Gmail, Calendar, and every Workspace API. Zero boilerplate. Structured JSON output. 40+ agent skills included.
> [!NOTE]
> This is not an officially supported Google product.
gws doesn't ship a static list of commands. It reads Google's own Discovery Service at runtime and builds its entire command surface dynamically. When Google Workspace adds an API endpoint or method, gws picks it up automatically.
> [!IMPORTANT]
> This project is under active development. Expect breaking changes as we march toward v1.0.
Node.js 18+ — for npm install (or download a pre-built binary from GitHub Releases)
A Google Cloud project — required for OAuth credentials. You can create one via the Google Cloud Console or with the gcloud CLI or with the gws auth setup command.
A Google account with access to Google Workspace
Installation
The recommended way to install gws is to download the pre-built binary for your OS and architecture from the GitHub Releases page. Extract the archive and place the gws binary in your $PATH.
For convenience, you can also use npm to automate downloading the appropriate binary from GitHub Releases:
Credentials are encrypted at rest (AES-256-GCM) with the key stored in your OS keyring (or ~/.config/gws/.encryption_key when GOOGLE_WORKSPACE_CLI_KEYRING_BACKEND=file).
gws auth setup # one-time: creates a Cloud project, enables APIs, logs you in
gws auth login # subsequent scope selection and login
> gws auth setup requires the gcloud CLI. If you don't have gcloud, use the manual setup below instead.
> [!WARNING]
> Scope limits in testing mode: If your OAuth app is unverified (testing mode),
> Google limits consent to ~25 scopes. The recommended scope preset includes 85+
> scopes and will fail for unverified apps (especially for @gmail.com accounts).
> Choose individual services instead to filter the scope picker:
> bash > gws auth login -s drive,gmail,sheets >
Manual OAuth setup (Google Cloud Console)
Use this when gws auth setup cannot automate project/client creation, or when you want explicit control.
> [!IMPORTANT]
> You must add yourself as a test user. In the OAuth consent screen, click
> Test users → Add users and enter your Google account email. Without this,
> login will fail with a generic "Access blocked" error.
Then run:
gws auth login
Browser-assisted auth (human or agent)
You can complete OAuth either manually or with browser automation.
Human flow: run gws auth login, open the printed URL, approve scopes.
Agent-assisted flow: the agent opens the URL, selects account, handles consent prompts, and returns control once the localhost callback succeeds.
If consent shows "Google hasn't verified this app" (testing mode), click Continue.
If scope checkboxes appear, select required scopes (or Select all) before continuing.
Headless / CI (export flow)
Complete interactive auth on a machine with a browser.
Export credentials:
gws auth export --unmasked > credentials.json
On the headless machine:
export GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE=/path/to/credentials.json
gws drive files list # just works
Service Account (server-to-server)
Point to your key file; no login needed.
export GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE=/path/to/service-account.json
gws drive files list
Pre-obtained Access Token
Useful when another tool (e.g. gcloud) already mints tokens for your environment.
Environment variables can also live in a .env file.
AI Agent Skills
The repo ships 100+ Agent Skills (SKILL.md files) — one for every supported API, plus higher-level helpers for common workflows and 50 curated recipes for Gmail, Drive, Docs, Calendar, and Sheets. See the full Skills Index for the complete list.
# Install all skills at once
npx skills add https://github.com/googleworkspace/cli
# Or pick only what you need
npx skills add https://github.com/googleworkspace/cli/tree/main/skills/gws-drive
npx skills add https://github.com/googleworkspace/cli/tree/main/skills/gws-gmail
OpenClaw setup
# Symlink all skills (stays in sync with repo)
ln -s $(pwd)/skills/gws-* ~/.openclaw/skills/
# Or copy specific skills
cp -r skills/gws-drive skills/gws-gmail ~/.openclaw/skills/
The gws-shared skill includes an install block so OpenClaw auto-installs the CLI via npm if gws isn't on PATH.
Installing this extension gives your Gemini CLI agent direct access to all gws commands and Google Workspace agent skills. Because gws handles its own authentication securely, you simply need to authenticate your terminal once prior to using the agent, and the extension will automatically inherit your credentials.
Some services ship hand-crafted helper commands alongside the auto-generated Discovery surface. Helper commands are prefixed with + so they are visually distinct and never collide with Discovery-generated method names.
Time-aware helpers (+agenda, +standup-report, +weekly-digest, +meeting-prep) automatically use your Google account timezone (fetched from Calendar Settings API and cached for 24 hours). Override with --timezone/--tz on +agenda, or set the --timezone flag for explicit control.
Run gws --help to see both Discovery methods and helper commands together.
Log level for stderr (e.g., gws=debug). Off by default.
GOOGLE_WORKSPACE_CLI_LOG_FILE
Directory for JSON log files with daily rotation. Off by default.
GOOGLE_WORKSPACE_PROJECT_ID
GCP project ID override for quota/billing and fallback for helper commands
Environment variables can also be set in a .env file (loaded via dotenvy).
Exit Codes
gws uses structured exit codes so scripts can branch on the failure type without parsing error output.
Code
Meaning
Example cause
0
Success
Command completed normally
1
API error
Google returned a 4xx/5xx response
2
Auth error
Credentials missing, expired, or invalid
3
Validation error
Bad arguments, unknown service, invalid flag
4
Discovery error
Could not fetch the API schema document
5
Internal error
Unexpected failure
gws drive files list --params '{"fileId": "bad"}'
echo $? # 1 — API error
gws unknown-service files list
echo $? # 3 — validation error (unknown service)
Architecture
gws uses a two-phase parsing strategy:
Read argv[1] to identify the service (e.g. drive)
Fetch the service's Discovery Document (cached 24 h)
Build a clap::Command tree from the document's resources and methods
Re-parse the remaining arguments
Authenticate, build the HTTP request, execute
All output — success, errors, download metadata — is structured JSON.
Troubleshooting
"Access blocked" or 403 during login
Your OAuth app is in testing mode and your account is not listed as a test user.
Fix: Open the OAuth consent screen in your GCP project → Test users → Add users → enter your Google account email. Then retry gws auth login.
"Google hasn't verified this app"
Expected when your app is in testing mode. Click Advanced → Go to \ (unsafe) to proceed. This is safe for personal use; verification is only required to publish the app to other users.
Too many scopes / consent screen error
Unverified (testing mode) apps are limited to ~25 OAuth scopes. The recommended scope preset includes many scopes and will exceed this limit.
Fix: Select only the scopes you need:
gws auth login --scopes drive,gmail,calendar
gcloud CLI not found
gws auth setup requires the gcloud CLI to automate project creation. You have three options:
Skip gcloud entirely — set up OAuth credentials manually in the Cloud Console
redirect_uri_mismatch
The OAuth client was not created as a Desktop app type. In the Credentials page, delete the existing client, create a new one with type Desktop app, and download the new JSON.
API not enabled — accessNotConfigured
If a required Google API is not enabled for your GCP project, you will see a
403 error with reason accessNotConfigured:
{
"error": {
"code": 403,
"message": "Gmail API has not been used in project 549352339482 ...",
"reason": "accessNotConfigured",
"enable_url": "https://console.developers.google.com/apis/api/gmail.googleapis.com/overview?project=549352339482"
}
}
gws also prints an actionable hint to stderr:
💡 API not enabled for your GCP project.
Enable it at: https://console.developers.google.com/apis/api/gmail.googleapis.com/overview?project=549352339482
After enabling, wait a few seconds and retry your command.
Steps to fix:
Click the enable_url link (or copy it from the enable_url JSON field).
In the GCP Console, click Enable.
Wait ~10 seconds, then retry your gws command.
> [!TIP]
> You can also run gws auth setup which walks you through enabling all required
> APIs for your project automatically.
Development
cargo build # dev build
cargo clippy -- -D warnings # lint
cargo test # unit tests
./scripts/coverage.sh # HTML coverage report → target/llvm-cov/html/
License
Apache-2.0
Disclaimer
> [!CAUTION]
> This is not an officially supported Google product.
