Skip to content
Sonora Sonora Documentation

Google Workspace

Google Workspace is how Sonora reaches across your team’s mailboxes and calendars without anyone individually authorizing access. Your Google admin authorizes Sonora’s service account to read on behalf of users in your domain. No passwords or tokens move between systems.

A single delegation grant covers Gmail, Google Calendar, and Google Meet recordings. You enable just the scopes you want.

What you’ll need

Section titled “What you’ll need”
  • Google Workspace admin access (Super Admin, or delegated API controls)
  • An admin account in your domain that Sonora will use for two purposes: discovering users in the domain, and (optionally) sending action emails. Most teams create a dedicated account like sonora@yourcompany.com.

Choose your scopes

Section titled “Choose your scopes”

Pick the integrations you want, then combine the scopes for the next step.

IntegrationScopeWhat syncs
Gmailhttps://www.googleapis.com/auth/gmail.readonlyEmail threads, participants, timestamps
Gmail (user discovery)https://www.googleapis.com/auth/admin.directory.user.readonlyLists domain users for multi-mailbox sync
Google Calendarhttps://www.googleapis.com/auth/calendar.readonlyEvents, attendees, meeting links
Google Meethttps://www.googleapis.com/auth/meetings.space.readonlyRecordings and transcripts for Meet conferences linked to synced events
Calendar attendee nameshttps://www.googleapis.com/auth/contacts.other.readonly, https://www.googleapis.com/auth/contacts.readonlyResolves attendee display names from each user’s “Other contacts” (auto-built) and personal contacts
Action email sendinghttps://www.googleapis.com/auth/gmail.sendOptional: sends action emails as your users so replies return to their Gmail inboxes

The two contacts scopes back distinct underlying lists and you’ll usually want both. contacts.other.readonly reads the auto-built “Other contacts” list (wide reach, mostly email-only entries); contacts.readonly reads each user’s personal contacts (smaller list, but typically has full names and titles).

Configure domain-wide delegation

Section titled “Configure domain-wide delegation”

Sonora’s client ID: 102467209466409202547

  1. Open Google Admin Console and navigate to Security → Access and data control → API controls.
  2. In Domain-wide delegation, click Manage Domain Wide Delegation.
  3. Click Add new.
  4. Paste 102467209466409202547 into Client ID.
  5. Paste your chosen scopes, comma-separated, into OAuth scopes. For the full Gmail + Calendar + Meet integration including action email sending: 
    https://www.googleapis.com/auth/gmail.readonly,https://www.googleapis.com/auth/admin.directory.user.readonly,https://www.googleapis.com/auth/calendar.readonly,https://www.googleapis.com/auth/meetings.space.readonly,https://www.googleapis.com/auth/contacts.other.readonly,https://www.googleapis.com/auth/contacts.readonly,https://www.googleapis.com/auth/gmail.send
  6. Click Authorize.

Changes typically take effect within a few minutes; Google’s documentation notes it can take up to 24 hours.

Configure Sonora

Section titled “Configure Sonora”

In Sonora’s data source configuration, enter the Admin Email — the Workspace admin Sonora will use for two purposes:

  1. User discovery: Sonora calls the Admin SDK Directory API to list all active users in your domain.
  2. Mail sync: Sonora reads each user’s mailbox via domain-wide delegation.

The admin account needs a Google Workspace license with admin privileges. A dedicated account (e.g. sonora@yourcompany.com) is recommended over a real person’s account so the integration survives team changes.

Filtering users

Section titled “Filtering users”

By default, Sonora syncs every active (non-suspended) user in your domain. Two controls narrow that:

  • Include Users — sync only the listed mailboxes. One email per line. When set, Sonora skips user discovery entirely.
  • Exclude Users — sync everyone except the listed mailboxes. Applied after user discovery.

After setup

Section titled “After setup”

The first sync pulls recent history per user; subsequent syncs are incremental. Status appears in Settings → Integrations. The most common cause of a stalled initial sync is the delegation grant not having propagated yet — wait an hour and check again.

Action email sending

Section titled “Action email sending”

By default, action emails go out from a Sonora-owned domain. Authorizing the optional gmail.send scope makes Sonora send those emails as the assigned user — so replies land in their actual Gmail inbox with their real signature.

To enable: edit the existing entry in Domain-wide delegation for client ID 102467209466409202547, add https://www.googleapis.com/auth/gmail.send to the scope list, save, and wait a few minutes for propagation.

Revoke access

Section titled “Revoke access”

Remove Sonora’s client ID from the domain-wide delegation list in the Admin Console. Access stops immediately. There’s nothing to delete on Google’s side beyond the delegation entry itself.

Security notes

Section titled “Security notes”

Domain-wide delegation grants Sonora’s service account the ability to act as users in your domain, scoped to exactly the permissions you allowed. Sonora never receives passwords, OAuth tokens, or API keys from your organization, and the grant remains entirely in your admin’s control.

If your network requires IP allowlisting, see Sonora’s static IPs.