Google Calendar API And Google App Verification Process

I'm creating a website for a client that utilizes the Google Calendar API. Essentially, the client needs to be able to input his calendar ids and have events populate on the website. This is handled via a firebase function that performs a request to the Calendar API.

The first thing I tried was following Google's quickstart tutorial for calendar API. This worked for a while until the temporary access token they provided expired, and I realized the access token was temporary.

Next, I generated my own OAuth2 client ID and used that. This worked briefly until I started receiving "Anonymous usage expired" errors from Google, which after some time I realized was because the key did not have the read-only calendar scope enabled.

In attempting to enable the scope, I was told that I need to verify my app with Google, which can take several weeks and requires that I write terms of service and privacy policy for my app. This seems a little unnecessary, as it will only be reading events from one person's calendar, and he has already granted me approval and access.

My next thought was to make the calendars public and use a static API key, but the calendar is synced from a booking service called Peak Pro, which populates the calendar descriptions with the names, emails, and phone numbers of the clients attending events. I can't expose those publicly.

Next, I was drawn to the CalDAV API, but it seems to have the same requirements with regards to verifying the OAuth2 consent screen with Google.

I wouldn't normally pose such a basic question, but I've been unable to find a solution after 3 weeks. Does Google provide another option here that I'm missing?



Unfortunately the simple answer is that no, Google doesn't provide another option for this.

For security reasons when providing a service to users outside of your domain using the G-Suite APIs, the process necessitates Google's verification of the application. This is purely for security reasons, as personal information could be read and passed by the application, and without this manual verification code could be executed beyond that which the application developer is claiming.

As a workaround for this however, you can use the iframe embed provided in the Calendar's settings to import the calendar into the webpage after making the event details of the events private. Your client can provide this link to you by completing these steps:

  1. Go to
  2. At the top right of the page, go to ⚙ -> Settings
  3. Select the Calendar you wish to display on the left-hand panel of the page.
  4. Under 'Access Permissions', click 'Make Available to Public' and change the drop down menu to have 'See only free/busy (hide details)' selected [1].
  5. Under 'Integrate Calendar', there are links to a public URL of the calendar, and an iframe embed code.

'See only free/busy (hide details)' selected

With 'See only free/busy (hide details)' selected, the only information that will be available to view to anonymous/public users is the time of the event and the owner of the calendar. All other information for an event in the calendar is hidden unless the person viewing the page is invited to the event and logged in [2].

Calendar event information is private unless user is invited