Connect Google Workspace
The Gmail and Google Drive connectors let a project query user-managed Google Workspace data without requiring a global arka-deck Google OAuth app.
The model is intentionally different from a SaaS OAuth flow:
- arka-deck does not ship or require a Google OAuth client secret;
- the user supplies the runtime credential or an API gateway token for the installation;
- the secret is encrypted server-side like other connector credentials;
- the user may attach a user-managed MCP endpoint to the same installation;
- if no MCP endpoint is declared, arka-deck does not expose a fake one.
What agents can do
Section titled “What agents can do”| Connector | Read actions | Governed write actions |
|---|---|---|
| Gmail | Search messages, read one message, list labels | Create draft, send draft |
| Google Drive | Search files, read file metadata, export a file | Create shortcut |
Write and trigger actions remain governed by project grants. If an agent lacks context, the connector prompt tells it to ask the user instead of guessing.
Configure
Section titled “Configure”- Open Settings → External services.
- Choose Gmail or Google Drive.
- Add a label and the runtime token/gateway token you control.
- Optionally add your MCP endpoint for the same connector.
- arka-deck stores only the encrypted secret reference and the non-secret MCP endpoint.
- Open the target project, then External sources → Project MCP.
- Attach the Google Workspace installation if it exposes an MCP endpoint, then test the created card.
MCP endpoint policy:
- remote endpoints must use HTTPS;
- local endpoints may use HTTP only on loopback (
127.0.0.1,localhost); - URLs containing embedded credentials are refused.
Once attached to the project, the MCP server is exposed to agents under a connector_* name. It is not available in other projects unless attached there too.
Limits
Section titled “Limits”- No global Google OAuth app is provided by arka-deck.
- No automatic Gmail or Drive mirroring into arka-deck.
- No fake MCP endpoint when the user has not configured one.
- The current API path is for user-managed tokens/gateways; production OAuth delegation is a separate product decision.