Your Own Credentials — Shapes of Intelligence

You probably don't need this yet. If you're just getting started with the book or setting up your dev environment, skip this page. Come back when a project guide (like Wall of Data or Daily Briefing) tells you it needs Google API access. You'll know when you need it.

Security warning. This guide creates OAuth credentials that can access your Google account — email, calendar, drive, everything you enable. Store credentials in a creds/ folder, add creds/ to .gitignore, and verify with git status before every commit. If you push credentials to a public repo, anyone can use them. Treat client_secret*.json and token*.json like passwords. Enable full-disk encryption on your machine (FileVault on Mac, BitLocker on Windows, LUKS on Linux). If you suspect credentials have leaked: go to Google Cloud Console → Credentials, delete the compromised OAuth client, and create a new one. Revoke any suspicious app access at myaccount.google.com/permissions.

Why you need this

You own your data. But to access it programmatically, you need credentials — an OAuth client that proves you're you. Google (and others) require this even for your own data. Without credentials, you can't write scripts, use CLI tools, or connect MCP servers to your personal accounts.

This guide walks you through creating a Google Cloud project, enabling APIs, and setting up OAuth. An agent can do most of the work — you handle the browser clicks.

What you'll end up with

A Google Cloud project (free tier, no billing required for personal use)
OAuth credentials (a JSON file) that tools like rclone, custom scripts, and MCP servers can use
APIs enabled for your personal data: Drive, Gmail, Calendar, Photos, YouTube, and more

The pain points

Google's OAuth setup is confusing by design. Here's what trips people up, so you know what to expect.

Credential types matter

Desktop (installed) vs Web vs Service Account. For CLI tools and personal scripts, you almost always want Desktop. Getting this wrong is the #1 reason OAuth fails. Web credentials need a redirect server. Service accounts can't access personal data. Desktop credentials pop a browser for consent and hand back a token.

The consent screen trap

Google treats your own unverified app as untrusted. You must add your own email as a test user on the OAuth consent screen. If you skip this, you'll get an "Access blocked" error that tells you nothing useful. This trips up everyone.

SSH passthrough

When running from a remote server or through an agent, the browser redirect can't reach you. rclone wants localhost:53682 but there's no browser. You need to either forward the port via SSH (ssh -L 53682:localhost:53682) or use the manual copy-paste flow.

The localhost trick

Set redirect URI to http://localhost. OAuth redirects there with the token in the URL. It fails — nothing's listening. But the URL in the address bar has the auth code. Copy it. Paste it. The failure IS the workflow. This is how headless OAuth works when you don't have a server running.

APIs to enable

Enable the ones you need. You can always come back and add more later. All are free for personal use at reasonable volumes.

Google Drive API Read/write files, folder structure, sharing metadata

Gmail API Read emails, search, labels

Google Calendar API Events, free/busy, attendees

Photos Library API Albums, photos, metadata

YouTube Data API v3 Watch history, liked videos, playlists

People API Contacts, contact groups

Google Tasks API Task lists and tasks

Fitness API Steps, heart rate, sleep, workouts

Google Sheets API Read/write spreadsheet data

Google Docs API Read/write document content

Vertex AI API Gemini models, embeddings, AI tools

The setup

Start your agent, paste the handoff prompt below, and it walks you through each step. You do the browser clicks — the agent tells you exactly what to click.

Instructions for you, the AI agent

Walk the user through these steps, one at a time. Do NOT try to do the browser steps yourself — tell the user what to click and wait for confirmation before moving on.

Create a Google Cloud project. Direct the user to console.cloud.google.com. Click the project dropdown at the top → New Project. Name it something descriptive (e.g., "wall", "my-data", "personal"). Note the project ID — you'll need it later.
Set up the OAuth consent screen. In the left sidebar: APIs & Services → OAuth consent screen. User type: External. App name: same as the project. Add the user's email as a test user. This step is critical — skipping the test user causes "Access blocked" errors that tell you nothing useful.
Create OAuth credentials. APIs & Services → Credentials → Create Credentials → OAuth client ID. Application type: Desktop app. Name it (e.g., "wall-scrape"). Download the JSON file. Save it to a creds/ folder in the project directory.
Enable APIs. APIs & Services → Library. Walk through the list above, enabling each one the user wants. Batch them — the user can click through the API Library quickly. Search for each API name, click it, click Enable.
Configure rclone (if the user wants Drive access). Install: brew install rclone (Mac) or winget install Rclone.Rclone (Windows). Run rclone config in a separate terminal. Choose "New remote", type "drive", use the custom client_id and client_secret from the downloaded JSON. Scope: drive. Follow the browser OAuth flow.
Test it. rclone lsd gdrive: should list Drive folders. rclone size gdrive: shows total size. If it fails with "Access blocked", go back to step 2 and make sure the user's email is added as a test user.
Store credentials safely. The JSON file contains your client secret. Don't commit it to git. Add creds/ to .gitignore. Note the project ID and client ID in a safe place — you'll need them when configuring other tools.

SSH / headless environments: If the user is working over SSH or in a terminal without a browser, use the manual copy-paste flow. Set the redirect URI to http://localhost. The OAuth redirect will fail (nothing's listening), but the auth code is in the URL bar. Copy it. Paste it back into the terminal. This is expected behavior, not an error.

Tools that use these credentials

rclone — Google Drive, OneDrive, Dropbox, S3, 40+ cloud storage providers
gcloud CLI — direct Google Cloud access for any API
Python google-auth + google-api-python-client — custom scripts for any Google API
MCP servers — Claude's Google Calendar, Gmail integrations use these same OAuth credentials
Node.js googleapis — custom Node scripts for Drive, Sheets, Gmail, and more

Patterns at work

Your Data Is Already Yours — the legal right, the technical how
PII, Keys, and Security — storing credentials safely
The Folder Is the Interface — creds/ folder as project structure
The Steering File — credentials are project-level config

Related guides

Wall of Data — the guide that needs these credentials most
Zero to Dev — start here if you haven't set up your machine

How to start

Open your terminal, create a project folder, start an agent, and point it here.

mkdir my-project && cd my-project

Or use whatever folder you keep projects in.

claude

Or codex or gemini — whichever agent you have.

Follow the instructions on this page. If anything looks unsafe or beyond what I'd reasonably want, tell me before doing it:

Paste this into the agent. It reads this page and walks you through the setup.