Developer Infrastructure

Secure Google Workspace MCP

Integrated Google Workspace APIs into Claude Code with enterprise-grade secret management. 1Password injects OAuth credentials at runtime—secrets never touch disk or appear in logs.

Claude Code, 1Password, Google Workspace, OAuth, MCP

The Challenge

The Google Workspace MCP requires OAuth client credentials (client_id and client_secret) to access Gmail, Calendar, Drive, and other Google APIs. Storing these in plaintext config files or environment variables creates security risks—credentials in repos, logs, or shell history.

The Approach

Used 1Password CLI (`op run`) to inject credentials at runtime. The MCP runs wrapped in `op run --env-file=.env.template`, pulling secrets from 1Password vaults only when needed. But this created a new problem: `op run` masks ALL stdout to prevent credential leakage, which blocked the OAuth URL from displaying. Fixed by modifying the MCP to call `webbrowser.open()` directly instead of printing URLs—the browser opens automatically, bypassing stdout entirely.
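A sketch of the auth change described above, as an added example rather than the MCP's own code: credentials come only from the environment that `op run` populates, and the authorization URL goes to `webbrowser.open()` instead of stdout. The variable names, redirect URI and scope are assumptions chosen for illustration.

```python
import os
import urllib.parse
import webbrowser

AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
# Assumed variable names; use whatever your .env.template maps to op:// references.
REQUIRED = ("GOOGLE_OAUTH_CLIENT_ID", "GOOGLE_OAUTH_CLIENT_SECRET")


def load_client_credentials(env=None):
    """Read credentials injected by `op run`; never fall back to a file on disk."""
    env = os.environ if env is None else env
    creds = {}
    for name in REQUIRED:
        value = env.get(name, "")
        if not value:
            raise RuntimeError(f"{name} is not set; start the server under `op run`")
        if value.startswith("op://"):
            # The template was loaded directly, so the reference was never resolved.
            raise RuntimeError(f"{name} is still an unresolved secret reference")
        creds[name] = value
    return creds


def build_auth_url(client_id, redirect_uri, scopes, state):
    """Authorization request: carries the client_id, never the client_secret."""
    query = urllib.parse.urlencode({
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(scopes),
        "state": state,
        "access_type": "offline",
    })
    return f"{AUTH_ENDPOINT}?{query}"


def start_auth(env, redirect_uri, scopes, state, opener=webbrowser.open):
    """Hand the URL to the browser; return a status string with no URL or secret."""
    creds = load_client_credentials(env)
    url = build_auth_url(creds["GOOGLE_OAUTH_CLIENT_ID"], redirect_uri, scopes, state)
    if opener(url):
        return "Browser opened for Google sign-in."
    return "No browser available; run the auth step from a desktop session."
```

The error and status strings name the variable but never echo its value, so nothing credential-bearing reaches stdout or logs even without `op run` masking.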

The Outcome

Full Google Workspace access from Claude Code (Calendar, Gmail, Drive, Docs, Sheets, Tasks) with zero credentials stored on disk. OAuth flows work seamlessly, and `op run` continues protecting any secrets that might appear in output.

Key Details

  • 1Password CLI (`op run`) injects OAuth credentials at MCP startup
  • Credentials stored in 1Password vault, never in config files
  • Modified MCP auth to use `webbrowser.open()` instead of stdout URLs
  • Google Cloud Console requires: test user added, APIs enabled per-service
  • Supported APIs: Calendar, Gmail, Drive, Docs, Sheets, Tasks
  • Works with Claude Code MCP system for natural language Google access