Google OAuth 100 User Limit: How to Scale Past the Cap (2026)


Your app hit the Google OAuth 100 test user limit. Authorization fails, users are locked out, and the 7-day expiration trap makes it worse. Here are the 3 paths to unlimited users - ranked by speed and cost.

Definition

What Is the Google OAuth 100 User Limit?

If your app is in Testing publishing status on the OAuth consent screen, Google hard-limits you to exactly 100 test users. Once that count is reached, any new user attempting to authorize your app receives an error. This is the Google OAuth 100 user limit - and it catches most developers by surprise mid-launch.

Quick Definition

The Google OAuth 100 user limit (also called the "OAuth user cap") restricts apps in Testing mode to a maximum of 100 authorized users. It applies regardless of how many test user emails you add to the Google Cloud Console. When the cap is hit, new users cannot complete the OAuth flow - authorization fails immediately.

Google's Purpose

The cap prevents unreviewed apps from accessing sensitive user data at scale. It forces developers to go through the verification process before reaching production-level usage.

Testing vs Production

In Testing status: hard 100-user cap. In Production status: cap is removed for approved scopes only. Unapproved sensitive scopes remain capped even in production.

Where to See It

Google Cloud Console - APIs & Services - OAuth consent screen - Audience tab. The "Test users" section shows how many of the 100 slots are used.

Where does the Google OAuth 100 user limit appear in the Console?

1. Go to Google Cloud Console

Navigate to APIs & Services in the left menu, then click OAuth consent screen.

2. Check Publishing Status

If your app shows Testing under "Publishing status", the Google OAuth user cap is active. You're limited to 100 authorized users maximum.

3. Open the Audience Tab

Click Audience (previously called "Test users"). Here you see your added test user emails and the running total against the 100-user limit.

4. Check the Error in Your App

When the cap is reached, users see: "OAuth user cap reached" or "access_denied: this app hasn't been verified". Both confirm the Google OAuth 100 user limit is in effect.

Root Causes

Why You're Hitting the Cap (Even After Verification)

The Google OAuth user cap isn't always caused by being in Testing mode. There are 4 distinct scenarios that trigger the cap, and knowing which one applies to you determines the correct fix. Many developers are surprised to discover the cap persists even after completing verification.

01. Testing Status App - Hard Cap (Most Common)

Your app is in Testing publishing status. This is the most common cause of the Google OAuth 100 user limit. No matter how many emails you add to the test user list, the authorization count is capped at 100. The fix: move to Production via app verification.

02. Unapproved Sensitive/Restricted Scopes (Often Overlooked)

Critical insight: Even if your app is in Production, using sensitive scopes (like Gmail read/send, Calendar, Drive) that were never verified re-applies the OAuth user cap. The cap is scope-specific, not just status-specific. This is why some verified apps still hit the Google OAuth user cap.

03. Verification Pending (Waiting Game)

You've submitted your app for verification but Google hasn't approved it yet. The cap stays firmly in place until the review is complete. Sensitive scope reviews take weeks; restricted scopes requiring CASA Tier 2 assessment can take months. No workaround exists during this window.

04. Scope Expansion Re-Triggers the Cap (Expansion Risk)

You were in Production with approved scopes, then added a new sensitive scope (e.g., adding Gmail access to an app that previously only used basic profile). The new scope triggers a re-review requirement, and the Google OAuth user cap re-applies for users authorizing the expanded scope set until the new scope is approved.

The "verified but still capped" trap

Searching "user cap reached limit although verified" is a common developer frustration. The answer is almost always scenario 02: the app is verified but the specific scopes being requested were not part of the verified scope set. Google's cap is granular: it applies per unapproved scope, not per app. Check your exact scope list against your verification approval letter.

Skip all 4 scenarios entirely. Unipile's pre-verified credentials mean your users never hit the Google OAuth 100 user limit, regardless of which scopes you need.

Critical Warning

The Hidden 7-Day Expiration Trap

There's a second problem that makes the Google OAuth 100 user limit even worse for SaaS products. Even if your 100 slots aren't full, the authorizations granted by test users automatically expire after 7 days. This means your users must re-consent every week, which breaks any production workflow.

The 7-Day Trap: Why "Just Add Test Users" Doesn't Work

Google's documentation buries this: refresh tokens for apps in Testing mode are automatically invalidated after 7 days. Your user granted access on Monday? By the following Monday, your app is unauthorized. Your token refresh call returns invalid_grant. The user must go back through the consent screen and re-authorize. For any app handling email sync, this is a complete showstopper.

Day 0 - User Authorizes

User completes OAuth flow. Access token + refresh token granted. App works perfectly.

Day 3 - Tokens Still Valid

App refreshes access token using refresh token. No user action needed. Appears stable.

Day 6 - Warning: 24h Left

Token refresh still works. Tomorrow everything breaks. No warning to the user or developer.

Day 7 - Authorization Expired

Token refresh fails with invalid_grant. User is effectively logged out. Must re-consent.

Email Sync Breaks

Apps syncing Gmail or Outlook lose access after 7 days. Historical sync may trigger again from scratch, causing duplicate data and confused users.

Silent Authentication Failure

There's no email or notification to the user. The app just starts failing API calls. Users discover the problem when a feature stops working, not before.

Weekly Re-Consent Friction

Users are redirected back to Google's consent screen weekly. This destroys retention. Most users won't re-authorize. This churn is directly caused by the Google OAuth test users limit.

Bottom line: Adding test users under the Google OAuth 100 user limit is a temporary workaround, not a solution. The 7-day expiration makes it impossible to run any real production workload on Testing mode credentials. The three valid solutions are: complete Google verification, switch to non-sensitive scopes, or use a provider with pre-verified credentials. We cover all three in detail below.

Step-by-Step

How to Add Test Users to Google OAuth

Before reaching for a permanent fix, you may need to add test users to Google OAuth to unblock specific people during development. Here's the exact process, plus the critical caveats that mean this is never a real solution for production apps.

1. Open Google Cloud Console

Go to console.cloud.google.com and select the project your OAuth credentials belong to. Make sure you're in the correct project - the one where your OAuth 2.0 Client ID was created.

2. Navigate to OAuth Consent Screen

In the left sidebar: APIs & Services, then click OAuth consent screen. If you don't see this option, ensure the Google+ API or the correct API is enabled in your project.

3. Click the "Audience" Tab

In the OAuth consent screen settings, find the Audience tab (previously labeled "Test users" in older Console versions). This is where the Google OAuth 100 user limit is managed. You'll see your current publishing status and the test user count.

See also: Complete guide to the Google OAuth consent screen setup

4. Click "Add Users"

Under the "Test users" section, click the + ADD USERS button. A dialog appears where you can enter email addresses. You must use exact Google account emails (gmail.com or Google Workspace accounts).

5. Enter Emails and Save

Enter one or more email addresses (you can paste a list). Click Add, then Save. The users are now authorized to complete your OAuth flow even while the app is in Testing status. They will see the "unverified app" warning screen but can proceed.

Critical caveats: Why this doesn't solve the Google OAuth 100 user limit
Hard cap at 100: You cannot add more than 100 total test users. Once you hit 100, Google blocks additional entries. The only exception is Workspace accounts where all users in the domain are automatically included if set up that way.
7-day expiration: Authorizations expire after 7 days (as described in the previous section). Adding a user to the list doesn't help if their token has already expired.
Can't remove to free up slots: Removing a test user from the list does NOT free up a cap slot if they've already authorized. The count tracks authorizations, not listed emails.
Not for public apps: You can't know in advance which 100 users will sign up. If your app is public, you can't selectively add strangers. This is only useful for closed beta or internal testing with known users.
Option 1

Complete Google Verification - The Official Path

The canonical way to increase the Google OAuth user limit is to complete the verification process. When approved, the 100-user cap is removed for your verified scopes, and authorizations no longer expire after 7 days. This is the right path if you need your own Google credentials long-term, but it's not fast.

1. Prepare Your App (1-3 days)

Fill out the OAuth consent screen completely. Write a clear homepage URL, privacy policy, and terms of service. Describe exactly which scopes your app needs and why each is required. Incomplete forms are the #1 reason for rejection.

2. Submit for Review (Submit in 1 day)

Click "Publish App" in the OAuth consent screen to trigger verification. Google will email you with next steps. For basic scopes (email, profile), review is automated. For sensitive scopes (Gmail, Calendar, Drive), a manual review begins.

3. Sensitive Scope Review (4-6 weeks)

For scopes like gmail.readonly, calendar.events, or Drive scopes, Google's team manually evaluates your app. Expect back-and-forth emails, demo videos, and justification documents. This can take 4-6 weeks.

4. Restricted Scope - CASA Assessment (2-6 months, $0-$75k)

For restricted scopes (Gmail send, full account access), you need a CASA Tier 2 security assessment. Google-approved assessors audit your app's security posture. Self-serve via Tier 2 app defense is free but time-intensive. Third-party assessors cost $15k-$75k USD.

Scope Type | Examples | Review Time | Cost | Cap Removed?
Non-sensitive | email, profile, openid | Automated (instant) | Free | Yes (Production)
Sensitive | Gmail readonly, Calendar read | 4-6 weeks (manual) | Free | Yes (if approved)
Restricted | Gmail full access, send | 2-6 months (CASA Tier 2) | $0-$75k | Yes (if approved)

Important: Verification only removes the Google OAuth user cap for the specific scopes that were reviewed and approved. If you later add a new sensitive scope, the cap re-applies for users who authorize that new scope until the expanded scope list is re-verified. See the full Google OAuth verification guide for the complete process and what to include in your justification document.
Option 2

Restrict to Non-Sensitive Scopes - The Workaround

Some apps can remove the Google OAuth 100 user limit without going through verification by restricting their scope requests to non-sensitive scopes only. This is the fastest path to unlimited users, but it comes at the cost of not being able to read or write Gmail, Calendar, or Drive data.

Scope | Data Accessed | Sensitivity | Verification? | Cap Applied?
openid | User identity | Non-sensitive | Not required | No cap
email | Email address only | Non-sensitive | Not required | No cap
profile | Name, photo | Non-sensitive | Not required | No cap
gmail.readonly | Read all email content | Sensitive | Required | Cap applies
gmail.send | Send email as user | Restricted | CASA Tier 2 | Cap applies
gmail.modify | Read/write all email | Restricted | CASA Tier 2 | Cap applies
calendar.events | Read/write calendar events | Sensitive | Required | Cap applies

Works: Auth-Only Apps

If your app only needs to identify the user (SSO, "Login with Google"), using openid email profile gives you unlimited users with zero verification. Perfect for authentication flows where you don't need to access email content.

Doesn't Work: Email/Calendar Apps

If your product reads or sends Gmail messages, syncs calendar events, or accesses Drive files, there's no escape from sensitive scopes. Non-sensitive scope limitation is not a viable option for email sync, CRM enrichment, or calendar scheduling apps.

For developers building email apps: This option is essentially not available. Connecting Gmail requires at minimum gmail.readonly, which is a sensitive scope requiring verification. See the complete Gmail API scopes guide for the full breakdown of which scopes require which level of approval. If you need email access without waiting for verification, Option 3 (below) is your only real alternative.
Option 3 - Fastest

Use a Pre-Verified OAuth Provider - The Shortcut

The fastest way to remove the Google OAuth 100 user limit entirely is to use a provider that has already completed Google's verification and CASA Tier 2 assessment with their own credentials. Instead of waiting weeks or months, your users can authorize immediately with no cap, no 7-day expiration, and full access to Gmail and Calendar APIs from day one.

No Google OAuth User Cap

The managed provider uses their own pre-verified Google credentials. Their verification covers all Gmail and Calendar scopes. Your users authorize against credentials that have no 100-user cap and never did.

No 7-Day Token Expiration

Production-verified credentials issue refresh tokens with standard expiration (months, not days). Users never need to re-consent weekly. Gmail sync runs continuously without interruption.

Switch to Your Key Anytime

Once your own verification completes, migrate to your own Google credentials with zero downtime. No re-authentication required for your users. Zero migration cost.

How to connect Gmail accounts with Unipile (no cap, no wait)

Create a free Unipile account

Sign up at dashboard.unipile.com/signup and get your API key. Takes under 2 minutes. No credit card required for the trial.

Link a Gmail account via the API

Call POST /v1/accounts with "provider": "GOOGLE_OAUTH" and "use_unipile_credentials": true. Unipile handles the OAuth flow with its CASA Tier 2 certified credentials. No 100-user limit. See the Unipile Google OAuth docs for the full API reference.

Start reading and sending Gmail immediately

Once the account is linked, call GET /v1/emails to read messages or POST /v1/emails to send. You have full Gmail access from the first API call. Explore the Email API guide for all available endpoints.

Switch to your own credentials when ready

When your Google verification completes (weeks or months later), update the account linking to use your own OAuth credentials. Existing linked accounts continue to work. Your users never notice the transition. See the complete Google OAuth integration guide for the credential migration steps.

The test-to-production strategy: Use Unipile's credentials during your beta and early production phase. Run your Google verification process in parallel. When Google approves your scopes, switch to your own credentials with a single API call. Your linked accounts remain active throughout. This lets you ship in days rather than waiting months for the Google OAuth user cap to be lifted on your own credentials.

Weeks of verification.
Use Unipile's key and start now.

Don't lose customers waiting on Google's review. Connect Gmail accounts in 5 minutes with our pre-verified developer credentials. No Google OAuth 100 user limit, ever.

SOC 2 - GDPR - No app review needed - Switch to your own key anytime
CASA Tier 2 Certified
connect-gmail.sh (curl)

    # No Google Cloud Console. No review.
    # Connect any Gmail account in 5 min.
    # The API key is read from the environment, not hard-coded in the script.
    curl -X POST "https://api.unipile.com/v1/accounts" \
      -H "X-API-KEY: $UNIPILE_KEY" \
      -H "Content-Type: application/json" \
      -d '{ "provider": "GOOGLE_OAUTH", "use_unipile_credentials": true }'

Side-by-Side Comparison

3 Ways to Scale Past the Google OAuth User Cap

Here's an honest comparison of all three paths to remove the Google OAuth 100 user limit. Choose based on your timeline, budget, and whether you need Gmail or Calendar access.

Feature | Option 1: Google Verification | Option 2: Non-Sensitive Scopes | Option 3: Managed Provider (Unipile)
Time to unlimited users | 4 weeks to 6 months | Instant | Under 5 minutes
Cost | $0 to $75,000 (CASA assessment) | Free | Subscription-based
Gmail/Calendar access | Full access (if approved) | No, basic auth only | Full access immediately
7-day expiration issue | Resolved after approval | Not applicable | No expiration, ever
Developer effort | Very high (docs, reviews, CASA) | None (just restrict scopes) | One API call
Own credentials | Yes | Yes | Initially shared, switch later
Best for | Apps requiring full ownership of OAuth flow long-term | Auth-only apps that don't need email/calendar content | SaaS products that need Gmail access from day one

Option 1 Best for control

If you're building a long-term product and need full ownership of the OAuth flow, verification is the right end goal, but plan for the timeline.

Option 2 Best for SSO apps

If your app only needs to identify users (not read their email), non-sensitive scopes completely bypass the cap with zero work.

Option 3 Best for speed + email access

If you need Gmail or Calendar access and can't wait months, Unipile's pre-verified credentials remove the Google OAuth user cap immediately.

Troubleshooting

Common Cap-Related Errors and Fixes

The Google OAuth 100 user limit surfaces in several different error messages depending on where in the flow the cap is hit. Here are the 4 most common errors, with the exact cause and fix for each.

Error 1
access_denied error: oauth_user_cap_reached The app has exceeded its user cap.
OAuth User Cap Reached

The hard cap of 100 authorized users has been hit. Seen by users trying to authorize your app when it's in Testing mode and 100 users have already completed the OAuth flow.

Fixes
Submit your app for verification to move to Production status and remove the Google OAuth user cap for approved scopes.
Use Unipile's pre-verified credentials as an interim solution. No Google OAuth 100 user limit applies.
If still in development, you cannot free up slots by removing test users who already authorized.
Error 2
access_denied error: disallowed_useragent Scope not approved for this app.
User Cap Despite Being "Verified"

Your app is in Production but you're still seeing cap-related errors. This happens when you request scopes not included in your original verification approval. The cap applies scope-by-scope.

Fixes
Cross-check your OAuth request scope list against your Google verification approval. Any extra scope triggers the cap.
Submit a new verification request for the additional scopes. Meanwhile, remove unapproved scopes from your OAuth request.
See Gmail API scopes guide for which scopes require which level of approval.
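
The cross-check described in the first fix above (and in the "verified but still capped" section) can run as a pre-release gate. This is an added example, not code from this page, Google or Unipile; the function names, the sample URL and the approved list are constructed, and the approved list is assumed to be copied from your own verification approval.

```python
from urllib.parse import urlparse, parse_qs

GOOGLE_SCOPE_PREFIX = "https://www.googleapis.com/auth/"
# Identity scopes this page lists as non-sensitive (no verification, no cap).
NON_SENSITIVE = {"openid", "email", "profile"}
# Long forms Google accepts for the email and profile identity scopes.
ALIASES = {
    GOOGLE_SCOPE_PREFIX + "userinfo.email": "email",
    GOOGLE_SCOPE_PREFIX + "userinfo.profile": "profile",
}

# Constructed sample: an authorization URL as the app would build it.
SAMPLE_AUTH_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=constructed-client-id&response_type=code&access_type=offline"
    "&scope=openid%20email"
    "%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.readonly"
    "%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcalendar.events"
)


def normalize(scope):
    """Reduce a scope to its short name so 'gmail.readonly' and the full
    googleapis.com URL compare equal. Other URL scopes are left untouched."""
    scope = ALIASES.get(scope.strip(), scope.strip())
    if scope.startswith(GOOGLE_SCOPE_PREFIX):
        return scope[len(GOOGLE_SCOPE_PREFIX):]
    return scope


def scopes_from_auth_url(url):
    """Extract the space-delimited scope parameter from an authorization URL."""
    query = parse_qs(urlparse(url).query)
    raw = " ".join(query.get("scope", []))
    return {normalize(s) for s in raw.split()}


def unapproved_scopes(requested, approved):
    """Return requested scopes that are neither approved nor non-sensitive.
    Any entry here is a scope that can re-apply the cap."""
    allowed = {normalize(s) for s in approved} | NON_SENSITIVE
    return sorted({normalize(s) for s in requested} - allowed)


if __name__ == "__main__":
    # Assumption: the app was verified for Gmail read access only.
    approved = ["https://www.googleapis.com/auth/gmail.readonly"]
    extra = unapproved_scopes(scopes_from_auth_url(SAMPLE_AUTH_URL), approved)
    if extra:
        raise SystemExit("Scopes outside the verified set: " + ", ".join(extra))
```
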
Error 3
access_denied error: access_denied This user is not authorized to access this application.
Test User Cannot Authorize

A user is trying to authorize but gets an access denied error even though the cap isn't fully reached. Usually the user's email isn't in the Test users list, or you've exceeded the 100 test user count.

Fixes
Go to Cloud Console - OAuth consent screen - Audience - confirm the exact email address is in the Test users list.
Email must be the exact Google account email (case-sensitive). Gmail and Google Workspace accounts only.
Check the consent screen setup guide if the Audience tab isn't visible in your Console.
Error 4
invalid_grant Token has been expired or revoked. { "error": "invalid_grant" }
Authorization Expired After 7 Days

Your app was working, and now token refreshes are failing with invalid_grant. This is the 7-day expiration trap for Testing mode apps. The refresh token was revoked automatically by Google after 7 days.

Fixes
The user must re-authorize. Build a re-consent flow in your app that detects invalid_grant and redirects the user.
Long-term: complete Google verification to move to Production, where tokens don't expire after 7 days.
Or use Unipile - no token expiration at all. See full Google OAuth error reference for all error types.
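
The re-consent flow in the first fix above, and the silent day-7 failure described in the 7-day expiration section, both come down to how the app interprets the token endpoint's reply. The sketch below is an added example, not code from this page, Google or Unipile; the function and class names are hypothetical, and the sample error body is constructed from the message quoted under Error 4.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

# The 7-day Testing-mode refresh-token lifetime described on this page.
TESTING_TOKEN_LIFETIME = timedelta(days=7)
# RFC 6749 section 5.2 error codes that point at the client, not the user.
CONFIG_ERRORS = {"invalid_client", "unauthorized_client", "invalid_request",
                 "unsupported_grant_type", "invalid_scope"}


class Action(Enum):
    STORE_TOKENS = "store_tokens"
    RECONSENT = "reconsent"      # refresh token is dead; send the user to consent
    RETRY_LATER = "retry_later"  # transient failure; keep the refresh token
    FIX_CONFIG = "fix_config"    # operator problem; do not bother the user


@dataclass(frozen=True)
class Decision:
    action: Action
    reason: str
    purge_refresh_token: bool = False


def classify_refresh_response(status, body, granted_at, now, testing_mode):
    """Map one token-endpoint response to one action. Never log `body` on
    success: it contains a live access token."""
    try:
        payload = json.loads(body)
    except ValueError:
        payload = {}
    if not isinstance(payload, dict):
        payload = {}

    if status == 200 and "access_token" in payload:
        return Decision(Action.STORE_TOKENS, "refresh succeeded")
    if status == 429 or status >= 500:
        return Decision(Action.RETRY_LATER, f"transient HTTP {status}")

    error = payload.get("error")
    if not isinstance(error, str):
        error = None
    if error == "invalid_grant":
        # Retrying cannot help: the grant is gone. Delete the stored refresh
        # token so background jobs stop replaying it, then ask for re-consent.
        if testing_mode and now - granted_at >= TESTING_TOKEN_LIFETIME:
            reason = "testing-mode 7-day expiry"
        else:
            reason = "grant revoked or expired"
        return Decision(Action.RECONSENT, reason, purge_refresh_token=True)
    if error in CONFIG_ERRORS:
        return Decision(Action.FIX_CONFIG, f"client misconfiguration: {error}")
    return Decision(Action.FIX_CONFIG, f"unrecognized response, HTTP {status}")


def reconsent_due_soon(granted_at, now, warn_within=timedelta(days=1)):
    """True when a Testing-mode grant is inside its last `warn_within` window,
    so the app can prompt the user before day 7 instead of failing silently."""
    remaining = granted_at + TESTING_TOKEN_LIFETIME - now
    return timedelta(0) < remaining <= warn_within


if __name__ == "__main__":
    granted = datetime(2026, 1, 5, 9, 0, tzinfo=timezone.utc)  # constructed
    # Constructed sample of the error body quoted under Error 4.
    body = ('{"error": "invalid_grant", '
            '"error_description": "Token has been expired or revoked."}')
    late = granted + timedelta(days=7, hours=1)
    print(classify_refresh_response(400, body, granted, late, True))
    print(reconsent_due_soon(granted, granted + timedelta(days=6, hours=2)))
```
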

Google OAuth 100 User Limit - FAQ

Answers to the most common questions about the Google OAuth user cap, how to add test users to Google OAuth, and how to scale past the limit.

The Google OAuth 100 user limit is a restriction applied to apps in Testing publishing status on the OAuth consent screen. When your app is in Testing mode, a maximum of 100 users can authorize it. Once that count is reached, new users receive an access_denied error and cannot complete the OAuth flow. This Google OAuth user cap exists to prevent unreviewed apps from accessing sensitive user data at scale. See our complete Google OAuth guide for the full verification process.

To add test users to Google OAuth: 1) Go to Google Cloud Console. 2) Navigate to APIs & Services, then OAuth consent screen. 3) Click the Audience tab. 4) Click Add Users. 5) Enter Google account emails and save. Note: the list max is 100 emails, and the Google OAuth 100 user limit tracks actual authorizations, not just listed emails. See the consent screen guide for full setup details.

Google automatically invalidates refresh tokens for apps in Testing mode after 7 days. This is a security measure to prevent long-lived access by unverified apps. After 7 days, token refresh calls return invalid_grant, and users must re-authorize. This makes Testing mode completely unsuitable for any production SaaS workflow that requires continuous access. Moving to Production via verification, or using pre-verified provider credentials, resolves this permanently.

Yes, you can increase the Google OAuth user limit by completing Google's verification process and moving to Production status. Once approved, the 100-user cap is lifted for your verified scopes and tokens no longer expire weekly. Alternatively, using Unipile's pre-verified credentials gives you unlimited users immediately with no wait. The Google OAuth 100 user limit cannot be increased within Testing mode: 100 is an absolute hard cap.

The Google OAuth user cap is removed after verification for approved scopes only. If your app requests any scope that was not included in the original verification approval, the cap re-applies for those unapproved scopes. This is why some developers see "oauth user cap reached" even after verification: they added a new scope (like a Calendar scope to an app initially verified for Gmail only) without getting the new scope approved. Always match your OAuth request exactly to your approved scope list.

There are 3 ways to remove the Google OAuth user cap: (1) Complete verification - submit your app for Google's review, get approved for Production status (4 weeks to 6 months). (2) Use non-sensitive scopes only - restrict to openid, email, profile (no Gmail/Calendar access, but no cap). (3) Use Unipile's pre-verified credentials - connect Gmail accounts immediately with our CASA Tier 2 certified keys. No cap, no 7-day expiration, full Gmail access from the first API call.

Non-sensitive scopes that require no verification and have no user cap: openid, email, profile. These give you identity information only. Any scope accessing Gmail content (gmail.readonly, gmail.send), Calendar (calendar.events), or Drive is sensitive or restricted and requires verification. See the Gmail API scopes guide for the complete scope sensitivity breakdown. For apps that need email content, there's no way around verification or using a pre-verified provider.

Google OAuth verification timeline depends on scope type: Non-sensitive scopes (email, profile) are auto-approved instantly when you publish the app. Sensitive scopes like Gmail readonly or Calendar events take 4-6 weeks for manual review by Google's team. Restricted scopes like gmail.send or full Gmail access require a CASA Tier 2 security assessment which takes 2-6 months and can cost $0 (self-serve) to $75,000 (third-party assessor). Plan accordingly and use interim credentials while verification runs.

No. The Google OAuth 100 user limit in Testing mode is a hard, absolute cap that cannot be increased within Testing mode by any means. Google does not offer any exception, upgrade, or workaround for this limit in Testing mode. The only way to exceed 100 authorized users is to move to Production status via verification, or to use pre-verified credentials from a provider like Unipile. There is no paid option or manual override to increase the cap in Testing mode.

The fastest way to connect unlimited Gmail accounts without the Google OAuth 100 user limit is to use Unipile's Gmail API. Unipile uses pre-verified, CASA Tier 2 certified Google credentials. You make one API call with use_unipile_credentials: true and users can authorize immediately. No 100-user cap, no 7-day token expiration, full Gmail read/send access from the first call. You can switch to your own verified Google credentials later without any user re-authentication. See the full API documentation to get started.

Still have questions about the Google OAuth 100 user limit? Our team is here to help.
