Google Workspace CLI icon

Google Workspace CLI

Verified

Free CLI that auto-generates Workspace API commands from Google Discovery Service with 100+ agent skills and a Gemini CLI extension.

Reviewed by ToolWorthy Editors·updated 2 months ago

Pricing:100% Free
Get Started
Jump to section

Featured alternatives

Coasty icon

Coasty

MakersClaw icon

MakersClaw

BrowserAct icon

BrowserAct

YAGNI icon

YAGNI

Timbal AI icon

Timbal AI

Make.com icon

Make.com

Pros & Cons

Editor-reviewed

Pros

  • Completely free and open source — no vendor lock-in or usage metering
  • Discovery-driven command surface never falls behind the Workspace API
  • 100+ pre-built agent skills remove glue code for common automation patterns
  • Gemini CLI extension enables conversational Workspace access with existing credentials
  • Prompt injection defense via Model Armor is an uncommon safety feature for CLI tools
  • AES-256-GCM credential encryption with OS keyring storage
  • Works in CI/CD pipelines and headless environments with credential export

Cons

  • Still pre-v1.0 (v0.16.0) — breaking changes are expected before stable release
  • Manual OAuth setup has multiple friction points (scope limits, Desktop app type selection, test user requirements)
  • Unverified apps in testing mode are limited to ~25 OAuth scopes, blocking the full "all services" preset
  • Not an officially supported Google product — no SLA or enterprise support channel
  • Requires a GCP project for OAuth credentials, which adds setup complexity for non-GCP users
  • --sanitize requires provisioning a Google Cloud Model Armor template in your own GCP project

Overview

Google Workspace CLI (gws) is an open-source command-line tool that gives developers, AI agents, and automation pipelines unified programmatic access to every Google Workspace API through a single binary. Drive, Gmail, Calendar, Sheets, Docs, Chat, and Admin SDK are all reachable from one consistent interface, with no custom authentication boilerplate, no pagination wiring, and no per-service wrapper maintenance.

Built by Justin Poehnelt, a Senior Developer Relations Engineer at Google, and hosted under the official googleworkspace GitHub organization, gws was designed from the ground up for machine consumption — not human discoverability. Its most technically distinctive feature is dynamic command generation: rather than shipping a static list of commands, gws reads Google's Discovery Service at runtime and automatically builds its entire command surface. When Google adds a new API endpoint, gws picks it up immediately without requiring a CLI update.

With over 20.8k GitHub stars and active development toward v1.0 (currently at v0.16.0), gws has become a reference-level tool for teams building AI workflow automation on top of Google's ecosystem.

Key Features

  • Discovery-Driven Dynamic API Surface — Commands are generated at runtime from Google's Discovery Service, not hand-maintained. New Workspace API endpoints appear as callable commands automatically, and Discovery Documents are cached for 24 hours. Schema introspection via gws schema drive.files.list --resolve-refs exposes full method signatures, parameter types, and required OAuth scopes as machine-readable JSON — a cleaner alternative to embedding static documentation in system prompts.

  • Agent-First Design — The tool ships with 100+ structured SKILL.md files with YAML frontmatter — one per API surface plus higher-level workflow recipes. Skills encode agent guidance not visible in --help: always use --dry-run for mutating operations, always confirm before write/delete commands. Structured JSON is the default output format, making every response directly parseable by any LLM without transformation.

  • Gemini CLI Extension — After authenticating with gws auth setup, install the extension with gemini extensions install https://github.com/googleworkspace/cli. This integrates gws with the Model Context Protocol (MCP) Gemini CLI ecosystem, enabling conversational access to Drive, Gmail, Calendar, and all Workspace APIs using your existing credentials.

  • Prompt Injection Defense — The --sanitize flag pipes API responses through Google Cloud Model Armor before returning them to the caller. This defends against indirect prompt injection embedded in Workspace content (a malicious email body instructing the agent to forward messages, for example). Additional input hardening covers resource-name validation, path-traversal protections on selected helper surfaces, and path-parameter encoding to prevent common agent hallucination patterns.

  • Unified Multi-Service Coverage — Drive, Gmail, Calendar, Sheets, Docs, Chat, Admin, and every other Workspace API respond to the same gws <service> <resource> <method> [flags] pattern. Helper commands prefix with + for common shortcuts: gws gmail +send, gws drive +upload, gws sheets +append. All commands support --format output in JSON, table, YAML, or CSV.

  • Headless & CI/CD Support — For headless environments and CI/CD pipelines, credentials can be exported from an interactive session and consumed via GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE, or a pre-obtained OAuth token supplied through GOOGLE_WORKSPACE_CLI_TOKEN. Credentials are encrypted at rest with AES-256-GCM.

How to Get Started

Prerequisites

  • Node.js (any recent LTS version) for the npm install path
  • gcloud CLI installed and authenticated (gcloud auth login) if you want the automated OAuth setup
# Install globally via npm
npm install -g @googleworkspace/cli

# Run the interactive setup wizard
gws auth setup

gws auth setup walks you through Google Cloud project configuration, enabling the necessary Workspace APIs, and completing OAuth login. Credentials are encrypted at rest with AES-256-GCM.

Verify the installation:

gws drive files list --params '{"pageSize": 5}'

Manual OAuth Setup

If gws auth setup cannot automate project creation due to organization restrictions:

  1. Create a GCP project and navigate to APIs & Services → OAuth consent screen (set type to External; add your email as a test user)
  2. Go to Credentials → Create Credentials → OAuth client ID — choose Desktop app (not Web application)
  3. Download the JSON file, move it to ~/.config/gws/client_secret.json
  4. Run gws auth login and complete the browser OAuth consent flow

Common gotcha: Unverified OAuth apps in testing mode are limited to ~25 OAuth scopes. The "all services" preset uses 85+ scopes and will fail. Authorize only the services you need and add more later with gws auth login.

Gemini CLI Extension

After installing and authenticating gws, add it as a Gemini CLI extension:

gemini extensions install https://github.com/googleworkspace/cli

This enables conversational Workspace access through the Gemini CLI using your existing gws credentials.

Install Agent Skills

# Install all skills
npx skills add https://github.com/googleworkspace/cli

# Or pick specific services
npx skills add https://github.com/googleworkspace/cli/tree/main/skills/gws-gmail

Community & Ecosystem

gws is written in Rust and distributed as pre-built native binaries via npm (@googleworkspace/cli), Homebrew, and a Nix flake (nix run github:googleworkspace/cli). The project is under active development, and the latest GitHub release is v0.16.0 as of March 13, 2026. The README still warns that breaking changes are expected before v1.0.

The repository had about 20.8k GitHub stars and roughly 965 forks as of mid-March 2026, reflecting strong early developer interest driven by a Hacker News front-page appearance. The author's companion post, "You Need to Rewrite Your CLI for AI Agents," laid out seven design principles for agent-to-agent compatible CLI tools and generated significant discussion among AI infrastructure engineers.

The documented ecosystem currently centers on agent skills, Gemini CLI extension installation, and standard CI/headless credential flows. Contributors work under the googleworkspace GitHub organization; the project carries the standard "not an officially supported Google product" disclaimer.

Pricing & Plans

Google Workspace CLI is fully open source and free to use. There are no paid tiers, usage limits, or premium features.

What you get Cost
Full CLI binary (Drive, Gmail, Calendar, Sheets, Docs, Chat, Admin, all APIs) Free
100+ agent SKILL.md files Free
Gemini CLI extension integration Free
Schema introspection and discovery Free
Google Cloud Model Armor sanitization Free (requires your own GCP project for Model Armor)

You need a Google account and a GCP project for OAuth credentials. All Google Workspace API usage is subject to standard Google API quotas (free tier applies).

Best For

  • Backend developers and data engineers automating Workspace operations in CI/CD pipelines without REST boilerplate
  • AI agent builders who need programmatic access to Gmail, Drive, Calendar, and Sheets via agent skills and Gemini CLI extension
  • Platform teams replacing Google Apps Script with a CLI tool that supports package managers, standard auth, and full CI/CD integration
  • Security-conscious developers who want prompt injection defense built into their Workspace automation layer
  • Open source projects and indie developers who need free, zero-cost programmatic Workspace access

FAQ

What is Google Workspace CLI (gws)?

gws is an open-source command-line tool that provides unified access to every Google Workspace API — Drive, Gmail, Calendar, Sheets, Docs, Chat, Admin, and more — through a single binary. It is written in Rust, distributed via npm, and designed specifically for use by AI agents and automation pipelines with structured JSON output, 100+ agent skills, and a Gemini CLI extension.

Is Google Workspace CLI an official Google product?

No. The project is hosted under the googleworkspace GitHub organization and was created by a Google Developer Relations Engineer, but it carries the standard "not an officially supported Google product" disclaimer. There is no Google SLA or enterprise support channel.

How does it handle authentication?

gws auth setup automates OAuth credential creation via gcloud. For manual setup, you create a GCP project, configure an OAuth consent screen, and generate a Desktop-type OAuth client. Credentials are encrypted at rest with AES-256-GCM and stored in your OS keyring. Multiple accounts are supported with per-account credential files.

How does the Gemini CLI extension work?

After authenticating with gws auth setup, run gemini extensions install https://github.com/googleworkspace/cli to add gws as a Gemini CLI extension. This enables conversational Workspace access within the Gemini CLI using your existing credentials — no separate MCP configuration required. If you're evaluating how MCP compares to the A2A protocol for your agent architecture, the Gemini CLI extension path is the currently documented integration route for gws.

Can I use gws in GitHub Actions or other CI/CD systems?

Yes. Export credentials from an interactive session with gws auth export --unmasked credentials.json, then point GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE to the exported file in your CI environment. Alternatively, supply a pre-obtained access token via GOOGLE_WORKSPACE_CLI_TOKEN or point GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE to a service-account JSON key.

What are agent skills in gws?

The repository ships 100+ SKILL.md files — structured Markdown files with YAML frontmatter, one per API surface and workflow recipe. Skills encode operational guidance for agents beyond what --help provides: which flags to always include, when to use --dry-run, how to handle pagination with --page-all. They are installable via npx skills add https://github.com/googleworkspace/cli for use with Claude, Cursor, and Codex-compatible runtimes.

How does prompt injection protection work?

The --sanitize flag routes API responses through Google Cloud Model Armor before returning output. This defends against indirect prompt injection where malicious instructions are embedded in Workspace content — such as an email body instructing an agent to perform unrelated actions. You configure a Model Armor template in your GCP project and reference it either via the flag or the GOOGLE_WORKSPACE_CLI_SANITIZE_TEMPLATE environment variable.

From the blog

View all →

Track Google Workspace CLI in ToolWorthy Weekly

Important tool updates, better alternatives, and selected AI signals in one weekly brief.

Weekly only. Unsubscribe anytime.