google endpoints — Credential management¶
Endpoints to manage Google OAuth credentials used by the invoice service (Gmail & Sheets). These routes handle uploading client JSON, starting OAuth flows, receiving callbacks, refreshing tokens and toggling the active credential.
Environment
INVOICE_GOOGLE_OAUTH_PREFIX: optional env var (default/api/v1/invoice) used as redirect-base when building OAuth redirect URLs. Set this if the service is mounted behind a proxy or uses a non-standard path.
Routes
POST /auth— Start OAuth flow- Form fields:
json_file(file, required): the Google client JSON file uploaded by the user;display_name(string, optional);scopes(repeated string, optional). - Returns:
GoogleAuthStartResponsewithauth_urlandstate. User should visitauth_urland complete authorization in browser. -
Notes: Builds redirect base using the request host +
INVOICE_GOOGLE_OAUTH_PREFIX. -
GET /oauth/callback— OAuth callback - Query params:
code(string),state(string). -
Returns:
GoogleAuthCallbackResponse(stored credential metadata) or 400 on error. -
POST /credentials/{credential_id}/refresh— Refresh token for a credential - Path param:
credential_id(string). - Returns:
TokenRefreshResponsewithmessage,new_expiryorneeds_reauthwhen refresh fails (e.g.,invalid_grant). -
Behavior: uses stored refresh token to refresh credentials and updates DB via CRUD.
-
DELETE /credentials/{credential_id}— Delete credential -
Returns:
CredentialDeleteResponse. -
GET /credentials/— List credentials -
Returns: list of
GoogleCredentialsDB records. -
POST /credentials/{credential_id}/toggle-active— Toggle active credential - Behavior: toggles
activeflag; the implementation ensures only one credential is active at a time. -
Returns:
CredentialToggleResponse(containsactiveboolean). -
POST /credentials/{credential_id}/reauthorize— Re-authorize without re-upload - Path param:
credential_id(string). Uses stored client fields to re-build a client JSON and create an OAuth flow (returnsGoogleAuthStartResponse).
Security & operational notes
- These routes are administrative: ensure they are protected by your service's auth (JWT) and only accessible to authorized operators.
- Token refresh may fail with
invalid_grantif client creds or refresh token are revoked — endpoints surfaceneeds_reauthso callers can trigger re-authorization. - Keep uploaded client JSON files and stored client secrets secure; rotate or remove credentials when no longer needed.
Examples
- Start OAuth (multipart upload):
curl -X POST "http://localhost:8000/api/v1/invoice/auth" \
-F "display_name=invoice-bot" \
-F "json_file=@/path/to/client_secret.json"
- Refresh token:
curl -X POST "http://localhost:8000/api/v1/invoice/credentials/your-credential-id/refresh"