Fixing Google OAuth verification

When Google OAuth is in Testing mode, you can get pretty far with a half-finished setup. The moment you try to publish it for real users, Google starts checking whether your app looks like a real product and not just a callback URL with a logo pasted on top.

The most common failure is simple: your homepage does not clearly explain what the app is, what it does, and why it asks for Google account data. Google is trying to protect users from vague or misleading consent screens.

What Google wants to see

Your public site should make three things obvious:

  1. What your app is
  2. What the Google sign-in button is for
  3. What Google data you use after sign-in

This does not need to be fancy. It just needs to be clear.

The easiest fix

If your main homepage is mostly marketing copy, make a separate public page just for Google verification. Something like /google-oauth is fine.

On that page, include:

  • Your app name exactly as it appears on the OAuth consent screen
  • The same app logo shown on your Google OAuth consent screen, if you uploaded one
  • A plain-language description of what the app does
  • A short explanation of why users can sign in with Google
  • The Google data you request, usually email, profile, and openid
  • A short statement about what you do not access, like Gmail or Google Drive
  • Links to your Privacy Policy and Terms of Use

Think of it like the label on a medicine bottle. Nobody needs poetry here. They need to know what it is and what it's for.

Why the homepage URL matters

In Google Cloud Console, the OAuth consent screen asks for a homepage URL. That's the page Google's reviewers will look at.

If your root homepage is too vague, point that field at the dedicated explainer page instead. You do not have to force your landing page to do two jobs at once.

It also helps to link that page from your site's footer. That makes it easier for both Google reviewers and real users to find the explanation from normal site navigation, right next to things like Privacy Policy and Terms of Use.

If you want to see what that looks like, here's the public example from Gista.js: gistajs.com/google-oauth.

Match the app name exactly

If your consent screen says Gista.js, the public page should also say Gista.js in normal visible text. Not only in a logo image. Not only in browser metadata. Not only inside stylized art where a checker might miss it.

This is one of those boring details that matters more than it should.
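The visible-text rule above, together with the checklist under "The easiest fix", can be checked before you submit. This Python sketch is an added example, not code from Gista.js or Google; the sample pages, the /privacy and /terms paths, and the names VisibleText and check_page are constructed for illustration. It inspects static HTML only, so text rendered by JavaScript or hidden with CSS is outside what it can judge.

```python
from html.parser import HTMLParser

HIDDEN = {"head", "title", "script", "style", "noscript", "svg"}  # text never shown as page copy

class VisibleText(HTMLParser):
    """Collect readable body text and link anchor text (not alt= or meta attributes)."""
    def __init__(self):
        super().__init__()
        self.hidden, self.text, self.anchors = [], [], []
        self._anchor = None  # list of text chunks while inside <a>

    def handle_starttag(self, tag, attrs):
        if tag in HIDDEN:
            self.hidden.append(tag)
        elif tag == "a":
            self._anchor = []

    def handle_endtag(self, tag):
        if self.hidden and self.hidden[-1] == tag:
            self.hidden.pop()
        elif tag == "a" and self._anchor is not None:
            self.anchors.append(" ".join(self._anchor).lower())
            self._anchor = None

    def handle_data(self, data):
        if not self.hidden:
            self.text.append(data)
            if self._anchor is not None:
                self._anchor.append(data)

def check_page(html, app_name, scopes=("email", "profile", "openid")):
    """Report checklist status for a static HTML page."""
    p = VisibleText()
    p.feed(html)
    p.close()
    visible = " ".join(" ".join(p.text).split())
    return {
        "app_name_visible": app_name in visible,  # exact, case-sensitive match
        "privacy_link": any("privacy" in a for a in p.anchors),
        "terms_link": any("terms" in a for a in p.anchors),
        "missing_scopes": [s for s in scopes if s not in visible.lower()],
    }

# Constructed sample pages: the first carries the name only in metadata and alt text.
BAD_PAGE = ('<head><title>Gista.js</title></head><body><img src="/logo.png" alt="Gista.js">'
            '<p>Sign in with Google.</p><a href="/privacy">Privacy Policy</a></body>')
GOOD_PAGE = ('<head><title>Gista.js</title></head><body><h1>Gista.js</h1><p>We request '
             'email, profile, and openid.</p><a href="/privacy">Privacy Policy</a> '
             '<a href="/terms">Terms of Use</a></body>')
```

Calling check_page(BAD_PAGE, "Gista.js") reports the name as not visible even though it appears in the title and the logo's alt text, which is the situation the section describes.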

A good verification page feels boring

That is actually the goal. Google reviewers are not judging your design taste. They are checking whether a stranger can quickly understand:

  • what the app is
  • why the sign-in exists
  • what data is used

Clear beats clever.