Google Keep connection fails with Error 400 invalid_scope even after custom OAuth and Workspace domain-wide delegation setup

Questions
1

Hello Make Community,

I am trying to connect Google Keep to Make.com using a Google Workspace for Education admin account and a custom Google Cloud OAuth client, but the Google sign-in keeps failing with:

Error 400: invalid_scope

The Google error says:

Some requested scopes cannot be shown:
https://www.googleapis.com/auth/keep.readonly
https://www.googleapis.com/auth/keep

When I click error details, the request shows something like:

access_type=offline
scope=https://www.googleapis.com/auth/userinfo.email https://www.googleapis.com/auth/keep.readonly https://www.googleapis.com/auth/keep openid
response_type=code
redirect_uri=https://www.integromat.com/oauth/cb/google-custom
prompt=consent
flowName=GeneralOAuthFlow
client_id=467514640846-49avmod7gdp161t1fgar5r4gqi2sepd9.apps.googleusercontent.com

Here is what I have already done: (updated)

I tested the same Google Keep API access outside of Make using a Google Cloud service account with domain wide delegation.

Using Python with the service account JSON key, impersonating my Workspace user [email protected], I tested both scopes:

https://www.googleapis.com/auth/keep.readonly

and

https://www.googleapis.com/auth/keep

Both returned:

Status code: 200

So the Google Cloud project, Keep API enablement, service account, domain wide delegation, and Keep scopes are working correctly.

The failure appears to be specifically with Make’s Google Keep connection flow, which is returning:

Error 400: invalid_scope

with:

Some requested scopes cannot be shown

for the Keep scopes.

Can Make’s built in Google Keep connector use service account domain wide delegation, or does it only support the normal user consent OAuth flow?

========original post=======

  1. Created a Google Cloud project for the Google Keep integration.

  2. Enabled the Google Keep API in the Google Cloud project.

  3. Created a Web application OAuth Client ID and Client Secret.

  4. Added the following Authorized redirect URIs in Google Cloud:

https://www.make.com/oauth/cb/google-keep
https://www.integromat.com/oauth/cb/google-keep
https://www.integromat.com/oauth/cb/google-restricted
https://www.integromat.com/oauth/cb/google-custom

  1. Set the Google Cloud OAuth app audience to Internal.

  2. In Google Workspace Admin Console, I went to:

Security → API Controls → App Access Control

Then I configured the custom OAuth client as an internal app and set it to Trusted for the correct organizational unit:

christian.com.ph

  1. In Google Workspace Admin Console, I also went to:

Security → API Controls → Domain-wide Delegation

Then I added the same OAuth Client ID:

467514640846-49avmod7gdp161t1fgar5r4gqi2sepd9.apps.googleusercontent.com

with these scopes:

https://www.googleapis.com/auth/keep
https://www.googleapis.com/auth/keep.readonly

  1. In Make.com, I created a new Google Keep connection using the same custom Client ID and Client Secret.

  2. I first tried adding the Keep scopes under Additional Scopes, but that still failed.

  3. I also tried leaving Advanced settings off, with no additional scopes added manually, but the same Google error still appears.

Based on the Google error details, it looks like Make is using a normal OAuth user consent flow with:

prompt=consent

But Google Keep API appears to require Workspace domain-wide delegation, and Google is refusing to display the Keep scopes on the normal consent screen.

Question/s:

  1. Does Make’s built-in Google Keep connector currently support Google Workspace domain-wide delegation for the Keep API?

  2. If yes, what exact Google Cloud and Google Workspace setup is required? (because I’ve already tried everything, with attention to detail as per the instructions and experts advice)

  3. Should the Google Keep connection work through the normal Sign in with Google button, or does it require a different Make setup?

  4. Is the built-in Google Keep connector currently broken or limited because Google no longer allows these Keep scopes to be shown on the consent screen?

  5. If the built-in connector cannot work this way, is the recommended workaround to use a service account with domain-wide delegation and Make’s HTTP module instead?

I would appreciate specific guidance from anyone who has successfully connected Google Keep to Make.com recently using Google Workspace.

Thank you.

4

Hi @sfcc ,

For Google Keep, first use your web client via the Google Workspace Admin console. Go to the admin console > Security > API Controls > Domain-wide delegation

image
image3456Ă—1984 385 KB

Then you will have to use an HTTP module with an OAuth2 connection and use the Keep API - Google Keep API  |  Google for Developers.

While creating an Oauth2 connection, use these values
Authorise URI: https://accounts.google.com/o/oauth2/v2/auth
Token URI: https://oauth2.googleapis.com/token
Scope: https://www.googleapis.com/auth/keep
Client ID and Secret: You can get it from the developer console
Parameter: access_type=offline

6

Welcome to the Make community!

This is a known issue with Google Keep’s API. The issue is reported on the issue tracker, and Enterprise users have confirmed the issue since 2023[1].

You can even see that the Status of ths issue is set to “Won’t fix (Intended behavior)”.
Screenshot 2026-05-12 211938

The proper “workaround” would be to NOT use Google Keep, as there have been no updates from Google’s end for many years.

— @samliew

  1. Source: Google Issue Tracker ↩︎

7

@samliew Might be issues with some users. But working fine for me. I am on a Business Starter subscription.

image
image1850Ă—1602 275 KB