Google SSO
Sign in with Google works on every thola surface — web, Android, iOS, Windows, Linux.
What we use it for
Two things:
- Authentication — identifying who you are at sign-in
- Email — for invoicing / customer outbound (optional, only if you grant the additional scope)
We do not read your mail, calendar, or drive.
The scopes we request
When you tap "Continue with Google" the first time, Google asks you to grant:
| Scope | What it lets thola do |
|---|---|
openid | Verify your identity |
email | See your verified email |
profile | See your name + picture for the UI |
That is the entire default set.
For workspaces that want to send email from their own Gmail (for invoices and reminders), there's an optional additional grant:
| Scope (optional) | Purpose |
|---|---|
gmail.send | Compose and send emails on your behalf — drafts shown before send |
This is off by default. It's only requested when you tap "Send via my Gmail" in the email channel configuration.
How to disconnect
You can disconnect Google SSO from thola at any time:
- Profile → Login methods → Disconnect Google
- If Google was your only login method, set a password first
You can also revoke from Google's side:
- Go to myaccount.google.com/permissions (opens in a new tab)
- Find thola in the list
- Click Remove access
Either path works. Once revoked, your next sign-in needs an alternative (password or WhatsApp OTP).
For Google Workspace admins
If you run a Google Workspace and want to whitelist thola for your domain:
- thola's OAuth client ID is
thola-prod-XXXX.apps.googleusercontent.com(the production ID is published in your sign-in flow's URL — happy to confirm via support) - thola's verified domain is
thola.ai - thola is third-party-reviewed and OAuth-verified by Google
For organisations that need a custom OAuth domain or app catalog entry, see the Enterprise plan — SSO via SAML and custom OAuth is part of the Enterprise SKU.
Workspace policy
By default, anyone with a Google account can sign up. If you want to restrict signups to your domain only (e.g. only @acme.co.in users can be added to your workspace):
- Settings → Workspace → Sign-in policy
- Add allowed domains
- Save
Members whose Google identity doesn't match an allowed domain are blocked at signup. Existing members keep their access.
Common questions
Will thola show up in my "Apps connected to your Google account" list? Yes. Search for "thola" or look under "Third-party apps with account access."
Can I sign in with Google and then add a password? Yes. Profile → Login methods → Add password. Useful if you might lose access to your Google account.
What happens if Google decides to log me out everywhere? Your thola session continues until its own JWT expires (24 hours). The next sign-in after that requires re-authenticating with whatever method you have.
→ Next: Payments