Hi Google Cloud Community,
I’m seeking help with a stalled OAuth verification process for our application.
Timeline:
-
Jan 27: Initial OAuth verification submitted (included restricted scope gmail.readonly)
-
Feb 8: Received response requiring CASA Tier 2 assessment
-
We removed the gmail.readonly restricted scope since it wasn’t essential, which restarted the verification process
-
Feb 13: Trust & Safety team reviewed and approved Homepage Requirements and Branding Guidelines
-
Feb 13 – present: No further communication. Privacy Policy, App Functionality, Appropriate Data Access, and Request Minimum Scopes remain pending.
Current status: 4 of 6 verification checks are still incomplete. Privacy Policy shows “currently under review.” We have not received any emails requesting action from us.
Our production launch is blocked until verification completes. We’ve confirmed our privacy policy and terms of service pages are live and accessible at the URLs provided in our OAuth consent screen configuration.
Has anyone experienced similar delays at this stage? Is there a way to escalate or get an update from the Trust & Safety team beyond replying to the original email thread?
Thank you for any guidance.
Adjust any details that don’t match your exact situation before posting. Want me to tweak anything?
Opus 4.6
Extended
Hello Mihir,
I definitely feel your frustration. Having a production launch held up by the “Verification Ghost” is a common bottleneck, but there are specific ways to nudge the Trust & Safety team that aren’t always obvious from the dashboard.
Since you’ve already cleared the Homepage and Branding hurdles, you’ve moved past the “low-hanging fruit.” The remaining checks (Privacy Policy, App Functionality, etc.) are more subjective and usually require a human reviewer to manually click through your flow.
Here is how I recommend handling this to get out of “pending” limbo:
1. The “Reply-to-Thread” Strategy
Google’s Trust & Safety team operates primarily via ticketing. Every time you update your OAuth configuration in the console, it can sometimes “reset” your position in the queue or create a disconnected state.
-
The Action: Go back to the very last email you received from api-oauth-dev-verification-noreply@google.com (or the Trust & Safety equivalent).
-
The Content: Reply directly to that thread. Provide a screencast link (YouTube unlisted or Loom) showing your app’s login flow and how you use the data. Explicitly state: “We have removed all restricted scopes (like gmail.readonly) to comply with Tier 2 requirements. Please let us know if there are remaining blockers for our sensitive/non-restricted scopes.”
2. The YouTube Screencast (Non-Negotiable)
Reviews often stall because the reviewer can’t easily replicate your user journey.
-
Ensure your YouTube video shows the OAuth Consent Screen clearly, including the Client ID in the URL bar.
-
If the reviewer can’t see exactly how the data is used in the UI, they will simply leave the ticket open until they have time to ask you—which can take weeks.
3. Escalation Channels
If you have waited more than 10 business days without any human response:
-
Google Cloud Support: If you have a paid GCP support plan (Role-based or Enterprise), open a technical support ticket. While they are a different department than Trust & Safety, they can often “warm transfer” or flag the internal ticket ID for you.
-
The “Appeal” Form: If your console shows a specific rejection or warning, use the OAuth Verification Contact Form to request a status update.
4. Check for “Shadow” Issues
Sometimes the “Pending” status hides a simple fix. Double-check these:
-
Privacy Policy: Ensure it explicitly mentions “Google User Data” and is hosted on the same domain as your authorized redirect URIs.
-
Search Console: Ensure the domain in your authorized redirects is verified in Google Search Console under the same account as the GCP Project owner.
1 Like