I’m seeking help with a stalled OAuth verification process for our application.
Timeline:
Jan 27: Initial OAuth verification submitted (included restricted scope gmail.readonly)
Feb 8: Received response requiring CASA Tier 2 assessment
We removed the gmail.readonly restricted scope since it wasn’t essential, which restarted the verification process
Feb 13: Trust & Safety team reviewed and approved Homepage Requirements and Branding Guidelines
Feb 13 – present: No further communication. Privacy Policy, App Functionality, Appropriate Data Access, and Request Minimum Scopes remain pending.
Current status: 4 of 6 verification checks are still incomplete. Privacy Policy shows “currently under review.” We have not received any emails requesting action from us.
Our production launch is blocked until verification completes. We’ve confirmed our privacy policy and terms of service pages are live and accessible at the URLs provided in our OAuth consent screen configuration.
Has anyone experienced similar delays at this stage? Is there a way to escalate or get an update from the Trust & Safety team beyond replying to the original email thread?
Thank you for any guidance.
Adjust any details that don’t match your exact situation before posting. Want me to tweak anything?
I definitely feel your frustration. Having a production launch held up by the “Verification Ghost” is a common bottleneck, but there are specific ways to nudge the Trust & Safety team that aren’t always obvious from the dashboard.
Since you’ve already cleared the Homepage and Branding hurdles, you’ve moved past the “low-hanging fruit.” The remaining checks (Privacy Policy, App Functionality, etc.) are more subjective and usually require a human reviewer to manually click through your flow.
Here is how I recommend handling this to get out of “pending” limbo:
1. The “Reply-to-Thread” Strategy
Google’s Trust & Safety team operates primarily via ticketing. Every time you update your OAuth configuration in the console, it can sometimes “reset” your position in the queue or create a disconnected state.
The Action: Go back to the very last email you received from api-oauth-dev-verification-noreply@google.com (or the Trust & Safety equivalent).
The Content: Reply directly to that thread. Provide a screencast link (YouTube unlisted or Loom) showing your app’s login flow and how you use the data. Explicitly state: “We have removed all restricted scopes (like gmail.readonly) to comply with Tier 2 requirements. Please let us know if there are remaining blockers for our sensitive/non-restricted scopes.”
2. The YouTube Screencast (Non-Negotiable)
Reviews often stall because the reviewer can’t easily replicate your user journey.
Ensure your YouTube video shows the OAuth Consent Screen clearly, including the Client ID in the URL bar.
If the reviewer can’t see exactly how the data is used in the UI, they will simply leave the ticket open until they have time to ask you—which can take weeks.
3. Escalation Channels
If you have waited more than 10 business days without any human response:
Google Cloud Support: If you have a paid GCP support plan (Role-based or Enterprise), open a technical support ticket. While they are a different department than Trust & Safety, they can often “warm transfer” or flag the internal ticket ID for you.
The “Appeal” Form: If your console shows a specific rejection or warning, use the OAuth Verification Contact Form to request a status update.
4. Check for “Shadow” Issues
Sometimes the “Pending” status hides a simple fix. Double-check these:
Privacy Policy: Ensure it explicitly mentions “Google User Data” and is hosted on the same domain as your authorized redirect URIs.
Search Console: Ensure the domain in your authorized redirects is verified in Google Search Console under the same account as the GCP Project owner.
Same IAM lockout issue on 90-day free trial.
Creator of org (PII Removed by Staff) but no permissions at organization level.
gcloud get-iam-policy gives “does not have permission” error.
Can’t grant myself Organization Administrator role.
Billing chat says no live support during trial.
Screenshot attached. Anyone from Google staff able to help assign the role?
Hi Rodrigo, I’m currently stuck on the homepage requirements, citing we do not own the property, I believe this to be bug as the domain property IS verified on our Search Console under the same acocount.
I’m not seeing a contact form on the link you have sent, can you provide another link please? Thanks in advance!
The Trust & Safety contact form is typically dynamic and only appears inside the Google Cloud Console once specific conditions are cleared.
The reason you’re hitting a wall with the domain ownership requirement—even though it’s verified in Search Console under the same account—is usually due to a missing step inside the OAuth Consent Screen configuration itself, or a precise formatting mismatch.
Before trying to force a contact form, try these three troubleshooting steps:
Verify Project Ownership Permissions: Ensure that the specific Google account you are using is explicitly listed as a Project Owner in the GCP IAM permissions panel. Being an owner of the Search Console property alone isn’t enough; the system requires cross-authorization.
Check for WWW vs. Non-WWW Mismatch: Look closely at your exact homepage URL configuration in the Branding section. If your Search Console property is verified as https://example.com but your OAuth homepage URI or authorized domain is set to https://www.example.com (or vice versa), the Trust & Safety validation engine will flags it as unverified. It must be an exact character match.
The ‘Back to Testing’ Reset Trick: If everything looks correct, the UI might just be stuck. Go to your OAuth Consent Screen dashboard, click “Back to testing” under the publishing status, and then click “Publish” again. This often forces the validation engine to re-scan your Search Console properties, clears the bug, and will properly display the “The Trust and Safety team has received your form” confirmation window or populate the direct support submission link if further details are needed.