Jump to Content
Product Announcements

New OAuth protections to reduce risk from malicious apps

June 4, 2018
Luke Camery

Associate Product Manager, OAuth Security

Try Google Workspace at No Cost

Get a business email, all the storage you need, video conferencing, and more.


As part of our constant efforts to improve Google’s OAuth application ecosystem, we are launching additional protections that can limit the spread of malicious applications. Applications requiring OAuth will be subject to a daily total new user cap and a new user acquisition rate limit. The first restricts the total number of new users that can authorize your application, while the second limits how rapidly your application can acquire new users.

Every application will have its own quotas depending on its history, developer reputation, and risk profile; for more details, see User Limits for Applications using OAuth.

These quotas will be initially set to match your application’s status and current usage so the majority of developers will see no impact. However, if you have received a quota warning about your application, or if you anticipate your application may exceed its quota (due to, for example, a high profile launch), you can take action to improve your application's adoption:

  1. If your application has reached its total new user cap, submit the OAuth Developer Verification Form to request OAuth verification. Once granted, verification removes the new user cap. 
  2. If your application is running into the new user authorization rate limit, you can request a rate limit quota increase for the application. 
We will actively monitor every application’s quota usage and take proactive steps to contact any developer whose application is approaching its quota. This should help prevent interruption due to these quotas for non-malicious developers on our platform.

These enhanced protections will help protect our users and create an OAuth ecosystem where developers can continue to grow and thrive in a safer environment.

Posted in