← CalendarMCP
Unique to CalendarMCP

Google Advanced Protection and AI Agents

Google Advanced Protection blocks most OAuth apps from accessing your calendar. CalendarMCP is the only AI calendar integration with a working solution.

The error you are probably seeing

Error 400: policy_enforced
Access blocked: This app's request is not allowed for your account.
If you think this should work, contact the app developer.

This means Google Advanced Protection is blocking the OAuth flow. No amount of reconfiguring the OAuth app will fix this. You need a different authentication approach.

What is Google Advanced Protection?

Google Advanced Protection (GAP) is a high-security program for accounts that face elevated risk of targeted attacks. It is used by journalists, activists, executives, politicians, and others.

When GAP is enabled, Google enforces strict restrictions on which apps can access your data. Third-party OAuth apps are blocked by default. Even apps that have gone through Google's standard verification process are rejected.

What GAP blocks:

  • All standard OAuth app authorization flows
  • Third-party access to Gmail, Drive, Calendar via OAuth
  • nspady/google-calendar-mcp and all similar self-hosted solutions
  • Any hosted MCP server that uses OAuth (all competitors)

The Solution: Service Accounts

Service accounts are a different Google authentication mechanism. Instead of asking you to authorize an app via OAuth, you share your calendar directly with a service account identity.

This sidesteps GAP entirely. GAP can block OAuth app authorization. It cannot block you from sharing your own calendar with another Google identity.

OAuth (blocked by GAP)

App requests permission via browser redirect. GAP blocks this at the authorization screen. You cannot proceed.

Service account (works with GAP)

You share your calendar with a specific email address. No OAuth involved. GAP has no mechanism to block calendar sharing.

Setup: Step by Step

1

Go to the service account setup page

Instead of clicking "Connect via Google OAuth" on the homepage, click "Using Google Advanced Protection? Set up via service account".

2

Get the service account email

The setup page shows you the CalendarMCP service account email address. It looks like calendarmcp@chromosome-474619.iam.gserviceaccount.com. Copy it.

3

Share your calendar

In Google Calendar:

  1. Find your calendar in the left sidebar, click the three dots
  2. Click "Settings and sharing"
  3. Scroll to "Share with specific people or groups"
  4. Add the service account email
  5. Set permission to "Make changes to events"
  6. Click Send
4

Complete verification

Back on the setup page, enter your Google Calendar ID (your Google email address). CalendarMCP will verify it can access your calendar. If verification passes, you get an API key.

5

Add to your agent

Use the API key exactly like any other CalendarMCP key:

claude mcp add calendar https://calendarmcp.ai/api/mcp --header "Authorization: Bearer cal_your_api_key"

Limitations to Know

  • !Attendee invitations work differently with service accounts. Google may not send invite emails on behalf of the service account the same way it would for your own account.
  • !You must share each calendar you want the agent to access. If you have multiple calendars, share each one separately.
  • !The service account has no "primary" calendar. Always use your Google email address as the calendar ID, not "primary".
  • !Service account access is for your Google Calendar only, not Gmail or Drive.

Set up via service account

Works with Google Advanced Protection. Takes about 5 minutes.

Start Service Account Setup

Further reading