One CLI for all of Google Workspace — built for humans and AI agents.
Drive, Gmail, Calendar, and every Workspace API. Zero boilerplate. Structured JSON output. 40+ agent skills included.
Note
This is not an officially supported Google product.
npm version license CI status install size
npm install -g @googleworkspace/cli
gws doesn't ship a static list of commands. It reads Google's own Discovery Service at runtime and builds its entire command surface dynamically. When Google Workspace adds an API endpoint or method, gws picks it up automatically.
Important
This project is under active development. Expect breaking changes as we march toward v1.0.
- Prerequisites
- Installation
- Quick Start
- Why gws?
- Authentication
- AI Agent Skills
- Advanced Usage
- Environment Variables
- Exit Codes
- Architecture
- Troubleshooting
- Development
- Node.js 18+ — for
npm install(or download a pre-built binary from GitHub Releases) - A Google Cloud project — required for OAuth credentials. You can create one via the Google Cloud Console or with the
gcloudCLI or with thegws auth setupcommand. - A Google account with access to Google Workspace
npm install -g @googleworkspace/cli
The npm package bundles pre-built native binaries for your OS and architecture. No Rust toolchain required.
Pre-built binaries are also available on the GitHub Releases page.
Or build from source:
cargo install --git https://github.com/googleworkspace/cli --locked
A Nix flake is also available at github:googleworkspace/cli
nix run github:googleworkspace/cli
On macOS and Linux, you can also install via Homebrew:
brew install googleworkspace-cli
gws auth login # opens browser → Google consent → done gws drive files list --params '{"pageSize": 5}'
For humans — stop writing curl calls against REST docs. gws gives you --help on every resource, --dry-run to preview requests, and auto‐pagination.
For AI agents — every response is structured JSON. Pair it with the included agent skills and your LLM can manage Workspace without custom tooling.
# List the 10 most recent files gws drive files list --params '{"pageSize": 10}' # Create a spreadsheet gws sheets spreadsheets create --json '{"properties": {"title": "Q1 Budget"}}' # Send a Chat message gws chat spaces messages create \ --params '{"parent": "spaces/xyz"}' \ --json '{"text": "Deploy complete."}' \ --dry-run # Introspect any method's request/response schema gws schema drive.files.list # Stream paginated results as NDJSON gws drive files list --params '{"pageSize": 100}' --page-all | jq -r '.files[].name'
gws auth login # opens browser → Google consent → doneNo GCP project, no client secret, no gcloud needed. The CLI uses a Cloud Function proxy (same as gemini-cli-extensions/workspace) to handle OAuth token exchange server-side. Tokens are refreshed automatically through the same proxy.
Credentials are encrypted at rest (AES-256-GCM) with the key stored in your OS keyring. Use gws auth status to check the current auth state.
- Complete interactive auth on a machine with a browser.
- Export credentials:
gws auth export --unmasked > credentials.json
- On the headless machine:
export GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE=/path/to/credentials.json gws drive files list # just works
Useful when another tool (e.g. gcloud) already mints tokens for your environment.
export GOOGLE_WORKSPACE_CLI_TOKEN=$(gcloud auth print-access-token)
| Priority | Source | Set via |
|---|---|---|
| 1 | Access token | GOOGLE_WORKSPACE_CLI_TOKEN |
| 2 | Credentials file | GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE |
| 3 | Encrypted credentials | gws auth login |
| 4 | Plaintext credentials | ~/.config/gws/credentials.json |
| 5 | Application Default Credentials | GOOGLE_APPLICATION_CREDENTIALS or gcloud auth application-default login |
Environment variables can also live in a .env file.
The repo ships 100+ Agent Skills (SKILL.md files) — one for every supported API, plus higher-level helpers for common workflows and 50 curated recipes for Gmail, Drive, Docs, Calendar, and Sheets. See the full Skills Index for the complete list.
# Install all skills at once npx skills add https://github.com/googleworkspace/cli # Or pick only what you need npx skills add https://github.com/googleworkspace/cli/tree/main/skills/gws-drive npx skills add https://github.com/googleworkspace/cli/tree/main/skills/gws-gmail
OpenClaw setup
# Symlink all skills (stays in sync with repo) ln -s $(pwd)/skills/gws-* ~/.openclaw/skills/ # Or copy specific skills cp -r skills/gws-drive skills/gws-gmail ~/.openclaw/skills/
The gws-shared skill includes an install block so OpenClaw auto-installs the CLI via npm if gws isn't on PATH.
-
Authenticate the CLI first:
gws auth setup
-
Install the extension into the Gemini CLI:
gemini extensions install https://github.com/googleworkspace/cli
Installing this extension gives your Gemini CLI agent direct access to all gws commands and Google Workspace agent skills. Because gws handles its own authentication securely, you simply need to authenticate your terminal once prior to using the agent, and the extension will automatically inherit your credentials.
gws drive files create --json '{"name": "report.pdf"}' --upload ./report.pdf| Flag | Description | Default |
|---|---|---|
--page-all |
Auto-paginate, one JSON line per page (NDJSON) | off |
--page-limit <N> |
Max pages to fetch | 10 |
--page-delay <MS> |
Delay between pages | 100 ms |
Sheets ranges use ! which bash interprets as history expansion. Always wrap values in single quotes:
# Read cells A1:C10 from "Sheet1" gws sheets spreadsheets values get \ --params '{"spreadsheetId": "SPREADSHEET_ID", "range": "Sheet1!A1:C10"}' # Append rows gws sheets spreadsheets values append \ --params '{"spreadsheetId": "ID", "range": "Sheet1!A1", "valueInputOption": "USER_ENTERED"}' \ --json '{"values": [["Name", "Score"], ["Alice", 95]]}'
Some services ship hand-crafted helper commands alongside the auto-generated Discovery surface. Helper commands are prefixed with + so they are visually distinct and never collide with Discovery-generated method names.
Time-aware helpers (+agenda, +standup-report, +weekly-digest, +meeting-prep) automatically use your Google account timezone (fetched from Calendar Settings API and cached for 24 hours). Override with --timezone/--tz on +agenda, or set the --timezone flag for explicit control.
Run gws <service> --help to see both Discovery methods and helper commands together.
gws gmail --help # shows +send, +reply, +reply-all, +forward, +triage, +watch ... gws calendar --help # shows +insert, +agenda ... gws drive --help # shows +upload ...
Full helper reference:
| Service | Command | Description |
|---|---|---|
gmail |
+send |
Send an email |
gmail |
+reply |
Reply to a message (handles threading automatically) |
gmail |
+reply-all |
Reply-all to a message |
gmail |
+forward |
Forward a message to new recipients |
gmail |
+triage |
Show unread inbox summary (sender, subject, date) |
gmail |
+watch |
Watch for new emails and stream them as NDJSON |
sheets |
+append |
Append a row to a spreadsheet |
sheets |
+read |
Read values from a spreadsheet |
docs |
+write |
Append text to a document |
chat |
+send |
Send a message to a space |
drive |
+upload |
Upload a file with automatic metadata |
calendar |
+insert |
Create a new event |
calendar |
+agenda |
Show upcoming events (uses Google account timezone; override with --timezone) |
script |
+push |
Replace all files in an Apps Script project with local files |
workflow |
+standup-report |
Today's meetings + open tasks as a standup summary |
workflow |
+meeting-prep |
Prepare for your next meeting: agenda, attendees, and linked docs |
workflow |
+email-to-task |
Convert a Gmail message into a Google Tasks entry |
workflow |
+weekly-digest |
Weekly summary: this week's meetings + unread email count |
workflow |
+file-announce |
Announce a Drive file in a Chat space |
events |
+subscribe |
Subscribe to Workspace events and stream them as NDJSON |
events |
+renew |
Renew/reactivate Workspace Events subscriptions |
modelarmor |
+sanitize-prompt |
Sanitize a user prompt through a Model Armor template |
modelarmor |
+sanitize-response |
Sanitize a model response through a Model Armor template |
modelarmor |
+create-template |
Create a new Model Armor template |
Examples:
# Send an email gws gmail +send --to alice@example.com --subject "Hello" --body "Hi there" # Reply to a message gws gmail +reply --message-id MESSAGE_ID --body "Thanks!" # Append a row to a spreadsheet gws sheets +append --spreadsheet SPREADSHEET_ID --values "Alice,95" # Show today's calendar agenda gws calendar +agenda # Upload a file to Drive gws drive +upload ./report.pdf --name "Q1 Report" # Morning standup summary gws workflow +standup-report # Show today's agenda in a specific timezone gws calendar +agenda --today --timezone America/New_York
Integrate Google Cloud Model Armor to scan API responses for prompt injection before they reach your agent.
gws gmail users messages get --params '...' \ --sanitize "projects/P/locations/L/templates/T"
| Variable | Description |
|---|---|
GOOGLE_WORKSPACE_CLI_SANITIZE_TEMPLATE |
Default Model Armor template |
GOOGLE_WORKSPACE_CLI_SANITIZE_MODE |
warn (default) or block |
All variables are optional. See .env.example for a copy-paste template.
| Variable | Description |
|---|---|
GOOGLE_WORKSPACE_CLI_TOKEN |
Pre-obtained OAuth2 access token (highest priority) |
GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE |
Path to OAuth credentials JSON (user or service account) |
GOOGLE_WORKSPACE_CLI_CONFIG_DIR |
Override config directory (default: ~/.config/gws) |
GOOGLE_WORKSPACE_CLI_SANITIZE_TEMPLATE |
Default Model Armor template |
GOOGLE_WORKSPACE_CLI_SANITIZE_MODE |
warn (default) or block |
GOOGLE_WORKSPACE_CLI_LOG |
Log level for stderr (e.g., gws=debug). Off by default. |
GOOGLE_WORKSPACE_CLI_LOG_FILE |
Directory for JSON log files with daily rotation. Off by default. |
GOOGLE_WORKSPACE_PROJECT_ID |
GCP project ID override for quota/billing and fallback for helper commands |
Environment variables can also be set in a .env file (loaded via dotenvy).
gws uses structured exit codes so scripts can branch on the failure type without parsing error output.
| Code | Meaning | Example cause |
|---|---|---|
0 |
Success | Command completed normally |
1 |
API error | Google returned a 4xx/5xx response |
2 |
Auth error | Credentials missing, expired, or invalid |
3 |
Validation error | Bad arguments, unknown service, invalid flag |
4 |
Discovery error | Could not fetch the API schema document |
5 |
Internal error | Unexpected failure |
gws drive files list --params '{"fileId": "bad"}' echo $? # 1 — API error gws unknown-service files list echo $? # 3 — validation error (unknown service)
gws uses a two-phase parsing strategy:
- Read
argv[1]to identify the service (e.g.drive) - Fetch the service's Discovery Document (cached 24 h)
- Build a
clap::Commandtree from the document's resources and methods - Re-parse the remaining arguments
- Authenticate, build the HTTP request, execute
All output — success, errors, download metadata — is structured JSON.
If a required Google API is not enabled for your GCP project, you will see a
403 error with reason accessNotConfigured:
{
"error": {
"code": 403,
"message": "Gmail API has not been used in project 549352339482 ...",
"reason": "accessNotConfigured",
"enable_url": "https://console.developers.google.com/apis/api/gmail.googleapis.com/overview?project=549352339482"
}
}gws also prints an actionable hint to stderr:
💡 API not enabled for your GCP project.
Enable it at: https://console.developers.google.com/apis/api/gmail.googleapis.com/overview?project=549352339482
After enabling, wait a few seconds and retry your command.
Steps to fix:
- Click the
enable_urllink (or copy it from theenable_urlJSON field). - In the GCP Console, click Enable.
- Wait ~10 seconds, then retry your
gwscommand.
cargo build # dev build cargo clippy -- -D warnings # lint cargo test # unit tests ./scripts/coverage.sh # HTML coverage report → target/llvm-cov/html/
Apache-2.0
Caution
This is not an officially supported Google product.