Author: By Raj
User Authentication in Apps Script Web Apps (Google SSO + Domain Lock)
Apps Script web apps can restrict access to users signed in to Google, and further limit it to your Workspace domain, using the deployment's "Who has access" setting plus Session.getActiveUser().getEmail().
Execute as "User accessing the web app" ensures the script acts with that user's Sheet permissions, which is ideal for CRUD tools. Execute as "Me" uses the deployer's rights, which is simpler but broader.
Pair domain checks in doGet with Google Groups allowlists stored in a Config sheet for fine-grained authorization.
Session.getActiveUser
Returns an empty string for anonymous users on public deployments; treat this as unauthenticated. Compare the email's domain to the @company.com suffix.
Log access attempts to an Audit sheet with a timestamp for security reviews.
Deployment ACL matrix
"Anyone within domain" is the sweet spot for intranet tools. "Anyone on the web" requires extra CSRF and auth checks beyond Google login.
Document in your security questionnaire which OAuth scopes the web app consumes.
Email allowlists
Maintain an Admins sheet with approved emails in column A. doGet checks the list before returning HtmlService output.
For role-based access, map groups to roles via the Directory API advanced service, if licensed.
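The domain check, Admins allowlist and Audit logging described above can be combined in one doGet. This is an added example, not the author's template; it assumes a spreadsheet-bound script with sheets named Admins (emails in column A) and Audit, and the names decideAccess, ALLOWED_DOMAIN and SAMPLE_ADMIN_ROWS are hypothetical.

```javascript
// Added example; ALLOWED_DOMAIN and the sheet layout are assumptions.
const ALLOWED_DOMAIN = 'company.com'; // placeholder domain used in the article

// Pure decision logic with no Apps Script services, so it can be unit-tested.
// adminRows is the 2-D array Range.getValues() returns for Admins!A:A.
function decideAccess(email, adminRows) {
  const user = String(email || '').trim().toLowerCase();
  if (!user) return { allowed: false, user: '(anonymous)', reason: 'no-identity' };
  // Exact match on the part after the last '@', not a loose substring test.
  const at = user.lastIndexOf('@');
  if (at < 1 || user.slice(at + 1) !== ALLOWED_DOMAIN) {
    return { allowed: false, user: user, reason: 'wrong-domain' };
  }
  // Normalise sheet cells: people paste emails with capitals and trailing spaces.
  const admins = new Set(adminRows
    .map(function (row) { return String(row[0] || '').trim().toLowerCase(); })
    .filter(function (cell) { return cell.includes('@'); })); // skips blanks and a header cell
  if (!admins.has(user)) return { allowed: false, user: user, reason: 'not-in-allowlist' };
  return { allowed: true, user: user, reason: 'ok' };
}

// Apps Script entry point; only runs inside the Apps Script runtime.
function doGet() {
  const ss = SpreadsheetApp.getActiveSpreadsheet();
  const rows = ss.getSheetByName('Admins').getRange('A:A').getValues();
  const result = decideAccess(Session.getActiveUser().getEmail(), rows);
  // Record every attempt, allowed or denied, before producing any output.
  ss.getSheetByName('Audit')
    .appendRow([new Date(), result.user, result.allowed, result.reason]);
  if (!result.allowed) {
    return HtmlService.createHtmlOutput('<p>Access denied.</p>');
  }
  // The <?= ?> printing scriptlet HTML-escapes the value it outputs.
  const page = HtmlService.createTemplate('<p>Welcome <?= email ?></p>');
  page.email = result.user;
  return page.evaluate();
}

// Constructed sample of Admins!A:A for exercising decideAccess outside Apps Script.
const SAMPLE_ADMIN_ROWS = [['Email'], ['Alice@Company.com '], [''], ['bob@company.com']];
```

With Execute as "User accessing the web app", the Audit append runs with the visitor's own Sheet permissions, so the visitor must be able to edit that sheet for the log write to succeed.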
API tokens vs Google SSO
Machine-to-machine callers cannot use Google SSO; issue HMAC API keys validated in doPost, separate from human doGet flows.
Rotate keys in the Script Properties menu.
Example code
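```javascript
// Throws unless the caller is signed in with an @company.com account.
function assertDomainUser() {
  const email = Session.getActiveUser().getEmail();
  // getEmail() returns '' for anonymous users; treat that as unauthenticated.
  if (!email || !email.endsWith('@company.com')) {
    throw new Error('Unauthorized: domain users only');
  }
  return email;
}

function doGet() {
  // Reuse the validated address instead of querying the session a second time.
  const email = assertDomainUser();
  return HtmlService.createHtmlOutput('<p>Welcome ' + email + '</p>');
}
```

| Approach | Best for | Tradeoff |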
|---|---|---|
| Apps Script native | Google Workspace-centric workflows | 6-min limit, quotas |
| Zapier / Make | No-code, many connectors | Per-task cost, vendor lock-in |
| Python + Cloud | Heavy data / ML | Hosting cost, separate auth |
| Apps Script web app development | Production custom logic | Build cost, you own code |
FAQ
Why is getActiveUser empty in testing?
Preview deployments sometimes lack identity until published with correct access settings.
Can I use Google Identity Services OAuth?
Usually unnecessary when the web app already requires a Google account; add GIS only for hybrid external users.
LDAP integration?
Workspace is the source of truth: sync LDAP to Google Directory, then Apps Script reads the Google session.
Does Viewer role on Sheet block web app?
Execute as User needs an appropriate Sheet role, often Editor for CRUD tools.
2FA requirements?
Enforce at the Workspace admin level; Apps Script inherits org 2FA policies.