Sheet2Classroom All posts
Back to blog
· 6 min read·privacysecurityoauth-scopes

Why Sheet2Classroom doesn't request the Google Drive scope

Most grade-import tools ask for drive.readonly or drive.file. We don't. Here's the full scope list we request, why sheets.readonly is different, and what the admin view looks like.

When a school's IT admin reviews a third-party Google Classroom integration, the first thing they look at isn't the UI. It's the OAuth consent screen — specifically, which scopes the app asks for. Most sheet-to-Classroom tools ask for Drive. Sheet2Classroom doesn't. This post explains what that difference actually means and why it matters for a Workspace-for-Education domain.

The scope nobody reads

A typical grade-import tool asks for one of these Drive scopes during sign-in:

  • https://www.googleapis.com/auth/drive.readonly — read every file in your Drive, including files shared with you.
  • https://www.googleapis.com/auth/drive.file — only files the user explicitly opens with the app (better, but still broader than needed).
  • https://www.googleapis.com/auth/drive — full read/write to everything in Drive.

Teachers click through the consent screen in three seconds because they're trying to grade 47 midterms before bed. But the scope stays granted until it's manually revoked. drive.readonlyisn't "so the app can read your gradebook" — it's "so the app can read the 2019 budget your principal shared with you, the PDF your lawyer uploaded last month, and the private folder your spouse gave you access to for family photos." Schools that audit third-party apps against FERPA or their local equivalent flag this scope as high-risk for a reason.

What Sheet2Classroom actually requests

The full scope list we ask for on the consent screen:

  • classroom.courses.readonly — list your courses so you can pick one in the wizard.
  • classroom.coursework.students — create the assignment and write grades to it.
  • classroom.rosters.readonly — read student names and IDs so we can match them to your sheet rows.
  • classroom.profile.emails — read student Workspace emails (blank for personal-Gmail students; see our post on hidden emails).
  • spreadsheets.readonly— read the specific Google Sheet you pasted the URL for. Nothing else. No "all spreadsheets," no "all files," no Drive access.
  • userinfo.email + userinfo.profile — the standard OpenID scopes that let us show your name on the dashboard.

That's it. No Drive. No Calendar. No Gmail. No contacts.

Why sheets.readonly is different from drive.readonly

spreadsheets.readonly is a spreadsheet-scoped permission. It lets the app call the Sheets API (sheets.spreadsheets.values.get, sheets.spreadsheets.get) against a spreadsheet you explicitly gave it. The app still has to know the sheet ID — which it gets from the URL the teacher pastes. It can't enumerate your sheets, can't search for them by name, can't list what else you own. It reads what you tell it to read.

drive.readonly is file-system-scoped. It reads everything. The difference is the same as SSH-ing into one directory versus the whole disk.

Why other tools ask for drive.readonly anyway

Three reasons, in decreasing order of legitimacy:

  1. They want a file picker.If the tool wants to show you a dropdown of "all your spreadsheets" instead of asking you to paste a URL, it has to list your Drive. That's a UX preference — not a requirement. Sheet2Classroom ships with a paste-URL input because keeping the scope surface small is worth one extra cmd+L, cmd+C, cmd+V.
  2. They're copying a scaffolded example.Most Google Workspace tutorials start with Drive scope because it's the catch-all. Nobody bothered to narrow it down.
  3. They plan to use it later."We might want to export reports to your Drive someday, so let's ask for it now." This is the Google API equivalent of the web app that asks for your phone number at signup. Just-in-case permissions are not permissions a school should consent to.

The admin view

If you're an IT admin considering Sheet2Classroom for your Workspace for Education domain, here's what you'll see in the Google Admin Console > Security > API Controls > App Access Control:

  • Scope surface:7 scopes, zero restricted scopes (Drive and Gmail are considered "restricted" by Google; Classroom scopes are not).
  • Data stored server-side:only OAuth refresh tokens (so the teacher doesn't have to re-auth every session) and 30-day grade backups (so they can undo a mistaken push). No sheet contents, no rosters, no historical pushes.
  • Data transmitted:only what flows between Classroom, Sheets, and the teacher's browser during an active push operation.
  • Subprocessors: Vercel (hosting), Upstash (Redis for backups), Google (APIs). No analytics beacons on the app side, no third-party ads.

What this costs us

Skipping Drive scope means we can't offer a native sheet picker, we can't auto-find "the sheet you usually push grades from," and we can't export restoration snapshots back to your Drive. All of those would be nice. None are worth asking for blanket file access for.

Try it — or don't

If you're an admin, the fastest way to verify the claim is to grant Sheet2Classroom access on a test teacher account and check the consent screen + the Admin Console listing. Both will match this post. If you're a teacher, paste a sheet URL and see how far the wizard gets with a minimal permission set.

Read next

All posts