First, it was Craigslist, next it's Zapier

[kamerontanseli]

Hi, the author here,

That's the read-only scope that's required to query a single spreadsheet on the user's account. The API doesn't allow listing queries unless you also ask for drive permissions (which I don't).

See more info here: https://developers.google.com/sheets/api/guides/authorizing

[benatkin]

I'm famiilar with the Google Sheets API. The way to get fine-grained access to the Google Sheets API is by asking for a specific permission within Google Drive. While it involves two APIs, it's less permissions than giving access to all the spreadsheets in a google sheets account.

Another way to go is to use a service account, and have the user share their sheet with your service account's email address.

[slouch]

Hi, I'm not OP, but have built a similar thing. Are you suggesting to use https://www.googleapis.com/auth/drive.file instead of https://www.googleapis.com/auth/spreadsheets?

[benatkin]

Yeah. It gives read/write access to one file. The ideal for this use case would be read only access for one file. I think read/write access for one file follows the principle of least privilege better than read access for all files. https://developers.google.com/drive/api/v2/about-auth https://en.wikipedia.org/wiki/Principle_of_least_privilege

[slouch]

I've found that drive.file doesn't work so well with existing Sheets https://stackoverflow.com/questions/61778469/append-rows-to-...