Where is the list of which Google OAuth2 scopes are considered "sensitive"?

Question

I understand that Google OAuth2 scopes broadly fit into three buckets, ordered from most difficult to be approved to use, to least:

• Restricted Scopes
• Sensitive Scopes
• everything else

I found a list of Restricted Scopes, here: https://support.google.com/cloud/answer/9110914?hl=en

I am unable to find a list of Sensitive Scopes. All of the Google pages i've seen simply explain what happens if you request a sensitive scope, or how to go about review if you are using a sensitive scope. Fine, but what are the sensitive scopes?

Why I want to know: I wish to avoid the hassle of review by avoiding sensitive scopes. I'm having to refactor a lot of my app to avoid using a restricted scope (I only just became aware of this issue yesterday when Google emailed me a warning). In this process, I do not wish to inadvertently start using a sensitive scope for the first time when I do not need to.

Answer 1

If you click on 'Add scope' in the 'OAuth Consent Screen' configuration UI [1] and register all the scopes you are using in your application, in the process of selecting scopes, a 'lock icon' appears next to ones that will be considered sensitive. Hovering over the lock icon tells you that 'sensitive scopes require verification'.

Note that in order to register your scopes, you should have enabled the APIs you intend to use first [2].

It is always recommended in the Google API Data Usage Policy [3] that you only request the data you need. If that means you may need access to certain sensitive data, it is recommended to get your app verified. App verification allows your users to have more confidence when using your app, so this is a benefit to you too.

[1] https://console.developers.google.com/apis/credentials/consent

[2] https://cloud.google.com/apis/docs/enable-disable-apis

[3] https://developers.google.com/terms/api-services-user-data-policy#request-relevant-permissions