Does ModelPiper see my Google account data?

No. The OAuth handshake goes browser → Google → ToolPiper on your Mac. ModelPiper's servers are not in that path. The access token lives in your macOS Keychain, scoped to ToolPiper. Tool calls (like gsc_analytics) hit Google directly from your Mac with that token.

Why is Google the only OAuth provider right now?

Each provider needs both the OAuth integration and the corresponding MCP tools. Google was first because Search Console covers a high-intent use case (SEO and content analytics) with clear ROI. Gmail, Drive, and Calendar are planned, but adding a provider without shipping tools for it doesn't help anyone. Bring-your-own provider support is available in the OAuth pane for advanced users who want to wire up other services manually.

What scopes does ToolPiper request from Google?

The minimal scopes needed for the tools that exist. For Search Console: https://www.googleapis.com/auth/webmasters.readonly. Read-only access to the properties you own. ToolPiper doesn't request write access or any other Google scopes today. Future services will request their own minimum scopes when they ship.

Can I bring my own OAuth provider?

Yes. The OAuth pane has an "Add Provider" option for custom OAuth registrations. You provide your client ID, your scopes, and the provider's auth/token URLs. ToolPiper handles the handshake using the same pattern as the built-in Google client. This is the path for niche services we haven't shipped first-party support for.

What happens if my OAuth token expires?

ToolPiper refreshes it automatically using the refresh token stored alongside the access token. If the refresh fails (most often because Google's policies require re-consent), the next tool call returns an error and ToolPiper's OAuth pane shows the provider as needing re-authentication. Click Connect again to re-grant.

Connect ToolPiper to Your Cloud Accounts via OAuth on Mac

Local AI is privacy by default. The trade-off is that your AI doesn't know anything about your cloud accounts. Your AI can summarize a document on disk, but it can't tell you which blog posts dropped impressions in Search Console last week. OAuth fixes that, without putting our servers in the middle.

How does OAuth work in ToolPiper?

ToolPiper bundles its own OAuth client. When you connect, ToolPiper opens your default browser to the provider's consent screen. You sign in to the provider directly. The access token lands back in ToolPiper through a localhost callback. We don't intermediate the exchange and we don't store the token outside your Mac.

Three properties of the flow worth naming:

The handshake is local. ToolPiper opens your browser, the provider's consent page appears, the token comes back to a localhost listener on your Mac. ModelPiper's servers are not involved.
The token never leaves your machine. ToolPiper stores OAuth tokens in your macOS Keychain, scoped to the ToolPiper app. We don't have access to them and we don't sync them anywhere.
Tool calls run on demand. The token sits idle until an MCP tool fires. gsc_analytics uses it. chat against a local model doesn't. Nothing leaves your Mac except the specific API request the tool needs to make.

Which providers does ToolPiper support today?

Google is the only built-in OAuth provider at launch. Search Console is the first Google service with shipped MCP tools. More Google services (Gmail, Drive, Calendar) are planned but not shipped yet.

The reason for Google-first: it covers the use cases that move the needle for our user base. Search Console for SEO. Gmail for inbox automation. Drive for document RAG. Calendar for scheduling. Once one Google service ships end-to-end (auth + scope + tools), adding the next is mostly tool implementation and scope expansion. The OAuth plumbing stays the same.

The OAuth pane also supports bring-your-own providers. If you have your own OAuth app registered with another service, you can paste its client ID and configure the scopes manually. This is the path for advanced users who want to integrate niche services we haven't shipped first-party support for.

How do I connect Google to ToolPiper?

Open ToolPiper, navigate to the OAuth pane (Settings -> OAuth), click Connect on the Google row. Your default browser opens Google's consent screen. Sign in, grant the scopes ToolPiper requests, the OAuth pane in ToolPiper updates to show "Connected". The Search Console tools are now callable from any MCP client.

What you'll see at each step:

Click Connect. ToolPiper generates a one-time state token and opens your browser at Google's accounts.google.com/o/oauth2/auth URL.
Sign in to Google. Use the account that owns the Search Console properties you want ToolPiper to read.
Grant scopes. Google shows the scopes ToolPiper requests. For Search Console, that's webmasters.readonly. You can revoke any time from your Google Account settings or from ToolPiper's OAuth pane.
Redirect. Google redirects to a localhost URL ToolPiper is listening on. The access token lands in ToolPiper's Keychain. The browser tab closes itself.
Done. The OAuth pane updates. Search Console tools are available to MCP clients.

What can I do with Google Search Console connected?

Four MCP tools become available to any AI editor connected to ToolPiper. gsc_site_list enumerates properties. gsc_analytics queries performance data (impressions, clicks, CTR, position) with date ranges and filters. gsc_inspect runs URL inspection. gsc_sitemap_list lists submitted sitemaps and their status.

Concrete prompts an AI editor can answer once Search Console is connected:

"Which pages on modelpiper.com dropped impressions in the last 7 days?"
"Is the new blog post at /blog/connect-toolpiper indexed?"
"What's my top-ranking page for 'local AI mac' and what position is it in?"
"List all my submitted sitemaps and their last processed date."

For the full breakdown of each tool, the scopes it requires, and the kinds of analysis it enables, see Google Search Console MCP Setup.

How do I disconnect or revoke OAuth tokens?

Two ways. From ToolPiper's OAuth pane, click Disconnect on the provider row. The token is removed from your Keychain and ToolPiper stops issuing requests with it. From your Google Account settings, navigate to Third-party apps and revoke ToolPiper. Google invalidates the token server-side.

Use the OAuth pane for clean local cleanup. Use the Google account settings if you want server-side revocation that takes effect even if ToolPiper hasn't cleaned up properly. Doing both is fine.

What if connection fails?

Three failure modes account for almost every OAuth failure. The browser blocked the localhost redirect, the consent flow timed out, or the scope grant failed. ToolPiper's OAuth pane surfaces the specific error message in each case.

Localhost redirect blocked. Some browser extensions block requests to localhost URLs. Try a different browser or disable the offending extension. The redirect target ToolPiper expects is http://127.0.0.1:<port>/callback.
Consent flow timed out. ToolPiper's callback listener has a 120-second timeout. If the consent screen sits open longer than that, the flow expires. Re-click Connect.
Scope grant failed. Some Google Workspace admin policies restrict third-party app access. If you're on a managed account, your admin may need to approve ToolPiper. Try a personal Google account first to confirm the rest of the setup works.

For setup details on specific OAuth-backed integrations, see the linked spokes below.

	ToolPiper OAuth	Cloud-hosted MCP servers	Custom OAuth proxy
Where the token lives	Your macOS Keychain	Vendor's database	Your server
Who sees the request payload	Just you and the provider	Vendor	You (operator)
Token rotation	Automatic, in ToolPiper	Vendor-managed	You implement
Network path	Browser → provider → localhost	Browser → vendor → provider	Browser → your server → provider
Setup cost	Click Connect	Account signup, billing	Build and host the proxy
Trust surface	ToolPiper app only	Vendor + provider	Your infrastructure + provider

Connect ToolPiper to Your Cloud Accounts via OAuth on Mac

How does OAuth work in ToolPiper?

Which providers does ToolPiper support today?

How do I connect Google to ToolPiper?

What can I do with Google Search Console connected?

How do I disconnect or revoke OAuth tokens?

What if connection fails?

ToolPiper OAuth vs cloud-hosted alternatives

Frequently Asked Questions

Related

AI Providers