--- title: "Connect ToolPiper to Your Cloud Accounts via OAuth on Mac" description: "ToolPiper bundles a Google OAuth client. Connect once, and Search Console tools answer SEO questions from your AI editor. More services rolling out." date: 2026-05-12 author: "Ben Racicot" tags: ["OAuth", "Google", "Search Console", "Integrations", "Privacy", "macOS", "Developer Tools"] type: "article" canonical: "https://modelpiper.com/blog/connect-toolpiper-oauth/" --- # Connect ToolPiper to Your Cloud Accounts via OAuth on Mac > ToolPiper bundles a Google OAuth client. Connect once, and Search Console tools answer SEO questions from your AI editor. More services rolling out. ## TL;DR ToolPiper connects to your cloud accounts through OAuth. The handshake runs through your browser and your Mac, with no relay in the middle. Google Search Console is shipped today, with four MCP tools any AI editor can call. More Google services are rolling out. Local AI is privacy by default. The trade-off is that your AI doesn't know anything about your cloud accounts. Your AI can summarize a document on disk, but it can't tell you which blog posts dropped impressions in Search Console last week. OAuth fixes that, without putting our servers in the middle. ## How does OAuth work in ToolPiper? ToolPiper bundles its own OAuth client. When you connect, ToolPiper opens your default browser to the provider's consent screen. You sign in to the provider directly. The access token lands back in ToolPiper through a localhost callback. We don't intermediate the exchange and we don't store the token outside your Mac. Three properties of the flow worth naming: - **The handshake is local.** ToolPiper opens your browser, the provider's consent page appears, the token comes back to a localhost listener on your Mac. ModelPiper's servers are not involved. - **The token never leaves your machine.** ToolPiper stores OAuth tokens in your macOS Keychain, scoped to the ToolPiper app. We don't have access to them and we don't sync them anywhere. - **Tool calls run on demand.** The token sits idle until an MCP tool fires. `gsc_analytics` uses it. `chat` against a local model doesn't. Nothing leaves your Mac except the specific API request the tool needs to make. ## Which providers does ToolPiper support today? Google is the only built-in OAuth provider at launch. Search Console is the first Google service with shipped MCP tools. More Google services (Gmail, Drive, Calendar) are planned but not shipped yet. The reason for Google-first: it covers the use cases that move the needle for our user base. Search Console for SEO. Gmail for inbox automation. Drive for document RAG. Calendar for scheduling. Once one Google service ships end-to-end (auth + scope + tools), adding the next is mostly tool implementation and scope expansion. The OAuth plumbing stays the same. The OAuth pane also supports bring-your-own providers. If you have your own OAuth app registered with another service, you can paste its client ID and configure the scopes manually. This is the path for advanced users who want to integrate niche services we haven't shipped first-party support for. ## How do I connect Google to ToolPiper? Open ToolPiper, navigate to the OAuth pane (Settings -> OAuth), click Connect on the Google row. Your default browser opens Google's consent screen. Sign in, grant the scopes ToolPiper requests, the OAuth pane in ToolPiper updates to show "Connected". The Search Console tools are now callable from any MCP client. What you'll see at each step: 1. Click Connect. ToolPiper generates a one-time state token and opens your browser at Google's `accounts.google.com/o/oauth2/auth` URL. 2. Sign in to Google. Use the account that owns the Search Console properties you want ToolPiper to read. 3. Grant scopes. Google shows the scopes ToolPiper requests. For Search Console, that's `webmasters.readonly`. You can revoke any time from your Google Account settings or from ToolPiper's OAuth pane. 4. Redirect. Google redirects to a localhost URL ToolPiper is listening on. The access token lands in ToolPiper's Keychain. The browser tab closes itself. 5. Done. The OAuth pane updates. Search Console tools are available to MCP clients. ## What can I do with Google Search Console connected? Four MCP tools become available to any AI editor connected to ToolPiper. `gsc_site_list` enumerates properties. `gsc_analytics` queries performance data (impressions, clicks, CTR, position) with date ranges and filters. `gsc_inspect` runs URL inspection. `gsc_sitemap_list` lists submitted sitemaps and their status. Concrete prompts an AI editor can answer once Search Console is connected: - _"Which pages on modelpiper.com dropped impressions in the last 7 days?"_ - _"Is the new blog post at /blog/connect-toolpiper indexed?"_ - _"What's my top-ranking page for 'local AI mac' and what position is it in?"_ - _"List all my submitted sitemaps and their last processed date."_ For the full breakdown of each tool, the scopes it requires, and the kinds of analysis it enables, see [Google Search Console MCP Setup](/blog/gsc-search-console-mcp-toolpiper). ## How do I disconnect or revoke OAuth tokens? Two ways. From ToolPiper's OAuth pane, click Disconnect on the provider row. The token is removed from your Keychain and ToolPiper stops issuing requests with it. From your Google Account settings, navigate to Third-party apps and revoke ToolPiper. Google invalidates the token server-side. Use the OAuth pane for clean local cleanup. Use the Google account settings if you want server-side revocation that takes effect even if ToolPiper hasn't cleaned up properly. Doing both is fine. ## What if connection fails? Three failure modes account for almost every OAuth failure. The browser blocked the localhost redirect, the consent flow timed out, or the scope grant failed. ToolPiper's OAuth pane surfaces the specific error message in each case. 1. Localhost redirect blocked. Some browser extensions block requests to localhost URLs. Try a different browser or disable the offending extension. The redirect target ToolPiper expects is `http://127.0.0.1:/callback`. 2. Consent flow timed out. ToolPiper's callback listener has a 120-second timeout. If the consent screen sits open longer than that, the flow expires. Re-click Connect. 3. Scope grant failed. Some Google Workspace admin policies restrict third-party app access. If you're on a managed account, your admin may need to approve ToolPiper. Try a personal Google account first to confirm the rest of the setup works. For setup details on specific OAuth-backed integrations, see the linked spokes below. ## FAQ ### Does ModelPiper see my Google account data? No. The OAuth handshake goes browser → Google → ToolPiper on your Mac. ModelPiper's servers are not in that path. The access token lives in your macOS Keychain, scoped to ToolPiper. Tool calls (like `gsc_analytics`) hit Google directly from your Mac with that token. ### Why is Google the only OAuth provider right now? Each provider needs both the OAuth integration and the corresponding MCP tools. Google was first because Search Console covers a high-intent use case (SEO and content analytics) with clear ROI. Gmail, Drive, and Calendar are planned, but adding a provider without shipping tools for it doesn't help anyone. Bring-your-own provider support is available in the OAuth pane for advanced users who want to wire up other services manually. ### What scopes does ToolPiper request from Google? The minimal scopes needed for the tools that exist. For Search Console: `https://www.googleapis.com/auth/webmasters.readonly`. Read-only access to the properties you own. ToolPiper doesn't request write access or any other Google scopes today. Future services will request their own minimum scopes when they ship. ### Can I bring my own OAuth provider? Yes. The OAuth pane has an "Add Provider" option for custom OAuth registrations. You provide your client ID, your scopes, and the provider's auth/token URLs. ToolPiper handles the handshake using the same pattern as the built-in Google client. This is the path for niche services we haven't shipped first-party support for. ### What happens if my OAuth token expires? ToolPiper refreshes it automatically using the refresh token stored alongside the access token. If the refresh fails (most often because Google's policies require re-consent), the next tool call returns an error and ToolPiper's OAuth pane shows the provider as needing re-authentication. Click Connect again to re-grant.