How can end users recover their own Google Workspace data through Google OAuth Login?

CubeBackup administrators/operators can back up or restore data for any user in the Google Workspace domain. However, it is often advantageous, especially in large organizations, to allow end users to find and recover their own Google Workspace files or emails.

Enable self-service recovery for Google Workspace with Google OAuth Login

Please follow the instructions below to enable Google OAuth login for all users in your Google Workspace domain, so that end users can restore their Google Workspace data without asking the administrator:

Step 1. Assign a domain name to the CubeBackup server

Accessing the CubeBackup console via a domain name (not the IP address) is required for Google OAuth login. In most cases, you can assign a subdomain name for the CubeBackup server/VM (e.g.

To point a domain name (e.g. to your CubeBackup server, you need to add an “A” record in the DNS provider’s console to connect the domain name to the IP address of your CubeBackup server.


  • You can find more information about “A” records at

  • To change the DNS settings of your domain, you need to sign into the console of your DNS service provider, such as GoDaddy, Namecheap, or Google Domains. If you do not know the DNS service provider of your domain, or if you do not have credentials/permissions to log into the DNS console, please consult your network administrator.

Step 2. Enable HTTPS/SSL for the CubeBackup web console

After assigning a domain name for the IP address of the CubeBackup server, please enable HTTPS/SSL for your CubeBackup web console.

HTTPS/SSL is natively supported in CubeBackup and is easy to activate for the web console. You can visit How to enable HTTPS for CubeBackup for detailed instructions.

Step 3. Create OAuth client ID

Log in to Google Cloud Platform using the same Google account which was used to create the Google Service account in the initial configuration.

  • Make sure that the project created for the Google Service account is the active project in the Google Cloud Platform.

  • From the navigation menu, select APIs & Services > Credentials.
  • In the Credentials page, click +CREATE CREDENTIALS > OAuth client ID.
  • Select Web application from the Application type drop-down list, then enter a name (e.g. CubeBackupClient) in the Name text box.
  • Click +ADD URI in the Authorized JavaScript origins section, and input the domain URI of the CubeBackup server, such as
  • Add the same URI in the Authorized redirect URIs section.
  • Click CREATE.
  • In the OAuth client created dialog that pops up, copy the value of Your Client ID and keep it for the next step.

Tip: If you closed the pop-up dialog without copying the OAuth client ID, don’t worry: the OAuth client ID can always be found on the APIs & Services > Credentials page.

After the OAuth Client has been created, you should see at least one “OAuth 2.0 Client ID” and one “Service Account” in the Credentials page.

Step 4. Add the created OAuth Client ID to the CubeBackup configuration file

  • Log (or SSH) into your backup server.
  • Open the configuration file config.toml using a text editor.

    Starting with version 4.7, the configuration file is located at <installation directory>/etc/config.toml for fresh installations of CubeBackup. For installations upgraded through the console, or versions prior to 4.7, the configuration file is still located at <installation directory>/bin/config.toml.
         On Windows, the default installation directory is located at c:\Program Files\CubeBackup4.
         On Linux, the default installation directory is located at /opt/cubebackup.

  • Find the [Web] section and add the following line:

    GoogleOAuthClientId = "Your OAuth Client ID"

    Here is an example of the [Web] section in the configuration file:

    Bind = ":80"
    HTTPSEnabled = true
    GoogleOAuthClientId = ""

  • Restart the CubeBackup service so the changes will take effect.

    On Linux:

    sudo /opt/cubebackup/bin/cbsrv restart

    On Windows:
    Enter services.msc in the command line, then in the Services list that pops up, right-click the CubeBackup Service entry, and select Restart.

    On Docker:

    sudo docker restart <container-name>

Step 5. Share the domain URL of the CubeBackup server with others

Now you can let everyone know the domain URL of the CubeBackup server, so that end users can use their own Google accounts to log in to the CubeBackup web dashboard, where they can view their backup files and emails, or even perform a self-service recovery of their Google Workspace data if necessary.

Tip: Please complete the first few backup cycles of your Google Workspace domain before notifying all users of the domain address of the CubeBackup server. Otherwise, there will be no backup data for the users to see.