Authorize Kondado for organizations with session duration control

If your company has implemented a re-authentication policy for apps in your Google account, a Google account administrator must exempt Kondado from this policy by setting our Google application as trusted, following the steps below. Integrations need to run autonomously, without re-authentication every 24 hours.

If you are following these steps to solve BigQuery connection problems, we recommend using the BigQuery destination with the BigQuery Service Account, which uses a different authentication method and does not require the steps below.

If you already use BigQuery with normal authentication and want to replace it with the BigQuery Service Account in bulk, without recreating tables, contact us through the chat, referencing this tutorial, and we will help you with the process.

  1. An administrator of your Google Workspace account must access the account management page at https://admin.google.com/
  2. In the side menu (accessed by the 3 horizontal bars at the top left) go to Security > Access and data control > API controls
  3. On the App access control page, select MANAGE THIRD-PARTY APP ACCESS
  4. In the list, look for the option "Add app" > "OAuth App Name Or Client ID"
  5. In the search bar, type "kondado" and click on "SEARCH", then select the option with App name "Kondado" (and only this option)
  6. Make sure you choose the Kondado option and not Kondado SSO

  7. In the next step, authorize all listed Client IDs and then click on "SELECT"
  8. In the next step, select the option "Trusted: Can access all Google services" and then click on "CONFIGURE"
  9. Now that Kondado is set up as a trusted app, trusted apps must also be exempted from re-authentication, if your organization has not already done so. To do this, open the left sidebar again (the 3 horizontal lines at the top left) and go to Security > Access and data control > Google Cloud session control
  10. Check the "Exempt Trusted apps" option and then save

The changes made may take up to 24 hours to be implemented by Google.

Authorize Kondado as a trusted Google Workspace app

Configure your Google Workspace administrator settings to exempt Kondado from session duration re-authentication policies, enabling autonomous data pipeline execution.

1. Access Google Admin console

A Google Workspace administrator must log in to https://admin.google.com/ to begin configuring third-party app permissions for your organization's security policies.

2. Navigate to API controls

Open the side menu (three horizontal bars at top left) and go to Security > Access and data control > API controls to manage third-party application access.

3. Add Kondado as a third-party app

On the App access control page, select MANAGE THIRD-PARTY APP ACCESS, then click "Add app" > "OAuth App Name Or Client ID" and search for "kondado".

4. Select the correct Kondado app

From the search results, select only the app named "Kondado" — do not select "Kondado SSO". This ensures proper authentication for your data integrations.

5. Authorize all Client IDs

In the next step, authorize all listed Client IDs for the Kondado app, then click "SELECT" to proceed to trust configuration.

6. Set Kondado as trusted

Select "Trusted: Can access all Google services" and click "CONFIGURE" to grant Kondado the necessary permissions to run pipelines without interruption.

7. Exempt trusted apps from re-authentication

Return to Security > Access and data control > Google Cloud session control, check "Exempt Trusted apps", and save. Changes may take up to 24 hours to propagate across Google services.

Frequently asked questions

Why do I need to authorize Kondado as a trusted app in Google Workspace?
Organizations with session duration control policies require users to re-authenticate apps periodically. Since Kondado data integrations need to run autonomously without manual re-authentication every 24 hours, your Google Workspace administrator must set Kondado as a trusted app to exempt it from these re-authentication requirements.

Can I avoid this process if I use BigQuery as my destination?
Yes. If you are setting this up for BigQuery connections, we recommend using the BigQuery destination with the BigQuery Service Account instead, which employs a different authentication method and does not require these Google Workspace trust configuration steps. See our destinations page for more options.

What if I already use BigQuery with normal authentication and want to switch to Service Account?
If you want to replace normal BigQuery authentication with the BigQuery Service Account without recreating tables and in bulk, contact us through the chat referencing this tutorial and our team will assist you with the migration process.

How long does it take for the trust configuration changes to take effect?
The changes made in your Google Workspace admin console may take up to 24 hours to be fully implemented and propagated across Google's services. Your Kondado integrations will not be able to bypass re-authentication until this propagation is complete.

What happens if I accidentally select "Kondado SSO" instead of "Kondado"?
You must select only the app named "Kondado" — not "Kondado SSO". Selecting the wrong option will not properly authorize the application for your data pipeline connections, and your integrations may continue to fail due to re-authentication requirements.

Written by·Published 2023-08-03·Updated 2026-04-25