voiceCal-ai-v3 / OAUTH_SUBMISSION_CHECKLIST.md
FEAT: Add privacy policy and terms of service for Google OAuth verification
aca490b

Google OAuth Verification Submission Checklist

Goal: Move the VoiceCal.ai OAuth app from Testing to Production mode to eliminate the 7-day token expiration.


✅ Pre-Submission Checklist

Documentation (COMPLETED ✅)

  • GOOGLE_OAUTH_VERIFICATION.md - Comprehensive verification documentation
  • PRIVACY_POLICY.md - Privacy policy compliant with GDPR, CCPA
  • TERMS_OF_SERVICE.md - Terms of service with acceptable use policy
  • API routes added to serve /privacy and /terms endpoints
  • Markdown package added to requirements.txt

Website Requirements (TODO 📝)

Google Cloud Console Setup (TODO 📝)

  • OAuth consent screen configured
  • Privacy policy URL added to consent screen
  • Terms of service URL added to consent screen
  • Application logo uploaded (optional but recommended)
  • Support email configured
  • Authorized domains verified

📋 Step-by-Step Submission Process

Step 1: Deploy Updated Code to HuggingFace

# Commit the new files
git add GOOGLE_OAUTH_VERIFICATION.md PRIVACY_POLICY.md TERMS_OF_SERVICE.md
git add OAUTH_SUBMISSION_CHECKLIST.md
git add app/api/main.py requirements.txt

# Update semantic version
# Edit pyproject.toml and version.txt to increment version

git commit -m "FEAT: Add privacy policy and terms of service for OAuth verification"
git push origin main

# Push to HuggingFace
git push hf main

Wait for deployment to complete (check https://pgits-voicecal-ai-v3.hf.space)

Step 2: Verify Privacy/Terms Pages

Visit these URLs and ensure they load correctly:

  • https://pgits-voicecal-ai-v3.hf.space/privacy
  • https://pgits-voicecal-ai-v3.hf.space/terms

If they don't work, check:

  • Files are in the correct location (root directory)
  • HuggingFace deployment completed successfully
  • No errors in application logs
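
A scripted version of this check, added here as an example and not part of the project's code: it fetches both pages without credentials and fails on a non-200 status, a non-HTTPS final URL, a redirect away from the submitted URL, or a non-HTML response. The function names and the expectation of `text/html` are assumptions; the URLs are the ones entered on the consent screen in Step 3.

```bash
#!/usr/bin/env bash
# Added example: preflight for the consent-screen links (not project code).
BASE_URL="https://pgits-voicecal-ai-v3.hf.space"   # from the checklist

# classify_page STATUS FINAL_URL CONTENT_TYPE EXPECTED_URL
# Pure decision logic: prints "ok" or a reason; returns 0 only for "ok".
classify_page() {
  local status="$1" final_url="$2" ctype="$3" expected="$4"
  case "$final_url" in
    https://*) ;;
    *) echo "not-https"; return 1 ;;
  esac
  if [ "$status" != "200" ]; then echo "status-$status"; return 1; fi
  # Landing anywhere else (login page, error page) means a reviewer
  # does not see the policy at the URL entered on the consent screen.
  if [ "${final_url%/}" != "${expected%/}" ]; then echo "redirected"; return 1; fi
  case "$ctype" in
    text/html*) ;;                      # assumption: routes return rendered HTML
    *) echo "not-html"; return 1 ;;
  esac
  echo "ok"
}

# check_page URL: unauthenticated fetch (no cookies, no auth header).
check_page() {
  local url="$1" out status final ctype
  out=$(curl -sS -L --max-time 20 -o /dev/null \
        -w '%{http_code} %{url_effective} %{content_type}' "$url") \
    || { echo "fetch-failed"; return 1; }
  status=${out%% *}; out=${out#* }      # content type may itself contain spaces
  final=${out%% *};  ctype=${out#* }
  classify_page "$status" "$final" "$ctype" "$url"
}

preflight() {
  local rc=0 path
  for path in /privacy /terms; do
    printf '%s: ' "$BASE_URL$path"
    check_page "$BASE_URL$path" || rc=1
  done
  return "$rc"
}

# Network access happens only when invoked as: ./preflight.sh run
if [ "${1:-}" = "run" ]; then preflight; fi
```

Run it from a machine that has never logged in to the Space, so the result reflects what an anonymous reviewer sees.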

Step 3: Configure Google Cloud Console

  1. Go to Google Cloud Console: https://console.cloud.google.com/

  2. Navigate to OAuth Consent Screen:

    • APIs & Services → OAuth consent screen
  3. Complete ALL required fields:

    App Information:

    • App name: VoiceCal.ai
    • User support email: pgits.job@gmail.com
    • App logo: Upload a logo (PNG/JPG, 120x120px minimum)

    App Domain:

    • Application homepage: https://pgits-voicecal-ai-v3.hf.space
    • Privacy policy: https://pgits-voicecal-ai-v3.hf.space/privacy
    • Terms of service: https://pgits-voicecal-ai-v3.hf.space/terms

    Authorized Domains:

    • hf.space

    Developer Contact:

    • Email addresses: pgits.job@gmail.com

    Scopes:

    • https://www.googleapis.com/auth/calendar
    • https://www.googleapis.com/auth/calendar.events
  4. Add Scope Justification:

    When adding scopes, provide this justification:

    VoiceCal.ai is a personal scheduling assistant that helps visitors
    book meetings with the calendar owner (Peter Michael Gits).
    
    Calendar scope is required to:
    1. Check availability in Peter's calendar
    2. Create meeting events with Google Meet links
    3. Cancel meetings when requested
    
    Only the calendar owner authenticates - NOT end users. The app
    accesses only one calendar for scheduling purposes.
    
  5. Save and Continue

Step 4: Submit for Verification

  1. Review OAuth Consent Screen:

    • Ensure all fields are complete
    • Check that privacy/terms URLs are accessible
    • Verify scopes are correctly listed
  2. Click "PUBLISH APP" or "Submit for Verification":

    • Google may require additional verification depending on scopes
    • Follow any additional prompts
  3. Prepare Verification Documentation:

    Google may ask for additional information. Be ready with:

    • YouTube Video (Optional): Short demo showing:

      • User booking a meeting via the chat interface
      • Calendar event being created
      • Confirmation email received
    • Written Explanation: Use GOOGLE_OAUTH_VERIFICATION.md

    • Proof of Domain Ownership: HuggingFace Spaces URL is sufficient

    • Screenshots:

      • Homepage showing booking interface
      • Privacy policy page
      • Terms of service page
      • Example calendar event created

Step 5: Wait for Review

Timeline: 1-7 business days (typically)

Status: Check in Google Cloud Console → OAuth consent screen

Possible Outcomes:

  1. Approved ✅

    • App moved to Production mode
    • Refresh tokens no longer expire after 7 days
    • Re-authenticate once to get non-expiring refresh token
  2. Needs More Information ℹ️

    • Google requests additional documentation
    • Respond promptly with requested info
    • Use GOOGLE_OAUTH_VERIFICATION.md as reference
  3. Rejected ❌

    • Review rejection reason carefully
    • Address specific concerns
    • Resubmit with corrections

🚨 Common Rejection Reasons & Solutions

1. "Privacy policy is insufficient"

Solution:

  • Ensure /privacy URL is publicly accessible
  • Privacy policy must explain:
    • What data is collected
    • How data is used
    • How data is protected
    • User rights (access, deletion, etc.)

Status: ✅ ADDRESSED in PRIVACY_POLICY.md

2. "Use case is unclear"

Solution:

  • Clearly explain on homepage what app does
  • Add scope justification in OAuth consent screen
  • Provide screenshots or video demo

Status: ✅ ADDRESSED in GOOGLE_OAUTH_VERIFICATION.md

3. "Requested scopes are excessive"

Solution:

  • Only request minimum necessary scopes
  • Provide clear justification for each scope
  • Show exactly how each scope is used

Status: ✅ ADDRESSED - Only requesting calendar scopes

4. "Terms of service missing or incomplete"

Solution:

  • Ensure /terms URL is publicly accessible
  • Terms must include:
    • Service description
    • Acceptable use policy
    • Liability disclaimers
    • Contact information

Status: ✅ ADDRESSED in TERMS_OF_SERVICE.md

5. "Unverified domain"

Solution:

  • Use a trusted hosting provider (HuggingFace Spaces ✅)
  • Ensure HTTPS is enabled (HuggingFace provides this ✅)
  • Add domain to authorized domains list

Status: ✅ HuggingFace Spaces is trusted


📧 If Google Requests More Information

Response Template

Subject: Re: OAuth Verification for VoiceCal.ai

Dear Google OAuth Review Team,

Thank you for reviewing VoiceCal.ai. Please find the requested information below:

[Address specific questions here]

Additional documentation is available at:
- Verification Documentation: [Link to GOOGLE_OAUTH_VERIFICATION.md on GitHub if public]
- Privacy Policy: https://pgits-voicecal-ai-v3.hf.space/privacy
- Terms of Service: https://pgits-voicecal-ai-v3.hf.space/terms

VoiceCal.ai is a personal scheduling assistant that helps visitors book
meetings with one individual (Peter Michael Gits). Only the calendar owner
authenticates with Google - end users do NOT authenticate.

Calendar API access is required solely for:
1. Checking availability in the owner's calendar
2. Creating meeting events with proper details
3. Managing cancellations when requested

The application follows Google's API Services User Data Policy and implements
industry-standard security practices including OAuth 2.0, HTTPS encryption,
and secure token storage.

Please let me know if you need any additional information.

Best regards,
Peter Michael Gits
pgits.job@gmail.com

✅ Post-Approval Steps

Once approved:

  1. Re-authenticate to get non-expiring refresh token:

    # Start local server
    uvicorn app.api.main:app --reload --port 8080
    
    # Visit in browser
    http://localhost:8080/auth/login
    
    # Complete OAuth flow - new refresh token will be saved
    
  2. Verify token no longer expires after 7 days:

    • Check .env file for GOOGLE_TOKEN_EXPIRY
    • Cron job will continue refreshing access token daily
    • Refresh token itself will NOT expire
  3. Update documentation:

    • Note that app is in Production mode
    • Update SETUP_GUIDE.md if needed
  4. Monitor for issues:

    • Check cron logs regularly: tail -f logs/cron.log
    • Ensure HuggingFace secrets are updated automatically
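
Once the app is in Production mode the refresh token saved in step 1 no longer expires, so it is worth confirming where it lives before the next `git push`. The following check is an added example, not code from the project; it assumes the token is stored in a `.env` file at the repository root, and `audit_env_file` is a hypothetical helper name.

```bash
#!/usr/bin/env bash
# Added example: keep a long-lived refresh token out of git and private on disk.
# Assumption: the token is written to .env in the repository root.

# audit_env_file REPO_DIR [FILE]
# Prints one finding per line; returns 0 only when there are no findings.
audit_env_file() {
  local repo="$1" file="${2:-.env}" rc=0 mode
  [ -f "$repo/$file" ] || { echo "missing: $file"; return 1; }

  # 1. Already in the index: the next push publishes it, and adding it
  #    to .gitignore afterwards does not remove it from history.
  if git -C "$repo" ls-files --error-unmatch -- "$file" >/dev/null 2>&1; then
    echo "tracked: $file is in the git index"; rc=1
  # 2. Untracked but not ignored: a later 'git add .' would pick it up.
  elif ! git -C "$repo" check-ignore -q -- "$file"; then
    echo "unignored: $file is not covered by .gitignore"; rc=1
  fi

  # 3. Group/other permission bits are characters 5-10 of the ls mode string.
  mode=$(ls -ld "$repo/$file" | cut -c5-10)
  if [ "$mode" != "------" ]; then
    echo "permissions: $file is accessible beyond its owner"; rc=1
  fi

  return "$rc"
}

# Usage: ./audit_env.sh run [REPO_DIR]
if [ "${1:-}" = "run" ]; then audit_env_file "${2:-.}"; fi
```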

🆘 Troubleshooting

Problem: Privacy/Terms pages not loading

Solution:

# Test locally first
uvicorn app.api.main:app --reload --port 8080

# Visit in browser:
# http://localhost:8080/privacy
# http://localhost:8080/terms

# If working locally but not on HuggingFace:
# - Check HuggingFace deployment logs
# - Ensure files are committed to repository
# - Try factory rebuild in HuggingFace settings

Problem: Google says domain is unverified

Solution:

  • Add hf.space to authorized domains in Google Cloud Console
  • Ensure Privacy/Terms URLs use https://
  • Wait a few hours for DNS propagation

Problem: Verification takes too long

Solution:

  • Check status in Google Cloud Console
  • Look for notification emails from Google
  • If > 7 days, contact Google support with application details

📝 Notes

  • Keep GOOGLE_OAUTH_VERIFICATION.md as reference for future verifications
  • Save any communication with Google OAuth team
  • Document any additional requirements they request
  • Consider making a private GitHub repo with all documentation as backup

Last Updated: November 5, 2025

Status: Ready for submission

Next Action: Deploy to HuggingFace, then submit for verification