Google Workspace Admin Skill: AI-Powered User and Group Management via Maton OAuth
14,873+ downloads and 16 stars on ClawHub. The google-workspace-admin skill by @byungkyu gives OpenClaw agents full access to the Google Workspace Admin SDK through Maton's managed OAuth gateway. Create and manage users, control group memberships, adjust organizational units, and automate IT workflows — without handling OAuth tokens directly.
The Problem It Solves
Google Workspace Admin SDK is powerful but OAuth-gated. Every developer who's tried to automate user provisioning knows the setup overhead: service accounts, domain-wide delegation, JSON key files, scope configuration. For AI agents that need to perform admin tasks as part of a workflow, that's a significant barrier.
The google-workspace-admin skill removes that barrier. One MATON_API_KEY, one browser-based auth flow, and your agent has full Admin SDK access through Maton's secure OAuth gateway.
How the Gateway Pattern Works
Agent → gateway.maton.ai/google-workspace-admin/{path} → admin.googleapis.com
↑ injects OAuth token automatically
The gateway proxies requests to Google's Admin SDK and automatically injects the authorized OAuth token. Your agent never sees raw credentials.
Quick Start
export MATON_API_KEY="your-maton-key"
# List users in your domain
python <<'EOF'
import urllib.request, os, json
req = urllib.request.Request(
'https://gateway.maton.ai/google-workspace-admin/admin/directory/v1/users?customer=my_customer&maxResults=10'
)
req.add_header('Authorization', f'Bearer {os.environ["MATON_API_KEY"]}')
print(json.dumps(json.load(urllib.request.urlopen(req)), indent=2))
EOF
First-Time Setup: Authorize Your Google Workspace Account
python <<'EOF'
import urllib.request, os, json
data = json.dumps({'app': 'google-workspace-admin'}).encode()
req = urllib.request.Request('https://ctrl.maton.ai/connections', data=data, method='POST')
req.add_header('Authorization', f'Bearer {os.environ["MATON_API_KEY"]}')
req.add_header('Content-Type', 'application/json')
result = json.load(urllib.request.urlopen(req))
print(result['connection']['url']) # Open in browser to complete admin OAuth
EOF
The returned URL opens Google's OAuth consent screen — authorize with your Workspace admin account.
Core Operations
User Management
# List all users in domain
GET /google-workspace-admin/admin/directory/v1/users?customer=my_customer&maxResults=100
# Get a specific user
GET /google-workspace-admin/admin/directory/v1/users/user@yourdomain.com
# Create a new user
POST /google-workspace-admin/admin/directory/v1/users
{
"primaryEmail": "newuser@yourdomain.com",
"name": { "givenName": "New", "familyName": "User" },
"password": "TempPassword123!",
"changePasswordAtNextLogin": true,
"orgUnitPath": "/Engineering"
}
Creating a new employee account as part of an onboarding workflow:
python <<'EOF'
import urllib.request, os, json
new_user = {
"primaryEmail": "jane.smith@company.com",
"name": {"givenName": "Jane", "familyName": "Smith"},
"password": "TempPassword2026!",  # placeholder: use a unique random value per user
"changePasswordAtNextLogin": True,
"orgUnitPath": "/Engineering/Backend"
}
data = json.dumps(new_user).encode()
req = urllib.request.Request(
'https://gateway.maton.ai/google-workspace-admin/admin/directory/v1/users',
data=data, method='POST'
)
req.add_header('Authorization', f'Bearer {os.environ["MATON_API_KEY"]}')
req.add_header('Content-Type', 'application/json')
print(json.dumps(json.load(urllib.request.urlopen(req)), indent=2))
EOF
Suspend and Unsuspend Users
Essential for offboarding workflows:
# Suspend a user (e.g., employee departure)
PUT /google-workspace-admin/admin/directory/v1/users/{userKey}
{ "suspended": true }
# Reinstate a user
PUT /google-workspace-admin/admin/directory/v1/users/{userKey}
{ "suspended": false }
Group Management
# List groups in the domain
GET /google-workspace-admin/admin/directory/v1/groups?customer=my_customer
# Get group members
GET /google-workspace-admin/admin/directory/v1/groups/{groupKey}/members
# Add a user to a group
POST /google-workspace-admin/admin/directory/v1/groups/{groupKey}/members
{ "email": "user@yourdomain.com", "role": "MEMBER" }
# Remove a user from a group
DELETE /google-workspace-admin/admin/directory/v1/groups/{groupKey}/members/{memberKey}
Organizational Unit Management
Move users between org units to update their access permissions and policy assignments:
# List org units
GET /google-workspace-admin/admin/directory/v1/customer/my_customer/orgunits
# Move user to a different OU
PATCH /google-workspace-admin/admin/directory/v1/users/{userKey}
{ "orgUnitPath": "/Engineering/Senior" }
Multi-Domain Support
For organizations with multiple Google Workspace instances, use the Maton-Connection header to target a specific account:
req.add_header('Maton-Connection', 'connection-id-for-subsidiary')
List your connections at https://ctrl.maton.ai.
AI Agent Use Cases
Employee onboarding: When HR submits a new hire form, an agent creates the Google Workspace account, adds the user to the correct department groups, sets the org unit, and sends a welcome Slack message — all without IT intervention.
Offboarding workflow: When an employee departs, an agent suspends the account immediately, removes the user from all groups, transfers Drive files to their manager, and logs the action for audit.
Bulk user audit: An agent queries all users, filters by suspended: false and lastLoginTime < 90 days ago, and generates a report of potentially stale accounts for IT review.
Access management automation: As users change roles, an agent moves them between org units (which changes their applied policies) and updates group memberships to match their new access profile.
Compliance reporting: Generate a full user roster with admin roles, suspension status, and last login times — filtered by domain — for regulatory audits.
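The bulk user audit described above, as an added example that is not part of the skill or the original page. It assumes the gateway passes the Directory API's `pageToken` and `nextPageToken` through unchanged; the function names and sample records are constructed for illustration.

```python
import json, urllib.parse, urllib.request
from datetime import datetime, timedelta, timezone
USERS_URL = "https://gateway.maton.ai/google-workspace-admin/admin/directory/v1/users"

def parse_ts(value):
    """Parse a Directory API timestamp such as 2025-09-01T08:00:00.000Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def stale_accounts(users, now, max_idle_days=90):
    """Return (email, reason) pairs for unsuspended users idle past the cutoff."""
    cutoff = now - timedelta(days=max_idle_days)
    findings = []
    for user in users:
        if user.get("suspended"):
            continue  # already disabled, not part of this report
        last = user.get("lastLoginTime")
        # Accounts that never signed in carry the Unix epoch (or no value).
        if not last or parse_ts(last).year == 1970:
            findings.append((user["primaryEmail"], "never logged in"))
        elif parse_ts(last) < cutoff:
            findings.append((user["primaryEmail"], "idle since " + last[:10]))
    return findings

def fetch_all_users(api_key):
    """Follow nextPageToken until the listing is exhausted (needs network)."""
    users, token = [], None
    while True:
        params = {"customer": "my_customer", "maxResults": 100}
        if token:
            params["pageToken"] = token
        req = urllib.request.Request(USERS_URL + "?" + urllib.parse.urlencode(params))
        req.add_header("Authorization", f"Bearer {api_key}")
        page = json.load(urllib.request.urlopen(req, timeout=30))
        users.extend(page.get("users", []))
        token = page.get("nextPageToken")
        if not token:
            return users

# Constructed sample records shaped like Directory API user resources.
SAMPLE_NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)
SAMPLE_USERS = [
    {"primaryEmail": "alice@example.com", "suspended": False, "lastLoginTime": "2026-01-10T09:00:00.000Z"},
    {"primaryEmail": "bob@example.com", "suspended": False, "lastLoginTime": "2025-09-01T08:00:00.000Z"},
    {"primaryEmail": "carol@example.com", "suspended": True, "lastLoginTime": "2025-01-01T08:00:00.000Z"},
    {"primaryEmail": "dave@example.com", "suspended": False, "lastLoginTime": "1970-01-01T00:00:00.000Z"},
]

if __name__ == "__main__":
    print(stale_accounts(SAMPLE_USERS, SAMPLE_NOW))
```

Against a live domain, pass `fetch_all_users(os.environ["MATON_API_KEY"])` and `datetime.now(timezone.utc)` to `stale_accounts` instead of the sample data.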
How It Compares to the Service Account Approach
The alternative — building directly on Google Admin SDK — requires:
| Step | DIY Service Account | Maton OAuth Gateway |
|---|---|---|
| Create GCP project | Required | Not needed |
| Enable Admin SDK API | Required | Not needed |
| Configure domain-wide delegation | Required | Not needed |
| Store JSON key securely | Required | Not needed |
| Handle token refresh | Required | Automatic |
| Multi-tenant support | Complex | Connection IDs |
For IT teams building internal automation, the service account approach offers more granular scope control. For AI agents in OpenClaw workflows, the Maton gateway is significantly faster to set up.
Considerations
- Admin account required: The OAuth authorization must be completed by a Google Workspace super admin. Non-admin accounts don't have access to the directory API.
- OAuth user scope vs. service account scope: The Maton OAuth approach grants access as the authorizing user. Some Admin SDK features (like full audit log access) require service account + domain-wide delegation, which this skill doesn't provide.
- Rate limits: Google Admin SDK has per-user rate limits. High-volume operations (100+ user creations) should be paced to avoid quota errors.
- Data residency: All requests route through Maton's gateway infrastructure. Organizations with strict data residency requirements should verify Maton's data handling policies before use.
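Because the gateway acts with the authorizing admin's access, whoever holds the MATON_API_KEY can make any of the calls listed on this page. One way to narrow what a single agent may send is a client-side allowlist checked before each request. This is an added example, not part of the skill or the page; `ONBOARDING_POLICY` and `is_allowed` are hypothetical names, and the policy covers only the endpoints shown above.

```python
import re
from urllib.parse import urlsplit

PREFIX = "/google-workspace-admin/admin/directory/v1/"

# Hypothetical policy for an onboarding agent:
# (method, resource path regex, body keys the agent may set; None = no body).
ONBOARDING_POLICY = [
    ("GET", r"users(/[^/]+)?", None),
    ("POST", r"users", {"primaryEmail", "name", "password",
                        "changePasswordAtNextLogin", "orgUnitPath"}),
    ("POST", r"groups/[^/]+/members", {"email", "role"}),
    ("PATCH", r"users/[^/]+", {"orgUnitPath"}),
]

def is_allowed(method, url, body=None, policy=ONBOARDING_POLICY):
    """Return True only if host, method, path and body keys match the policy."""
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname != "gateway.maton.ai":
        return False  # never send the API key to another host
    path = parts.path
    if not path.startswith(PREFIX) or ".." in path or "%" in path:
        return False  # reject traversal and encoded separators outright
    resource = path[len(PREFIX):]
    for allowed_method, pattern, allowed_keys in policy:
        if method.upper() != allowed_method:
            continue
        if not re.fullmatch(pattern, resource):
            continue
        if allowed_keys is None:
            return body is None
        return isinstance(body, dict) and set(body) <= allowed_keys
    return False  # default deny: suspend (PUT) and DELETE are not in this policy
```

Call `is_allowed` in the wrapper that builds the `urllib.request.Request`, and refuse to attach the `Authorization` header when it returns False.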
The Bigger Picture
Google launched Workspace Studio in December 2025 — a no-code platform for building AI agents that automate Workspace tasks in plain English. This signals Google's bet that natural-language-driven admin automation is the direction for 2026.
The google-workspace-admin skill is a code-first equivalent: instead of building in Workspace Studio's proprietary environment, your OpenClaw agent can trigger the same Admin SDK operations as part of broader workflows that span multiple tools — HR systems, Slack, Jira, and more.
View the skill on ClawHub: google-workspace-admin