Google AI releases a CLI tool (gws) for the Workspace API: providing a unified interface for humans and AI agents

Integrating Google Workspace APIs – like Drive, Gmail, Calendar, and Sheets – into applications and data pipelines typically requires writing boilerplate code to handle REST endpoints, pagination, and OAuth 2.0 flows. The Google AI team has just released a CLI tool (gws) for Google Workspace. open source googleworkspace/cli (invoked via gws command) provides a unified, dynamic command-line interface to manage these services.

Designed for both human developers and AI agents, gws Eliminates the need for custom wrapper scripts by providing structured JSON output, native Model Reference Protocol (MCP) support, and automated validation workflows.

Dynamic API Discovery Architecture

Unlike traditional CLI tools, which compile a static list of commands, gws Creates its command surface dynamically at runtime.

When executed, gws Uses a two-stage parsing strategy:

1. It reads the first argument to identify the target service (for example, drive).
2. This gets the Google Discovery document (cached for 24 hours) of that service.
3. It creates a command tree from the resources and methods of the document.
4. It parses the remaining arguments, authenticates, and executes the HTTP request.

Because of this architecture, gws Automatically supports new Google Workspace API endpoints as they are added to the Discovery Service.

Key Features for Software Engineers and Data Scientists

The CLI can be installed via npm (npm install -g @googleworkspace/cli) or created from source (cargo install --path .). Once installed, it provides several built-in utilities for data extraction and automation:

• Introspection and Preview: Each resource includes --help Documents generated from Discovery API. You can view the schema of any method (for example, gws schema drive.files.list) or use --dry-run Flag to preview the exact HTTP request before execution.
• Structured Data Extraction: By default, every response—including errors and metadata—is returned as structured JSON.
• Auto Pagination: For developers pulling large datasets, --page-all The flag automatically handles API cursors. It streams the paginated results as NDJSON (Newline Delimited JSON), which can be piped directly into a command-line JSON processor: Bashgws drive files list --params '{"pageSize": 100}' --page-all | jq -r '.files().name'

Integration with AI agents and MCP

A primary use case for gws Serving as a tool-calling backend for large language models (LLMs).

• Model Reference Protocol (MCP) Server: by driving gws mcp -s drive,gmail,calendarCLI starts an MCP server stdio. It exposes the Workspace API as structured tools that any MCP-compliant client (like Cloud Desktop or VS Code) can call natively.
• Pre-built Agent Skills: The repository contains over 100 agent skills covering all supported APIs and common workflows. AI engineers can install these directly into the agent environment npx skills add github:googleworkspace/cli.
• Gemini CLI Extension: Developers using Gemini CLI can install it gws Expansion (gemini extensions install https://github.com/googleworkspace/cli), allows the local Gemini agent to receive legacy gws Manage credentials and workspace resources seamlessly.
• Model Armor (Reaction Sanitation): To reduce instant injection risks when feeding API data to LLM, gws Google Cloud supports Model Armor. passing --sanitize Flag scans API responses for malicious payloads before the data reaches your agent.

authentication workflow

The CLI securely handles authentication in a variety of environments, replacing the need for manual token management in custom scripts. Clear tokens are given priority, followed by credential files and finally local keyring storage.

• Local Desktop: run gws auth setup Google Cloud launches an interactive flow to configure the project, enable required APIs, and handle OAuth logins. Credentials are encrypted using AES-256-GCM and stored in the OS keyring.
• Headless/CI/CD: For server environments, developers can complete interactive auth locally and export plaintext credentials: bashgws auth export --unmasked > credentials.json On a headless machine, point the CLI to this file using environment variables: export GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE=/path/to/credentials.json.
• Service Accounts: gws Natively supports server-to-server service account key files and domain-wide delegation GOOGLE_WORKSPACE_CLI_IMPERSONATED_USER Variable.

check it out repo here. Also, feel free to follow us Twitter And don’t forget to join us 120k+ ml subreddit and subscribe our newsletter. wait! Are you on Telegram? Now you can also connect with us on Telegram.