gws-exempt-trusted-apps

# Fix gws CLI RAPT Token Expiry ## Problem Google Workspace accounts with session control policies cause `invalid_rapt` errors on the `gws` CLI. Tokens expire and require repeated browser re-auth. ## Solution Mark the `gws` OAuth app as a trusted app and enable "exempt trusted apps" in the Google Admin Console. This bypasses RAPT re-auth for the CLI while keeping session control tight for everything else. ### Steps 1. Go to **Google Admin Console** → **Security** → **API controls** → **App access control** (`https://admin.google.com/ac/owl`) 2. Find or add the OAuth app by client ID: `230935770416-8017lm1c47hf6jocnj1sa4m7b3p6n9g0.apps.googleusercontent.com` 3. Mark it as **Trusted** 4. Go to **Security** → **Google Cloud session control** (`https://admin.google.com/ac/security/sessioncontrol`) 5. Enable **Exempt trusted apps** 6. Save ### Notes - The OAuth client ID is the same across all workspaces (shared GCP project: `gws-cli-489919`) - Apply to each Workspace admin console separately (Madali, MNXVentures, etc.) - The change can unblock already-expired tokens without needing a fresh browser re-auth - Personal and Optimified accounts were not affected (no restrictive session policies) ## Applied To - **Madali** — 2026-03-17 - **MNXVentures** — 2026-03-17