Google AI Releases gws CLI for Unified Workspace API Management

These articles are AI-generated summaries. Please check the original sources for full details.

Google AI Releases a CLI Tool (gws) for Workspace APIs: Providing a Unified Interface for Humans and AI Agents

Google AI recently released gws, an open-source command-line interface designed to streamline interactions with Google Workspace APIs. The tool dynamically builds its command surface by fetching Google Discovery Documents, ensuring immediate support for new API endpoints. This release marks a significant shift toward making cloud productivity suites natively accessible to both human developers and autonomous AI agents.

Why This Matters

Integrating Workspace APIs typically requires extensive boilerplate code for OAuth 2.0 flows, pagination, and REST endpoints, creating significant friction for developers and AI agents. This manual overhead often leads to brittle integrations and security risks when handling sensitive user tokens in custom scripts.

By providing structured JSON outputs and native Model Context Protocol (MCP) support, gws turns these complex APIs into tools that LLMs and automated pipelines can call directly. Response sanitization via Model Armor targets prompt injection: it helps keep data retrieved from the APIs from compromising the calling agent.

Key Insights

  • Dynamic API Discovery: gws builds its command tree at runtime by fetching cached Discovery Documents, so new Google API features are supported as soon as they are published.
  • Auto-Pagination: The --page-all flag handles API cursors automatically and streams results as NDJSON for easy processing with tools like jq.
  • Model Context Protocol (MCP): The command ‘gws mcp -s drive,gmail,calendar’ starts an MCP server, exposing Workspace resources as tools for clients like Claude Desktop.
  • Security and Sanitization: Support for Google Cloud Model Armor via the --sanitize flag helps mitigate prompt injection risks when feeding API data to LLMs.
  • Flexible Authentication: The tool supports local OS keyring storage with AES-256-GCM encryption and headless CI/CD exports via environment variables.

Working Examples

Installation of the gws CLI via npm.

npm install -g @googleworkspace/cli

Example of listing Drive files with auto-pagination and piping output to jq for extraction.

gws drive files list --params '{"pageSize": 100}' --page-all | jq -r '.files[].name'

Exporting credentials for use in headless or CI/CD environments.

gws auth export --unmasked > credentials.json
export GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE=/path/to/credentials.json
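
The redirect above creates credentials.json under the shell's current umask, so on a shared host or CI runner the file may be readable by other accounts. The following is an added example, not code from the gws project: it writes the export as owner-only and sets GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE only after checking the file. The function names are hypothetical; the gws command and the variable name are the ones shown above.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of gws.

# Write the export to $1 with mode 0600 from the first byte.
# The file is created and chmod'ed before gws writes to it, so a
# pre-existing world-readable file does not keep its old mode.
gws_export_private() {
    out=$1
    (
        umask 077
        : > "$out" && chmod 600 "$out" &&
        gws auth export --unmasked > "$out"
    )
}

# Succeed only if $1 is a regular file (not a symlink), owned by the
# current user, with no group or other permission bits set.
cred_file_is_private() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || {
        echo "refusing: not a regular file: $f" >&2; return 1; }
    [ -O "$f" ] || {
        echo "refusing: not owned by current user: $f" >&2; return 1; }
    # First 10 characters of ls -l output are the type and mode string.
    mode=$(ls -ld -- "$f" | cut -c1-10)
    case $mode in
        -???------) return 0 ;;
        *) echo "refusing: mode $mode is too permissive: $f" >&2
           return 1 ;;
    esac
}

# Point gws at the credentials file only when the check passes.
use_gws_credentials() {
    cred_file_is_private "$1" || return 1
    GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE=$1
    export GOOGLE_WORKSPACE_CLI_CREDENTIALS_FILE
}
```

In a pipeline, call use_gws_credentials with the path written by gws_export_private (or provided by the CI secret store) and fail the job if it returns non-zero.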

Practical Applications

  • AI Tool Calling: Developers using the Gemini CLI extension can install gws to allow local agents to manage Workspace resources natively through inherited credentials.
  • Data Pipeline Streaming: Large-scale data extraction using NDJSON streaming allows developers to pipe paginated file lists directly into command-line JSON processors without manual cursor handling.
  • Secure Agentic Workflows: Using the --sanitize flag allows AI engineers to scan API responses for malicious payloads before the data reaches the LLM, reducing injection vulnerabilities.
  • CI/CD Automation: Headless server environments can execute Workspace tasks using Service Account key files and Domain-Wide Delegation via the GOOGLE_WORKSPACE_CLI_IMPERSONATED_USER variable.
