Security & Privacy
OAuth & Permissions
Understanding Google OAuth and Synoveo's permissions
Synoveo uses Google OAuth to securely access your Google Business Profile.
OAuth Flow
When you connect your Google account:
- You're redirected to Google
- Google shows requested permissions
- You approve or deny
- Google sends tokens to Synoveo
- Synoveo uses tokens to access your GBP
Permissions Requested
Synoveo requests minimal permissions:
| Scope | Purpose |
|---|---|
| business.manage | Read and update your GBP |
| userinfo.profile | Identify your account |
What We CAN Do
- Read your business profiles
- Update profile information
- Create and manage posts
- Reply to reviews
- Upload photos
What We CAN'T Do
- Access your Gmail
- Access Google Drive
- Access other Google services
- Change your Google password
- Access your Google Ads
Token Management
Access Tokens
- Short-lived (1 hour)
- Used for API calls
- Automatically refreshed
Refresh Tokens
- Long-lived (6 months)
- Used to get new access tokens
- Encrypted at rest
Token Refresh
- Automatic before expiration
- Background refresh (no interruption)
- Re-auth prompt if refresh fails
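An added sketch, not Synoveo's code, of the refresh behaviour listed above: refresh shortly before the access token expires, and fall back to a re-auth prompt when the refresh token is no longer valid. The `TokenState` class, the 5-minute skew and the sample responses are assumptions; `invalid_grant` is the standard OAuth 2.0 error a token endpoint returns for a revoked or expired refresh token.

```python
from dataclasses import dataclass
from typing import Optional

REFRESH_SKEW = 300  # assumed: refresh 5 minutes before expiry


@dataclass
class TokenState:
    access_token: str
    expires_at: float              # epoch seconds
    refresh_token: Optional[str]   # None once the grant is known to be dead

    def next_action(self, now: float) -> str:
        """Decide what the background job should do at time `now`."""
        if self.refresh_token is None:
            return "reauth"
        if now >= self.expires_at - REFRESH_SKEW:
            return "refresh"
        return "use"

    def apply_refresh_response(self, resp: dict, now: float) -> str:
        """Fold a token-endpoint JSON response into the state."""
        if "access_token" in resp:
            self.access_token = resp["access_token"]
            self.expires_at = now + int(resp.get("expires_in", 3600))
            # Keep a rotated refresh token if the server sent one.
            self.refresh_token = resp.get("refresh_token", self.refresh_token)
            return "use"
        if resp.get("error") == "invalid_grant":
            # Refresh token revoked or expired: wipe credentials, prompt user.
            self.access_token, self.refresh_token = "", None
            return "reauth"
        # Any other failure is treated as transient: keep state, retry later.
        return "refresh"


def demo() -> list:
    t0 = 1_700_000_000.0  # constructed clock value
    s = TokenState("at-1", t0 + 3600, "rt-1")  # constructed tokens
    out = [s.next_action(t0)]                  # fresh token
    out.append(s.next_action(t0 + 3400))       # inside the skew window
    out.append(s.apply_refresh_response(
        {"access_token": "at-2", "expires_in": 3600}, t0 + 3400))
    out.append(s.apply_refresh_response(
        {"error": "invalid_grant"}, t0 + 7000))  # grant revoked
    out.append(s.next_action(t0 + 7001))
    return out
```

Wiping both tokens on `invalid_grant` means a grant revoked from the Google side leaves nothing usable in storage.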
Revoking Access
You can revoke Synoveo's access anytime:
In Synoveo
- Go to Settings → Connected Accounts
- Click "Disconnect Google"
- Confirm disconnection
In Google
- Go to Google Security Settings
- Find "Third-party apps with account access"
- Remove Synoveo
Cross-Account Protection
Synoveo supports Google's Cross-Account Protection:
- Receives security events from Google
- Automatic token invalidation if suspicious activity is detected
- Re-authentication required after security events
Security Best Practices
- Connect only needed accounts - Don't connect personal accounts
- Review permissions - Understand what you're granting
- Monitor activity - Check sync history regularly
- Disconnect if unused - Remove access when not needed