Authentication

GMBMantra uses Google OAuth as the only sign-in path. There is no email-and-password option, no separate GMBMantra password to remember. The reason is simple: every useful thing the app does — reading your reviews, posting updates, pulling impressions and calls — is an action against Google's Business Profile API on your behalf, and that API only accepts a Google identity. Tying your GMBMantra account to your Google account means access here exactly mirrors access there.

If you have manager or owner access to a Google Business Profile location, GMBMantra can see it. If you lose that access in Google, you lose it here too — there's no parallel permission system to keep in sync.

How Sign-In Works

  1. You click Sign in with Google

    From the home page or /auth/signin, clicking Sign in with Google redirects you to Google's standard OAuth consent screen on accounts.google.com. Your Google password is entered on Google's domain — GMBMantra never sees it.

  2. You approve the requested scopes

    Google shows you exactly what GMBMantra is asking for: openid, email, profile, and the single Google Business Profile scope https://www.googleapis.com/auth/business.manage. Each scope has its own checkbox — tick all of them. Unchecking the GBP scope means we can't see any of your locations.

  3. Google redirects back with a code

    Google sends the browser back to GMBMantra with a one-time authorization code. Our backend exchanges that code (along with our client secret) for an access token and a refresh token, then encrypts both before storing them in the database.

  4. We sync your business data

    Using the access token, the onboarding flow pulls your locations, reviews, performance metrics, and recent posts from Google (~15-20 seconds). After that you pick which locations to manage and you're in.

  5. Tokens refresh automatically

    Google access tokens expire roughly every hour. GMBMantra refreshes them in the background using your stored refresh token, so you don't need to sign in again each time. If a refresh ever fails (revoked, expired, scope removed), we flag your account and ask you to sign in again.

Key Concepts

The business.manage scope

This is the single Google Business Profile scope GMBMantra requests. It's broad on purpose — Google bundles every GBP capability under it:

  • Read business info (name, address, hours, attributes, categories)
  • Read and reply to customer reviews
  • Read and create posts (offers, events, updates)
  • Read performance analytics (impressions, calls, direction requests, search queries)
  • Read the list of locations your account manages

We do not request Gmail, Drive, Calendar, Contacts, Analytics, or anything else. The full scope list we send to Google is: openid email profile https://www.googleapis.com/auth/business.manage.

Token refresh

When you first sign in, Google issues an access token (short-lived, ~1 hour) and a refresh token (long-lived). The access token is what we send with each API call; the refresh token is what we use to get a new access token when the old one expires.

Refresh happens automatically in the background. You'll never see a "your token expired" dialog during normal use. The two cases where refresh fails:

  • You revoked access at myaccount.google.com. The refresh token is invalidated immediately, and the next sync will fail with invalid_grant. We'll flag your account and ask you to re-authenticate.
  • 6 months of inactivity. Google expires refresh tokens after 6 months of no use. If GMBMantra hasn't pulled data for your account in that window, the next attempt will fail and we'll prompt you to sign in again.

When that happens, signing in again from /auth/signin issues a fresh refresh token and resumes normal operation. Your data, settings, and credit balance are unaffected.

Permission checkboxes on Google's consent screen

Google's consent screen shows each scope as an individual checkbox you can uncheck. This is the most common cause of "I signed up but see 0 locations" — the user unticked the Google Business Profile box without realizing it. If that happens, sign out from GMBMantra, sign in again, and tick every box on the Google screen.
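The two failure modes described above (an unticked scope and a refresh that fails with invalid_grant) can both be detected from Google's token-endpoint responses. The sketch below is an added example, not GMBMantra's own code: the function names and the "ok" / "reauth_required" / "retry" labels are hypothetical, and the sample responses are constructed.

```python
import json

# Scopes the page lists as requested at sign-in.
REQUIRED_SCOPES = {"openid", "email", "profile",
                   "https://www.googleapis.com/auth/business.manage"}
# Google's token response reports "email"/"profile" under their full URLs.
SCOPE_ALIASES = {
    "https://www.googleapis.com/auth/userinfo.email": "email",
    "https://www.googleapis.com/auth/userinfo.profile": "profile",
}

def missing_scopes(token_response: dict) -> set:
    """Required scopes absent from the space-delimited 'scope' field."""
    granted = {SCOPE_ALIASES.get(s, s)
               for s in token_response.get("scope", "").split()}
    return REQUIRED_SCOPES - granted

def classify_refresh(status: int, body: str) -> str:
    """Map a refresh response to an action label (labels are hypothetical)."""
    try:
        data = json.loads(body)
    except ValueError:
        data = None
    if not isinstance(data, dict):
        return "retry"                      # non-JSON body: treat as transient
    if status == 200 and "access_token" in data:
        # Assumption: only judge scopes when the response reports them.
        if "scope" in data and missing_scopes(data):
            return "reauth_required"        # e.g. business.manage was removed
        return "ok"
    if status == 400 and data.get("error") == "invalid_grant":
        return "reauth_required"            # revoked or expired refresh token
    return "retry"

# Constructed sample responses (no real tokens).
FULL_GRANT = {
    "access_token": "constructed-access-token", "expires_in": 3599,
    "token_type": "Bearer",
    "scope": "openid https://www.googleapis.com/auth/userinfo.email "
             "https://www.googleapis.com/auth/userinfo.profile "
             "https://www.googleapis.com/auth/business.manage",
}
GBP_UNTICKED = dict(FULL_GRANT, scope="openid "
                    "https://www.googleapis.com/auth/userinfo.email "
                    "https://www.googleapis.com/auth/userinfo.profile")

if __name__ == "__main__":
    print(missing_scopes(GBP_UNTICKED))     # the unticked GBP scope
    print(classify_refresh(400, '{"error": "invalid_grant"}'))
```

Running the scope check immediately after the code exchange lets the app explain the "0 locations" case at sign-in instead of after an empty sync.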

Pro Tip

If you manage multiple businesses, sign in with the Google account that actually has GBP manager access — not a personal account that's just a viewer. The app shows exactly the locations Google says that account can manage; nothing more.

Related

Quick Setup

Five-minute setup walkthrough — sign in, sync, and reply to your first review.

New User Guide

The full new-user FAQ — every question we hear in the first week.

Business Locations

Add, remove, and manage which GBP locations are active in GMBMantra.