Moving to Google "Production"

Required for durable refresh tokens (Auth0 Token Vault).

Why it matters: in Google Testing publishing status, refresh tokens expire after 7 days. Token Vault would go stale weekly. Non-expiring refresh tokens require Production (verified) status.

Scope tiers & what verification costs

Tier	Examples	Verification
non-sensitive	openid, email, profile	Light — branding + consent screen
sensitive	Calendar, Sheets	Standard review — verified brand, privacy policy, homepage, domain ownership, justification, maybe demo video
restricted	Gmail-read, full Drive	Off-limits — adds a paid third-party security assessment. Blocked by this gateway.

Checklist

Consent-screen branding matches the a0.gg brand (name, logo, support email).
Homepage on a0.gg describing the service.
Privacy policy on a0.gg with a Google API Services Limited Use disclosure.
Verified domain ownership for a0.gg.
Scope justification for each sensitive scope.
Keep to non-sensitive + sensitive scopes; never request restricted.

The backing a0.gg website is a separate project; build prompt in the repo under docs/prompts/.