
Google Tasks MCP
โ 1from ebmurha
Manage Google Tasks from your AI assistant using natural language.
Google Tasks MCP Server
Connect an MCP-compatible client to Google Tasks through a private server you run yourself. The server exposes compact tools for reading, searching, summarizing, creating, completing, updating, deleting, and moving Google Tasks.
This project is for self-hosted use. You provide your own Google Cloud OAuth credentials, connect your own Google account, and keep tokens in your own SQLite database.
What You Get
- 19 MCP tools for Google Tasks.
- Local stdio mode for desktop/client-launched setups.
- Streamable HTTP mode for local HTTP or VPS hosting.
- Bearer-token HTTP auth, plus optional OAuth 2.0 gateway mode for MCP clients that support OAuth.
- Compact responses designed for low-context assistant workflows.
- Optional operator-managed multi-account bearer-token routing, for familiar setups such as one personal account and one work account.
Choose A Transport
| Use case | Transport | Auth |
|---|---|---|
| MCP client starts the process directly | stdio | No MCP_BEARER_TOKEN needed |
| Local HTTP server | Streamable HTTP at http://127.0.0.1:8787/mcp | Bearer token |
| VPS or other host | Streamable HTTP at https://your-domain.example/mcp | Bearer token or OAuth gateway |
For deeper hosting and distribution guidance, see MCP_SERVER_GUIDE.md and DISTRIBUTION.md.
Bootstrap Google OAuth
Run this once per Google account you want the server to access:
google-tasks-mcp-bootstrapOpen the printed URL, approve access, and paste the authorization code back into the terminal.
For multiple trusted accounts on one HTTP server, create one stored bearer token per account and bootstrap each account separately:
google-tasks-mcp-create-bearer-token --account-id personal --label "Personal account"
google-tasks-mcp-bootstrap --account-id personal
google-tasks-mcp-create-bearer-token --account-id work --label "Work account"
google-tasks-mcp-bootstrap --account-id workUse each printed bearer token only in the matching account's MCP client. The server stores only bearer-token hashes.
Start The Server
HTTP mode:
python -m google_tasks_mcp --transport httpHealth check:
curl http://127.0.0.1:8787/healthzExpected response:
{"ok": true}Stdio mode:
python -m google_tasks_mcp --transport stdioConfiguration check:
python -m google_tasks_mcp --checkConnect An MCP Client
Remote or local HTTP:
URL: http://127.0.0.1:8787/mcp
Auth: Bearer <MCP_BEARER_TOKEN>For a VPS, replace the URL with your HTTPS endpoint:
URL: https://your-domain.example/mcp
Auth: Bearer <MCP_BEARER_TOKEN>Local stdio:
{
"command": "/path/to/google-tasks-mcp/.venv/bin/python",
"args": ["-m", "google_tasks_mcp", "--transport", "stdio"]
}MCP_BEARER_TOKEN is not required for stdio because the MCP client launches the process locally.
Authentication Modes
Bearer-token mode is the default HTTP mode. /mcp requires Authorization: Bearer <token>.
MCP_BEARER_TOKENroutes to accountdefault.- Tokens created with
google-tasks-mcp-create-bearer-tokencan route different clients to differentaccount_idvalues. - Bearer tokens are displayed once and stored only as hashes.
OAuth 2.0 gateway mode is optional. Enable it when your HTTP MCP client supports OAuth authorization metadata and token refresh.
- Set
MCP_OAUTH_ISSUER,MCP_OAUTH_CLIENT_ID,MCP_OAUTH_CLIENT_SECRET, andMCP_OAUTH_SIGNING_SECRET. - Set
MCP_OAUTH_REDIRECT_URISto the callback URI values accepted by your MCP client. /mcpaccepts OAuth-issued access tokens and the legacy bearer token.- OAuth gateway refresh tokens are stored by hash and rotate on use, so clients can reconnect after server restart.
Leave MCP_OAUTH_REDIRECT_URIS empty to keep OAuth gateway mode disabled.
Tools
The same 19 tools are available over stdio, bearer-token HTTP, and OAuth gateway HTTP modes. Tools expose standard MCP titles, descriptions, and safety hints where the client supports them.
| Group | Tools | Notes |
|---|---|---|
| Tasklists | list_tasklists, create_tasklist, get_tasklist, update_tasklist, delete_tasklist | Tasklist delete requires confirm: true; non-empty lists require force: true. |
| Task reads | list_tasks, get_task | Read from one tasklist. If tasklist is omitted, uses DEFAULT_TASKLIST or Google's first list. |
| Task summaries | today, overdue, upcoming, search, digest | If tasklist is omitted, reads all tasklists and includes tasklist context. |
| Task mutations | clear_completed, add, complete, update, uncomplete, delete, move | Mutate one tasklist/task at a time. clear_completed requires confirm: true. |
All tasklist arguments accept a tasklist ID or exact title. Task title lookup is exact after trimming whitespace and ignores case.
For today, overdue, upcoming, search, and digest, omitting tasklist reads every tasklist. Returned task objects include tasklist_id and tasklist_title; digest labels items with tasklist context.
For list_tasks, clear_completed, single-task tools, and write tools, omitting tasklist uses DEFAULT_TASKLIST, or the first list returned by Google. This prevents unqualified writes from touching every list.
Docker And VPS
Docker:
docker compose up --buildKeep .env, OAuth JSON files, and SQLite databases outside images and public bundles.
VPS/systemd/Caddy templates are in deploy/:
Replace every placeholder domain, path, and user before deploying.
More Docs
- MCP_SERVER_GUIDE.md explains hosting models, credential boundaries, and public project vs public service choices.
- DISTRIBUTION.md explains registry, bundle, and directory publishing.
- .env.example lists every supported environment variable.
- google-tasks-mcp-specifications.md is the behavioral source of truth.
Tests
pytestgit clone https://github.com/ebmurha/google-tasks-mcp.git
cd google-tasks-mcp
python3.11 -m venv .venv
. .venv/bin/activate
pip install -e .
cp .env.example .envBefore it works, you'll need: MCP_BEARER_TOKENMCP_BEARER_TOKENGOOGLE_CLIENT_SECRETGOOGLE_OAUTH_KEYS_PATHGOOGLE_CLIENT_SECRET
Install
git clone https://github.com/ebmurha/google-tasks-mcp.git
cd google-tasks-mcp
python3.11 -m venv .venv
. .venv/bin/activate
pip install -e .
cp .env.example .envGenerate a bearer token if you will run HTTP mode:
python -c "import secrets; print(secrets.token_urlsafe(48))"Put the generated value in .env as MCP_BEARER_TOKEN. Do not commit .env.
Google Cloud Setup
- Create or open a Google Cloud project.
- Enable the Google Tasks API.
- Configure the OAuth consent screen.
- Create an OAuth 2.0 Client ID.
Recommended for local HTTP, VPS, Docker, and other server-style installs:
- Application type: Web application
- Local redirect URI:
http://127.0.0.1:8787/callback - Hosted redirect URI:
https://your-domain.example/callback .env: setGOOGLE_CLIENT_ID,GOOGLE_CLIENT_SECRET, andGOOGLE_REDIRECT_URI
Local-only alternative:
- Application type: Desktop app
- Download the OAuth client JSON outside this repo.
- Set
GOOGLE_OAUTH_KEYS_PATHto that file path. - Leave
GOOGLE_CLIENT_IDandGOOGLE_CLIENT_SECRETempty unless you want env vars to override the JSON file.
Example .env for a local web OAuth client:
GOOGLE_CLIENT_ID=your-client-id.apps.googleusercontent.com
GOOGLE_CLIENT_SECRET=your-client-secret
GOOGLE_REDIRECT_URI=http://127.0.0.1:8787/callback
MCP_BEARER_TOKEN=your-generated-token
DB_PATH=./google-tasks.db
BIND_HOST=127.0.0.1
BIND_PORT=8787If the Google OAuth app is in Testing mode, add every Google account you bootstrap as a test user, such as both personal and work accounts.
GOOGLE_CLIENT_ID / GOOGLE_CLIENT_SECRET / GOOGLE_OAUTH_KEYS_PATH identify the Google Cloud OAuth app, not the Google Tasks user account. One OAuth client JSON can be reused for several Google users. Each bootstrap run stores a separate refresh token for the Google account you authorize in the browser.
Limitations
These are Google Tasks REST API limits:
- Due dates are date-only. Google drops time-of-day values on task due dates.
- Recurring tasks cannot be created or read through the Google Tasks REST API.
clear_completedhides completed tasks; it does not permanently delete them.
Troubleshooting
Missing bearer token:
- HTTP
/mcprequiresAuthorization: Bearer <token>unless OAuth gateway mode is handling the client. - Stdio mode does not use
MCP_BEARER_TOKEN.
Google OAuth app is in Testing mode:
- Add every bootstrapped Google user as a test user.
- Testing-mode refresh tokens can expire after 7 days.
Callback URI mismatch:
GOOGLE_REDIRECT_URImust exactly match an Authorized redirect URI in Google Cloud.- For local web OAuth, use
http://127.0.0.1:8787/callbackconsistently.
Expired or revoked Google refresh token:
- Run
google-tasks-mcp-bootstrapagain for the affected account. - For multi-account mode, include the same
--account-idyou used before.
OAuth MCP client keeps re-authorizing:
- Ensure the server is running a version with persisted MCP OAuth refresh tokens.
- Check that
DB_PATHpoints to persistent storage and survives restarts. - Verify
MCP_OAUTH_ISSUERis the public HTTPS base URL with no trailing slash.
Licensed under Apache-2.0โ you can use, modify, and redistribute it under that license's terms.
View the full license file on GitHub โ