Problem
Google OAuth verification was rejected twice due to two issues:
- The Vercel subdomain (form-builder-three-gules.vercel.app)
was flagged as dangerous by Google Safe Browsing. This is
a false positive common with vercel.app subdomains since
they are frequently abused by bad actors.
- Google requires a "top private domain" for OAuth
verification — meaning a domain you personally own and
can verify in Google Search Console. Shared subdomains
from hosting platforms (vercel.app, github.io) do not
qualify as top private domains.
What was tried
- vercel.app subdomain → rejected (flagged as dangerous)
- github.io via GitHub Pages → rejected (public suffix,
not a top private domain)
- is-a.dev → public suffix, same issue
- js.org → GitHub Pages only, not compatible with Vercel
Root cause
Google OAuth verification requires:
- A domain you own
- Verified via Google Search Console
- Not a shared public suffix (vercel.app, github.io etc.)
Impact
- Cannot submit app for Google OAuth verification
- Cannot publish on Google Play Store via TWA without
verified OAuth
- App currently runs in "Testing" mode — only manually
added test users can sign in without the unverified
app warning
Steps to fix
- Purchase a custom domain (recommended: .xyz on
  Namecheap or Porkbun, ~$1-3/year)
- Connect domain to Vercel:
  - Vercel dashboard → project → Settings → Domains
  - Add your custom domain
  - Copy the DNS records Vercel provides
  - Add them in your domain registrar's DNS settings
  - Wait 10-30 mins for propagation
- Verify domain in Google Search Console:
  - Go to search.google.com/search-console
  - Add your custom domain as a property
  - Verify ownership via DNS TXT record
  - This links the domain to your Google account
- Update Google Cloud Console:
  - Branding → Authorized domains → replace
    form-builder-three-gules.vercel.app with new domain
  - Branding → update homepage, privacy policy,
    and terms of service URLs to new domain
  - Clients → update Authorized JavaScript origins
    to new domain
- Update privacy.html and index.html:
  - Update any hardcoded Vercel URLs to new domain
  - Push to repo and redeploy
- Resubmit OAuth verification:
  - Verification centre → Submit for verification
  - Include Google Safe Browsing confirmation link
  - Include scope justifications
  - Include demo video link
- Once OAuth verified, proceed with Play Store via TWA:
  - Install Android Studio
  - Use Bubblewrap CLI to generate TWA project
  - Add assetlinks.json to domain
  - Build AAB and submit to Play Store
Notes
- The app itself is clean — Google Safe Browsing confirmed
the URL is safe when checked manually
- Privacy policy is already written and deployed
- Demo video already recorded
- All 4 OAuth scopes already configured correctly
- This is purely a domain ownership issue
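
An added example, not part of the original issue or the project's code: a pre-resubmission check for the "Update privacy.html and index.html" step that scans a page for absolute URLs still pointing at the old Vercel host or at any of the shared suffixes listed above, including URLs hardcoded in inline scripts. The domain forms.example, the sample page, and the names `UrlCollector` and `audit_html` are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

OLD_HOST = "form-builder-three-gules.vercel.app"  # old origin named in the issue
SHARED_SUFFIXES = ("vercel.app", "github.io", "is-a.dev")  # rejected per the issue
URL_ATTRS = {"href", "src", "action", "content"}
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")

class UrlCollector(HTMLParser):
    """Collect (line, url) for absolute URLs in attributes, inline scripts and text."""
    def __init__(self):
        super().__init__()
        self.found = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value and URL_RE.match(value):
                self.found.append((self.getpos()[0], value))

    def handle_data(self, data):
        for m in URL_RE.finditer(data):
            line = self.getpos()[0] + data.count("\n", 0, m.start())
            self.found.append((line, m.group()))

def audit_html(html, new_domain):
    """Return (line, url, reason) for URLs still on the old or a shared host."""
    collector = UrlCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for line, url in collector.found:
        host = (urlsplit(url).hostname or "").lower()
        if host == new_domain or host.endswith("." + new_domain):
            continue  # already on the owned domain
        if host == OLD_HOST:
            findings.append((line, url, "old Vercel host"))
        elif any(host == s or host.endswith("." + s) for s in SHARED_SUFFIXES):
            findings.append((line, url, "shared hosting suffix"))
    return findings

# Constructed sample page; forms.example stands in for the purchased domain.
SAMPLE_INDEX = """<!doctype html>
<link rel="canonical" href="https://form-builder-three-gules.vercel.app/">
<a href="https://forms.example/privacy.html">Privacy</a>
<script>
const ORIGIN = "https://form-builder-three-gules.vercel.app";
</script>
<a href="https://example-user.github.io/widget.js">widget</a>
"""
```

Calling `audit_html(SAMPLE_INDEX, "forms.example")` reports the canonical link, the script constant and the github.io link with their line numbers; an empty list means the page is ready to redeploy.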