Google Business Profile integration for review automation

Connecting Taqymat to your Google Business Profile requires OAuth authorization — and the scope of that authorization matters. Here is exactly what Taqymat reads, what it writes, and what it never touches.

Connecting a review management tool to Google Business Profile is a trust decision. The tool is asking for access to your public-facing business identity — and some tools ask for far more than they need. Understanding exactly what OAuth scope means, what Taqymat requests, and what the access controls look like is the starting point for making that decision with confidence. The integration is also where the technical plumbing becomes visible: how does a review that posts at 2am in Riyadh end up in your Taqymat dashboard within minutes, and how does an approved reply get posted back to Google without you touching the GBP interface?

What GBP integration actually does

Taqymat's GBP integration operates on the Google Business Profile API using OAuth 2.0 authorization. The integration enables two data flows: inbound (reviews and Q&A arriving from Google to Taqymat) and outbound (approved replies sent from Taqymat back to Google).

The inbound flow uses webhook subscriptions and polling. When a new review is posted to your GBP location, Google notifies Taqymat via a registered webhook endpoint. Taqymat receives the notification, fetches the review content using the reviews.list API call, and stores it in your account's review queue. This happens within minutes of the review appearing on Google Maps. Q&A items are similarly fetched on a regular polling interval.

The outbound flow is gated by your approval. When you approve a reply — either manually or through auto-reply after the safety-hold window — Taqymat calls the replies.upsert endpoint in the GBP API to post the reply text to your review. The reply appears on Google Maps exactly as if you had typed it directly in the GBP dashboard. Taqymat's name does not appear anywhere on the public reply.

Each GBP location is authorized independently. A chain with five branches has five separate OAuth tokens — one per location. This means access can be revoked per location without affecting others, and a branch manager can be given access to their location's Taqymat dashboard without being able to interact with other branches' GBP tokens.

For how multi-location access control works on top of this GBP integration foundation, see multi-location Google review management for GCC chains.

When GBP integration is right (and when it's not)

GBP integration is the prerequisite for every other Taqymat feature. Without it, you have a dashboard with no reviews and a reply tool with nowhere to post. The question is not whether to integrate — it is when and at what pace to connect your locations.

The integration works best when your GBP profile is actively managed — a verified profile with accurate hours, recent photos, and a complete business description. A well-maintained profile gets more reviews, and more reviews means more value from the integration. If your GBP profile is claimed but outdated, the highest-ROI step before connecting Taqymat is spending 30 minutes updating the profile information, hours, and photos.

GBP integration is also most effective when you use it as part of a consistent review response strategy, not as a one-time setup. The Google Maps algorithm weights recency of responses — a consistent 24-hour response rate is more valuable than a burst of replies followed by silence. The integration is the infrastructure that makes consistency possible.

Where GBP integration creates complexity is when your business has multiple GBP listings for the same location — for example, a hotel that has a main listing and separate listings for its restaurant and spa. Each listing is a separate GBP profile and requires separate authorization. Taqymat handles multiple listings per physical location, but the authorization and persona configuration for each needs to be done explicitly.

For the effect of consistent reply rates on your Maps ranking, see how replying to reviews improves your Google Maps ranking and how response time impacts Google reviews.

How it works under the hood

The GBP OAuth flow follows the standard OAuth 2.0 authorization code grant. When you begin authorizing a location in Taqymat, you are redirected to Google's consent screen. The screen shows the scopes being requested — specifically the reviews.readonly and replies.write scopes — along with the Google account and business profile being authorized. You grant consent and are redirected back to Taqymat with an authorization code.

Taqymat exchanges the authorization code for an access token and a refresh token. The access token is short-lived (typically one hour) and is used to make API calls. The refresh token is long-lived and is stored encrypted in our token store. When the access token expires, Taqymat uses the refresh token to request a new one from Google — this happens automatically in the background, so the integration does not require periodic re-authorization as long as the refresh token remains valid.

Refresh tokens remain valid until explicitly revoked, until the user changes their Google account password, or until a long period of inactivity triggers Google's automatic revocation. Taqymat monitors token health and alerts you in the dashboard if a token needs re-authorization.

Token security: refresh tokens are stored encrypted at rest using AES-256 encryption. They are never logged, never transmitted to third parties, and are only decrypted in memory at the time of use. Access to the token store is restricted to the backend services that make GBP API calls — no human at Taqymat can view your refresh token.

Per-location isolation: each location's token is stored separately. A security event affecting one token does not compromise other locations' tokens. Revoking one location's access leaves all other locations unaffected.

The API calls Taqymat makes on your behalf are limited to the authorized scopes. Every API call is logged internally with the location identifier, the endpoint called, and the timestamp. This log is used for debugging and rate limit management, not for any analysis of your business data.

What to do next

To connect your first GBP location, start your onboarding. You will be prompted to sign in with the Google account that has Owner or Manager access to the GBP location you want to connect. If you have multiple locations, you can connect them one at a time during onboarding or add additional locations later from the location settings screen.

If you want to verify your GBP profile is ready before connecting — accurate hours, verified status, recent photos — do that first in the Google Business Profile dashboard at business.google.com. A well-maintained profile will generate more reviews and make the Taqymat integration more valuable from day one.

For the broader picture of what you can do with reviews once the integration is active, see auto-reply for Google reviews and the reply generator.

What permissions does the GBP OAuth ask for?

Taqymat requests two scopes during GBP OAuth authorization. The first is read access to your reviews and Q&A — this allows us to receive new reviews as they arrive and display them in your dashboard. The second is write access to review replies only — this allows us to post replies on your behalf when you approve or auto-reply is activated. We do not request and do not have access to edit your business name, categories, description, hours, photos, posts, or any other business information fields. If a future feature required additional scope, you would be prompted to re-authorize with the new scope explicitly described.

Can I revoke access at any time?

Yes. GBP OAuth access can be revoked at any time from your Google Account settings under Security → Third-party apps with account access. Revoking access immediately disconnects Taqymat from that Google Business Profile location — no further reviews will be received and no replies will be posted. Your review history and draft history inside Taqymat are retained and remain accessible, but the live connection to GBP is severed. You can reconnect at any time by re-authorizing through the Taqymat dashboard.

Do you ever write to anything other than review replies?

No. The write scope we hold is limited to review replies (replies.write in the Google Business Profile API). We do not write to your business information, your Q&A answers, your Google Posts, your photos, or any other field on your GBP profile. This is enforced at the API scope level — even if someone at Taqymat wanted to edit your business information, the OAuth token we hold does not have the permission to do so. The narrow scope is a deliberate architectural choice, not a policy that could change without your re-authorization.