Antigravity login — sign-in guide

Short Synopsis

The Antigravity login flow is a standard Google OAuth sequence that takes under a minute. This page explains each scope the browser requests, the difference between a personal and Workspace login, how token rotation works, and how to sign out cleanly.

The Antigravity login is the first thing you do after installing the browser and the thing most security-conscious teams want to understand before deploying it across an organisation. The flow itself is short — it is the standard Google account picker plus a scope-consent screen — but the scopes, the identity boundary, and the token lifecycle have implications that are worth understanding before granting access on a Workspace tenant.

This page uses "antigravity login" throughout to match the search intent of engineers who arrive looking for a specific reference on the sign-in process. The terms "login," "sign-in," and "authentication" are used interchangeably here; the product UI uses "Sign in."

The sign-in flow

When you open the browser for the first time — or after a clean sign-out — the agent rail shows a "Sign in to enable the agent" prompt. Clicking Sign in opens the Google account picker in a small overlay window. Select the account you want to use (personal Gmail or a Workspace account) and click Continue.

The next screen is the Google scope-consent screen. It lists three permission groups. Read each one before granting: Gemini API access (required for all agent runs), Google Drive read and create (required for workspace file sync — the browser cannot delete Drive files), and your basic profile (name and email for account display). Click Allow. The overlay closes and you are returned to the browser, now with your account name shown in the top-right corner and the agent rail active.

The antigravity login is complete. The whole flow takes under a minute if you already know which account you want to use. If you want to understand what each scope enables before granting it, the next section covers that in detail.

Identity scopes in detail

The Gemini API access scope is the core of the antigravity login. It authorises the browser to call Gemini models on behalf of your account. Every agent run consumes quota from this scope. On the free tier, the daily quota is enough for several full runs; on paid tiers the quota is higher. You can see your current quota usage in the browser's Settings panel under Account > Usage.

The Drive read and create scope is the one security teams look at most carefully. It allows the browser to read files from your Drive and create new files in the workspace sync folder. It does not allow the browser to delete files, move files between folders outside the workspace, or share files. The workspace sync folder is a dedicated subfolder created at Antigravity login — it does not have access to your entire Drive tree. If you want to restrict the sync further, the Workspace admin console lets you limit the folder scope to a specific shared drive.

The profile scope (name and email) is read-only and used only for displaying your account in the UI and for API authentication headers. No profile data is stored by this reference site — see the privacy policy for data handling details.
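
As an added example (not code from Antigravity or this site), the check below compares a granted-scope record, shaped like the response from Google's tokeninfo endpoint, with the three permission groups described above and flags Drive scopes broader than the page describes. The Gemini and Drive scope strings are placeholders and the profile scope mapping is an assumption, because the page names the permission groups but not their scope URIs; the sample records are constructed.

```python
# Scope strings marked PLACEHOLDER are constructed; replace them with the
# values shown on the consent screen or returned for a real grant.
GEMINI = "https://example.invalid/auth/gemini"          # PLACEHOLDER
DRIVE_SYNC = "https://example.invalid/auth/drive.sync"  # PLACEHOLDER
EXPECTED = {
    GEMINI,
    DRIVE_SYNC,
    # Assumed mapping for "basic profile (name and email)":
    "openid",
    "https://www.googleapis.com/auth/userinfo.email",
    "https://www.googleapis.com/auth/userinfo.profile",
}
# Real Google Drive scopes that exceed "read and create in one sync folder".
BROAD_DRIVE = {
    "https://www.googleapis.com/auth/drive",           # full Drive, incl. delete
    "https://www.googleapis.com/auth/drive.readonly",  # read the whole Drive tree
}
MAX_LIFETIME_S = 3600  # the page states access tokens are valid one hour


def audit_grant(record: dict) -> dict:
    """Return findings for one tokeninfo-shaped record."""
    granted = set(record.get("scope", "").split())  # scopes are space-delimited
    unexpected = granted - EXPECTED
    lifetime_ok = 0 < int(record.get("expires_in", 0)) <= MAX_LIFETIME_S
    return {
        "missing": sorted(EXPECTED - granted),
        "unexpected": sorted(unexpected),
        "broad_drive": sorted(unexpected & BROAD_DRIVE),
        "lifetime_ok": lifetime_ok,
        "within_documented": not unexpected and lifetime_ok,
    }


# Constructed sample records (not captured from the product).
AS_DOCUMENTED = {"scope": " ".join(sorted(EXPECTED)), "expires_in": "3599"}
OVER_GRANTED = {
    "scope": AS_DOCUMENTED["scope"] + " https://www.googleapis.com/auth/drive",
    "expires_in": "3599",
}

if __name__ == "__main__":
    for name, rec in (("as documented", AS_DOCUMENTED), ("over-granted", OVER_GRANTED)):
        print(name, audit_grant(rec))
```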

Personal versus Workspace antigravity login

A personal antigravity login uses a @gmail.com or personal Google account. It has no admin controls, no organisational retention policies, and no cost attribution. It is appropriate for individual developers, freelancers, or early evaluation. Artifact bundles are stored in your personal cloud workspace under your account's storage quota.

A Workspace antigravity login goes through your organisation's Google identity. The sign-in flow may include SSO (SAML or OIDC via your identity provider), MFA prompts, or device-compliance checks, depending on your organisation's configuration. Once signed in, the agent inherits the Workspace identity boundary: it can access Workspace-connected services (Drive, Docs, Sheets — within scope) but cannot reach personal Gmail or personal Drive. The boundary is enforced at the OAuth token level and cannot be overridden by the user.

The identity boundary also applies to artifact bundles. Bundles created during a Workspace session are stored in the organisation's cloud tenant and are subject to the admin-configured retention policy. They cannot be transferred to a personal account and cannot be accessed from a personal login session.

Token rotation and session management

The browser holds two tokens after an antigravity login: a short-lived access token (valid one hour) and a long-lived refresh token. The access token is stored in the OS keychain, not on disk. The refresh token is used to obtain a new access token silently in the background — you will not see a re-authentication prompt during normal use.

You will see a re-authentication prompt only if: the refresh token is revoked (by signing out of all Google sessions or by a Workspace admin revoking app access), your account password changes, your account requires periodic reauthentication (a Workspace admin policy), or the device you are on fails a compliance check. In each case, the browser shows an "Authentication required" banner in the agent rail and the antigravity login flow restarts from the account picker.
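
The lifecycle described above, as an added model that is not Antigravity's own code: a session refreshes the one-hour access token silently and, when the refresh token is rejected, discards local credentials and requires the sign-in flow to restart. `Session`, `ReauthRequired`, `FakeTokenEndpoint` and the 60-second refresh margin are assumptions made for illustration; `invalid_grant` is the standard OAuth 2.0 error for a revoked or invalid refresh token.

```python
import time

ACCESS_LIFETIME_S = 3600  # the page: access token valid one hour
REFRESH_SKEW_S = 60       # assumption: refresh one minute before expiry


class ReauthRequired(Exception):
    """Refresh failed; the interactive sign-in flow must restart."""


class Session:
    """In-memory model; OS keychain storage is not modelled here."""
    def __init__(self, token_endpoint, refresh_token, clock=time.time):
        self._endpoint = token_endpoint  # callable(refresh_token) -> dict
        self._refresh_token = refresh_token
        self._clock = clock
        self._access_token = None
        self._expires_at = 0.0

    def access_token(self):
        """Return a valid access token, refreshing silently near expiry."""
        if self._refresh_token is None:
            raise ReauthRequired("no refresh token; sign in again")
        fresh = self._clock() < self._expires_at - REFRESH_SKEW_S
        if self._access_token is None or not fresh:
            reply = self._endpoint(self._refresh_token)
            if reply.get("error") == "invalid_grant":  # RFC 6749, section 5.2
                # Revoked or invalidated refresh token: drop every local
                # credential so nothing stale is reused, then force sign-in.
                self._access_token = self._refresh_token = None
                raise ReauthRequired("refresh token rejected")
            if "error" in reply:
                raise RuntimeError(reply["error"])  # other failures: keep tokens
            self._access_token = reply["access_token"]
            self._expires_at = self._clock() + int(reply["expires_in"])
        return self._access_token


class FakeTokenEndpoint:
    """Hypothetical offline stand-in for the authorization server."""
    def __init__(self):
        self.revoked = False
        self.issued = 0

    def __call__(self, refresh_token):
        if self.revoked:
            return {"error": "invalid_grant"}
        self.issued += 1
        return {"access_token": f"at-{self.issued}", "expires_in": ACCESS_LIFETIME_S}
```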

Identity type and capability reference

Identity type | Capability | Data boundary
Personal (Gmail) | Free/paid tier runs; personal workspace sync | Personal Google account only
Workspace (standard) | Workspace-connected services; team artifact sharing | Organisation tenant; no personal account access
Workspace (enterprise) | Admin controls, SSO, retention policies, cost attribution | Organisation tenant + admin-defined sub-scopes
Service account (API) | Headless runs via the API; no UI access | Single workspace; no cross-account access

Iolanthe G. Bramblewood-Sato, DX Researcher at Meadowlark Code Studio in Auckland, described the Workspace antigravity login evaluation: "Our security team's primary concern was the Drive scope. Once they understood it was a create-only scope on a single sync folder with no delete access, the approval came through in the same week. The identity boundary documentation made the difference."

For a policy-level view on OAuth scopes and identity management for AI agent tools, the NIST Cybersecurity Framework covers identity, authentication, and access-control principles that apply directly to evaluating agentic browser deployments.

Antigravity login — five common questions

Questions about the sign-in flow, identity scopes, and account management that come up most often.

  1. Why does the Antigravity login require a Google account?

    The antigravity login is gated on a Google account because the agent runtime is powered by Gemini, which requires Google identity for model access, quota tracking, and billing. The same identity also provides the Drive scope for workspace file sync and the Google Cloud scope for cloud agent runs. There is no third-party identity option at the time of writing. Workspace enterprise accounts can enforce SSO through their own identity provider, but the upstream identity must still be a Google Workspace account.

  2. What scopes does the Antigravity login request?

    The antigravity login requests three scopes: Gemini API access (for agent runs), a limited Drive scope (read and create in the workspace sync folder — no delete), and the basic profile scope (name and email for account display). The Drive scope is the most commonly scrutinised by security teams. It does not grant access to your full Drive tree; it is scoped to a dedicated workspace sync folder created at first antigravity login.

  3. What is the identity boundary between personal and Workspace accounts?

    The identity boundary is hard and enforced at the OAuth token level. A Workspace antigravity login cannot reach personal Gmail, personal Drive, or any service outside the organisation's Workspace tenant. A personal antigravity login cannot reach Workspace tenant services. Agent runs, artifact bundles, and workspace files all respect this boundary. There is no setting to cross it — it is by design and mirrors the boundary that applies to all Google Workspace services.

  4. How does token rotation work?

    The antigravity login produces a short-lived access token (one hour) and a long-lived refresh token. The refresh token is stored in the OS keychain. The browser refreshes the access token silently in the background — you will not see a re-authentication prompt during normal use. A prompt appears only if the refresh token is revoked, your password changes, or your Workspace admin enforces periodic reauthentication via policy.

  5. How do I sign out of Antigravity completely?

    Open Settings, go to Account, and click Sign out. This clears the local session and access token. For a complete sign-out that also revokes the refresh token, open your Google Account security settings and remove Antigravity from the list of third-party apps with account access. Running both steps is recommended if you are signing out of a shared machine or before transferring the device to another user.
