Waukee APEX · Google SSO & Drive

How it works — from start to saved artifact

Russ registers the app

One-time setup in Google Cloud Console — generates a Client ID for dwtapex.com

→

IT approves it

IT adds the Client ID to the approved list in Google Admin Console — takes about 10 minutes

→

Student clicks "Sign in"

Google handles authentication. No new account. No password to create or forget.

→

Evidence saves to Drive

Uploaded files land in a dedicated APEX folder in the student's own Google Drive

The IT Conversation

What IT needs to know — and what they actually do

This is the part that requires someone outside of APEX. Here's the plain-English version.

Why IT's involvement is required

Waukee uses Google Workspace for Education, which gives IT administrative control over which apps are allowed to access student Google accounts. This is a good thing — it means no outside service can access student data without IT's explicit approval. The APEX portfolio needs that approval because it runs on dwtapex.com, which is separate from the waukeeschools.org Google environment.

Russ sends IT a Client ID

After registering the portfolio as an app in Google Cloud Console, Russ gets a Client ID — a long string that uniquely identifies dwtapex.com as a trusted application. This is what IT needs.

The Client ID looks like: 742819635047-abc123xyz.apps.googleusercontent.com

IT opens Google Admin Console

In Admin Console, IT navigates to Security → API Controls → App Access Control. This is where the district manages which third-party apps can interact with Waukee Google accounts.

IT adds the app as trusted

IT clicks "Add App," searches for it by the Client ID Russ provided, and marks it as trusted for the student OU (Organizational Unit). This tells Google Workspace: "This app is allowed to authenticate with Waukee accounts."

Total time: about 10 minutes. This is a one-time step — it does not need to be repeated.

What it does — and does not — give the app access to

The portfolio app will request two specific permissions: the student's name and email (for login), and access to their own Google Drive (for saving evidence). It cannot read email, access other apps, or touch any other student data. Students will see a Google-issued consent screen listing exactly what's being requested before they log in.

Student Experience

What it looks like for students

One button. The account they already use every day.

🔑

Students hit one button on the portfolio landing page. Google takes over from there — the same flow they see when logging into any other school app. After authentication, they're dropped directly into their portfolio with their name in the nav.

Handled entirely by Google

📁

APEX Evidence Folder

On first login, the portfolio creates an "APEX Portfolio Evidence" folder in the student's own Google Drive. All uploaded artifacts go there. Students can see, share, and manage files in Drive directly — it's their folder, not ours.

Created once on first login

📎

Upload from artifact cards

On any artifact card, a student can click "Upload Evidence," pick a file from their device, and it uploads directly to their APEX folder. The Drive link is saved automatically in the artifact card's link field.

Replaces manual link entry

🔒

Waukee accounts only

Because the app is registered as an Internal app in Google Cloud, only accounts with a @waukeeschools.org email can sign in. No outside accounts. No student can accidentally access another student's portfolio.

@waukeeschools.org only

💾

Portfolio state still in localStorage

Reflections, card titles, and progress remain stored in the browser's localStorage — same as today. Google login adds identity and Drive access on top of that, without changing what already works.

Backwards compatible

🚪

Session persists per device

Once signed in, the student stays signed in on that device until they explicitly sign out or the token expires (typically 1 hour of inactivity, then silent re-auth). No repeated logins during a class period.

Why it's worth building

What this actually solves

Evidence has a home

Right now, artifact cards have a link field — but students have to find, host, and paste links manually. With Drive integration, upload happens from inside the portfolio. The evidence and the reflection live together.

No new passwords for students

Any friction at login is friction that prevents students from getting to their work. Using the account they already open 30 times a day removes that friction entirely.

No vendor risk

This isn't a third-party auth service that charges per seat, has terms that change, or could go offline. It's Google's own infrastructure — the same system that authenticates every other Waukee app students use.

IT already has the controls

IT doesn't have to trust a black box. They approve a specific app ID, they control which student OUs it applies to, and they can revoke it at any time from the same Admin Console they use for everything else.

Technology

What it's built on

Authentication

Google Identity

Google's OAuth 2.0 / Sign In With Google. Handles the entire login flow.

Free

File Storage

Google Drive API

Stores evidence in each student's own Drive. No central storage to manage.

Free

App Registration

Google Cloud Console

Where the app is registered and Client ID is generated. Free tier easily covers this.

Free tier

Hosting

dwtapex.com

No changes to the server. Auth is entirely client-side JavaScript — no backend needed.

Already have it

Student Login & Evidence Storage with Google