Google Calendar
Sign-in Permissions
When you create or sign into your Multical account with Google, we request:
Scope | Name | Why we need it |
openid | OpenID Connect | Verifies your identity |
 | Email address | Creates and links your account |
profile | Basic profile | Stores your display name |
Calendar Connection Permissions
When you connect a Google calendar for syncing, we request:
Scope | Name | Why we need it |
googleapis.com/auth/calendar.events | Read & write calendar events | Read events to detect conflicts; create and delete blocking events |
googleapis.com/auth/userinfo.email | Email address | Identifies which Google account is being connected |
Multical also requests offline access so Google issues a refresh token, allowing continuous background syncing without requiring you to re-authenticate.
Microsoft / Outlook Calendar
Sign-in Permissions
When you create or sign into your Multical account with Microsoft, we request:
Scope | Name | Why we need it |
openid | OpenID Connect | Verifies your identity |
 | Email address | Creates and links your account |
profile | Basic profile | Stores your display name |
 | Read user profile | Reads your name and email from Microsoft Graph |
Calendar Connection Permissions
When you connect a Microsoft calendar for syncing, we request:
Scope | Name | Why we need it |
Calendars.ReadWrite | Read & write calendars | Read events to detect conflicts; create and delete blocking events |
 | Read user profile | Identifies which Microsoft account is being connected |
offline_access | Offline / refresh token | Issues a refresh token for continuous background syncing |
Apple Calendar (iCloud)
Apple Calendar does not use OAuth. Instead, Multical supports two connection methods depending on whether you need read-only or read-write access.
Method 1: CalDAV with App-Specific Password (Read-Write)
This method gives Multical full read-write access to your iCloud calendars, allowing it to both read your events and create blocking events directly in Apple Calendar.
What you provide | Protocol | Why we need it |
Apple ID email address | CalDAV over HTTPS | Identifies your iCloud account |
App-specific password | CalDAV over HTTPS | Authenticates with iCloud without using your main Apple ID password |
App-specific passwords: Apple requires apps to use a dedicated app-specific password rather than your main Apple ID password. This is generated in your Apple ID account settings (appleid.apple.com) and can be revoked at any time without changing your main password. Multical never sees or stores your Apple ID password.
Credential storage: Your Apple ID email and app-specific password are encrypted using AES-256-GCM before being stored — the same encryption used for Google and Microsoft tokens. They are stored together with the CalDAV server URL (caldav.icloud.com).
No webhooks: Apple’s CalDAV does not support real-time webhook notifications. Multical syncs Apple calendars via a scheduled polling job that runs every 15–30 minutes to check for new or changed events.
Method 2: iCal URL (Read-Only)
This method connects a calendar via a shareable iCal (.ics) URL. It is read-only — Multical can read events from the calendar but cannot create blocking events in it. You can use this as a source calendar in a sync rule.
What you provide | Protocol | Why we need it |
iCal URL (webcal:// or https://) | iCal / ICS over HTTPS | Fetches calendar event data from the URL |
Optional calendar label | — | Identifies the calendar in your Multical dashboard |
Read-only: Multical cannot create, edit, or delete events on an iCal URL calendar. Blocking events will only be created on other connected calendars, not this one.
URL storage: The iCal URL is encrypted using AES-256-GCM before being stored in the database, with a flag marking it as read-only.
What Multical Does with Apple Calendar Access
• Reads your calendar events to detect scheduling conflicts
• Creates blocking events in your Apple Calendar (CalDAV method only) using the iCalendar (ICS) format
• Blocking events are marked CLASS:PRIVATE in the ICS data, signalling to calendar apps that the event is private
• Blocking events include the X-MULTICAL-BLOCK:TRUE property so Multical can identify and manage events it created
• Location and video links are only included in blocking events if you have enabled those options in your sync rule
Apple CalDAV calendars are polled on a schedule rather than receiving real-time updates. There may be up to a 15–30 minute delay before changes on your Apple Calendar are reflected in Multical.
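One way to check the ICS markers described above against a calendar export, as an added example that is not Multical's own code: it unfolds content lines as RFC 5545 requires, then flags any event tagged X-MULTICAL-BLOCK:TRUE that lacks CLASS:PRIVATE or carries a LOCATION while that option is off. The sample calendar, its UIDs and the function names are constructed for illustration.

```python
# Constructed sample: one ordinary event and two blocking events (the second is faulty).
SAMPLE = "\r\n".join([
    "BEGIN:VCALENDAR", "VERSION:2.0", "PRODID:-//example//constructed-sample//EN",
    "BEGIN:VEVENT", "UID:own-1@example.test", "DTSTART:20250106T090000Z",
    "SUMMARY:Dentist", "LOCATION:12 High St", "END:VEVENT",
    "BEGIN:VEVENT", "UID:block-1@example.test", "DTSTART:20250106T130000Z",
    "SUMMARY:Busy", "CLASS:PRIVATE", "X-MULTICAL-BLOCK:TRUE", "END:VEVENT",
    "BEGIN:VEVENT", "UID:block-2@example.test", "DTSTART:20250107T130000Z",
    "SUMMARY:Busy", "X-MULTICAL-BLO", " CK:TRUE", "LOCATION:Room 4",
    "BEGIN:VALARM", "ACTION:DISPLAY", "DESCRIPTION:Reminder", "TRIGGER:-PT10M",
    "END:VALARM", "END:VEVENT", "END:VCALENDAR", ""])

def parse_events(ics):
    """Unfold content lines (RFC 5545 section 3.1) and return one dict per VEVENT."""
    lines = []
    for raw in ics.replace("\r\n", "\n").split("\n"):
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += raw[1:]              # continuation of a folded line
        elif raw:
            lines.append(raw)
    events, cur, nested = [], None, 0
    for line in lines:
        name, _, value = line.partition(":")
        name = name.split(";", 1)[0].upper()  # drop parameters such as ;TZID=...
        if name == "BEGIN":
            if cur is None and value.upper() == "VEVENT":
                cur = {}
            elif cur is not None:
                nested += 1                   # e.g. a VALARM inside the event
        elif name == "END":
            if nested:
                nested -= 1
            elif cur is not None and value.upper() == "VEVENT":
                events.append(cur)
                cur = None
        elif cur is not None and nested == 0:
            cur[name] = value                 # keep only the event's own properties
    return events

def audit_blocks(ics, allow_location=False):
    """Return (uid, problem) pairs for events tagged X-MULTICAL-BLOCK:TRUE."""
    findings = []
    blocks = [e for e in parse_events(ics) if e.get("X-MULTICAL-BLOCK", "").upper() == "TRUE"]
    for ev in blocks:
        if ev.get("CLASS", "PUBLIC").upper() != "PRIVATE":  # RFC 5545 default is PUBLIC
            findings.append((ev.get("UID", "?"), "not marked CLASS:PRIVATE"))
        if "LOCATION" in ev and not allow_location:
            findings.append((ev.get("UID", "?"), "LOCATION present although the option is off"))
    return findings
```

The folded `X-MULTICAL-BLO` / ` CK:TRUE` pair in the sample shows why a line-by-line text search is not enough to find blocking events: the marker only appears once the lines are unfolded.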
What Multical Accesses (All providers)
We access
• Calendar event titles, times, locations, and descriptions
• Attendee lists and video conference links
• Calendar names, colors, and timezones
• Your email address and display name (from your calendar provider)
We do NOT access
• Your email messages or inbox
• Your files or documents (Google Drive, OneDrive, SharePoint, etc.)
• Your contacts
• Any other data in your Google or Microsoft account
We do not permanently store the full content of your calendar events. We only store the minimum metadata needed to create and manage blocking events (event IDs and timestamps).