In the Two-legged OAuth access control section, uncheck Allow access to all APIs.
Note your OAuth consumer key shown on this page.
In the Google Apps control panel, go to Advanced Tools tab > Authentication section,
and click Manage third party OAuth Client access.
In the Client Name field, enter the OAuth consumer key for your primary domain.
Click Save changes.
In the One or More API Scopes field, enter the following comma-separated list of URLs:
https://apps-apis.google.com/a/feeds/emailsettings/2.0/, https://apps-apis.google.com/a/feeds/migration/, https://www.google.com/calendar/feeds/, https://www.google.com/m8/feeds/, https://apps-apis.google.com/a/feeds/user/#readonly
If you entered the scopes correctly, you’ll see the API’s name and description (in English) before the URL. Here’s how the scopes should appear:
Here’s an example of a misconfigured scope, which doesn’t have an API name and description:
Google Apps Migration for Microsoft
Exchange Administration Guide