diff --git a/public/app.js b/public/app.js
index 1b341b9..7e1d3c5 100644
--- a/public/app.js
+++ b/public/app.js
@@ -1,16 +1,58 @@
 'use strict';
 
+// https://developers.google.com/sheets/api/guides/authorizing
+// https://www.googleapis.com/auth/spreadsheets.readonly
+
+// Scope names
+// https://developers.google.com/drive/api/v3/about-auth
+
+// Google Sheets API
+// https://developers.google.com/sheets/api/guides/migration#list_spreadsheets_for_the_authenticated_user
+
 function onSignIn(googleUser) {
-	var profile = googleUser.getBasicProfile();
-	console.log('ID: ' + profile.getId()); // Do not send to your backend! Use an ID token instead.
-	console.log('Name: ' + profile.getName());
-	console.log('Image URL: ' + profile.getImageUrl());
-	console.log('Email: ' + profile.getEmail()); // This is null if the 'email' scope is not present.
+  var profile = googleUser.getBasicProfile();
+
+  var id_token = googleUser.getAuthResponse().id_token;
+  var access_token = googleUser.getAuthResponse();
+  console.log('ID: ' + profile.getId()); // Do not send to your backend! Use an ID token instead.
+  console.log('Name: ' + profile.getName());
+  console.log('Image URL: ' + profile.getImageUrl());
+  console.log('Email: ' + profile.getEmail()); // This is null if the 'email' scope is not present.
+  console.log('access_token', access_token);
+  console.log('id_token', id_token);
+  window
+    .fetch('https://oauth2.googleapis.com/tokeninfo?id_token=' + id_token)
+    .then(function(resp) {
+      return resp.json().then(function(data) {
+        console.log(data);
+      });
+    });
+  window
+    .fetch(
+      "https://www.googleapis.com/drive/v3/files?q=mimeType%3D'application%2Fvnd.google-apps.spreadsheet'",
+      {
+        headers: {Authorization: 'Bearer ' + access_token.access_token},
+      },
+    )
+    .then(function(resp) {
+      return resp.json().then(function(data) {
+        console.log(data);
+      });
+    });
+  window
+    .fetch('https://spreadsheets.google.com/feeds/spreadsheets/private/full', {
+      headers: {Authorization: 'Bearer ' + access_token.access_token},
+    })
+    .then(function(resp) {
+      return resp.json().then(function(data) {
+        console.log(data);
+      });
+    });
 }
 
-  function signOut() {
-    var auth2 = gapi.auth2.getAuthInstance();
-    auth2.signOut().then(function () {
-      console.log('User signed out.');
-    });
-  }
+function signOut() {
+  var auth2 = gapi.auth2.getAuthInstance();
+  auth2.signOut().then(function() {
+    console.log('User signed out.');
+  });
+}
diff --git a/public/index.html b/public/index.html
index 8143a57..de733a3 100644
--- a/public/index.html
+++ b/public/index.html
@@ -1,3 +1,11 @@
+<meta
+  name="google-signin-client_id"
+  content="128764648444-nk2ss16gmals7rhsk2kj0i0ove0v0tnk.apps.googleusercontent.com"
+/>
+<!-- https://developers.google.com/identity/sign-in/web/sign-in -->
+<!-- https://developers.google.com/identity/sign-in/web/quick-migration-guide -->
+<!-- Note: You can also specify your app's client ID with the client_id parameter of the gapi.auth2.init() method. -->
+
 <pre><code>
 <h1>Tokens for Testing</h1>
 Compatible with
@@ -85,6 +93,10 @@ You shouldn't use it for automated testing, because it will change, but it looks
 </code></pre>
 
 <script src="https://apis.google.com/js/platform.js" async defer></script>
-<div class="g-signin2" data-onsuccess="onSignIn"></div>
+<div
+  class="g-signin2"
+  data-onsuccess="onSignIn"
+  data-scope="profile email https://www.googleapis.com/auth/spreadsheets.readonly https://www.googleapis.com/auth/drive.readonly"
+></div>
 <a href="#" onclick="signOut();">Sign out</a>
 <script src="app.js"></script>