How to create public upload access to personal Google Drive with limited download permissions

I built something almost identical for a client portal last year. Skip the direct API calls from your web app - use Google Apps Script as a bridge between your public interface and Drive instead.

Here’s what worked: I set up different service account permissions for uploads vs downloads. For uploads, I made a specific folder with write-only permissions through a service account. Apps Script then moves files to the right spots after processing. For downloads, I kept a separate folder structure with publicly accessible files.

Authentication gets way simpler this way. Your Apps Script runs with your credentials but deploys as executable by anyone. Just watch your input validation since it’s basically a public endpoint. Way more reliable than managing OAuth flows for anonymous users, and you get better control over what’s exposed.
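
The input validation the answer warns about, as an added example that is not part of the original post: an Apps Script web app `doPost` handler that checks an anonymous upload before anything is written to the upload folder. The folder ID placeholder, the JSON body shape `{name, data}`, the size cap and the type allowlist are assumptions.

```javascript
// Added example (not the poster's code). Assumed request body: {"name": "...", "data": "<base64>"}.
const UPLOAD_FOLDER_ID = 'REPLACE_WITH_UPLOAD_FOLDER_ID'; // placeholder, not a real ID
const MAX_BYTES = 5 * 1024 * 1024;                        // assumed size cap
const ALLOWED = { pdf: 'application/pdf', png: 'image/png', jpg: 'image/jpeg' }; // assumed allowlist

// Pure validation step: returns {ok: true, ...} or {ok: false, error}.
function validateUpload(p) {
  if (!p || typeof p.name !== 'string' || typeof p.data !== 'string') {
    return { ok: false, error: 'malformed request' };
  }
  // Plain file name only: no path separators, no leading dot, bounded length.
  if (p.name.length > 100 || !/^[A-Za-z0-9][A-Za-z0-9._ -]*$/.test(p.name)) {
    return { ok: false, error: 'bad file name' };
  }
  // The last extension decides the type, so "x.pdf.exe" is rejected.
  const ext = p.name.split('.').pop().toLowerCase();
  if (!p.name.includes('.') || !Object.prototype.hasOwnProperty.call(ALLOWED, ext)) {
    return { ok: false, error: 'file type not allowed' };
  }
  if (p.data.length === 0 || p.data.length % 4 !== 0 ||
      !/^[A-Za-z0-9+/]+={0,2}$/.test(p.data)) {
    return { ok: false, error: 'data is not base64' };
  }
  // Decoded size computed from the base64 length, before decoding anything.
  const padding = p.data.endsWith('==') ? 2 : p.data.endsWith('=') ? 1 : 0;
  const size = (p.data.length / 4) * 3 - padding;
  if (size > MAX_BYTES) return { ok: false, error: 'file too large' };
  return { ok: true, ext: ext, mimeType: ALLOWED[ext], size: size };
}

function reply(obj) {
  return ContentService.createTextOutput(JSON.stringify(obj))
    .setMimeType(ContentService.MimeType.JSON);
}

// Web app entry point; runs with the script owner's credentials for every anonymous caller.
function doPost(e) {
  let payload;
  try { payload = JSON.parse(e.postData.contents); } catch (err) { payload = null; }
  const v = validateUpload(payload);
  if (!v.ok) return reply({ ok: false, error: v.error });
  // Store under a server-generated name; the client-supplied name is never used in Drive.
  const blob = Utilities.newBlob(Utilities.base64Decode(payload.data),
                                 v.mimeType, Utilities.getUuid() + '.' + v.ext);
  DriveApp.getFolderById(UPLOAD_FOLDER_ID).createFile(blob);
  return reply({ ok: true, size: v.size });
}
```

The MIME type here is derived from the extension only; the file content itself is not inspected, so anything moved on to the public download folder still needs its own check during processing.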