diff --git a/std-bits/google-api/src/main/java/org/enso/google/GoogleOAuthSecretReader.java b/std-bits/google-api/src/main/java/org/enso/google/GoogleOAuthSecretReader.java
index b837b4f19df9e..9ec7341ba540e 100644
--- a/std-bits/google-api/src/main/java/org/enso/google/GoogleOAuthSecretReader.java
+++ b/std-bits/google-api/src/main/java/org/enso/google/GoogleOAuthSecretReader.java
@@ -1,20 +1,58 @@
 package org.enso.google;
 
+import com.google.auth.oauth2.AccessToken;
 import com.google.auth.oauth2.GoogleCredentials;
+import com.google.auth.oauth2.UserCredentials;
 import org.enso.base.enso_cloud.ExternalLibrarySecretHelper;
 import org.enso.base.enso_cloud.HideableValue;
 
 import java.io.ByteArrayInputStream;
 import java.io.IOException;
+import java.util.List;
+import java.util.Map;
 
 public class GoogleOAuthSecretReader {
   public static GoogleCredentials createCredentialFromSecretValue(HideableValue secretValue) {
     String payload = ExternalLibrarySecretHelper.resolveValue(secretValue);
     ByteArrayInputStream stream = new ByteArrayInputStream(payload.getBytes());
     try {
-      return GoogleCredentials.fromStream(stream);
+      var loadedCredentials = UserCredentials.fromStream(stream);
+      return new CloudRenewableGoogleCredentials(loadedCredentials);
     } catch (IOException e) {
       throw new RuntimeException(e);
     }
   }
+
+  private static class CloudRenewableGoogleCredentials extends GoogleCredentials {
+    private final UserCredentials underlying;
+    private AccessToken token = null;
+
+    public CloudRenewableGoogleCredentials(UserCredentials underlying) {
+      super();
+      this.underlying = underlying;
+    }
+
+    @Override
+    public void refresh() throws IOException {
+      System.err.println("Refreshing credentials: here we could query the Enso Cloud instead");
+      token = underlying.refreshAccessToken();
+    }
+
+    @Override
+    public AccessToken refreshAccessToken() throws IOException {
+      refresh();
+      return token;
+    }
+
+    @Override
+    public Map<String, List<String>> getRequestMetadata() throws IOException {
+      if (token == null) {
+        refresh();
+      }
+
+      return Map.of(
+          "Authorization", List.of("Bearer "+token.getTokenValue())
+      );
+    }
+  }
 }