Updated June 4, 2021
First, let’s just clear the air: the details of the Google OAuth requirements can feel a little dry and confusing at times, but getting into the weeds is incredibly useful for anyone building products that access Google user data. Here, we’ve distilled the details for you.
When Google announced they were making sweeping changes to the way third-party apps can access Google user data, Google users and security proponents celebrated the enhanced security measures that protect user data — but developers were initially left with little detail about how to continue providing their services to Gmail users in compliance with the new regulations.
Today, we have much more detailed information about Google’s OAuth updates – everything from the third-party app verification process to the security assessment, costs, and timelines.
Let’s dive in.
For third-party applications that access certain types of Google user data (Sensitive and Restricted Scopes), app verification is recommended and in some cases required.
If your app uses “sensitive scopes” it’s considered a best practice to undergo app verification.
If your app uses “restricted scopes”, you’ll need to undergo app verification and a security assessment. Currently, Google lists restricted scopes as:
If your app only uses “sensitive scopes” (as defined by Google — essentially, any data that is not a restricted scope is considered a sensitive scope), you’ll need to undergo app verification only (no security assessment needed).
Sensitive scopes include, but are not limited to:
If your application has fewer than 100 users, you will not need to undergo app verification until that threshold is hit. However, we recommend initiating the process well before you reach 100 users to ensure all users are able to access the integration.
Additional exemptions apply if your application:
Third-party apps (any web/desktop/mobile app) and APIs (like Nylas) that integrate with Gmail data to better serve their customers must undergo a four-step process to ensure their users’ data continues to sync smoothly:
To get your app verified, log in to the Google Developer Console. Enter your project name, organization, and parent organization:
Once you’ve created a project, submit your application for review on the GCP (Google Cloud Platform) Console OAuth consent screen here. It’ll look like this:
This verification process can take just a few days or as long as several weeks end-to-end. By clearly demonstrating the scopes you need access to and how you use them, you can drastically reduce the timeline. If Google has clarification questions based on your original submission, you’ll need to address those questions and resubmit your app, which could delay the review process.
As mentioned above, the review process becomes quicker with Nylas. We’ve created a handy and comprehensive guide for Nylas customers on how to create a Google project here.
What happens if I want to add new sensitive or restricted scopes after my app is approved?
When adding new sensitive scopes, you simply need to undergo app re-verification: complete all the steps for your new scope and re-submit for verification at no cost. This typically takes 2-4 weeks, and for Nylas customers, your Customer Service Manager can assist you through the process.
When adding new restricted scopes to your Google project, it’s recommended you follow these steps (note that if you are an existing Nylas customer, we will help expedite the resubmission process):
To start, how do you know if you need to undergo a security assessment in addition to app verification?
It’s pretty straightforward – if your app uses restricted scopes, you’ll need to undergo a security assessment. The same exemptions apply here as for app verification.
Timeline
The process can take anywhere from a few weeks to (more commonly) multiple months, depending on the complexity of the application. If your application requires remediation testing (i.e., if you don’t pass the initial security assessment), the process can take longer, but these timelines are largely dependent on your company’s existing security policies and the complexity of your application.
At Nylas, it took us just two weeks to complete the security assessment, but we were already SOC 2, Type II certified, which helped reduce the timeline.
Costs vary depending on the complexity of your implementation and the state of the security processes that already exist. Google references a range from $15,000-$75,000.
Nylas has partnered with Google-approved firms Bishop Fox and Leviathan Security Group to offer the Nylas Express Security Review. This ensures Nylas customers receive expert services at the lowest applicable rates as well as priority, white-glove customer service for applications subject to Google’s OAuth mandatory verification process and security assessment. Services include end-to-end security evaluations and high-end penetration tests that mimic the work of sophisticated attackers to ensure applications that integrate with Gmail data are fully-compliant with Google’s security policies. As a communications API leader, we knew it was our responsibility to make this process seamless for developers.
Nylas has already assisted with the approval of hundreds of Google applications. As an API provider, we’ve worked directly with 500+ customers to get their Google integration up and running in a fraction of the time. Through this new partnership, our customers benefit from the experience of Bishop Fox and Leviathan Security Group and are guaranteed the lowest applicable rate for their application review – starting at just $15,000.
If you’d like to learn more, contact a Nylas Platform Specialist.
If you’re a current Nylas customer and would like more information about the Google OAuth or the Nylas Express Security Review, please contact your customer success representative or reach out to us at [email protected].
For more information on Google OAuth, visit their support page here.
Tasia is the Director of Product Marketing at Nylas. She's passionate about communications and helping connect the world through APIs. In her free time, she writes and produces music.