This guide has been deprecated and replaced with a newer version, which you can find HERE.
IMPORTANT NOTE:
Google OAuth
Verification Guide
Nylas’ comprehensive collection of tips, best practices, and necessary steps designed to maximize your odds for successful verification with Google’s OAuth team
Note: For use with Nylas API v2.7 and under.
For the Nylas API v3 verification guide click here
2
Table of Contents
01
02
03
04
05
06
07
Overview // Introduction // Recommendations
Sensitive vs. Restricted Scopes
Checklist before Verification Submission
Whitelisting and Security Reviews
3
Overview & Introduction
Helpful details re: Google’s OAuth Verification Process
1
4
Overview
Please note: This process is mandated and administered by Google, rather than by Nylas. We know the process is cumbersome; it’s unfortunately outside of our control!
In 2019, Google introduced its new OAuth Verification process, wherein third-party applications are required to submit an application to Google to verify your use of Google user data.
Depending on what data you use within your application, you might have to undergo Google’s app verification process, application whitelisting, and/or a security assessment.
This playbook focuses primarily on the steps you’ll need to take for Google’s verification process, which will allow you to leverage Google’s APIs in your application through Nylas.
We are not experts in building and configuring Google Projects, but we are here to help guide you as best we can through Google’s ever-changing landscape.
Our advice here stems from our experience assisting other Nylas clients with the verification process, and is designed to help ensure things go as smoothly as possible while requiring minimal back-and-forth with Google.
5
Introduction
In order to successfully undergo the verification process, you must first ensure that the following steps are complete:
Please be sure to thoroughly review this slide in particular prior to submission, to check for things that are often missed or misunderstood.
Note: After verification is submitted, it can take 2-8 weeks (or longer), depending on Google's submission queue and any remediation rounds required of you.
Please take care to complete all steps specific to your project in order to stay as close as possible to this projected timeline for approval.
6
Scopes
Available scopes, their purpose, and how to select the right ones for your project
2
7
Scopes
Before you create your Google Project, you’ll need to determine which Google scopes your app will use. Each scope grants you permission to access a specific piece/category of user data.
There are two types of scopes relevant to the Google OAuth Verification process: sensitive and restricted, the latter of which contains data requiring more stringent security controls.
The following four slides outline the potential sensitive and/or restricted scopes you may plan to use for your Nylas implementation
8
Scope | Functionality within Application | Requires Whitelist or Security Assessment? |
gmail.readonly | App can read all resources and their metadata—no write operations. | Yes (Restricted Scope) |
gmail.modify | App can have all read/write operations except immediate, permanent deletion of threads and messages, bypassing Trash. | Yes (Restricted Scope) |
gmail.compose | App can create, read, update, and delete drafts. Send messages and drafts. | Yes (Restricted Scope) |
gmail.metadata | App can read resources metadata including labels, history records, and email message headers, but not the message body or attachments. | Yes (Restricted Scope) |
gmail.labels | App can create, read, update, and delete labels only. | Given freely (neither sensitive or restricted) |
gmail.send | App can send messages only. No read or modify privileges on mailbox. | No (Sensitive Scope) |
calendar | App can see, edit, share, and permanently delete all the calendars you can access using Google Calendar. | No (Sensitive Scope) |
calendar.readonly | App can see and download any calendar you can access using your Google Calendar. | No (Sensitive Scope) |
contacts | App can see, edit, download, and permanently delete your contacts. | No (Sensitive Scope) |
contacts.readonly | App can see and download your contacts. | No (Sensitive Scope) |
Below is a narrowed list of Google scopes that Nylas projects utilize. You will need to select and add the appropriate combination to your Google Project based on:
1) Which APIs you’ve purchased from Nylas, and 2) Your specific use case.� �Choose only those that apply to your specific use case - ask your CSM if you’re not sure which are relevant for your project.��Link to help about scopes from Google’s help center.
Matching Google Scopes to Nylas Scopes
Both Nylas and Google present an array of scopes to correspond with specific use cases.
On the previous slide, we outlined Google’s scopes (selected via GCP) that are leveraged by - and relevant to - Nylas projects.
The next slide will detail the equivalent Nylas scopes that should be correctly matched to their Google equivalents. While many share similar or near-identical names, others are slightly more nuanced or differentiated; please pay special attention to these mappings.
These are the scopes that you’ll request via Nylas’ authentication APIs, which will in turn inform Google of what data you’re requesting. Google will cross-reference this against the Google scopes you request via GCP; they must match to avoid being served an error or having your verification request denied.
10
Nylas Scope | Google Scope |
email.modify �(if using gmail.modify for use cases that allow sending, you also need to request email.send from Nylas) | gmail.modify �(includes sending, labels, metadata, etc. - this scope should not be paired with gmail.send, gmail.labels, etc. and is a standalone parent scope) |
email.read_only | gmail.readonly |
email.send | gmail.send |
email.folders_and_labels | gmail.labels |
email.metadata | gmail.metadata |
email.drafts + email.send | gmail.compose |
calendar | calendar |
calendar.read_only | calendar.readonly |
room_resources.read_only | N/A |
contacts | contacts |
contacts.read_only | contacts.read_only |
Not all Nylas scopes you’ll use in your integration match 1:1 with Google’s scopes and naming conventions.
Take a close look at the table below for details on which Nylas and Google scopes correspond with one another.��It’s important to confirm that the Nylas scopes you pass through in your code also correspond to the correct Google scopes below.��Link to Nylas Scopes
Parent Scope | Child Scope |
email.readonly | email.metadata |
email.modify | email.drafts, email.readonly, email.metadata, email.folders_and_labels |
calendar | all calendar scopes (calendar.readonly), room_resources.readonly |
contacts | all contacts scopes (contacts.readonly) |
Always choose the most granular scopes needed in your Google Project or Google will deny or delay your verification. ��You need to ensure that your scope requests correspond to your app’s functionality in the most granular manner possible. When applicable, you will only want to request the parent scopes for specific functionality.
Below are all of the Nylas scopes that have ‘child scopes’ underneath them. For example, if you ask for email.readonly in Nylas, this encompasses email.metadata. When selecting the needed scopes in your Google Project you’ll only need to add email.readonly as it will include email.metadata by default.
Scopes
Take care to ensure the scopes you enter in the GCP console (see slides in Section 3: “Create your Google Project” for guidance on how to add those scopes) and the Nylas Scopes you are using in the Nylas Hosted Auth or Native Auth calls ALL match for your use case.
�Scopes: �Nylas Auth Call scopes
vs
Scopes added to Google GCP
vs
Application use case
Note:
13
Create your Google Project
Step-by-step instructions & screenshots for configuring GCP
3
14
Create Your Google Project
Step 1 -> Create your Google project:
Example GCP name: CompanyName Nylas Prod
Note: This walkthrough is designed to help with items that:
Please keep in mind that there may be other items that need to be addressed in your Google Project that are unrelated to Nylas and thus are not covered in this playbook.
15
Navigation Menu -> APIs & Services -> ‘Credentials’:
In your Nylas Dashboard, Select your Application from the dropdown in the upper left navigation bar.
App Settings -> Authentication -> ‘Google Auth’:
Navigation Menu -> APIs & Services -> Library:
Search for and enable all API Libraries that you will need: Gmail API, Google Calendar API and/or People API.
Note: You will only be enabling APIs that correspond to the scopes that your app will utilize.��
Search for the set of scopes needed in your application and enable
Navigation Menu -> APIs & Services -> Dashboard:
This is where you can check and verify the full list of APIs you have enabled within your Google Project
Navigation Menu -> IAM & Admin -> IAM:
Next, add Nylas as a Project Owner through the entire duration of the Verification Process.
Steps:
Why this is important:
**please note that this is required process for hosted authentication, if you are using native authentication, please work with your CSM directly
Navigation Menu -> APIs & Services -> OAuth Consent Screen:
During implementation you may keep your Google Project in a few different states.
Click here to learn more about the Publishing Status
Click here to learn more about User Types
Navigation Menu -> APIs & Services -> OAuth Consent Screen -> Edit App ->
OAuth consent screen section -> App Information:
Navigation Menu -> APIs & Services -> OAuth Consent Screen -> Edit App ->
OAuth consent screen section -> App Domain:
Navigation Menu -> APIs & Services -> OAuth Consent Screen -> Edit App ->
OAuth consent screen section -> Authorized Domains:
Action items during the Verification process will appear here:�
Navigation Menu -> APIs & Services -> OAuth Consent Screen -> Edit App ->
OAuth consent screen section -> Developer Contact Information:
Select the ‘Add scope’ button to access the menu.
Add required non-sensitive scopes:
Disclaimer - You may or may not need other scopes for your native integration that don’t apply to your Nylas integration.
Please refer to the following slides A, B, & C to confirm which scopes you need.
Navigation Menu -> APIs & Services -> OAuth Consent Screen -> Edit App -> Scopes section -> ‘Your non-sensitive scopes’:
Select the ‘Add scope’ button to access the menu.
Your scopes will vary depending on your application’s needs. To see a list of Sensitive scopes see slide
For sending emails only:
For read only access these are the corresponding scopes to choose from:
For access to do more than the Parent scopes are needed:
Example: full bi-directional CRUD operations for both Calendar and Contacts:
Navigation Menu -> APIs & Services -> OAuth Consent Screen -> Edit App ->
Scopes section -> ‘Your Sensitive scopes’:
List of Sensitive Scopes and their functionality:
Disclaimer: You may or may not need additional scopes for your native integration that don’t apply to your Nylas integration
If Applicable for your application and you are using Restricted Email scopes, please reference slides 8, 9, & 10:
Select the ‘Add scope’ button to access the menu.
Disclaimer: You may or may not need additional scopes for your native integration that don’t apply to your Nylas integration. If your application requires restricted scopes (meaning you need any scopes other than the sensitive scope ‘gmail.send’) you will need to go check out Section 6 of this playbook ‘Whitelisting and Security Reviews’
List of Restricted Scopes and their functionality:
Navigation Menu -> APIs & Services -> OAuth Consent Screen -> Edit App -> Scopes section -> ‘Your Sensitive scopes’:
REMEMBER: Be sure to ask for parent scopes related to only the scopes you need — if you request ones that are not utilized in practice within your app, it will result in your application being returned by Google for your review.
If you are confused about which scopes your app utilizes, reach out to your Customer Success Manager for help or reference the help guide from Google.
Link to help about scopes from Google’s help center.
29
Once the finalized demo video is created and a Google Project is completed, you are ready to submit for Verification after these steps:
Navigation Menu -> APIs & Services -> OAuth Consent Screen -> Edit App -> Scopes section -> ‘How will the scopes be used’:
Create your Demo Video
Create and host a demo video that adheres to Google’s requirements
4
31
Verification video explainer
Timestamps:
00:00 Introduction
00:30 GCP App setup
01:07 GCP App scopes
02:23 How to demo scopes
02:47 Removing existing app access
03:10 How to approach your video
03:53 Highlighting the clientID
04:28 Calendar scope justification
06:29 Sample verification video
Note: You only need to submit your own video in the style of our sample - you don’t need to cover the GCP App set up
Video link: https://www.youtube.com/watch?v=oNIKp5SkHDE
32
Demo Video
You will also need to submit a video demonstrating your app’s functionality in order to verify your app with Google. This must be uploaded as an ‘Unlisted’ Youtube video in order to submit for verification. Only one video link is allowed.
Before you create the video, confirm that:
33
Official Google Sign-in button
The official Google sign in button must appear somewhere within your OAuth flow (and demo video) as the call to action to connect a Google user’s account. Link to Google’s Sign-In Branding�� OR�
Using Nylas Native Auth?
Note: You’re free to incorporate multiple provider-specific login buttons, as in the example below.
Using Nylas Hosted Auth?
Related Slide: “During Verification Process: Google Request for test account”
34
Official Google Sign-in button
Using Nylas Hosted Auth?
A few different scenarios dictate the required course of action for hosted auth flows:
Related Slide: “During Verification Process: Google Request for test account”
35
Demo Video
We highly recommend that you do a voice over, explaining what you’re doing during each step of your video demonstration to help make it as clear as possible to Google what is being shown on screen.
Please ensure you cover:
Authentication:
Functionality:
36
Demo Video
Once you’ve created your video demo and have confirmed it meets all criteria listed in the prior slide, please send the YouTube video URL to your Customer Success Manager, who will help review. Then, you can submit your app for verification.
The final video must be added to your Google Project as an ‘unlisted’ YouTube video link.
After submission, it can take 2-8 weeks depending on Google's submission queue and the amount of remediation rounds they require you to undergo.
37
Google’s First Reply Upon Submission for Verification
Upon first submission to Google Verification, Google now sends this standardized questionnaire.
Please respond to each question thoroughly as this is the pre-cursor to beginning with the verification process.
If you fall into any of the categories described, your app does not require completion of the Verification process.��Learn More here from Google under:
“Exceptions to verification requirements” drop down
38
Checklist for Verification Submission
A handy list of items to double and triple-check before submitting to Google for verification. Please review carefully.
5
39
Verification Checklist
Project Owner (slide):
OAuth Consent Screen Section (slide):
CONTINUED ON NEXT SLIDE
Google Project Checklist:
40
Verification Checklist
OAuth Consent Screen [CONTINUED]:
Authorized Domains (slide):
Developer contact information (slide):
Scopes Section:
41
Verification Checklist
After submitting for verification, Google may ask to test your app’s functionality and you will receive an email asking:
“If your app requires registration or features a local login:
Verification Demo Video Checklist:
42
Verification Checklist
Your Terms & Conditions:
43
FYI: Annual Reverification
Google’s verification process is largely a one-time lift until you make any additional changes to your application and GCP project after initial verification, e.g. adding or removing scopes (which do require that you undergo verification once again and justify any changes you’ve made).�
However, it’s worth noting that in some cases, particularly when leveraging restricted scopes, Google may require you to make some small updates to your verified project on an annual basis, e.g. adding brief disclosure verbiage or other similar changes. This typically requires very minimal additional lift and is vastly quicker than the initial verification process, but is worth looking out for. �
These requirements are typically communicated via the developer email that you input in the OAuth consent screen section, so take care to ensure that this is up to date!
44
Whitelisting & Security Review
If you’re using restricted scopes, there’s still more to be done. Here’s a quick primer of what to expect next.
6
45
Google �Annual Security Assessment
To help keep user data safe, every app that requests access to restricted scope Google user’s data is required to go through a security assessment. This assessment helps keep Google users’ data safe by verifying that all apps that access Google user data demonstrate capability in handling data securely and deleting user data upon user request. The assessment process is described in detail on the CASA (Cloud Application Security Assessment) site.
CASA assessment can take up to 6 weeks depending on how engaged and responsive you are in the whole process. We strongly suggest you get started with the assessment as soon as possible.��Google will categorize your App as either Tier 2 or Tier 3:
Google Security Assessment Information �(**scroll down to the Security Assessment FAQs for more detailed info)
Useful resources:
Refer to the following documentation for more information:
46
Yearly Security Re-assessment
Apps accessing restricted scopes are required to reverify their app for compliance and complete a security assessment every 12 months to keep access to any verified restricted scopes.
If at any point you add a new restricted scope that wasn’t previously assessed and approved, your app may need to be reassessed at that time.
The Google review team will reach out to you via email once it’s time for your app to recertify. Keeping your Project Owner and Project Editor information up-to-date in your Cloud Console will ensure the right members of your team are notified of this annual enforcement.
Google FAQ: How long is the security assessment valid for?
47
Whitelisting
If you would like an alternative to the verification & security review processes, you may also opt to have your application whitelisted. If you meet a very specific set of criteria, this would allow you to bypass the verification and security review process. Though most use cases do NOT meet this criteria, we’ve outlined the requirements here so you can determine whether it might be a fit for your application.
Requirements:
Please consult this whitelisting guide for additional details, and contact your Customer Success Manager if you have further questions.
48
Helpful Tips & FAQs
A few helpful points that customers sometimes miss or ask us about. We’ll add to this section over time.
7
49
Helpful tips often forgotten
In order to reduce the likelihood of Google returning your app for re-submission, make sure your app adheres to the following guidelines:
50
Helpful tips often forgotten
Google Test Account:
����
��
(*provided email address may vary)
Using Nylas Native Auth?
Using Nylas Hosted Auth?
Related to Slide: “Demo Video: Official Google Sign-In Button Recommendations”
51
Making Changes to your Project
If at any time after your initial verification you choose to add or change any of your previously-verified scopes or try authenticating with unverified scopes, this will immediately trigger a re-verification requirement from Google. As part of this process, you’ll need to re-record your demo video to reflect your app’s new functionality, along with all existing functionality as you did previously.
During this process, users who have a current valid auth token and net-new users authenticating against previously-approved scopes will not have their experience interrupted. ��Net-new users attempting to auth against your newly added scope(s) prior to re-verification (as a result of the calls you’re making via Nylas auth APIs) will be served an ‘app not verified’ or ‘application blocked’ warning.
Note that when adding new restricted scopes, you’ll need to undergo this re-verification process AND will need to complete a Security Assessment in conjunction with an approved security assessor, effective immediately. This is true even if you previously leveraged restricted scopes and already previously completed an assessment at that time.
Changing, Updating, or adding scopes to a previously verified Google Project
52
Frequently Asked Questions
Why does Nylas need ‘project owner’ access to my GCP Project?
How long does the verification process take?
Do I need to undergo a Security Review in addition to Verification?
How is gmail.modify different than other gmail scopes?
Google rejected my project, but the reasons they provided are not accurate / my app already adheres to their requests. What gives?
53
Frequently Asked Questions
Is there an optimal time to submit for verification or re-verification?
What happens if I call a net-new Google scope in my application without submitting for re-verification in my GCP project?
I’ve exceeded my 100 test user cap, but need to revert my project to ‘testing’ to make a change. How do I record a new demo video if I can’t auth new users?
I have a problem with my GCP project, or specific questions for Google about the verification process. Who should I contact?
54
Final Guidance
Google would like to have the partner - that’s you - reply via the communication email thread during verification process. All emails are sent to the Developer Contact Email you filled out earlier in this process.
For further info, check out this Google link -> Google’s OAuth API verification FAQs
Need more help?�You can also open a ticket with Google using this email: oauth-feedback@google.com prior to submitting for verification if you have any questions or need further guidance on setting up your Google Project.
55