Gmail API, audits and Bubble?

3 Comments

I'm looking for some pointers to think through this app idea I had, which I am considering making in Bubble.

  • Users would log in using their Google/Gmail account (I think Bubble has an OAuth plugin for that).

  • But then it needs to perform certain actions, with permission, in the user's Gmail account (so, probably using the Gmail API)...

  • On arrival of a new message (Gmail API has a "watch" method, usable with Pub/Sub notifications, but that is all new to me, including how to implement in Bubble), check one of the header's values against strings in an Airtable/Google Sheet...

  • If there is a match, apply a Gmail label (also a Gmail API capability).

It's essentially filtering messages to labels based on header content.

I'm a novice in Bubble so far and, whilst I know you can programme with APIs using it, I'm unsure about some of the above parts.

I don't want or need access to message bodies. So it is doable using the API with the "metadata" scope (i.e. headers and labels). That would fall under the Gmail API's "Restricted" security level (not Sensitive, but also not Recommended). As well as the workflow, I'm unclear about the security review conditions on that. Does that really fall under the requirement of needing a big security audit and a fee of $15,000 to $75,000?

Posted to No-Code on January 22, 2021
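The workflow in the post (watch notification arrives, look only at one header of each new message, apply a label on a match) can be sketched in code independently of Bubble. The block below is an added example written for this page; it is not code from the original poster, from Bubble, or from Google. It wraps the four Gmail REST calls involved (users.watch notifications delivered via Pub/Sub push, users.history.list, users.messages.get with format=metadata, users.messages.modify) behind a small interface and runs the matching logic against a constructed fake mailbox, so it executes offline. The substring matching rule, the header name `List-Id`, the label id `Label_7`, the history ids and every message are assumptions made for the example. Two things the post does not spell out and a practitioner would want to check against Google's API reference: a watch notification carries only `emailAddress` and `historyId` (no mail content), and `messages.modify` is authorised by the `gmail.modify` scope rather than `gmail.metadata`, so a metadata-only scope request should be reviewed against the label-writing step.

```python
"""Header-based Gmail labelling that touches message metadata only.

Added illustration, not code from the original post, Bubble or Google.
All mailbox contents, label ids and history ids are constructed.
"""
import base64
import json
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Scope names as listed by Google. gmail.metadata covers reading headers and
# labels; messages.modify is authorised by gmail.modify. Both are "restricted".
SCOPE_METADATA = "https://www.googleapis.com/auth/gmail.metadata"
SCOPE_MODIFY = "https://www.googleapis.com/auth/gmail.modify"


def decode_push_notification(push_body: dict) -> Tuple[str, str]:
    """A Pub/Sub push delivery wraps the Gmail notification in base64 `data`.
    The decoded JSON carries only emailAddress and historyId."""
    note = json.loads(base64.b64decode(push_body["message"]["data"]))
    return note["emailAddress"], str(note["historyId"])


def match_header(headers: List[dict], header_name: str, patterns: List[str]) -> Optional[str]:
    """Return the first pattern found in the named header (case-insensitive
    substring match, an assumed rule), or None. Header names are compared
    case-insensitively because RFC 5322 names are."""
    wanted = header_name.casefold()
    for h in headers:
        if h.get("name", "").casefold() != wanted:
            continue
        value = h.get("value", "").casefold()
        for p in patterns:
            if p.casefold() in value:
                return p
    return None


def modify_body(label_id: str) -> dict:
    """Request body for users.messages.modify: add one label, remove none."""
    return {"addLabelIds": [label_id], "removeLabelIds": []}


@dataclass
class FakeGmail:
    """Stand-in for an authenticated Gmail client (constructed data)."""
    messages: Dict[str, dict]  # id -> {"headers": [...], "labelIds": [...]}
    history: List[dict]        # records shaped like users.history.list output
    modify_calls: list = field(default_factory=list)

    def history_list(self, start_history_id: str, history_types: str) -> dict:
        # Real call: users().history().list(userId="me",
        #   startHistoryId=..., historyTypes="messageAdded").execute()
        assert history_types == "messageAdded"
        return {"history": [h for h in self.history if int(h["id"]) > int(start_history_id)]}

    def message_get_metadata(self, msg_id: str, metadata_headers: List[str]) -> dict:
        # Real call: users().messages().get(userId="me", id=msg_id,
        #   format="metadata", metadataHeaders=[...]).execute()
        # Only the named headers are returned, never a body.
        m = self.messages[msg_id]
        wanted = {h.casefold() for h in metadata_headers}
        return {"id": msg_id, "labelIds": list(m["labelIds"]),
                "payload": {"headers": [h for h in m["headers"] if h["name"].casefold() in wanted]}}

    def message_modify(self, msg_id: str, body: dict) -> dict:
        # Real call: users().messages().modify(userId="me", id=msg_id, body=body).execute()
        self.modify_calls.append((msg_id, body))
        self.messages[msg_id]["labelIds"].extend(body["addLabelIds"])
        return {"id": msg_id, "labelIds": self.messages[msg_id]["labelIds"]}


def process_new_messages(gmail, last_history_id: str, header_name: str,
                         patterns: List[str], label_id: str) -> List[str]:
    """Walk history since the last id we stored, fetch only the one header we
    need, and label matching messages. Returns the ids that were labelled.
    Skipping already-labelled messages keeps a redelivered notification idempotent."""
    labelled = []
    for record in gmail.history_list(last_history_id, "messageAdded").get("history", []):
        for added in record.get("messagesAdded", []):
            msg_id = added["message"]["id"]
            meta = gmail.message_get_metadata(msg_id, [header_name])
            if label_id in meta["labelIds"]:
                continue
            if match_header(meta["payload"]["headers"], header_name, patterns):
                gmail.message_modify(msg_id, modify_body(label_id))
                labelled.append(msg_id)
    return labelled


def demo():
    """Constructed mailbox: two new messages, one matches the watched header."""
    gmail = FakeGmail(
        messages={
            "m1": {"headers": [{"name": "List-Id", "value": "Billing alerts <billing.example.com>"},
                               {"name": "Subject", "value": "Invoice 42"}],
                   "labelIds": ["INBOX"]},
            "m2": {"headers": [{"name": "List-Id", "value": "Newsletter <news.example.org>"}],
                   "labelIds": ["INBOX"]},
        },
        history=[{"id": "101", "messagesAdded": [{"message": {"id": "m1"}}]},
                 {"id": "102", "messagesAdded": [{"message": {"id": "m2"}}]}],
    )
    # Shape of a Pub/Sub push delivery of the watch notification (constructed).
    push = {"message": {"data": base64.b64encode(
        json.dumps({"emailAddress": "user@example.com", "historyId": 102}).encode()).decode()}}
    email, newest = decode_push_notification(push)
    patterns = ["billing.example.com"]  # would be read from the Airtable/Sheet
    # List from the id we persisted last time ("100"), not from the notification's id.
    labelled = process_new_messages(gmail, "100", "List-Id", patterns, "Label_7")
    return email, newest, labelled, gmail.modify_calls


if __name__ == "__main__":
    print(demo())
```

Requesting only the header you need through `metadataHeaders` keeps what your backend ever sees to a minimum, which is the point of asking for the metadata scope in the first place; persisting the last processed historyId and listing from it (rather than trusting each notification) also means a dropped or duplicated Pub/Sub delivery is handled.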
  1.

    For anyone else running into this in the future, looks like you don't need an audit if you're only processing the emails locally / client-side and aren't sending them to a server, based on this: https://news.ycombinator.com/item?id=31420433

    It's what I was told by a member of the verification team last year (as long as everything is client-side, you can bypass the audit). Before you build anything you should request the restricted scopes in Google's Cloud Console as if the feature is already built, to kick off the verification process. Then you can ask a human for clarification (IIRC the exemption isn't mentioned in the FAQ). Assuming it's okay, you can then build the feature and resubmit your request.

    So just make sure your app is client-side and you don't have to have an audit.

  2.

    Restricted scopes in the Gmail API are a big challenge for small projects and startups. The security audit they require is very expensive.

    Will your project fit into any of their exception cases? That can help sometimes.

    1.

      Not really. The only thing I'd say is that there is quite a wide spectrum of privacy severity within the Restricted band. The "metadata" scope I'd need doesn't handle message bodies at all; I wouldn't need to.
