Quick recap if you're new here: I'm building InboxClean — a Gmail cleaner that scans your last 1,000 emails, groups them by sender, and lets you unsubscribe + trash everything in one click. Pro users get this done automatically every Monday morning.
We got our first paid user last week. Still riding that high.
But today was a different kind of day — the unglamorous, heads-down, fixing-things-that-were-quietly-broken kind.
What we fixed today
After our first paid user signed up, I decided to do a proper audit. Not a quick scan — a real, line-by-line review of every API route, every database write, every edge case.
Here's what I found (and fixed):
1. Duplicate senders in scan results
LinkedIn was showing up twice. Microacquire was showing up twice. Any sender with multiple email addresses from the same domain was being treated as separate senders.
The fix: group everything by domain, not by email address. One click now handles every email from @linkedin.com — not just one variant of it.
2. The weekly auto-clean was silently failing
The cron job was running fine. But it was using the anon Supabase key, which was blocked by Row Level Security on a new table I'd created. So the results were getting cleaned but never logged. And the report card on the dashboard was showing nothing.
Fixed by switching to the service key and disabling RLS on that table. Lesson learned: always test your writes, not just your reads.
3. Refresh tokens were being overwritten with nothing
When a user signed in, there were edge cases where a valid refresh token in the database was being overwritten with undefined. Silent data loss. This would've caused auto-clean to fail for users after their access token expired.
4. The unsubscribe route had an SSRF vulnerability
A malicious unsubscribe link could've pointed to an internal network address. Added a guard that blocks private IP ranges before hitting any unsubscribe URL.
There were 8 more — ranging from a missing null check on the Paystack auth URL to the shield route writing to the DB even when the Gmail filter creation had already failed.
Then we tested the full weekly auto-clean end-to-end
I revoked Google access, re-authenticated to get fresh tokens, then triggered the cron manually.
Result: 42 senders cleaned. 368 emails trashed. 0 errors. ~12 minutes for the whole thing.
That felt really good.
Where we are now
✅ First paid user
✅ Weekly auto-clean working end-to-end
✅ 12 bugs fixed and deployed
✅ Launching on Product Hunt this Wednesday
⏳ Still waiting on Google's OAuth verification (the scary warning screen is still there — users have to click "Advanced" → "Go to InboxClean" to proceed)
Here's where I need your help
The Google verification process is the single biggest thing hurting us right now. Every new user sees a warning screen before they can even try the product. We know it kills conversion — we just can't control the timeline.
But there are things you can help with:
1. Try it and tell me what breaks
inboxclean.email — free plan gives you 10 unsubscribes. I want to hear every friction point, every confusing moment, every thing you expected to happen that didn't.
2. If you've been through Google's CASA/OAuth verification process
I would genuinely love to talk. How long did it take? Did you use a third-party auditor? Was it worth it at an early stage?
3. Upvote us on Product Hunt this Wednesday
I'll drop the link here when it goes live. If you've ever had an inbox you were ashamed of, this one's for you.
This is still very early. But every bug fixed, every test passed, every user who sticks around — it's all pointing in the same direction.
Building in public. Thanks for following along. 🙏
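The private-address guard described in fix 4, as an added example in Node-style JavaScript that is not InboxClean's own code; the function names, the exact range list and the hostname handling are assumptions about what such a guard does, since the post only says it "blocks private IP ranges before hitting any unsubscribe URL".

```javascript
// Added example, not InboxClean's own code: a literal-address guard for outbound
// unsubscribe fetches. Function names are assumed; the post only says the guard
// "blocks private IP ranges before hitting any unsubscribe URL".

// Dotted IPv4 string -> unsigned 32-bit number, or null if not dotted IPv4.
function ipv4ToInt(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const p = m.slice(1).map(Number);
  if (p.some((x) => x > 255)) return null;
  return ((p[0] << 24) >>> 0) + (p[1] << 16) + (p[2] << 8) + p[3];
}

// Ranges an unsubscribe request must never reach: "this host", RFC 1918,
// shared CGNAT space, loopback, link-local (which covers cloud metadata endpoints).
const BLOCKED_V4 = [['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10],
  ['127.0.0.0', 8], ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.168.0.0', 16]];

function isBlockedIPv4(ip) {
  const n = ipv4ToInt(ip);
  if (n === null) return false;
  return BLOCKED_V4.some(([base, bits]) => {
    const mask = (~0 << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
  });
}

// IPv6: loopback/unspecified, fc00::/7 unique-local, fe80::/10 link-local, and
// IPv4-mapped addresses (WHATWG URL serializes ::ffff:127.0.0.1 as ::ffff:7f00:1).
function isBlockedIPv6(ip) {
  const h = ip.toLowerCase();
  if (h === '::1' || h === '::' || /^f[cd]/.test(h) || /^fe[89ab]/.test(h)) return true;
  const m = /^::ffff:([0-9a-f]{1,4}):([0-9a-f]{1,4})$/.exec(h);
  if (!m) return false;
  const hi = parseInt(m[1], 16), lo = parseInt(m[2], 16);
  return isBlockedIPv4(`${hi >> 8}.${hi & 255}.${lo >> 8}.${lo & 255}`);
}

// Decide whether a List-Unsubscribe target may be fetched at all: only http(s),
// no embedded credentials, no loopback name, no private/reserved literal address.
// This checks the literal only: a public hostname that resolves to a private
// address, or a redirect to one, must also be checked at connect time.
function validateUnsubscribeUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: 'unparseable URL' }; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return { ok: false, reason: 'scheme not allowed' };
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL' };
  const host = url.hostname.replace(/^\[|\]$/g, '');  // Node keeps [] around IPv6 literals
  if (host === 'localhost' || host.endsWith('.localhost')) return { ok: false, reason: 'loopback hostname' };
  if (isBlockedIPv4(host) || isBlockedIPv6(host)) return { ok: false, reason: 'private or reserved address' };
  return { ok: true, url: url.href };
}
```

Because the WHATWG URL parser normalizes hosts such as `http://2130706433/` and `http://127.1/` to `127.0.0.1` before the check runs, numeric obfuscations of loopback are rejected by the same range table.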
12 bugs in one day with a documented test cycle - this is what building in public looks like at its best. The habit of structured testing cadences (daily bug triage, weekly end-to-end) is something most solo teams skip until something breaks badly.
The real value isn't just fixing the bugs - it's the decision trail. Now you know exactly what state the system was in when each fix was made. That's worth more than the fixes themselves when you're debugging 3 months from now.
This is so true! There's a level of satisfactory calmness that comes with being very transparent about everything we're doing, especially given that we're in a very sensitive space, which is access to email. Even though we're only asking for permission for the least sensitive area of users' email, it's still a very sensitive area, and so being transparent about how we debug is important for everyone to see. Thank you so much for the candid comment.
Trying this — Gmail bankruptcy has hit me twice this year, and the "group by domain, not address" call in fix #1 is exactly the kind of nuance a generic cleaner misses.
On the OAuth warning screen: quick question on CASA timeline — weeks or months? Every "scan your inbox" tool hits this wall (Cleanbox, Unroll.me all did), and the call between "push verification hard now" vs "ship + verify in parallel" depends on how fast Google's actually moving for you.
Good luck Wednesday.
The group by domain is one of our most important features and, like you rightly said, other generic cleaners miss this.
CASA timeline is roughly 4-6 weeks but can be longer, which is really a pain in the ass! I honestly wish there was a way around this.
I'd very much appreciate it if you could still test out the platform, and I'm looking forward to your response 😊
4-6 weeks explains the pain — pushing hard before PH wasn't realistic.
Honest report on the test: I hit the warning screen as my first interaction. Clicked Advanced, saw "Go to InboxClean (unsafe)" — and the word "unsafe" did most of the damage. Bounced. Even knowing you're a real builder from your detailed post here.
That's actually the most useful data point I can give: a warm lead (read your full post, voluntarily came to test) still dropped at the screen wording. The CASA timeline isn't theoretical for conversion — it's costing warm leads, not just cold ones.
When verification clears, I'd guess your trial signup rate jumps significantly — not 10% better, but maybe 3-5x. Worth tracking the before/after rate when you flip.
Thanks for being honest, it's exactly the same issue we're facing with other warm leads. I honestly wish there was a way around this.
I was hoping the warning pop-up just before you sign up was going to reduce the bounce rate; well, conversion is still very low yet. The word "unsafe" scares people off just like it did for you, and that's quite unfortunate.
We keep building and looking forward to the next step with CASA still.
Thanks again
That confirms it then — the warning screen wording is the bottleneck, not the OAuth flow itself. The pre-pop-up explainer is hitting the right idea (preempt fear with context) but probably can't override Google's "unsafe" framing once that screen lands.
Keep going on CASA — the post-verification trial signup curve usually does step-change. Looking forward to seeing the launch when it clears.
Fixing that refresh token overwrite bug now is a life-saver. I've seen so many automation pipelines fail silently because of that exact edge case.
Regarding your Google OAuth/CASA verification: I'm a developer specializing in automation and I've dealt with Google’s Restricted Scopes before. If you're using sensitive scopes for Gmail, make sure your privacy policy explicitly mentions why you need 'https://www.googleapis.com/auth/gmail.modify'. Also, Google's CASA Tier 2/3 can be a bit of a maze if your backend isn't hardened (glad you fixed that SSRF vuln, that's a common flag).
Happy to give your tool a deep technical look from a backend/automation perspective if you want another pair of eyes on the API logic before your PH launch. Good luck with the verification!
Thanks a lot for the insightful comment. As regards our CASA issue, our privacy policy is airtight (we made sure of that) because as you've rightly said, Google takes that very seriously.
Although we already launched on Product Hunt, I'll be more than happy to still get feedback from a technical angle as you suggested.
Quick question, since you've dealt with CASA before, how was the experience? How long did it take to get verified? How much did it cost you? The CASA partner Google referred us to is asking for almost $1k for the Tier 2 Security Audit. This is really a pain in the ass because this almost discourages small micro saas developers like us.
CASA Tier 2 is a nightmare for micro-SaaS, and that $1k is just the tip of the iceberg if the audit fails.
Here is how I can help you fix this: Before you burn that $1k with the auditor, let me run a Technical Stress Test on your app. I’ll identify the security holes that Google usually flags, saving you weeks of back-and-forth.
Regarding Product Hunt: I’ve seen great products fail because of poor initial traction. Since I build LinkedIn & Reddit automation engines, I can help you drive 'High-Intent' tech traffic to your launch page to boost your ranking.
Drop your Product Hunt link! I’ll give you a free technical audit of the landing page and show you how we can automate your growth while you focus on the CASA mess.
I can't thank you enough! Here's the product hunt link
https://www.producthunt.com/products/inboxclean
Honestly, a part of me feels the regret of not knowing we were going to hit this kind of wall with the Google verification issues. I probably might have done something else 😅 but the fact that a user paid voluntarily despite this issue sparked something in me to just keep going. Still I can't help but keep wondering if other micro saas developers really pay for this Audit or even the competitors in this space actually paid for this.
I'd very much love to see how we can work together on the LinkedIn and Reddit automation as you rightly said. Your skill set in helping to scale this would be a life saver!
I look forward to your audit. Please be as brutal and honest as possible 😅
Hey! Thanks for sharing the background and the Product Hunt link. It takes a lot of grit to keep pushing when Google verification walls hit, so major props to you for getting that first voluntary paying user; that’s the ultimate validation!
I’m currently reviewing the details and mapping out a comprehensive, no-BS audit for InboxClean, specifically looking at how we can bypass these verification bottlenecks and scale your outreach via strategic LinkedIn and Reddit automation.
Give me a little time to dive deep into this, and I’ll get back to you with a solid technical breakdown very soon. Let's win this!
Thank you so much. I look forward to the audit.
The OAuth warning is probably not just a temporary conversion problem. For this kind of product, it hits the core trust layer.
You are asking people to connect Gmail, let the app scan old emails, unsubscribe, trash, and then run automatically every Monday. So the first impression has to feel extremely safe, polished, and serious before the user even tests the feature.
InboxClean explains the job clearly, but it also sounds like a generic utility. If the product grows beyond cleaning into trusted email automation, weekly inbox protection, and sender-level control, the brand may need to feel less like a simple cleaner and more like a reliable automation layer. Something like Beryxa .com would probably carry that direction better.
Lol bro!... Appreciate this insightful comment. You've just reiterated how important it is and I know too.
The OAuth thing though... yeah, we know. It's not a small thing and we're not treating it like one. We're in the middle of Google's verification right now and honestly it's just painfully slow, the CASA process takes like about 4 weeks and the fees are no joke. But we're going through it the right way, no shortcuts.
The awkward part is people are signing up while we're still in that gap, although very few 😩. I get it, it feels weird asking for Gmail access with that warning sitting there. I just wish there were a better verification method. All we can say is we're on it and it won't be there forever.
On the Beryxa idea; interesting thought but we're staying in our lane with what InboxClean is built to do, so that's not really a direction we're heading.
Anyway, you still haven't come back on that other post! Go test it and report back, I'm waiting. I'm guessing it's still because we're still where we are currently 😂
Fair enough, that makes sense.
If InboxClean is intentionally staying focused on the cleaning/unsubscribe lane, then the name does its job clearly.
The bigger issue is definitely the trust sequence before the product experience. The OAuth warning is not just friction. It changes how people interpret everything after it.
Once CASA/Google verification is done, I’d make that trust work visible immediately:
verified Gmail access
clear explanation of what is scanned
what can be deleted
what never happens automatically
how users stay in control
For this product, the first screen has to reduce fear before it sells convenience.
And yes, I’ll test it properly once that warning is gone. Right now I think the warning would bias the whole experience too much.
This is actually really helpful, like genuinely. The way you broke that down is exactly how we need to be thinking about it.
The trust sequence point hits different when you say it like that. It's not just a warning, it reframes everything the user sees after. That's the part we need to get right and you've basically just handed us the blueprint for the first screen.
We're already noting all of that, the verified badge, what gets scanned, what never touches automatically, keeping the user in control throughout. It should all be upfront, not buried.
And fair enough on waiting till the warning is gone. Honestly that's the right call. We'd rather you test it clean than have the experience tainted before you even get in. We'll ping you once verification comes through.
Appreciate you sticking with the conversation though 👏
That makes sense.
If InboxClean is staying focused on cleaning and unsubscribe control, then the trust layer is probably where most of the conversion lift will come from.
The main thing I’d keep tight is the order.
Before users care about “clean my inbox,” they need to feel:
this is verified
this is limited
this is reversible
this will not silently damage my email
That sequence should probably show up before any big productivity promise.
Once the Google/CASA verification is through, the product will get a much cleaner test because users won’t be judging it through fear first.
Happy to test it then and give a sharper read on where the trust flow still leaks.
Waiting till Google successfully approves us seems like an unproductive time. I just implemented a pop-up message telling users about this when they try to sign in. This might not necessarily solve the issue, but at least users are aware of it before Google unexpectedly shows them the warning, and hence might be more inclined to go ahead and sign in. What do you think? You can check out the website, try to sign in, and see what I mean.
That popup is a good short-term move, but I’d be careful thinking the warning is the only trust problem.
Even after Google verification, users are still being asked to give access to one of their most sensitive accounts: Gmail.
That means the product has to feel trusted before the OAuth screen, not just explain the warning better.
This is where the brand layer matters more than it seems.
InboxClean is clear, but it sounds like a simple utility. The actual trust requirement is much heavier: email access, scanning, unsubscribe actions, trash decisions, weekly automation, and user control.
That gap may keep showing up even after verification.
If the long-term product is trusted inbox automation, not just “clean my inbox,” I would seriously pressure-test whether InboxClean carries enough trust for that.
That is why Beryxa.com came to mind. It feels more like a serious trust-led automation brand than a generic cleaner name.
I’m not saying rename just for style. But if trust is the main conversion wall, the name may be part of that wall too.
Hmmm. From my experience, simplicity is always the best approach to building things, and it is on that foundation I built InboxClean. Just doing one thing and doing it well seems to be the best approach. I'd honestly love to hear what others think too.
That being said, how do you think we can build this trust? What suggestions or approach do you think I can take to get people to trust us?
That is the right instinct. I would keep the product simple.
The real work is not adding more features. It is making the trust sequence clear enough that users feel safe before they hit the OAuth screen.
Since this is a sensitive product category, I can help in a more focused way if useful.
I do short naming/positioning/trust-flow audits for early products: current name perception, trust leaks before signup, domain/brand risk, first-screen framing, and what the product needs to say before users give access to something sensitive like Gmail.
For InboxClean, the audit would focus specifically on how to make the product feel safe, limited, reversible, and user-controlled before Google’s OAuth flow.
Not a long consulting thing. Just a sharp written breakdown with practical recommendations you can apply to the landing page, popup, and signup flow.
I’m doing a few of these at $99 while refining the format. If useful, I can review InboxClean and give you a clear outside read before more users hit the current flow.
We launched on Product Hunt this morning! Would be very grateful if you could check us out there and support us.
https://www.producthunt.com/products/inboxclean?utm_source=other&utm_medium=social