Join
2
4 Comments

We fixed 12 bugs in one day, tested the weekly auto-clean end-to-end, and here's what we learned (+ we need your help)

by Tobi Ogunwande

Quick recap if you're new here: I'm building InboxClean — a Gmail cleaner that scans your last 1,000 emails, groups them by sender, and lets you unsubscribe + trash everything in one click. Pro users get this done automatically every Monday morning.

We got our first paid user last week. Still riding that high.

But today was a different kind of day — the unglamorous, heads-down, fixing-things-that-were-quietly-broken kind.

What we fixed today

After our first paid user signed up, I decided to do a proper audit. Not a quick scan — a real, line-by-line review of every API route, every database write, every edge case.

Here's what I found (and fixed):

1. Duplicate senders in scan results
LinkedIn was showing up twice. Microacquire was showing up twice. Any sender with multiple email addresses from the same domain was being treated as separate senders.

The fix: group everything by domain, not by email address. One click now handles every email from @linkedin.com — not just one variant of it.

2. The weekly auto-clean was silently failing
The cron job was running fine. But it was using the anon Supabase key, which was blocked by Row Level Security on a new table I'd created. So the results were getting cleaned but never logged. And the report card on the dashboard was showing nothing.

Fixed by switching to the service key and disabling RLS on that table. Lesson learned: always test your writes, not just your reads.

3. Refresh tokens were being overwritten with nothing
When a user signed in, there were edge cases where a valid refresh token in the database was being overwritten with undefined. Silent data loss. This would've caused auto-clean to fail for users after their access token expired.

4. The unsubscribe route had an SSRF vulnerability
A malicious unsubscribe link could've pointed to an internal network address. Added a guard that blocks private IP ranges before hitting any unsubscribe URL.

There were 8 more — ranging from a missing null check on the Paystack auth URL to the shield route writing to the DB even when the Gmail filter creation had already failed.

Then we tested the full weekly auto-clean end-to-end

I revoked Google access, re-authenticated to get fresh tokens, then triggered the cron manually.

Result: 42 senders cleaned. 368 emails trashed. 0 errors. ~12 minutes for the whole thing.

That felt really good.

Where we are now

✅ First paid user
✅ Weekly auto-clean working end-to-end
✅ 12 bugs fixed and deployed
✅ Launching on Product Hunt this Wednesday
⏳ Still waiting on Google's OAuth verification (the scary warning
screen is still there — users have to click "Advanced" →
"Go to InboxClean" to proceed)

Here's where I need your help
The Google verification process is the single biggest thing hurting us right now. Every new user sees a warning screen before they can even try the product. We know it kills conversion — we just can't control the timeline.

But there are things you can help with:

1. Try it and tell me what breaks
inboxclean.email — free plan gives you 10 unsubscribes. I want to hear every friction point, every confusing moment, every thing you expected to happen that didn't.

2. If you've been through Google's CASA/OAuth verification process
I would genuinely love to talk. How long did it take? Did you use a third-party auditor? Was it worth it at an early stage?

3. Upvote us on Product Hunt this Wednesday
I'll drop the link here when it goes live. If you've ever had an inbox you were ashamed of, this one's for you.

This is still very early. But every bug fixed, every test passed, every user who sticks around — it's all pointing in the same direction.

Building in public. Thanks for following along. 🙏

Avatar for Tobi Ogunwande Tobi Ogunwande
posted to Icon for group Building in Public
Building in Public
 on May 13, 2026
Say something nice to tobby123…
Post Comment
  1. 1

    The OAuth warning is probably not just a temporary conversion problem. For this kind of product, it hits the core trust layer.

    You are asking people to connect Gmail, let the app scan old emails, unsubscribe, trash, and then run automatically every Monday. So the first impression has to feel extremely safe, polished, and serious before the user even tests the feature.

    InboxClean explains the job clearly, but it also sounds like a generic utility. If the product grows beyond cleaning into trusted email automation, weekly inbox protection, and sender-level control, the brand may need to feel less like a simple cleaner and more like a reliable automation layer. Something like Beryxa .com would probably carry that direction better.

    User Avatar aryan_sinh
    ·
    19 hours ago
    ·
    Reply
    1. 1

      Lol bro!... Appreciate this insightful comment. You've just reiterated how important it is and I know too.

      The OAuth thing though... yeah, we know. It's not a small thing and we're not treating it like one. We're in the middle of Google's verification right now and honestly it's just painfully slow, the CASA process takes like about 4 weeks and the fees are no joke. But we're going through it the right way, no shortcuts.

      The awkward part is people are signing up while we're still in that gap although very low 😩. I get it, it feels weird asking for Gmail access with that warning sitting there. I just wish there is a better verification method. All we can say is we're on it and it won't be there forever.

      On the Beryxa idea; interesting thought but we're staying in our lane with what InboxClean is built to do, so that's not really a direction we're heading.

      Anyway, you still haven't come back on that other post! Go test it and report back, I'm waiting. I'm guessing it's still because we're still where we are currently 😂

      Avatar for Tobi Ogunwande tobby123
      ·
      12 hours ago
      ·
      Reply
      1. 1

        Fair enough, that makes sense.

        If InboxClean is intentionally staying focused on the cleaning/unsubscribe lane, then the name does its job clearly.

        The bigger issue is definitely the trust sequence before the product experience. The OAuth warning is not just friction. It changes how people interpret everything after it.

        Once CASA/Google verification is done, I’d make that trust work visible immediately:

        verified Gmail access
        clear explanation of what is scanned
        what can be deleted
        what never happens automatically
        how users stay in control

        For this product, the first screen has to reduce fear before it sells convenience.

        And yes, I’ll test it properly once that warning is gone. Right now I think the warning would bias the whole experience too much.

        User Avatar aryan_sinh
        ·
        4 hours ago
        ·
        Reply
  2. 1

    we launched on Product Hunt this morning! Would be very grateful if you could check us out there and support us.

    https://www.producthunt.com/products/inboxclean?utm_source=other&utm_medium=social

    Avatar for Tobi Ogunwande tobby123
    ·
    a day ago
    ·
    Reply
Trending on Indie Hackers
I've been building for months and made $0. Here's the honest psychological reason — and it's not what I expected. User Avatar 177 comments 7 years in agency, 200+ B2B campaigns, now building Outbound Glow User Avatar 79 comments This system tells you what’s working in your startup — every week User Avatar 53 comments 11 Weeks Ago I Had 0 Users. Now VIDI Has Reviewed $10M+ in Contracts - and I’m Opening a Small SAFE Round User Avatar 46 comments The "Book a Demo" Button Was Killing My Pipeline. Here's What I Replaced It With. User Avatar 39 comments I built a desktop app to move files between cloud providers without subscriptions or CLI User Avatar 24 comments