Gmail API access approved by Google

This was the main roadblock towards launching DetoxBox. Without this approval, Google displayed a big scary screen that my application wasn't safe to use. I guess nobody would be willing to use it.

I need Gmail API access because I search for "unsubscribe" to detect emails from mailing lists. Other tools that I know of require you to enable IMAP in your Gmail account. I assume they asked for your password then, but I didn't go that far. I didn't want to change any settings, and I'm sure nobody would want to have a 3rd party server to download your emails. I promise my users that their emails never leave their browsers, and I don't even have a backend to get any of their data.

  1. 2

    Well done! We still haven't made it. But we just let people sign up and explain why there is a scary warning. Isn't it super expensive? We've got a quote to get approved that was around 20k USD!

    1. 1

      I would have to pay crazy money if I sent the data to my backend. It would totally crash the whole idea. IMO people are much more conscious about their privacy these days (hence all these privacy-focused Google Analytics competitors).

      So my selling point is that I don't send their data anywhere. In fact, I don't even have a backend (which gives me a very strange feeling, since I was originally a backend dev). Hence, I don't have to pass the 3rd party security review.

      1. 1

        I'm close to having to go through the approval/audit process. I use a few "restricted scopes" for accessing Gmail data. I'm still not sure if I have to do the $15k+ audit though because (1) I have a Firestore database for my app, BUT (2) I don't store any Gmail data in it, only data to do with my app. I'm curious if any of you folks who are further along think I would still need to do the security audit? If you're not sure, at what point do you find out from Google? Do you have to publish the add-on and only then can you start that conversation with Google, or can I talk to someone prematurely?

        1. 1

          This is what they say:
          if the app accesses or has the capability to access Google user data from or through a server, the system must undergo an independent, third-party security assessment.

          In my case, they didn't require the audit because I don't use a server, and I explicitly wrote them about it in one of the first emails. So, it doesn't matter if you use a database or not, only matters if you access the API from the client or the server. Because they can look at your client and see that you're OK, but they can't look at your server, so you'll have to perform an audit.

          And yes, it makes sense to publish your app first and make sure you already have this functionality that uses the API, plus you should record a video to demonstrate how you use it. They will try it themselves, so you better tell them the details. In my case, the user has to have at least one email with an "unsubscribe" link, I had to tell them about it.

          1. 1

            Thanks so much, this is really helpful. I'm more optimistic about my situation now. However, our situations might be a little different because you've built a Chrome Extension and I'm building a Google Sheets add-on. I only access Gmail data via Google Apps Script, which doesn't run on my own server -- I believe Google would always have access to my add-on's code, just not my database; and again, I'm not storing any Gmail data in my database. Based on this, do you think I'm safe from the security audit? Google's documentation is very unclear and I haven't found much 3rd party info on this -- I appreciate the insight!!

            1. 1

              I'm afraid I don't know because add-ons are different and I haven't really looked into it. I even thought they had their own set of APIs or something like that. So I think my experience doesn't apply to your case.
