Google verification and security assessment guide
The Google verification and security assessment processes can take several weeks or longer.
If your application accesses Google user data with Google APIs and requests certain scopes, you might have to complete a Google verification process and a separate security assessment process. Which process or processes you need to complete depends on whether your app requests sensitive scopes or restricted scopes.
Scope type | Required processes | Google's policy and requirements |
---|---|---|
Sensitive | Google verification | Your app must follow Google’s API Services User Data Policy |
Restricted | Both Google verification and security assessment | Your app must follow Google’s API Services User Data Policy and meet Additional Requirements for Specific Scopes. |
- If your app requests one or more sensitive scopes and doesn't meet any of the criteria for an exception, you need to complete a Google verification process.
- If your app requests one or more restricted scopes and doesn't meet any of the criteria for an exception, you need to complete both Google verification and security assessment processes. For the security assessment process, Google will assign either Tier 2 or Tier 3 to your app and provide instructions and tools to complete the assessment.
For more information, see Google's OAuth API verification FAQs.
Scopes
The following are the Google scopes that Nylas projects use:
Scope type | Scope | Description | Verification | Security assessment |
---|---|---|---|---|
Sensitive | gmail.send | Send messages only. No read or modify privileges on mailbox. | Yes | No |
Sensitive | calendar | See, edit, share, and permanently delete all the calendars you can access using Google Calendar. | Yes | No |
Sensitive | calendar.readonly | See and download any calendar you can access using your Google Calendar. | Yes | No |
Sensitive | contacts | See, edit, download, and permanently delete your contacts. | Yes | No |
Sensitive | contacts.readonly | See and download your contacts. | Yes | No |
Restricted | gmail.readonly | Read all resources and their metadata—no write operations. | Yes | Yes |
Restricted | gmail.modify | Have all read/write operations except immediate, permanent deletion of threads and messages, bypassing Trash. | Yes | Yes |
Restricted | gmail.compose | Create, read, update, and delete drafts. Send messages and drafts. | Yes | Yes |
Restricted | gmail.metadata | Read resources metadata including labels, history records, and email message headers, but not the message body or attachments. | Yes | Yes |
Nylas projects also use the gmail.labels scope, which is neither sensitive nor restricted and requires no Google verification or security assessment. The gmail.labels scope enables apps to create, read, update, and delete labels.
Exceptions to verification and security assessment
- Apps that are not shared with anyone else or that access fewer than 100 Gmail accounts
- Apps that are set to "Testing" and not "In production"
- Apps that are configured to work only with internal Google accounts within your organization
- Apps that have been allowed by Google Workspace admins
For more information, see Google's OAuth API verification FAQs.
Google OAuth verification guide
The Google verification and security assessment processes can be daunting, but our Google OAuth verification guide can help you understand what needs to be done and provide step-by-step instructions on how to do it.