# Google verification and security assessment guide

Source: https://developer.nylas.com/docs/provider-guides/google/google-verification-security-assessment-guide/

> **Info:** 
> **Alternative: skip Google's verification with the [Nylas Shared GCP App](/docs/provider-guides/google/shared-gcp-app/).** Your users authenticate through a Nylas-owned, pre-verified GCP project, so you skip GCP setup, OAuth verification, and the CASA assessment entirely. The Shared GCP App is an add-on for Nylas Contract plans — reach out to your Account Manager or [contact the Nylas Sales team](https://www.nylas.com/contact-sales/) to add it to your contract.


Google APIs use the [OAuth 2.0 protocol](https://datatracker.ietf.org/doc/html/rfc6749) for user permissions and consent. If your application accesses Google user data with Google APIs, you might have to take additional steps to comply with Google’s OAuth 2.0 policies and complete the verification process before you publish your application.

In this guide, you’ll learn about the Sign in with Google branding guidelines and Google OAuth verification.

> **Info:** 
> **Preparing for Google's OAuth audit?** A Nylas [Professional Services](/docs/support/professional-services/#google-verification-review) verification review checks your production environment and YouTube demo video against what Google reviewers look for, so you can pass on the first attempt.

## Sign in with Google branding guidelines

To complete the brand verification process, your application must include a "Sign in with Google" button that meets [Google's branding guidelines](https://developers.google.com/identity/branding-guidelines). This applies to the OAuth flow for both personal Gmail (`@gmail.com`) and Workspace email addresses.


For Hosted authentication, Nylas recommends you do one of the following:

- Configure the OAuth login prompt by setting the `prompt` parameter with `select_provider` or `detect,select_provider`. For more information, see [Configuring the OAuth login prompt](/docs/v3/auth/customize-login-prompt/).
  - If you add a `login_hint` that's a personal Gmail or Workspace email address and you don't configure a `prompt` during the Hosted auth flow, the user is immediately directed to the Google OAuth screen, without clicking the "Sign in with Google" button. This can result in delays or failure in verification.
- Use the pre-approved "Sign in with Google" button with the “Connect your account” button or other provider login buttons in your application. For more information, see Google's official [Sign in with Google branding guidelines](https://developers.google.com/identity/branding-guidelines).

For Bring Your Own Authentication, use the pre-approved "Sign in with Google" button with the “Connect your account” button or other provider login buttons in your application.
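The following is an added example (not Nylas' own code) of how a backend can enforce the rule above when it builds a Hosted authentication URL: a `login_hint` is only allowed together with a `prompt` of `select_provider` or `detect,select_provider`, so Google users always pass through the provider-selection screen and its "Sign in with Google" button. The `prompt` values and the `login_hint` parameter are from this page; the endpoint path `/v3/connect/auth` and the parameter names `client_id`, `redirect_uri`, `response_type` and `state` are assumptions to check against the Nylas API reference.

```python
"""Build a Nylas Hosted Authentication URL that keeps the "Sign in with
Google" button in the flow.

Added example, not Nylas' own code. Assumed (not stated on this page): the
endpoint path ``/v3/connect/auth`` and the parameter names ``client_id``,
``redirect_uri``, ``response_type`` and ``state``. The ``prompt`` values and
the ``login_hint`` parameter are the ones named in the guide.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed endpoint; confirm the path and region host in the Nylas API reference.
HOSTED_AUTH_ENDPOINT = "https://api.us.nylas.com/v3/connect/auth"

# prompt values from the guide that keep the provider-selection screen (and
# therefore the "Sign in with Google" button) in front of the user.
BUTTON_PROMPTS = {"select_provider", "detect,select_provider"}


class BrandingRiskError(ValueError):
    """Raised when a request would send the user past the branded button."""


def build_hosted_auth_url(client_id, redirect_uri, login_hint=None,
                          prompt=None, state=None):
    """Return (url, state) for Hosted auth.

    A login_hint without one of BUTTON_PROMPTS drops a Google user straight
    onto the Google OAuth screen, which is the verification failure the guide
    warns about, so that combination is refused rather than silently sent.
    """
    if login_hint and prompt not in BUTTON_PROMPTS:
        raise BrandingRiskError(
            "login_hint requires prompt=select_provider or "
            "prompt=detect,select_provider; otherwise the Sign in with "
            "Google button is skipped"
        )
    if prompt is not None and prompt not in BUTTON_PROMPTS:
        raise ValueError(f"unsupported prompt value: {prompt!r}")

    # state is the standard OAuth 2.0 CSRF token; mint one if the caller did not.
    state = state or secrets.token_urlsafe(32)
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "state": state,
    }
    if prompt:
        params["prompt"] = prompt
    if login_hint:
        params["login_hint"] = login_hint
    return f"{HOSTED_AUTH_ENDPOINT}?{urlencode(params)}", state


def bypasses_button(url):
    """Audit an already-built auth URL (for example from application logs).

    Returns True when the URL carries a login_hint but no button-preserving
    prompt, i.e. when it would skip the "Sign in with Google" button.
    """
    query = parse_qs(urlparse(url).query)
    has_hint = bool(query.get("login_hint"))
    prompt = query.get("prompt", [None])[0]
    return has_hint and prompt not in BUTTON_PROMPTS


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    url, _ = build_hosted_auth_url(
        "example-client-id", "https://app.example.test/oauth/callback",
        login_hint="someone@gmail.com", prompt="detect,select_provider",
    )
    print(url)
    print("bypasses button:", bypasses_button(url))
```

`bypasses_button` is useful as a pre-submission check: run it over the auth URLs your application actually emits before recording the demo video, since a single `login_hint`-only link in the flow is enough for reviewers to never see the button.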


## Google OAuth verification

> **Warn:** 
> **The Google verification and security assessment processes can take several weeks or longer**. Be sure to plan your development timeline around this.


If your application accesses Google user data with the Google APIs and requests certain scopes, you might have to complete the Google verification process and a separate security assessment process. The processes that you need to complete depend on whether your application requests [_sensitive_ or _restricted_ scopes](/docs/provider-guides/google/google-verification-security-assessment-guide/#google-scopes).

| Scope type | Required processes                          | Google policy and requirements                                                                                                                                                                                                                                                                                      |
| ---------- | ------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Sensitive  | Google verification                         | Your application must follow [Google’s API Services User Data Policy](https://developers.google.com/terms/api-services-user-data-policy).                                                                                                                                                                           |
| Restricted | Google verification and security assessment | Your application must follow [Google’s API Services User Data Policy](https://developers.google.com/terms/api-services-user-data-policy) and meet [additional requirements for specific scopes](https://developers.google.com/terms/api-services-user-data-policy#additional_requirements_for_specific_api_scopes). |


- If your app requests one or more sensitive scopes and doesn't meet any of the criteria for an [exception](#exceptions-to-verification-and-security-assessment), you need to complete a **Google verification** process.
- If your app requests one or more restricted scopes and doesn't meet any of the criteria for an [exception](#exceptions-to-verification-and-security-assessment), you need to complete **both Google verification and security assessment** processes. For the security assessment process, Google will assign either Tier 2 or Tier 3 to your app and provide instructions and tools to complete the assessment.

For more information, see [Google's OAuth API verification FAQs](https://support.google.com/cloud/answer/13463817#Verification_Process).

### Google scopes

The following are the Google scopes that Nylas projects use:

| Scope type | Scope                      | Description                                                                                              | Verification | Security assessment |
| ---------- | -------------------------- | -------------------------------------------------------------------------------------------------------- | ------------ | ------------------- |
| Sensitive  | `gmail.send`               | Send messages only. No read or modify privileges on mailbox.                                             | ☑️           | —                   |
| Sensitive  | `calendar`                 | See, edit, share, and permanently delete all calendars you can access using Google Calendar.             | ☑️           | —                   |
| Sensitive  | `calendar.readonly`        | See and download any calendar you can access using Google Calendar.                                      | ☑️           | —                   |
| Sensitive  | `calendar.events`          | See and edit events on all your calendars.                                                               | ☑️           | —                   |
| Sensitive  | `calendar.events.readonly` | See events on all your calendars.                                                                        | ☑️           | —                   |
| Sensitive  | `contacts`                 | See, edit, download, and permanently delete your contacts.                                               | ☑️           | —                   |
| Sensitive  | `contacts.readonly`        | See and download your contacts.                                                                          | ☑️           | —                   |
| Sensitive  | `contacts.other.readonly`  | See and download contacts that are saved in your "Other Contacts".                                       | ☑️           | —                   |
| Sensitive  | `directory.readonly`       | See and download your organization's Google Workspace directory.                                         | ☑️           | —                   |
| Restricted | `gmail.readonly`           | Read all resources and their metadata. No write operations.                                              | ☑️           | ☑️                  |
| Restricted | `gmail.modify`             | All read/write operations except immediate, permanent deletion of threads and messages, bypassing Trash. | ☑️           | ☑️                  |
| Restricted | `gmail.compose`            | Create, read, update, and delete drafts. Send messages and drafts.                                       | ☑️           | ☑️                  |

Nylas projects also use the `gmail.labels` scope, which is neither sensitive nor restricted and requires no Google verification or security assessment. The `gmail.labels` scope allows apps to create, read, update, and delete labels.

### Exceptions to verification and security assessment

- Apps that are not shared with anyone else or that access fewer than 100 Gmail accounts
- Apps that are set to "Testing" and not "In production"
- Apps that are configured to work only with internal Google accounts within your organization
- Apps that have been allowed by Google Workspace admins

For more information, see [Google's OAuth API verification FAQs](https://support.google.com/cloud/answer/13463817#Verification_Process).

## Google OAuth verification guide

The Google verification and security assessment processes can be daunting, but our Google OAuth verification guide can help you understand what needs to be done and provide step-by-step instructions on how to do it.

[Google OAuth Verification Guide](https://docs.google.com/presentation/d/e/2PACX-1vQiiiJU3AlNlFoCFH8tBdcN_nDr7bq2XTW7ThhPQbgh_fQQAQt4LZNcK-YQXkGxFKzWhFsSQwTQamBQ/pub?start=false&loop=false&delayms=3000) (Google Slides presentation)