Google requires applications that access Gmail with restricted scopes to complete an OAuth verification and CASA security assessment before going to production. This process can take several weeks, and for many teams it becomes the single biggest delay in shipping a Nylas integration.
The Nylas Shared GCP App removes that bottleneck. Nylas maintains a fully verified Google Cloud Platform project that has already passed Google’s Tier 3 CASA assessment. When you enable it, your users authenticate through Nylas’ verified OAuth application instead of one you build and verify yourself.
Why use the Shared GCP App
Skip the CASA security assessment
If your application uses restricted Gmail scopes like gmail.modify or gmail.compose, Google requires a CASA (Cloud Application Security Assessment) before you can go to production. This is a Tier 2 or Tier 3 security audit conducted by a Google-authorized third-party assessor, and the process involves:
- Hiring an authorized assessor to audit your application’s security controls
- Remediating any findings before Google approves your application
- Repeating the assessment annually to maintain your verified status
The Nylas Shared GCP App has already completed the most rigorous Tier 3 CASA assessment. Nylas handles every annual re-assessment going forward, so your team never has to engage a security assessor, prepare for an audit, or track renewal deadlines.
Skip Google OAuth verification
Even without restricted scopes, Google requires OAuth verification for any application using sensitive scopes (like calendar or contacts). This includes preparing a demo video, configuring branding requirements, and waiting for Google to review your submission. The verification process alone can take several weeks.
The Shared GCP App is already fully verified for all Google scopes that Nylas supports. You skip the entire process.
Go to production faster
With the Shared GCP App, you can go live with Google authentication the same day you enable it. There is no GCP project to create, no APIs to enable, no OAuth consent screen to configure, and no verification to wait for.
Reduce ongoing maintenance
Owning a GCP project means managing OAuth credentials, monitoring Google’s policy changes, and maintaining your verified status year over year. The Shared GCP App offloads all of this to Nylas.
If you need whitelabeled OAuth (your company name on the consent screen instead of “Nylas”) or credential isolation for compliance, you should create your own Google auth app instead.
Before you begin
The Shared GCP App is available on Contract plans. It is not available on Sandbox or pay-as-you-go plans. To get access, reach out to your Account Manager or contact the Nylas Sales team. Once your contract includes the Shared GCP App, Nylas enables the feature for your organization.
After it is enabled, it can take a few minutes before the option appears in your Nylas Dashboard.
Enable the Shared GCP App on a connector
If you already have users authenticated through your own GCP project, enabling the Shared GCP App means those users will need to re-authenticate. Make sure you have a re-authentication flow in your application before you enable this. See Migrate existing users to the Shared GCP App for details.
Once the feature is enabled for your organization, you can turn it on when you create or edit a Google connector in the Nylas Dashboard.
- Log in to the Nylas Dashboard.
- Select the application where you want to use the Shared GCP App. The application can be any environment type (Development, Staging, or Production).
- Navigate to Connectors and either create a new Google connector or edit your existing one.
- In the Google connector settings, you will see a toggle to use the Nylas Google OAuth Credentials. The toggle appears greyed out by default.
- Click the toggle to enable it, then click Save.
The following video walks through the steps to enable the Shared GCP App in the Nylas Dashboard:
The toggle may look greyed out even after the feature is enabled for your organization. This is the default “off” state. Click the toggle to switch it on, then save your connector settings.
After you save, Nylas configures the Google connector to use the Shared GCP App credentials. Your users will see “Nylas” on the OAuth consent screen when they authenticate.
Select your Google scopes
When using the Shared GCP App, you still choose which Google scopes your application requests. Select only the scopes your application actually needs.
Use parent scopes when possible. For example, selecting the calendar parent scope covers both read and write access, so you don’t need to also select calendar.readonly. Using parent scopes simplifies the consent screen and reduces the number of permissions your users have to review and approve.
For the full list of available scopes, see Google authentication scopes.
How it works
When you enable the Shared GCP App, Nylas configures your Google connector to use credentials from a Nylas-owned, Nylas-verified Google Cloud Platform project. Here’s what that means:
| Component | Who owns it |
|---|---|
| Google Cloud Platform project | Nylas |
| OAuth consent screen and branding | Nylas |
| OAuth client ID and client secret | Nylas |
| Google verification and CASA assessment | Nylas (already completed) |
| Token storage and refresh | Nylas |
| Scope selection | You (in the Nylas Dashboard) |
| API integration and data access | You (through the Nylas APIs) |
Your users go through a standard OAuth flow. The only visible difference is that the consent screen shows “Nylas” as the application name rather than your own branding.
Migrate existing users to the Shared GCP App
If you already have users authenticated through your own Google Cloud Platform project and you switch to the Shared GCP App, those users need to re-authenticate. Nylas cannot automatically migrate OAuth tokens between different GCP projects because the tokens are tied to the specific OAuth client that issued them.
To migrate your users:
- Enable the Shared GCP App on your Google connector (see above).
- Prompt your users to re-authenticate when they next access your application. This connects them to the Shared GCP App.
- After re-authentication, Nylas issues new grant IDs for the migrated users. Update your application to use the new grant IDs.
Your existing API calls remain the same once the new authentication is in place. The only change is the grant IDs associated with each user.
You don’t have to migrate all users at once. You can use multiple provider applications to run your own GCP credentials alongside the Shared GCP App. This lets you migrate users gradually while keeping both configurations active.
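A sketch of the grant ID swap described above, as an added example that is not Nylas code: it tracks which users still hold a grant from your own GCP project and records the new grant ID after each re-authentication, so both configurations can stay active during a gradual migration. The connector labels, class names and grant IDs are hypothetical, and no Nylas API is called.

```python
from dataclasses import dataclass, field

OWN_GCP, SHARED_GCP = "own-gcp", "nylas-shared-gcp"  # hypothetical connector labels


@dataclass
class UserGrant:
    user_id: str
    grant_id: str
    connector: str = OWN_GCP
    retired: list = field(default_factory=list)  # old grant IDs kept for audit/cleanup


class GrantMigration:
    """Tracks which users still use a grant issued through the old GCP project."""

    def __init__(self, users):
        self.users = {u.user_id: u for u in users}

    def pending(self):
        """Users who must still be prompted to re-authenticate."""
        return sorted(u.user_id for u in self.users.values() if u.connector != SHARED_GCP)

    def complete_reauth(self, user_id, new_grant_id):
        """Swap in the grant ID issued after re-authentication."""
        user = self.users.get(user_id)
        if user is None:
            raise KeyError(f"unknown user {user_id!r}")
        if not new_grant_id:
            raise ValueError("re-authentication returned no grant ID")
        if new_grant_id == user.grant_id:
            return user  # replayed callback: nothing to change
        # A grant ID must map to exactly one user and never revive a retired grant.
        owners = [u.user_id for u in self.users.values()
                  if new_grant_id == u.grant_id or new_grant_id in u.retired]
        if owners:
            raise ValueError(f"grant {new_grant_id!r} already recorded for {owners}")
        user.retired.append(user.grant_id)
        user.grant_id, user.connector = new_grant_id, SHARED_GCP
        return user


def demo():
    # Constructed sample records; the grant IDs are placeholders.
    m = GrantMigration([UserGrant("alice", "grant-old-a"), UserGrant("bob", "grant-old-b")])
    m.complete_reauth("alice", "grant-new-a")
    m.complete_reauth("alice", "grant-new-a")  # duplicate callback is a no-op
    return m
```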
Switch to your own GCP project later
You can switch from the Shared GCP App to your own Google Cloud Platform project at any time. Create your own Google auth app, then update your connector with your own credentials using the Connector Credentials API. Your existing grants continue to work, and users are migrated to the new credentials when they next re-authenticate.
What’s next
- Google authentication scopes - Review available scopes for your application
- Using multiple provider applications - Use your own GCP credentials alongside the Shared GCP App
- Google verification and security assessment guide - Understand what the Shared GCP App replaces