ND003

Reputation: 802

GMAIL API - Does it support access using service accounts and a single access token

Does the Gmail API support service accounts?

I have tried using the service accounts to get access tokens, however when using that access token, I get a "failed precondition" error.

On searching, I found that this error is because the service account does not have a Gmail mailbox, so I should be using the "sub" field in the JWT with a user in the domain.

However, when using the sub field and authorizing the service account for Gmail scopes, I do not get an access token. It says "Invalid grant, bad request".

Any help would be appreciated.


Update: I have managed to get the Token when using the sub field and using the token to make requests.

However, I cannot use one token to access data for all the users. Delegating domain-wide access would mean to me that I can get one token and access all the users' data.

Currently, I need to use the service account and each user in the sub field to get access tokens for each user separately.

Upvotes: 0

Views: 252

Answers (1)

Eric D

Reputation: 7159

You just need to make the single auth call with sub= for each user you want to access to get the token before you call the Gmail API for a different user. That is how oauth2 domain-wide delegation works: https://developers.google.com/identity/protocols/OAuth2ServiceAccount

The "one token can access all users in the domain" is a horrible security practice that most Google APIs are phasing out (imagine if that token gets phished!).

Upvotes: 1
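
The per-user flow this answer describes, as an added example that is not part of the original post or of Google's client library: one JWT assertion per `sub`, exchanged for a short-lived token that is cached only for that user. `sign` and `exchange` are hypothetical injected callables (RS256 signing with the service account key, and the POST to the token endpoint); the class and function names are illustrative.

```python
import base64
import json
import time

TOKEN_URI = "https://oauth2.googleapis.com/token"
GRANT_TYPE = "urn:ietf:params:oauth:grant-type:jwt-bearer"
SCOPE = "https://www.googleapis.com/auth/gmail.readonly"


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def build_claims(sa_email: str, user_email: str, now: int, lifetime: int = 3600) -> dict:
    # "sub" names the one mailbox this assertion may impersonate.
    return {"iss": sa_email, "sub": user_email, "scope": SCOPE,
            "aud": TOKEN_URI, "iat": now, "exp": now + lifetime}


class PerUserTokens:
    """Mints and caches one short-lived access token per impersonated user."""

    def __init__(self, sa_email, sign, exchange, clock=time.time):
        self.sa_email = sa_email
        self.sign = sign          # assumption: bytes -> RS256 signature bytes
        self.exchange = exchange  # assumption: POSTs the form to TOKEN_URI, returns the JSON dict
        self.clock = clock
        self._cache = {}          # user_email -> (access_token, expiry)

    def token_for(self, user_email: str) -> str:
        now = int(self.clock())
        cached = self._cache.get(user_email)
        if cached and cached[1] - 60 > now:   # reuse until 60 s before expiry
            return cached[0]
        header = b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
        body = b64url(json.dumps(build_claims(self.sa_email, user_email, now)).encode())
        unsigned = f"{header}.{body}"
        assertion = f"{unsigned}.{b64url(self.sign(unsigned.encode()))}"
        reply = self.exchange({"grant_type": GRANT_TYPE, "assertion": assertion})
        self._cache[user_email] = (reply["access_token"], now + int(reply["expires_in"]))
        return reply["access_token"]
```

Because the cache is keyed by user, a leaked token exposes one mailbox for at most its remaining lifetime rather than the whole domain.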
