Vikas S

Reputation: 21

How to avoid security assessment for Gmail API integration

I am fetching the Gmail inbox into the web application by using the Gmail API. I am using a REST API to connect with the web application. Everything is working and ready to go live. But the app was rejected by Google, which asks for a security assessment that costs around $75K.

We are only reading messages through the API, and users are already permitted to perform the same activity.

My question is: how can we avoid the security assessment, given that we are using restricted and sensitive scopes like the Gmail API & PubSub? Without these scopes, we can't fetch the messages.

How can we avoid the security assessment? Is there any other way to achieve this requirement?

Looking forward to the community's help. It's a major blocker for us to go live. Thanks in advance.

Upvotes: 2

Views: 1879

Answers (1)

Linda Lawton - DaImTo

Reputation: 117301

If you need to use a sensitive or restricted scope, and you are not exempt from verification, there is no workaround to the security assessment.

Info from the docs:

sensitive-scopes

Apps that request sensitive scopes must verify that they follow Google’s API Services User Data Policy and will not have to undergo an independent, third-party security assessment. This sensitive scopes verification process typically takes 3-5 business days to complete.

Option: don't request a sensitive scope.

restricted-scopes

Apps that request restricted scopes must also verify that they follow Google’s API Services User Data Policy, but they must also meet the Additional Requirements for Specific Scopes. One of these additional requirements is an independent, third-party security assessment. For this reason, this restricted scopes verification process can potentially take several weeks to complete.

Option: Don't request a restricted scope.

Exceptions to verification requirements

Could your app be exempt from the verification requirements?


Upvotes: 3
