Regarding restrictive API scopes

0 votes

We are planning to integrate Gmail our support management platform.

I have a question regarding the restricted scopes. In the restricted scopes they had given following API endpoints.

mail.google.com/ (includes any usage of REST, IMAP, SMTP, and POP3 protocols)
www.googleapis.com/auth/gmail.readonly
www.googleapis.com/auth/gmail.metadata
www.googleapis.com/auth/gmail.modify
www.googleapis.com/auth/gmail.insert
www.googleapis.com/auth/gmail.compose
www.googleapis.com/auth/gmail.settings.basic
www.googleapis.com/auth/gmail.settings.sharing

But I had seen another Gmail API endpoints without listed in restricted scopes

gmail.googleapis.com

Above endpoint is also called as Gmail API but url is different and is not listed as restricted scopes. So does that means we can use it without 3rd party verification?

by (200 points)

1 Answer

0 votes

To use IMAP and/or SMTP and OAuth 2.0, Google requires you to use https://mail.google.com/ scope.

by (301k points)
That means, if iam using API endpoint gmail.googleapis.com (Which have rate limits, i can byepass the restricted scope?
by (200 points)
This scope is not valid for IMAP/SMTP access.
by (301k points)
edited by
I specifically don't need IMAP/SMTP acces. My requirement is just to read mails and send mails and manage labels. Which they have endpoints with gmail.googleapis.com. I'm yet to figure out the difference between SMTP/Imap access and this GMAIL API access.
by (200 points)
I don't think restricted scopes are that easy to bypass and I think you are confusing scopes with an url of some API.

Again this is *not* the scope for IMAP, POP3, SMTP access.
To use Mail.dll you need to use https://mail.google.com/ scope.
by (301k points)
Yes you are correct. I think we should stick with limilabs for O365 and other emails and use email forwarders for gsuite.
by (200 points)
by (301k points)

Does this app password doesn't need restrictive scope verification? So in that way, how to adds cope while submitting the APP verification?

One more thing, does this restrictive scope applies to GSuite /Workplace Email also?

by (200 points)

App password access doesn't need to go through verification - it's not an OAuth 2.0 flow.

Within organization you don't need your app to be verified.

by (301k points)
...