OAuth reviewer information
Gmail OAuth is used only for the service-owned mailbox.
Quick & Dirty Fixes.ai uses Gmail API access to receive customer requests sent to the service mailbox and to send response emails from that mailbox.
Customers do not authorize Google OAuth access for this service.
Service-owned Gmail mailbox model
The application is built around a Gmail mailbox owned and operated by the service. Customers interact by sending ordinary email to that mailbox.
The application reads messages received by the service mailbox, routes requests internally, and sends responses from the service mailbox.
OAuth boundary
The OAuth boundary is the service/operator Gmail mailbox. OAuth tokens authorize the application to work with that mailbox as userId="me" in the Gmail API.
Customer Gmail accounts are outside this OAuth boundary. The application does not create customer Gmail OAuth flows and does not ask customers to authorize Google accounts.
Who authorizes OAuth
- The service/operator mailbox owner authorizes OAuth.
- The authorized Google account is the service-owned Gmail mailbox.
- The OAuth token files are operator-controlled service token files.
Who does not authorize OAuth
- Customers do not authorize OAuth.
- Customers do not connect Gmail accounts.
- Customers do not grant Gmail scopes.
- Customers do not provide OAuth credentials or refresh tokens.
- Customer Gmail mailboxes are not accessed through OAuth.
Gmail scopes
| Scope | Application area | Purpose |
|---|---|---|
https://www.googleapis.com/auth/gmail.modify |
web inbound service |
Used to detect service-mailbox activity, resolve Gmail history, read messages sent to the service mailbox, and handle attachments when present. |
https://www.googleapis.com/auth/gmail.send |
delivery outbound service |
Used to send response emails from the service-owned Gmail mailbox after processing is complete. |
Why gmail.modify is used
The inbound service needs to work with messages that arrive in the service-owned Gmail inbox. This includes mailbox activity detection, Gmail history handling, reading inbound service-mailbox messages, and handling attachments when a request includes them.
Why gmail.send is used
The delivery service sends completed responses from the service-owned Gmail mailbox. Gmail send access is required because responses are delivered from the service mailbox, not from a customer mailbox.
Reviewer summary
- This is service-owned Gmail automation.
- Customers use ordinary email.
- Customers do not grant Google OAuth permissions.
- Gmail API access is used for inbound processing and outbound delivery for the service mailbox.