How to Avoid the Google OAuth Security Assessment Fee
The security assessment fees for apps that sync G Suite user data can range wildly from $15,000 to $75,000. If these costs are prohibitive to the continued success of your integration, learn how you could avoid the Google security assessment fee in this blog.
Tasia Potasinski | October 9, 2019
At the end of 2018, Google announced new OAuth security enhancements that increase transparency for any application that syncs data from Gmail or G Suite through what Google categorizes as “restricted scopes”. If your app enables users to read, modify, or compose emails, or to read email metadata, from Gmail or G Suite, you are accessing restricted scopes.
We’ve written on everything from the timeline to the process for getting your application approved, and (finally) – the costly security assessment. For the most straightforward cases, companies have reported costs of around $20K, but the range varies wildly depending on the complexity of your app’s needs and your pre-existing security infrastructure, with reports between $15K and $75K.
Who Can Avoid the Security Assessment Fee?
To answer this question, let’s first make a clear delineation: free Gmail accounts (@gmail.com) and paid business G Suite Gmail accounts are treated differently when it comes to Gmail API integration.
If you’re willing to have the G Suite administrator for each of your customers whitelist your application for their entire company, you can avoid the security fee. However, this only applies to G Suite, not to Gmail (Google’s free consumer product). If your application syncs consumer Gmail data, you will still need to undergo the security assessment even if all of your G Suite customers have whitelisted you.*
*If you are syncing data from consumer Gmail accounts but have fewer than 100 users, you are also exempt from the security assessment.
How Do Administrators Whitelist My App?
A G Suite super administrator is the only person who can whitelist your application for a customer organization. Admins can follow the instructions in this Google guide to add your app to their whitelist.
If your customer’s super administrator whitelists your application, anyone at that company will be able to sync your approved scopes of G Suite data seamlessly with your application.
How Do I Instruct Super Admins to Whitelist My Application?
1. Admins should sign in to their Google Admin Console; from the Google Admin dashboard, go to “Security” and open “Settings”.
2. Under API Permissions, click “Trusted Apps”.
3. From the Trusted Apps dashboard, click the + button at the bottom right to add the project.
4. Select “Web Application”.
5. Add the appropriate Google Client ID.*
6. The Google project the admin whitelisted will now appear in their list of Trusted Apps.
View this one-page comparison guide to see the benefits of working with Nylas over integrating with G Suite/Gmail directly.