How to Avoid the Google OAuth Security Assessment Fee
The security assessment fees for apps that sync G Suite user data can range wildly from $15,000 to $75,000. If these costs are prohibitive to the continued success of your integration, learn how you could avoid the Google security assessment fee in this blog.
Tasia Potasinski | October 9, 2019
At the end of 2018, Google announced new OAuth security enhancements that increase transparency for any applications that sync data from Gmail or G Suite that Google categorizes as “restricted scopes”. If your app enables users to read, modify, or compose emails or read metadata from Gmail or G Suite, you are accessing restricted scopes.
We’ve written on everything from the timeline to the process for getting your application approved, and (finally) the costly security assessment. For the most straightforward cases, companies have reported costs around $20K, but the range varies wildly with the complexity of your app’s needs and your pre-existing security infrastructure, with reports between $15K and $75K.
Who Can Avoid the Security Assessment Fee?
To answer this question, let’s first make a clear delineation: free Gmail accounts (@gmail.com) and paid business G Suite Gmail accounts are treated differently when it comes to Gmail API integration.
If your app accesses consumer Gmail accounts (a.k.a. non-G Suite or non-business Gmail accounts), you will still need to undergo the security assessment. However, if your app accesses individuals’ business/work Gmail accounts, you can avoid the assessment and fee by having the organization’s G Suite admin whitelist your application.
One loophole to avoid the security assessment fee even if you are syncing data from consumers’ Gmail accounts: if you have fewer than 100 users, you are exempt from the security assessment.
How Do Administrators Whitelist My App?
A G Suite super administrator is the only person who can whitelist your application for a customer organization. Admins can follow the instructions in this Google guide to add your app to their whitelist.
If your customer’s super administrator whitelists your application, anyone at that company will be able to sync your approved scopes of G Suite data seamlessly with your application.
How Do I Instruct Super Admins to Whitelist My Application?
1. Admins should sign in to their Google Admin Console; from the Google Admin dashboard, go to “Security” and open “Settings”.
2. Then, under API Permissions, click “Trusted Apps”.
3. From the Trusted Apps dashboard, click the + button at the bottom right to add the project.
4. Select “Web Application”.
5. Add the appropriate Google Client ID*.
6. The Google project the admin whitelisted will now appear in their list of Trusted Apps.
View this one page comparison guide to see the benefits of working with Nylas over integrating with G Suite/Gmail directly.