Google OAuth Verification: Costs, Timelines, Process, and More
Everything you need to know about app verification & security review.
Tasia Potasinski | July 29, 2019
Updated July 29, 2019
NOTE: If you are a Nylas customer, we help submit your application and shorten the review cycle. View our guide to Google app verification for Nylas Customers.
First, let’s just clear the air: the details of the Google OAuth requirements can feel a little dry and confusing at times, but getting into the weeds is incredibly useful for anyone building products that access Google user data. Here, we’ve distilled the details for you.
When Google announced they were making sweeping changes to the way third-party apps can access Google user data, Google users and security proponents celebrated the enhanced security measures that protect user data — but developers were initially left with little detail about how to continue providing their services to Gmail users in compliance with the new regulations.
Today, we have much more detailed information about Google’s OAuth updates – everything from the third-party app verification process to the security assessment, costs, and timelines.
Let’s dive in.
How Do I Know if I Need to Submit My App For Verification?
Third-party applications that access certain types of Google user data need to undergo app verification – specifically, if your app uses “restricted scopes”, you’ll need to undergo app verification and a security assessment. Currently, Google lists restricted scopes as:
If your app only uses “sensitive scopes” (as defined by Google — essentially, any data that is not a restricted scope is considered a sensitive scope), you’ll need to undergo app verification only (no security assessment needed).
Sensitive scopes include, but are not limited to:
If your app has fewer than 100 users, you will not need to undergo app verification. Note – your users will still see the unverified app screen when they initially authenticate.
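To make the decision rules above concrete, here is an added example (not Nylas or Google code) of a small audit script that takes the scopes an app requests, its user count and whether it is internal-only, and reports whether the page's rules call for app verification, a security assessment, or neither. The scope lists and the broad-to-narrow scope mapping are assumptions constructed for the example from the 2019 rules described on this page; replace them with Google's current restricted and sensitive scope lists before relying on the output. Scopes the script does not recognize are treated as sensitive, following the page's "anything not restricted is sensitive" simplification, but are listed separately so a reviewer checks them.

```python
"""Audit requested OAuth scopes against the verification rules above.

Added example; not Nylas or Google code. The scope sets below are
ASSUMED for illustration and must be checked against Google's current
documentation.
"""
from dataclasses import dataclass, field

# ASSUMED: Gmail scopes were the restricted scopes in 2019 (verify).
RESTRICTED_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://www.googleapis.com/auth/gmail.compose",
    "https://www.googleapis.com/auth/gmail.insert",
    "https://www.googleapis.com/auth/gmail.metadata",
    "https://www.googleapis.com/auth/gmail.settings.basic",
    "https://www.googleapis.com/auth/gmail.settings.sharing",
}

# ASSUMED sample of sensitive scopes (the page: anything not restricted).
SENSITIVE_SCOPES = {
    "https://www.googleapis.com/auth/calendar",
    "https://www.googleapis.com/auth/calendar.readonly",
    "https://www.googleapis.com/auth/contacts.readonly",
    "https://www.googleapis.com/auth/gmail.send",
}

# Basic sign-in scopes that do not expose Gmail/Calendar/Contacts data.
NON_SENSITIVE_SCOPES = {"openid", "email", "profile"}

# ASSUMED least-privilege hints: broad scope -> narrower scope that often
# satisfies a read-only feature. Requesting less data eases review.
NARROWER_ALTERNATIVES = {
    "https://mail.google.com/": "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/calendar":
        "https://www.googleapis.com/auth/calendar.readonly",
}

UNVERIFIED_USER_LIMIT = 100  # from the page: under 100 users, no verification


@dataclass
class ScopeAudit:
    restricted: list = field(default_factory=list)
    sensitive: list = field(default_factory=list)
    unknown: list = field(default_factory=list)   # treated as sensitive
    suggestions: list = field(default_factory=list)
    needs_verification: bool = False
    needs_security_assessment: bool = False


def audit_scopes(requested, user_count, internal_only=False):
    """Classify scopes and apply the page's verification rules."""
    audit = ScopeAudit()
    for scope in sorted(set(requested)):
        if scope in RESTRICTED_SCOPES:
            audit.restricted.append(scope)
        elif scope in SENSITIVE_SCOPES:
            audit.sensitive.append(scope)
        elif scope not in NON_SENSITIVE_SCOPES:
            audit.unknown.append(scope)
        if scope in NARROWER_ALTERNATIVES:
            audit.suggestions.append(f"{scope} -> {NARROWER_ALTERNATIVES[scope]}")

    touches_user_data = bool(audit.restricted or audit.sensitive or audit.unknown)
    # Page rules: internal-only apps and apps under 100 users skip verification.
    if touches_user_data and not internal_only and user_count >= UNVERIFIED_USER_LIMIT:
        audit.needs_verification = True
    # The assessment is an extra step on top of verification, for restricted scopes.
    audit.needs_security_assessment = audit.needs_verification and bool(audit.restricted)
    return audit


if __name__ == "__main__":
    # Constructed sample request: full mailbox + calendar + sign-in.
    report = audit_scopes(
        ["https://mail.google.com/", "https://www.googleapis.com/auth/calendar", "openid"],
        user_count=5000,
    )
    print(f"restricted: {report.restricted}")
    print(f"sensitive:  {report.sensitive}")
    print(f"unknown:    {report.unknown}")
    print(f"verification needed: {report.needs_verification}")
    print(f"security assessment needed: {report.needs_security_assessment}")
    for hint in report.suggestions:
        print(f"consider narrower scope: {hint}")
```

The useful output is the suggestions list: each broad scope you can drop in favour of a narrower one removes a restricted scope from the review, which shortens both the verification write-up and the assessment. Unknown scopes should be resolved against Google's documentation rather than assumed harmless.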
Google App Verification
Third-party apps (any web/desktop/mobile app) and APIs (like Nylas) that integrate with Gmail data to better serve their customers must undergo a four-step process to ensure their users’ data continues to sync smoothly:
- Create an unverified Google project for development for your test environment.
- Once you’ve tested the scopes and you’re ready for production, you can create a Google project for production with the same scopes.
- Submit your Google project for production for review: You’ll need a YouTube video that shows your app’s functionality – think of this as a very detailed product demo that proves to Google which scopes you need for your end-user’s benefit. For example, if you’re requesting a send-email scope and a modify-email scope, you need to show both of these features in your platform. You’ll also need to describe in writing why you need each scope. For example, “My app will use https://www.googleapis.com/auth/calendar to show a user’s Google calendar data on the scheduling screen of my app, so that users can manage their schedules through my app and sync the changes with their Google calendar.”
- Complete a Google OAuth Security assessment (more on this below)
Creating a Google Project
To get your app verified, log in to the Google Developer Console. Enter your project name, organization, and parent organization:
Submit Your Application
Once you’ve created a project, submit your application for review on the GCP (Google Cloud Platform) Console OAuth consent screen here. It’ll look like this:
This verification process can take just a few days or as long as several weeks end-to-end. By clearly demonstrating the scopes you need access to and how you use them, you can drastically reduce the timeline. If Google has clarification questions based on your original submission, you’ll need to address those questions and resubmit your app, which could delay the review process.
As mentioned above, the review process becomes quicker with Nylas. We’ve created a handy and comprehensive guide for Nylas customers on how to create a Google project here.
What happens if I want to add more restricted scopes after my app is approved?
If you want to add a new scope to your Google project, you should follow these steps (note that if you are an existing Nylas customer, we will help expedite the resubmission process):
- After new restricted scopes have been tested on your unverified Google project for development, add the new restricted scopes to your Google project, and resubmit your project for review. (Users will still be able to sync the scopes that you’ve already received approval from Google for).
- Once the new scope is approved, users can use all approved scopes and will see that your app is verified!
Google OAuth Security Assessment
To start, how do you know if you need to undergo a security assessment in addition to app verification?
It’s pretty straightforward – if your app uses restricted scopes, you’ll need to undergo a security assessment. However, there are three ways you can be exempt from the security assessment:
- Internal use case: If your app is only used for internal company purposes (i.e. if you only allow access to users from your organization), you do not need to undergo app verification. We’ve created a guide for customers with an internal use case on submitting your Google Project for review here.
- If you’re using sensitive scopes only
- If you prefer to require the Super admins of each G Suite org to whitelist your application. Learn how in this blog.
If your app accesses what Google defines as “restricted scopes”, the next step after getting your app verified is a third-party security assessment.
On average, these assessments should take no longer than 1-5 weeks. If your application requires remediation testing (i.e. if you don’t pass the initial security assessment), the process can take an additional couple of weeks — but these timelines are largely dependent on your company’s existing security policies and the complexity of your application.
At Nylas, it took us just two weeks to complete the security assessment. We were already SOC 2, Type II certified, which helped reduce the timeline.
If you are not a Nylas customer, or if you’re considering becoming one, and your app accesses restricted scopes, you’ll need to complete the security assessment before going live with your Google integration.
For existing Nylas customers who created Google apps before 1/15/19, the security reviews must be completed by 12/31/2019.
Costs will vary depending on the complexity of your implementation and the state of security processes that already exist. At Nylas, we already had a few security certifications, which streamlined the process. Our total costs for the two-week assessment came out to $11,000.
If your company is already SOC 2, Type II certified, Google has noted that security assessment costs will be significantly reduced.
How Can I Speed Up the App Verification and Security Review Process?
Nylas has partnered with Google to provide a streamlined verification and security review process for Nylas customers.
By working with Nylas, third-party apps can complete the process faster and with fewer resources than companies starting from scratch.
If you’d like to learn more, contact a Nylas Platform Specialist.
For more information on Google OAuth, visit their support page here.