Configure OAuth for Gmail

This page describes how to configure OAuth to connect Gmail to Gemini Enterprise as a data store.

Set up authentication and permissions for Gmail

To enable Gmail actions, a Google Cloud administrator must perform the following steps to enable the Gmail API and set up authentication.

Enable the Gmail API

In the Google Cloud console, enable the following APIs:

The Gmail API: Enable the API.
The Google People API: Enable the API.

Create an OAuth app and add scopes

If you don't have an OAuth app, follow these steps. If you already have an OAuth app, skip to Create an OAuth client credentials.

Go to Google Auth Platform / Overview.
Click Get started.
Enter a name for your OAuth app.
In User support email, select a support email address for the users of your application to contact with questions about their consent.
Under Audience, select the user type for your app:
- External: Select External if you're creating an app for use outside of your Google Workspace organization. This makes the app publicly available to any user with a Google account. If you selected External for user type, add test users:
  1. Click Audience.
  2. Under Test users, click Add users.
  3. Enter your email address and any other authorized test users, then click Save.
- Internal: Select Internal if the app is restricted to members of a specific Google Cloud organization, limiting access to Google Workspace organizational members only.
Click Next.
Under Contact Information, enter an email address where you can be notified about any changes to your project.
Click Next.
Under Finish, review the Google API Services User Data Policy. If you agree, select I agree to the Google API Services: User Data Policy.
Click Continue.
Click Create.

After you create the app, you can update the OAuth Consent Screen settings in Branding and Audience.

Add minimum scopes

To add the minimum required scopes, follow these steps:

In the Google Cloud console, go to Menu .
Select Data Access from the navigation menu.
Click Add or Remove Scopes.
Under Manually add scopes, paste the following scopes for Gmail as per your connection mode:

Connection mode	Scope	Purpose
Federated Search	`https://www.googleapis.com/auth/gmail.readonly`	Required to search email messages.
Federated search and Actions	`https://www.googleapis.com/auth/gmail.send` `https://www.googleapis.com/auth/gmail.readonly`	Required to send and read email messages.

Click Add to table and then click Update.
Click Save.

Note: If you only intend to use the data store for search and not perform any actions, you can limit the scopes to just https://www.googleapis.com/auth/calendar.readonly. The other scopes are required to perform the actions mentioned in Supported actions.

Create OAuth client credentials

This procedure describes how to create a new OAuth client ID for Google Cloud actions. If you already have an OAuth client ID for Google Cloud actions, you can use that client ID and secret for Google Calendar actions instead of creating a new one.

Go to Google Auth Platform / Clients.
Click Create client.
For Application type, select Web application.
In the Name field, type a name for the credential.
Skip Authorized JavaScript origins.
In the Authorized redirect URIs section, click Add URI and enter the following URI: https://vertexaisearch.cloud.google.com/oauth-redirect
Click Create. The newly created credential appears under OAuth 2.0 Client IDs. Open the client that you have created and copy the following information:
- Client ID
- Client secret