# Gmail authentication

## Prerequisites

Depending on the authentication
type you select, you need one of the following credentials:

* OAuth 2.0 Authorization code: Your Google
  email address and the password associated with your Google account.
* Bring your own OAuth 2.0 app:
  Your application's Client ID and Client secret, and Scopes.
* Service account: Service account key,
  Account email.

If your account is not enabled by Google:

* Reach out to your administrator
  for approvals on creating connections.
* Enable permission by checking the
  options available to allow creating a connection.

:::note
For more details
regarding the different authentication types, refer to the [How to connect to Google Workspace 365
activities](https://docs.uipath.com/activities/other/latest/productivity/how-to-connect-to-google-workspace-activities) guide.
:::

For more information on Gmail, visit
the [Gmail documentation](https://developers.google.com/gmail) website.

## Scopes

The connector requests the following permissions/scopes:

* UiPath public app default scopes:
  `openid`,
  `https://www.googleapis.com/auth/userinfo.email`,
  `https://www.googleapis.com/auth/userinfo.profile`,
  `https://mail.google.com/`,
  `https://www.googleapis.com/auth/calendar`,
  `https://www.googleapis.com/auth/gmail.settings.basic`.
* Google Service Account default
  scopes: `openid`,
  `https://www.googleapis.com/auth/userinfo.email`,
  `https://www.googleapis.com/auth/userinfo.profile`,
  `https://mail.google.com/`,
  `https://www.googleapis.com/auth/calendar`,
  `https://www.googleapis.com/auth/gmail.settings.basic`.
* Bring your own OAuth 2.0 app:
  + Mandatory scopes: `openid`, `https://www.googleapis.com/auth/userinfo.email`, `https://mail.google.com/`
  + Minimal scopes for
    creating a connection: `openid`,
    `https://www.googleapis.com/auth/gmail.readonly`.
  + Minimal list of
    scopes required for Gmail triggers:
    - `openid`,
      `https://www.googleapis.com/auth/gmail.readonly`
      – for events on mailboxes.
    - `openid`,
      `https://www.googleapis.com/auth/calendar.readonly`
      – for events on calendars.

:::note
If you authenticate using Bring your own
OAuth 2.0 app, you benefit by default from the scopes configured at app
creation. If you want to use the default app permissions, you can declare a
`common` scope. This means you use only the permissions
configured for that application. You can also declare additional scopes at
connection creation, using the **Scopes** field. You will then be asked to
grant the additional consent during sign-in.
:::

Connecting allows
UiPath products to interact with Gmail data on your behalf. This may include read,
write, modify and delete data, depending on your Gmail permissions. You can always
remove any access in your [Google
Account](https://myaccount.google.com/permissions).
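The following least-privilege check is an added example, not UiPath or Google code. It compares the scopes declared for a Bring your own OAuth 2.0 app connection with the minimal sets listed above. The use-case keys, the function name, and the space-delimited input format are assumptions made for illustration; the scope strings are copied from this page.

```python
GAPI = "https://www.googleapis.com/auth/"

# Minimal scope sets from the list above (the dictionary keys are hypothetical labels).
MINIMAL = {
    "connection": {"openid", GAPI + "gmail.readonly"},
    "mailbox_trigger": {"openid", GAPI + "gmail.readonly"},
    "calendar_trigger": {"openid", GAPI + "calendar.readonly"},
}

# Broad scopes and the narrower read-only scopes they already include.
COVERS = {
    "https://mail.google.com/": {GAPI + "gmail.readonly"},
    GAPI + "calendar": {GAPI + "calendar.readonly"},
}

# UiPath public app default scopes, as listed on this page.
UIPATH_DEFAULT = " ".join([
    "openid", GAPI + "userinfo.email", GAPI + "userinfo.profile",
    "https://mail.google.com/", GAPI + "calendar", GAPI + "gmail.settings.basic",
])


def audit_scopes(declared, use_cases):
    """Compare a space-delimited scope string (assumed format) with the
    minimal scopes needed for the selected use cases."""
    scopes = set(declared.split())
    if scopes == {"common"}:
        # `common` means the connection inherits whatever the app was configured with.
        return {"inherits_app_scopes": True, "missing": [], "over_broad": [], "unneeded": []}
    required = set().union(*(MINIMAL[u] for u in use_cases))
    missing, over_broad = [], []
    for need in sorted(required):
        if need in scopes:
            continue
        broad = sorted(s for s in scopes if need in COVERS.get(s, ()))
        if broad:
            over_broad.append((broad[0], need))   # satisfied only by a wider grant
        else:
            missing.append(need)
    used = required | {b for b, _ in over_broad}
    return {"inherits_app_scopes": False, "missing": missing,
            "over_broad": over_broad, "unneeded": sorted(scopes - used)}
```

Run against `UIPATH_DEFAULT` for a mailbox trigger, the report shows the read requirement met only by the full-mailbox scope, with four further scopes not needed for that use case.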

## Add the Gmail connection

1. Select Orchestrator from the product launcher.
2. Select a folder, and then navigate to the **Connections** tab.
3. Select **Add connection**.
4. To open the connection creation page, select the connector from the list. You can use the search bar to find the connector.
5. Select your preferred authentication type.
   
   If you select Bring your own OAuth 2.0 app, you must provide a
   Client ID and Client secret, and the Scopes you may need to interact
   with different activities. Check out the activities' documentation to
   learn what scopes they require.
6. Enter the required credentials and select **Connect**.

   For any secret-type field, you can select the menu next to the field and choose **Use credential asset** to reference an Orchestrator credential asset linked to an external vault instead of entering the value directly. For more information, see [Use credential assets for connections](credential-store-connections.md).

## Bring your own OAuth 2.0 app

In
Integration Service, when creating a connection to one of our Google API-based
connectors, you can choose between two authentication options:

* OAuth 2.0 Authorization
  code – which connects to the UiPath public application.
* Bring your own OAuth 2.0
  app – which connects to a private application you create.

To learn how to create an application, go to Google's official
documentation and follow the described steps: [Authentication – Sign In with Google for Web](https://developers.google.com/identity/gsi/web/guides/get-google-api-clientid).

* When configuring your
  application, set the **Authorized redirect URIs** field to: `https://{baseURL}/provisioning_/callback`

### Configuring Scopes

When you create a connection
using Bring your own OAuth 2.0 app, you have the option to customize application
scopes.

## Refresh tokens for OAuth applications

Google has refresh token
limitations for individual OAuth 2.0 client IDs. If the limit is reached, creating a
new refresh token automatically invalidates the oldest refresh token without
warning. This limit does not apply to service accounts (refer to [Using OAuth 2.0 for Server-to-Server Applications](https://developers.google.com/identity/protocols/oauth2/service-account)). For
more information, refer to Google's official [documentation](https://developers.google.com/identity/protocols/oauth2#expiration).

The following can cause a token to expire:

* You have [revoked your app's access](https://support.google.com/accounts/answer/3466521#remove-access).
* The refresh token has not
  been used for six months.
* You changed your password
  and the refresh token contains Gmail scopes.
* Your account has exceeded a
  maximum number of granted (live) refresh tokens.
  + If you request a new
    token after the limit is exceeded, your old connection, based on a
    previously granted token, will expire. Only the new connection or
    the latest edited/reauthenticated connection (with the latest token)
    will work.
* An admin has set any of the
  services requested in your application's scopes to [Restricted](https://support.google.com/a/answer/7281227#restrictaccess) (the error is
  `admin_policy_enforced`).
* For [Google Cloud Platform APIs](https://developers.google.com/identity/protocols/oauth2#gcp): the session length
  set by the admin could have been exceeded.

:::note
The limit is currently set to 100 refresh
tokens per Google account per OAuth 2.0 client ID. This number can be subject to
change. For the latest information, always check the Google documentation.
:::

There is a larger limit on the total number of refresh tokens a user
account or service account can have across all clients. Regular users won't exceed
this limit, but a developer account used to test an implementation might.

To
make sure this limit is not exceeded, UiPath offers users the ability to create
their own OAuth applications and connect using the Bring your own app authentication
type. Make sure to follow the best practices from Google when creating your OAuth
application. For details on how to create an OAuth application, refer to Google's
official [documentation](https://developers.google.com/identity/gsi/web/guides/get-google-api-clientid).
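The eviction behaviour described in this section can be modelled to find connections that are holding an invalidated token. This is an added example, not UiPath or Google code: it assumes strict oldest-first eviction per Google account and client ID at the limit of 100 stated above, unique connection names, and a chronological list of grants; the account, client ID, and connection names are constructed.

```python
from collections import defaultdict, deque

LIMIT = 100  # refresh tokens per Google account per OAuth 2.0 client ID (from this page)


def broken_connections(grants, limit=LIMIT):
    """grants: chronological iterable of (account, client_id, connection).
    Each entry models one sign-in or reauthentication that issues a new
    refresh token. Returns the connections whose stored token was evicted."""
    live = defaultdict(deque)  # (account, client_id) -> live token ids, oldest first
    current = {}               # connection -> (quota key, token id it currently stores)
    for token_id, (account, client_id, conn) in enumerate(grants):
        key = (account, client_id)
        live[key].append(token_id)
        if len(live[key]) > limit:
            live[key].popleft()        # oldest token is invalidated without warning
        current[conn] = (key, token_id)
    return sorted(c for c, (key, tid) in current.items() if tid not in live[key])


def headroom(grants, limit=LIMIT):
    """Remaining grants per (account, client_id) before the next one evicts a token."""
    counts = defaultdict(int)
    for account, client_id, _ in grants:
        counts[(account, client_id)] += 1
    return {key: max(0, limit - n) for key, n in counts.items()}


# Constructed sample: 101 connections for one account on one shared client ID.
SAMPLE = [("user@example.com", "shared-client-id", f"conn-{i}") for i in range(101)]

if __name__ == "__main__":
    print(broken_connections(SAMPLE))  # the first connection lost its token
    print(headroom(SAMPLE))
```

Because the quota key includes the client ID, grants made through a separate Bring your own OAuth 2.0 app do not consume the count of another client ID.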

:::note
Token invalidation results in failed connections, and automations
cannot run until the connections are fixed.
:::
