Hey guys,
For some reason, the authentication isn’t successful (but only restricted) unless I give it full consent, including sending emails and stuff.
How do I limit it only to read, labels, body, and stuff of READ-ONLY?
Thanks..
Hello @sondre
n8n’s default Gmail credential includes full access scopes. To limit access:
Use a Service Account (with domain-wide delegation) for secure, read-only email access.
Or configure a custom OAuth2 credential and list only the specific read-only scopes.
Thanks,
This is what I did, as you can see here:
But as soon as I press the “sign in”, and select the user, it only works if I grant full permission. Otherwise it says forbidden 403 error.
You need to create a custom OAuth2 credential for your problem.
As @cutecatcode said, even though your Google Cloud project is correctly limited to read-only scopes, the built-in Gmail credential in n8n automatically injects additional scopes like gmail.modify and gmail.compose. If you don’t accept them, Google throws a 403 error.
https://accounts.google.com/o/oauth2/v2/auth
https://oauth2.googleapis.com/token
access_type=offline
and prompt=consent
in OAuth options. This way, you’re fully controlling what’s requested, no hidden Gmail scopes added by n8n.
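An added example, not part of the posts above and not n8n's own code: it builds the consent URL from the endpoints and parameters quoted in the reply while refusing any scope outside a read-only allowlist, then audits the `scope` field Google returns with the token. The client ID, redirect URI, `state` value, sample token response and both function names are constructed placeholders.

```javascript
// Endpoints and the access_type/prompt parameters come from the thread.
const OAUTH = {
  authUrl: "https://accounts.google.com/o/oauth2/v2/auth",
  tokenUrl: "https://oauth2.googleapis.com/token", // where the code is exchanged
};
const GMAIL = "https://www.googleapis.com/auth/gmail.";

// Assumed policy: this credential may only ever hold gmail.readonly.
const ALLOWED = new Set([GMAIL + "readonly"]);

// Build the consent URL; fail closed if a caller asks for a wider scope.
function buildAuthUrl({ clientId, redirectUri, scopes, state }) {
  const extra = scopes.filter((s) => !ALLOWED.has(s));
  if (extra.length > 0) {
    throw new Error("refusing non-read-only scopes: " + extra.join(", "));
  }
  const url = new URL(OAUTH.authUrl);
  url.search = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: "code",
    scope: scopes.join(" "),
    access_type: "offline", // request a refresh token
    prompt: "consent",      // always show the consent screen
    state,                  // CSRF token, checked on the callback
  }).toString();
  return url.toString();
}

// Google's token response lists what was actually granted as a
// space-delimited "scope" string; compare it with the allowlist.
function auditGrantedScopes(tokenResponse) {
  const granted = (tokenResponse.scope || "").split(/\s+/).filter(Boolean);
  const unexpected = granted.filter((s) => !ALLOWED.has(s));
  const missing = [...ALLOWED].filter((s) => !granted.includes(s));
  return { ok: unexpected.length === 0 && missing.length === 0, unexpected, missing };
}

// Constructed sample: a token response that also carries gmail.modify.
const sampleTokenResponse = { scope: GMAIL + "readonly " + GMAIL + "modify" };
console.log(auditGrantedScopes(sampleTokenResponse));
```

Running the audit right after the token exchange shows whether a credential ended up with `gmail.modify` or `gmail.compose` despite the read-only intent.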
Thank you very much for your answer.
If I understand correctly, I’d need to create some HTTP Request for each operation:
read messages, labels, modify labels, create a label, right?
It makes me create these commands that are already fulfilled within the GMAIL API.
If so, I don’t get why the Gmail API integration in n8n can’t just allow me to set readonly permissions, and force me to implement each request separately.