How to set Gmail OAuth for ONLY READ?

Hey guys,

For some reason, the authentication isn’t successful (but only restricted) unless I give it full consent, including sending emails and stuff.
How do I limit it only to read, labels, body, and stuff of READ-ONLY?

Thanks..

Hello @sondre

n8n’s default Gmail credential includes full access scopes. To limit access:

Use a Service Account (with domain-wide delegation) for secure, read-only email access.

Or configure a custom OAuth2 credential and list only the specific read-only scopes.

Thanks,
this is what I did, as you can see here:

But as soon as I press the “sign in”, and select the user, it only works if I grant full permission. Otherwise it says forbidden 403 error.

You need to create a custom OAuth2 credential for your problem.

2 Likes

As @cutecatcode said, even though your Google Cloud project is correctly limited to read-only scopes, the built-in Gmail credential in n8n automatically injects additional scopes like gmail.modify and gmail.compose. If you don’t accept them, Google throws a 403 error.

  1. Go to Credentials → New → OAuth2 API
  2. Fill in:
     • Auth URL: https://accounts.google.com/o/oauth2/v2/auth
     • Access Token URL: https://oauth2.googleapis.com/token
     • Client ID / Secret: from your Google Cloud project
     • Scope: readonly
     • Set access_type=offline and prompt=consent in OAuth options.

This way, you’re fully controlling what’s requested, no hidden Gmail scopes added by n8n.

2 Likes
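Added example, not part of any post in this thread and not n8n's own code: a sketch of the authorization request the custom credential described above would send, plus a check that the token Google returns carries only the read-only scope. It assumes the full scope URL `https://www.googleapis.com/auth/gmail.readonly` and a space-delimited `scope` field in the token response; the client ID, redirect URI and sample token responses are constructed placeholders.

```javascript
// Added example. Auth URL, access_type and prompt are the values quoted in the thread.
const AUTH_URL = "https://accounts.google.com/o/oauth2/v2/auth";
const SCOPE_PREFIX = "https://www.googleapis.com/auth/";
// Assumption: the only scope this credential should ever hold.
const ALLOWED_SCOPES = new Set([SCOPE_PREFIX + "gmail.readonly"]);

// Build the consent URL so that only the allow-listed scope is requested.
function buildAuthUrl(clientId, redirectUri, state) {
  const url = new URL(AUTH_URL);
  url.search = new URLSearchParams({
    client_id: clientId,
    redirect_uri: redirectUri,
    response_type: "code",
    scope: [...ALLOWED_SCOPES].join(" "),
    access_type: "offline",
    prompt: "consent",
    state,
  }).toString();
  return url.toString();
}

// Compare the `scope` field of a token response against the allow-list.
// `excess` lists anything broader than intended (e.g. gmail.modify, gmail.compose).
function auditGrantedScopes(tokenResponse) {
  const granted = (tokenResponse.scope || "").split(/\s+/).filter(Boolean);
  const excess = granted.filter((s) => !ALLOWED_SCOPES.has(s));
  const missing = [...ALLOWED_SCOPES].filter((s) => !granted.includes(s));
  return { ok: excess.length === 0 && missing.length === 0, excess, missing };
}

// Constructed sample token responses (placeholders, not real tokens).
const readOnlyGrant = {
  access_token: "PLACEHOLDER",
  scope: SCOPE_PREFIX + "gmail.readonly",
};
const broadGrant = {
  access_token: "PLACEHOLDER",
  scope: ["gmail.readonly", "gmail.modify", "gmail.compose"]
    .map((s) => SCOPE_PREFIX + s)
    .join(" "),
};

// Hypothetical client ID and redirect URI, for illustration only.
console.log(buildAuthUrl("CLIENT_ID_PLACEHOLDER", "https://n8n.example.invalid/callback", "state123"));
console.log(auditGrantedScopes(readOnlyGrant));
console.log(auditGrantedScopes(broadGrant));
```

Running the audit once after the first sign-in shows whether the stored token is limited to read access or was silently granted write scopes.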

Thank you very much for your answer.
If I understand correctly, I’d need to create some HTTP Request for each operation:
read messages, labels, modify labels, create a label, right?
It makes me create these commands that are already fulfilled within the GMAIL API.
If so, I don’t get why the Gmail API integration in n8n can’t just allow me to set readonly permissions, and force me to implement each request separately.