1

We are integrating the Gmail API with Integromat and, in order to avoid re-authorizing Integromat’s access every 7 days, we need to submit for Google verification.

Now the problem is that the Google verification wants to verify the ownership of each domain. I’m afraid this includes the integromat.com domain (since integromat.com is the authorized domain). That’s a problem since we don’t own the integromat.com domain and we therefore cannot verify domain ownership. Is there a contingency plan for this?

Besides, Google wants a YouTube video showcasing how the permission is being used, which is quite a silly requirement since our Integromat account is only used by us (obviously).

I wonder whether Make/Integromat has some official recommendation/help for this? I couldn’t find any so far.

Note that we are not using Google Workspaces so we can’t use Google’s "internal usage" option.

Linda Lawton - DaImTo
brillout

2 Answers

1

You have two issues here: the refresh token expiring, and your desire to submit your application for verification.

These are separate issues that are unrelated.

expiring token

The refresh token expiring after seven days is due to the fact that your application is currently in the testing phase, not that it has not been verified.

refresh token expiration

A Google Cloud Platform project with an OAuth consent screen configured for an external user type and a publishing status of "Testing" is issued a refresh token expiring in 7 days.

On the OAuth2 screen, set the project to production and your tokens will stop expiring.

verification

Domain name:

If you are using a domain name either for the redirect URI or for hosting your privacy policy, you must verify that you own this domain through Google Search Console. There is no way around this.

If you don't own integromat.com, you're not going to be able to use that. Host it on your own domain.

Gmail scopes are one of the hardest scopes to be able to get an application verified for.

YouTube Video:

You will need to create a YouTube video and host it publicly so that the security team can verify what your application is doing and how it is intended to work. It is not a silly requirement. It is there to protect your users' data.

Remember the third party security assessment for Gmail scopes is going to cost you between 15k-75k dollars a year.

internal

As stated in exceptions-to-verification-requirements

Internal Use: The app is used only by people in your Google Workspace or Cloud Identity organization. Note that your app will not be subject to the unverified app screen or the 100-user cap if it's marked as Internal.

Your last line says:

Note that we are not using Google Workspaces so we can’t use Google’s "internal usage" option

You don't need to be verified. So you don't need to worry about the domain or the YouTube video.

Linda Lawton - DaImTo
0

While the information in Linda Lawton's answer is correct, it does not answer the original question, and it can be misleading for other people with a similar problem. Below, I will try to clarify the problem for other people with a similar problem.

Introduction:

When connecting Make (Integromat) to Google services, you need to set up a custom OAuth client. When you set up the client, you must choose the "Publishing status" of the app (you can either choose "Testing" or "In Production") and the "User type" (you can either choose "External" or "Internal") -- see Google docs.

The "Internal" user type is used if you want to make an app that will only be used by you or other members of your Google Workspace. You can use the "Internal" user type only if you are a member of a Google Workspace.

The "External" user type is used if you want to make an app that will be available to any user with a Google Account. Anyone can use the "External" user type.

If you choose the "Testing" publishing status, the app is considered unverified, which means that there are some restrictions on its use. One of the restrictions is that if any user wants to use the app, he needs to authorize the app, and the authorization is valid only for 7 days. If you want to use the app after 7 days, you need to reauthorize it.

If you choose the "In production" publishing status, then when a user wants to use the app, he needs to authorize the app only once and the authorization stays valid indefinitely.

Problem:

If you want to create an app which does not need to be reauthorized every 7 days by its users, the app must have the "In production" publishing status.

If the app is Internal, you can push it into production without any problems.

However, if the app is External, you must go through a complicated process of verifying the app and this includes verifying ownership of your project’s authorized domains.

Therefore, if you want to create an app which does not need to be reauthorized every 7 days, you either must have a Google Workspace or must be prepared to go through the complicated verification process (and you must own the authorized domains).

Answer to the original question:

As far as I know, Integromat does not have an official recommendation for this. Since you do not own the integromat.com domain, if you want to create an app which does not need to be reauthorized every 7 days, you must create a Google Workspace and use the "Internal" user type.

If creating a Google Workspace is not an option for you, you could try modifying your scenario in such a way that you do not need to use the Gmail API. If, for example, you need to trigger your scenario when a specific email is received in your Gmail inbox, you could use the "Custom mailhook" option of the "Webhooks" app, which lets you forward your email to the mailhook, and this mailhook triggers the scenario.

Jakub Holan