I will be using the Gmail API for sending mails from my website with my submail (a noreply-mail), I have added a billing method for the admin mail but not for my sub mails, is that something I have to do so it works correctly? (thinking about the credits and so on?)
Very thankful for your help!
/Dejan
Gmail API is not a billed service, but do be mindful of quota limits:
Gmail sending limits in Google Workspace
Gmail API usage limits
The more restrictive of the above limits will apply.
Related
Does anyone know what are the "single account SMTP plugins" referenced here in this Google OAuth API policy?
See the last bullet of the "Exceptions to verification requirements":
SMTP/IMAP/WP: The app is used to send emails through WordPress, or similar single-account SMTP plugins.
Answer
Single-account is one account connected to your project or the only sender in it and SMTP plugins refers to the plugin that uses this OAuth token in order to send messages.
In summary, the bullet SMTP/IMAP/WP means that if you are using WordPress and set it up to be able to send emails using Gmail scopes, this is relegated to a single account SMTP plugin use and is not applicable for verification. Otherwise if your app is meant for public use it might require using https://mail.google.com/ scope, you will need to submit your app for the restricted scope verification.
The "Find and delete malicious emails" page in the Google Workspace Admin Help Center states:
Using the investigation tool, you can identify all users in your domain that have received the message (for example, a phishing email). You can then use the investigation tool to delete the email from your users' Gmail inboxes (note that log data might take up to a few minutes before being available in the investigation tool).
From this, I understand that, assuming you have the right package, it is possible to use the investigation tool to delete the unwanted email from your users' Gmail inboxes.
Can I delete emails from my users' Gmail inboxes via Google App Script using the API? If so, how can I do that?
Currently it is not possible with the Investigation tool
But there is already an existing feature request for exposing the Google Workspace Investigation Tool programmatically.
I recommend you to "star" it to show Google that more people are interested in this feature - hopefully this will accelerate the implementation.
UPDATE:
In th meantime you can use a workaround, e.g. using a service account with domain-wide delegation as suggested by #TheAddonDepot
It is possible via DwDg(domain-wide delegation)
You have to create a service account and delegate domain-wide authority to that service account with the appropriate scopes. There are no explicit instructions for the Gmail API but you can use this guide from the Admin Directory API documentation.
You then use the service account credentials with the GAS OAuth2 Library to make calls on behalf of your existing users to the Gmail API. Note that you can't use the built-in or advanced services for Gmail, you'll have to call out to the Gmail REST API directly via UrlFetchApp.
I'm interested of building a spreadsheet add-on that relies on external services and it seems that URLFetch is the only way of performing remote HTTP/S calls with app script.
I've reached the app script quota page to check limitations and I can see that they are
100.000 calls/day for GSuite plans
20.000 calls/day for Gmail plans
What is not clear from the documentation is if these limits are related to the whole application or just the single user installation of the add-on / application.
Also the documentation doesn't really explain if there's any way to can ask google for increased quotas for a specific application, something that you might need and do in GCP for specific apis for example.
Anybody with app script experience and with a published add-on can share some light to it ? Has anyone attempt to create a app-script that heavily uses external services ?
Apps Script quota apply per user invoking a service.
i.e. if each user of the application calls a service on his own behalf - each user will have awarded the quota mentioned in the documentation.
On the contrary, if you are using a service account that performs a call on behalf of a user without impersonating him - all calls from all users will count against the service account quota.
As for API quotas, they apply per project. You can consult here how to request an increase of quota.
We are working on testing email on-premise and may be considering moving away from Google Apps for Email. Our current projects within GCE are tied to our current Google Apps Email accounts. Do we have to use Google Apps Email in order to use GCE? If not, does anyone know how login to the GCE web console would work since it is currently tied to our Google Apps Email accounts?
I can't seem to find a proper way to shift the project to a non-google authentication method.
You do need a Google account to use Google Cloud Platform services. However, it doesn't need to be a Google Apps account, you can use a free Gmail account as well.
I believe you need a google "apps" account for everything since you will have to pay for your GCE and payment comes from a profile that is associated with that account.
If you move your email, assuming your domain is using Google's services now, I think you Google account will still use that domain's email login for the Google account even if you change your MX records to use a different email host.
Or maybe I don't understand your question ...
I am working on an app that allows user to share their Drive files to friends. But there is a problem of Google App Account, like someone#somadomain.com, of which files cannot be shared with people who are not under that domain. Although the share policy can be changed by admin of somedomain.com, but I prefer not allowing people use my app with Google Apps Account.
I also check this post: How to determine if the account is a Google apps account?. But I don't agree with the idea of checking domain to detect account type. Because people can register Google Account with any email address. I just registered one with my Hotmail, someone#hotmail.com, which has no domain restriction when sharing a file.
Can anyone help with this? Thanks!
Assuming you included:
https://www.googleapis.com/auth/userinfo.email
in your OAuth scopes, you can make a request to:
https://www.googleapis.com/oauth2/v2/userinfo
If it's a Google Apps account, an "hd" parameter (Hosted Domain?) will be returned by the call with the Google Apps domain as it's value. If it's a consumer account, whether it's #gmail.com or even a potential "conflicting account", the hd parameter will not be returned. See my example below. admin#jay.powerposters.org is a Google Apps Account while consumer#jay.powerposters.org is a consumer account. If I created a consumer user in the Google Apps domain it wouuld become a conflicting account and the consumer account would be pushed out of the #jay.powerposters.org namespace but that hasn't happened yet.
For admin#jay.powerposters.org:
GET https://www.googleapis.com/oauth2/v2/userinfo
HTTP/1.1 200 OK
Content-length: 99
X-xss-protection: 1; mode=block
...
{
"email": "admin#jay.powerposters.org",
"verified_email": true,
"hd": "jay.powerposters.org"
}
For consumer#jay.powerposters.org:
GET https://www.googleapis.com/oauth2/v2/userinfo
HTTP/1.1 200 OK
Content-length: 71
X-xss-protection: 1; mode=block
{
"email": "consumer#jay.powerposters.org",
"verified_email": true
}
I don't think there is a good way to check if an account is a Google Apps account. The only way I'm thinking of is to check the Domain's DNS MX records and see if some service of the domain are served by Google Apps servers (like email served from gmail etc...) but even there you might have to check more than one service because some Google Apps companies deactivate Gmail for instance (or some other service) to use a custom solution instead.
If I were you I would not disable the service to Google Apps accounts (how unfair!! :)) many people bought Google Apps account to have a nice looking email domain and their account behave just like any other Google Accounts...
I would simply try to set the ACL of the fils to public when you need to and if this does not work display them with a nice error message warning them about their Admin having disabled public sharing... It's not going to be lots of users anyways and it would be too bad to have your app not available to others "normal" Google Apps accounts.
Or check the domain using a service like BrowserSpy. If the MX records appear correct, then it's using Google Apps.