Google Workspace email connection

How will Google Workspace integration work?

This planned feature will let you connect your Gmail or Google Workspace account so Tallyfy can send workflow emails from your email address. It’ll use Google’s OAuth 2.0 with only the gmail.send permission - the minimum needed to send emails on your behalf without accessing your inbox or contacts.

Google classifies email permissions into three tiers. The gmail.send scope is “Sensitive” (not “Restricted”), so Tallyfy can offer this integration without the expensive annual security audits that full email access requires. Personalized sending, no privacy concerns.

What’s required for Google OAuth verification?

Tallyfy will complete Google’s standard OAuth verification for the gmail.send scope. This is a one-time process handled before launch - nothing you need to do.

What this means for you:

• No security assessment required: No CASA audits needed since we don’t read your email
• Standard verification only: Takes 2-4 weeks, not months
• Faster approval: Google reviews send-only apps quicker

The verification confirms:

• Tallyfy’s identity and privacy policy
• The app name and logo
• Security practices and consent screens

Why This Matters

Many email integrations request the https://mail.google.com/ scope, which requires expensive annual security assessments. By limiting to just gmail.send, Tallyfy keeps costs down while maintaining full security.

Will users see an “unverified app” warning?

No. After verification, you’ll see a standard Google consent screen showing Tallyfy’s verified publisher badge, the exact permission you’re granting (send email only), and how to revoke access later. Beta testers might see an “unverified app” screen during development, but that disappears after Google approves the application.

What about Google Workspace admin controls?

Your Google Workspace admin controls whether users can connect third-party apps.

Scenario 1: Open access (default)

• Admin has “Allow users to access any third-party apps” enabled
• You can connect Tallyfy immediately - no admin action needed

Scenario 2: Restricted access

• Admin has blocked unconfigured third-party apps
• Admin must add Tallyfy to the allowed list using the OAuth client ID we’ll provide
• Takes about 5 minutes to configure

Scenario 3: Highly restricted

• Organization blocks all third-party API access
• Requires a policy exception - we’ll provide security documentation for review

How do IT admins approve Tallyfy?

1. Access Google Admin Console

   • Sign in to admin.google.com
   • Navigate to Security → API controls → Manage Third-party App Access

2. Add Tallyfy as trusted app

   • Click “Add app” → “OAuth App Name Or Client ID”
   • Enter Tallyfy’s OAuth Client ID (we’ll provide this)
   • Select “Trusted” or “Specific Google data”

3. Configure permissions

   • If choosing “Specific Google data”, add scope: https://www.googleapis.com/auth/gmail.send
   • Apply to entire organization or specific units
   • Save configuration

4. Notify users

   • Changes take effect immediately
   • Users can now connect their accounts
   • No individual approval needed

We’ll provide admins with a setup guide including our OAuth client ID, screenshots, security compliance documentation, and a direct support contact.

What if my organization uses IP restrictions?

IP restrictions won’t affect this integration. Emails sent through your account originate from Google’s servers, not Tallyfy’s. The API calls come from Tallyfy’s servers, which you can whitelist if needed - typically just 3-5 IP addresses that rarely change.

How does this work with Google’s “Less Secure Apps” policy?

It doesn’t use “Less Secure Apps” at all. Tallyfy uses OAuth 2.0, which Google actively recommends. Google has already phased out less secure app access, but OAuth connections continue working indefinitely.

• Less Secure Apps: Used your password directly (deprecated)
• OAuth 2.0: Uses revocable tokens without password access (recommended)

What about sending limits and quotas?

Your existing Gmail sending limits apply when Tallyfy sends on your behalf. Google enforces these to prevent spam:

Account type	Daily limit	Recipients per message
Google Workspace	2,000 emails	500
Free Gmail	500 emails	500

Workflow notifications rarely hit these limits. 50 task notifications per day is just 2.5% of a Workspace quota.

Will emails appear in my Sent folder?

Yes. Every email Tallyfy sends shows up in your Gmail Sent folder, creating a full audit trail. You can search, forward, or reply to any workflow email. Your existing backup systems and retention policies apply to these messages too.

How do I revoke access?

Three options:

From Tallyfy - Go to Settings > Email Integration and click “Disconnect Google Account.”

From Google - Visit myaccount.google.com/permissions, find Tallyfy, and click “Remove Access.”

Admin removal - In Google Admin Console > Security > API controls, find Tallyfy and remove for specific users or the entire organization.

Revocation takes effect immediately. Tallyfy can’t send from your account anymore, but emails already sent stay in your Sent folder.

What data does Tallyfy store?

Only the OAuth refresh token - not your emails or password.

Stored	Never stored
OAuth refresh token (encrypted)	Your Google password
Your email address (for display)	Email contents from your inbox
Token expiration time	Contacts or calendar data
Last successful send timestamp	Any other Google data

The refresh token is encrypted at rest and can only request short-lived access tokens for sending emails.

Google security feature compatibility

The integration works with all Google security settings:

• 2-Factor Authentication: Fully supported - OAuth works regardless of 2FA
• Advanced Protection Program: Compatible with Google’s highest security tier
• Context-Aware Access: Follows your organization’s access policies
• Security Keys: Work normally during initial authorization

If Google detects unusual activity, it might temporarily block sending, require reauthorization, or send you a security alert.

Troubleshooting common authorization issues

“This app is blocked” - Your admin has blocked third-party apps. Ask them to add Tallyfy using the OAuth client ID.

“Requires admin approval” - Forward the consent link to your IT team. One-time approval unlocks access for all users.

“Invalid scope” error - Clear your browser cache and try again. Contact support if it persists.

Authorization succeeds but sending fails - Usually a temporary Google API issue. Wait 5 minutes and retry. Check daily sending limits.

“Token expired” - Normal after 6 months of inactivity. Reconnect your account - takes about 30 seconds.

Related articles

Email > Connect your email

Connect Your Email is a planned Tallyfy feature that sends workflow emails from your personal Gmail or Outlook account for better deliverability and trust.

Connect Your Email > Microsoft Outlook email connection

Planned Microsoft Outlook integration will use Graph API with delegated Mail.Send permissions to send workflow emails from your personal email address.

Authentication > Integrate Google Workspace

Set up Google Workspace SAML SSO with Tallyfy by creating a custom SAML app in Google, configuring attribute mappings, and exchanging config details with Tallyfy Support for single sign-on with automatic user provisioning.

Email > Gmail add-on

Use the Tallyfy Gmail Add-on to create tasks, start processes, and track progress directly from your Gmail inbox.

Was this helpful?

YesNo