We’re experiencing OAuth token revocations for our Gmail API application that we can’t diagnose.
SITUATION:
- ~15-20% of users experience token revocation (the last 3 we’ve spoken to about this were unaware / didn’t actively block our app, but we’re not sure yet what percentage are intentional blocks vs automatic)
- Revocations happen at two different times:
  - Within minutes of active email processing (real-time)
  - Days/weeks after last activity
- Users with identical usage patterns - some are blocked, most are fine
- No correlation with email volume (blocked users process similar amounts to active users)
WHAT WE’VE RULED OUT:
- Quota limits: Well under per-user and app-wide quotas
- Token refresh: OAuth in Production mode, not Testing, and most of these blocks happen before the 6-month window
- Manual revocation: some users confirmed they didn’t revoke
- Workspace-specific policies: Affects both personal Gmail accounts and Google Workspace accounts
OUR API USAGE PATTERN:
- Continuous background processing throughout the day
- messages.list with various label filters (multiple times per email processed)
- messages.get
- messages.modify
- messages.batchModify (typically 20-500 messages at a time)
- labels.list
- users.watch for push notifications
SPECIFIC QUESTIONS:
- Does repeatedly calling messages.list with the same query pattern flag as suspicious?
- Is there a frequency threshold for batchModify operations?
- What behavioral patterns differentiate normal email management from abuse?
- Could processing Google’s own security notification emails trigger flags?
We’re adding detailed logging but would appreciate guidance on what aspects of API usage Google’s systems scrutinize.
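Added example, not from the original post and not Google's code: a small logging layer for the kind of detailed logging the post mentions. It separates a rejected refresh token (the token endpoint's `invalid_grant`, per RFC 6749 section 5.2) from quota errors (`rateLimitExceeded`, `userRateLimitExceeded`, `dailyLimitExceeded`) and transient 5xx failures, and snapshots what the app was doing for that user in the minutes before the refresh failed, so revoked users can be compared against unaffected ones. The sample call records, the user name and the 10-minute window are constructed assumptions; the error shapes are the documented ones.

```python
# Added example (not from the original post): classify Gmail API / OAuth token
# failures so that logs separate refresh-token revocation from quota and transient
# errors, and record the preceding activity for a revoked user.
import time
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Outcome categories for a failed call.
REVOKED = "revoked"            # refresh token rejected: user must re-consent
AUTH_RETRY = "auth_retry"      # access token rejected: refresh it, then retry once
RATE_LIMITED = "rate_limited"  # usage-limit error: back off, do not count as revocation
TRANSIENT = "transient"        # 5xx: retry with backoff
OTHER = "other"

# Gmail API usage-limit reason codes (documented in the usage limits guide).
QUOTA_REASONS = {"rateLimitExceeded", "userRateLimitExceeded", "dailyLimitExceeded"}


def classify_token_error(body: dict) -> str:
    """Classify the JSON error body returned by https://oauth2.googleapis.com/token.

    A revoked or otherwise unusable refresh token comes back as error=invalid_grant
    (RFC 6749 section 5.2). The error_description text is free-form: log it
    verbatim for support tickets, but do not branch on it.
    """
    if body.get("error") == "invalid_grant":
        return REVOKED
    # invalid_client / unauthorized_client point at the app's own credentials or
    # consent-screen configuration, not at a per-user revocation.
    return OTHER


def classify_api_error(status: int, body: dict) -> str:
    """Classify a failed Gmail API call from its HTTP status and JSON error body."""
    reasons = {e.get("reason") for e in body.get("error", {}).get("errors", [])}
    if status == 401:
        # The access token was rejected. Only if the subsequent refresh fails
        # with invalid_grant is the user actually revoked.
        return AUTH_RETRY
    if status == 429 or (status == 403 and reasons & QUOTA_REASONS):
        return RATE_LIMITED
    if status >= 500:
        return TRANSIENT
    return OTHER


@dataclass(frozen=True)
class CallRecord:
    user: str
    method: str   # e.g. "messages.list", "messages.batchModify"
    ts: float     # epoch seconds
    status: int


class UsageLog:
    """Per-user record of API calls, used to answer 'what was this user doing
    in the minutes before the revocation?' The window size is an assumption."""

    def __init__(self, window_s: float = 600.0):
        self.window_s = window_s
        self._calls = defaultdict(list)

    def record(self, user: str, method: str, status: int, ts: Optional[float] = None) -> None:
        when = ts if ts is not None else time.time()
        self._calls[user].append(CallRecord(user, method, when, status))

    def activity_before(self, user: str, ts: float) -> Counter:
        """Count calls by method in the window ending at ts."""
        lo = ts - self.window_s
        return Counter(c.method for c in self._calls[user] if lo <= c.ts <= ts)

    def on_refresh_failure(self, user: str, token_error: dict, ts: float) -> dict:
        """Build the structured log event to emit when a token refresh fails."""
        return {
            "user": user,
            "outcome": classify_token_error(token_error),
            "error_description": token_error.get("error_description"),
            "calls_in_window": dict(self.activity_before(user, ts)),
        }


def demo() -> dict:
    """Constructed scenario: a user whose refresh fails right after a burst of list calls."""
    log = UsageLog(window_s=600.0)
    t0 = 1_700_000_000.0
    for i in range(12):                                      # twelve list calls in two minutes
        log.record("alice", "messages.list", 200, t0 + 10 * i)
    log.record("alice", "messages.batchModify", 200, t0 + 130)
    log.record("alice", "messages.get", 200, t0 - 3600)      # an hour earlier: outside the window
    token_error = {"error": "invalid_grant",
                   "error_description": "Token has been expired or revoked."}  # constructed
    return log.on_refresh_failure("alice", token_error, t0 + 140)


if __name__ == "__main__":
    print(demo())
```

The point of `AUTH_RETRY` is that a 401 from the Gmail API alone does not prove revocation; the refresh that follows it does, and that is the event worth correlating with the preceding call mix.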