Internal docs · OAuth verification
Submitting StockPilot for Google OAuth verification
Until the app is verified, new users see a scary “Google hasn't verified this app” screen when they connect Gmail and have to click “Advanced → Go to StockPilot (unsafe)”. Verification removes that. One-time form, 1–2 weeks turnaround.
- Confirm only sensitive scopes are requested — no restricted scopes. Open console.cloud.google.com/apis/credentials/consent under the project that owns the OAuth client (the one whose ID is in GOOGLE_CLIENT_ID). Under “Scopes” there should be only:
  - https://www.googleapis.com/auth/gmail.send
  - https://www.googleapis.com/auth/userinfo.email

  Any restricted Gmail scope (gmail.readonly, gmail.modify, or mail.google.com/) triggers Google's CASA tier-2 security assessment (~$4–15k and months of paperwork). StockPilot deliberately avoids all of them. Supplier replies are handled by our inbound-email webhook instead, so we don't need any read access to user mailboxes.
- Fill in the OAuth consent screen app details.
  - App name: StockPilot
  - User support email: support@stockpilot.app
  - App logo: any clean 120×120 PNG from your design assets (must match the one we use on the marketing site).
  - Authorized domains: stockpilot.app (and the Railway preview domain during testing).
  - App home page: https://stockpilot.app/
  - Privacy policy: https://stockpilot.app/privacy (already live).
  - Terms of service: https://stockpilot.app/terms (already live).
  - Developer contact: your personal email.
- Justify each scope. Google asks in plain English why you need each scope. Copy-paste these:
  - gmail.send:
    StockPilot sends purchase-order emails on behalf of the signed-in café owner to their suppliers. The owner approves each order in the app, and the email is sent from their own Gmail account so the supplier sees a normal, personal email.
  - userinfo.email:
    Used once during OAuth to identify which Gmail address the user connected, so we can label it in Settings and sign outbound emails from the correct From: address.
- Record a short demo video. Google requires a 30-second-to-2-minute screen capture showing:
  - The consent screen appearing when a new user clicks “Connect Gmail”.
  - The user granting the scopes.
  - An example of the resulting functionality (e.g. an email being sent to a supplier).

  Upload to YouTube as Unlisted and paste the URL in the form.
- Submit for verification. Click “Prepare for verification” at the top of the consent screen page. Google typically responds within 5 business days requesting small clarifications, and the full cycle takes 1–2 weeks. The product stays fully functional for existing connected users during review.
- Add test users in the meantime. Before verification completes you can add up to 100 Gmail addresses as “Test users” in the consent screen — those users will skip the unverified-app warning immediately. Add your first customers here so their onboarding is painless while the form works through review.
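The scope check in the first step is the one that matters after verification too: a later code change that adds gmail.readonly would put the app back into the restricted tier. The script below is an added example, not StockPilot code, that you can run in CI against the authorize URL the app builds and against the JSON Google's token endpoint returns (its `scope` field lists the scopes actually granted); the function names and the placeholder client ID are assumptions.

```python
"""Guard: the Gmail scopes StockPilot requests must stay exactly the verified set.

Added CI check (not part of the app). Run it over the authorize URL the app
builds and over the token-endpoint response, so a restricted scope cannot
slip in unnoticed after verification.
"""
from __future__ import annotations
from urllib.parse import parse_qs, urlparse

# Exactly the two sensitive scopes listed on the verified consent screen.
ALLOWED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/gmail.send",
    "https://www.googleapis.com/auth/userinfo.email",
})
# Restricted Gmail scopes that would trigger the CASA tier-2 assessment.
RESTRICTED_SCOPES = frozenset({
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/gmail.modify",
    "https://mail.google.com/",
})

def scopes_from_authorize_url(url: str) -> set[str]:
    """Extract the space-delimited `scope` query parameter from an authorize URL."""
    query = parse_qs(urlparse(url).query)
    return set(" ".join(query.get("scope", [])).split())

def check_scopes(requested: set[str]) -> list[str]:
    """Return a list of problems; an empty list means the set matches what was verified."""
    problems = []
    for scope in sorted(requested & RESTRICTED_SCOPES):
        problems.append(f"restricted scope requested: {scope}")
    for scope in sorted(requested - ALLOWED_SCOPES - RESTRICTED_SCOPES):
        problems.append(f"scope not on the verified consent screen: {scope}")
    for scope in sorted(ALLOWED_SCOPES - requested):
        problems.append(f"expected scope missing: {scope}")
    return problems

def check_token_response(token_json: dict) -> list[str]:
    """Google's token endpoint echoes the granted scopes in `scope` (space-delimited).
    Checking it catches both over-granting and a user who declined one scope."""
    granted = set(token_json.get("scope", "").split())
    return check_scopes(granted)

if __name__ == "__main__":
    # Constructed sample: the authorize URL the app should be building.
    good_url = ("https://accounts.google.com/o/oauth2/v2/auth?client_id=PLACEHOLDER_CLIENT_ID"
                "&response_type=code&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.send"
                "%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fuserinfo.email")
    print(check_scopes(scopes_from_authorize_url(good_url)))  # []
```

Wire it to fail the build on a non-empty list; the "expected scope missing" case on a token response should instead make the app refuse to enable sending for that user until they reconnect.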
Once verified
New users clicking “Connect Gmail” will see a clean consent screen with the StockPilot logo and “Continue” — no “unsafe” warning. That's the single biggest trust improvement available pre-launch. Do it before your first external customer demo.