Read-only · The smallest scope

We never touch your inbox.

When you connect Gmail or Outlook, Avocabo asks for one permission: read. Not send. Not move. Not delete. Not label. The OAuth scope is the entire ceiling on what we can do — and the floor.

What we ask for. What we don’t.

The OAuth consent screen lists exactly two abilities. The first lets us read your messages. The second lets us read the message metadata (subject, sender, date) so we can tell which messages are newsletters. That’s the entire list.

We can

  • Read messages in your inbox
  • Read sender, subject, date
  • Identify which messages are newsletters

We can’t

  • Send mail on your behalf
  • Delete or archive mail
  • Move mail between folders
  • Modify labels or subject lines
  • Touch anything you didn’t open in Avocabo

These aren’t promises — they’re what the OAuth scope itself allows. Not “we choose not to.” Cannot.

How the tokens live.

OAuth gives us a refresh token from your provider. We never see your password — the password stays with Google or Microsoft. We store the token encrypted at rest on European infrastructure (Hetzner, Falkenstein). Tokens are rotated automatically, and the connection is one revoke-click away in your provider’s account settings.

Revoke anytime. Pull access from your Google account or Microsoft account and Avocabo loses access immediately. We don’t get a chance to argue.

The exact scopes.

For the curious or the paranoid — here’s the literal list of OAuth scopes we request, by provider. You’ll see the same list on the consent screen when you connect.

  • Gmail: gmail.readonly
  • Gmail: gmail.metadata
  • Outlook: Mail.Read

Nothing else. Ever. If we ever need more, we’ll ask — you can refuse.
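To check a grant against that list yourself, here is an added example (not Avocabo's code) that audits the space-delimited scope value from an OAuth token response. The function names, the full-URI prefixes and the sample grant strings are assumptions constructed for illustration.

```python
# Added example: audit an OAuth grant against the read-only scopes listed above.
# Function names are hypothetical; prefixes and sample grants are assumptions.

# Scopes the page lists, by provider (short names as shown on the page).
EXPECTED = {
    "gmail": {"gmail.readonly", "gmail.metadata"},
    "outlook": {"Mail.Read"},
}

# Providers often report scopes as full URIs; strip these prefixes (assumed).
PREFIXES = (
    "https://www.googleapis.com/auth/",
    "https://graph.microsoft.com/",
)

# Provider scopes that allow sending or changing mail, for a clearer verdict.
WRITE_CAPABLE = {
    "https://mail.google.com/", "gmail.modify", "gmail.send",
    "gmail.compose", "gmail.insert", "gmail.labels",
    "Mail.ReadWrite", "Mail.Send",
}


def normalize(scope):
    """Reduce a full-URI scope to the short name used on the page."""
    for prefix in PREFIXES:
        if scope.startswith(prefix):
            return scope[len(prefix):]
    return scope


def audit_grant(provider, scope_value):
    """Compare a space-delimited scope string (RFC 6749) with the expected set."""
    granted = {normalize(s) for s in scope_value.split()}
    expected = EXPECTED[provider]
    unexpected = granted - expected
    return {
        "read_only": not unexpected,          # nothing beyond the listed scopes
        "unexpected": sorted(unexpected),
        "write_capable": sorted(unexpected & WRITE_CAPABLE),
        "missing": sorted(expected - granted),
    }


# Constructed sample grants, not captured from any real account.
GOOD = ("https://www.googleapis.com/auth/gmail.readonly "
        "https://www.googleapis.com/auth/gmail.metadata")
BAD = GOOD + " https://www.googleapis.com/auth/gmail.modify"
```

Any entry under `unexpected` means the grant is wider than the list above, and `write_capable` names the ones that would permit sending or changing mail.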

Ready when you are. Ninety seconds.

Connect Gmail or Outlook from the onboarding flow. The first digest lands the next morning at seven, your time.

Prefer not to OAuth? Use a forwarding address instead →