Go to section

Capsule Gmail Add-On Permissions Change

We recently contacted all Capsule Gmail Add-On users asking them to approve a permission change to our Google Workspace (formerly G Suite) Marketplace App to continue using the Add-On.

Please ensure that one of your Google Workspace Domain administrators has approved this change before Tuesday, March 24th 2021 by following these instructions:

  1. Log in to the Google Workspace Admin console
  2. Navigate to Apps > Google Workspace Marketplace apps > Capsule CRM
  3. Under Data Access > Gmail you’ll see a new OAuth Scope https://www.googleapis.com/auth/gmail.readonly listed as ‘Not Granted’
  4. Click Grant access at the top of the Data Access pane to approve the new scope.
Google Workspace Marketplace scopes before
Google Workspace Marketplace scopes after

Why are we making this change?

Capsule has integrated with Gmail since 2011 first via our Contextual Gadget. Back then only a single OAuth scope (or permission) existed giving full read/write access to a user’s Gmail mailbox.

When Contextual Gadgets were later replaced with Gmail Add-Ons we wanted to make the transition for our users as easy as possible. Therefore we continued to use the existing OAuth scope which they had previously authorized.

Google have since introduced new more granular OAuth scopes for their Gmail API including a more restricted read-only scope to access user mailboxes.

As part of our ongoing commitment to security we have decided it is prudent to switch to the more restricted scope.

What happens if this change is not approved?

After Tuesday, March 24th the Capsule Gmail Add-On will no longer function for your users and new replies on existing stored conversations will not be stored in Capsule.

Can the old read/write scope be removed?

Unfortunately Google’s OAuth scopes do not have a hierarchy and Google does not provide a mechanism to automatically downgrade scopes. Therefore the full read/write scope https://mail.google.com/ must remain in place as a fallback for us to access your user’s mailboxes until we’ve identified that you have approved the new OAuth scope.

We will send a follow up email with instructions on when and how the old read/write scope can be removed.