Question

What happened to Local App Gmail API access?

  • March 24, 2026

loknload

Not sure if this is the right place to ask, but I’m curious what happened to the Gmail API access exception for Local only apps? I was hoping to implement Gmail access into my iOS app but received denial from the Google Security team that said that a security assessment was now mandatory.


ErikaB
Community Manager
  • March 24, 2026

Hi @loknload

I checked in with Gemini, and here is what I found! I hope this helps clarify things for you. 

 

Google’s security policies for Restricted Scopes (which include the Gmail API) have become much more stringent to ensure user data remains protected regardless of where it is stored.

While there were historically nuances for 'local-only' applications, the current Google API Services User Data Policy effectively requires a security assessment for any application that accesses Restricted Scopes in a production environment (beyond 100 users). Because the Gmail API grants such broad access to personal data, the 'local-only' nature of an app does not automatically waive the requirement for a third-party security assessment (CASA).

Recommended Actions for the User

  1. Verify Scope Necessity: Re-evaluate if your app truly needs a Restricted Scope (e.g., [https://mail.google.com/](https://mail.google.com/)). If you only need to send emails, consider using a Sensitive Scope instead, which has a simpler verification process.

  2. Review CASA Tiers: Check the Cloud App Security Assessment (CASA) tiering. Depending on your app's user count and data handling, you may qualify for a lower-tier assessment that is less intensive.
  3. Submit for Verification: Even if you believe you qualify for an exception, you must still submit your project for OAuth verification in the Google Cloud Console. The Trust & Safety team will then provide the specific assessment requirements for your case.
  4. Stay Under the User Cap: While developing and testing, you can bypass the assessment as long as you stay under the 100-user limit. This allows you to implement and test the API before committing to the full security review.