> ## Documentation Index
> Fetch the complete documentation index at: https://docs.hymalaia.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Gmail Service Account Setup

> Set up the Gmail connector using a Service Account (Google Workspace only)

## Overview

This guide walks through configuring the Gmail connector using a **Service Account**.

> 🏢 A **Google Workspace** is required to use this method.

> 🙋 Prefer to use OAuth with a personal or individual Google account? [Click here](#gmail-oauth-setup) to see the OAuth flow instead.

## Authorization

### 1. Create a Google Cloud Project

* Go to [Google Cloud Console](https://console.cloud.google.com/projectcreate)
* Create a new project for the Gmail integration

### 2. Enable Required APIs

#### Gmail API

1. In the left menu, go to **APIs & Services** → **Enabled APIs and services**
2. Click **+ ENABLE APIS AND SERVICES**
3. Search for **Gmail API** and click **ENABLE**\
   → Or directly [enable Gmail API here](https://console.cloud.google.com/apis/library/gmail.googleapis.com)

#### Admin SDK API

1. Again click **+ ENABLE APIS AND SERVICES**
2. Search for **Admin SDK API** and click **ENABLE**\
   → Or directly [enable Admin SDK API here](https://console.cloud.google.com/apis/library/admin.googleapis.com)

### 3. Create a Service Account

* Go to the [Service Accounts page](https://console.cloud.google.com/iam-admin/serviceaccounts)
* Click **Create Service Account**
* Fill out Step 1 (Service account name, ID, etc.)
* You can skip Steps 2 and 3

#### Generate Key

* After creating the Service Account, go to the **Keys** tab
* Click **Add Key** → **Create new key**
* Choose **JSON** and **Download** the key

> 📥 You'll upload this JSON to Hymalaia during connector setup

***

### ⚠️ Extra Step for Organizations Created After April 2024

Google has added additional permission enforcement for new orgs:

1. Visit [this link](https://admin.google.com/ac/owl/domainwidedelegation)
2. Select your newly created Service Account
3. Click **Manage**
4. Select **Override parent’s policy**
5. Set **Rules → Not Enforced**
6. Click **Set Policy**

***

### 4. Grant Read-Only Access to Gmail

1. Copy the **Unique ID** of your Service Account (you'll find this on the Service Account page)
2. Go to the [Domain-wide Delegation page](https://admin.google.com/ac/owl/domainwidedelegation) in the Google Admin Console
3. Click **Add new**
4. In **Client ID**, paste the Unique ID of the Service Account
5. In **OAuth Scopes**, paste the following scopes (comma-separated):

```text theme={null}
https://www.googleapis.com/auth/gmail.readonly,
https://www.googleapis.com/auth/admin.directory.group.readonly,
https://www.googleapis.com/auth/admin.directory.user.readonly
```

> 🔐 This grants the Service Account access to read Gmail, users, and groups

***

Once this setup is complete, you can go to the **Hymalaia Admin Dashboard**, select the **Gmail Connector**, and upload your downloaded **Service Account Key JSON** to start indexing emails.
