Reference gmail modify restricted tier
As of Google's 2024-2025 scope reclassification, gmail.modify is Restricted, not Sensitive. This bit Claude in the OAuth planning session on 2026-05-17 — the scope was listed in a 12-scope Sensitive bundle before Justin caught it in the live console.
Current Gmail scope tier reality:
- Sensitive: gmail.send, gmail.compose, gmail.labels, gmail.metadata, gmail.settings.basic
- Restricted (CASA audit required): gmail.modify, gmail.readonly, gmail.insert, https://mail.google.com/
The pattern: any scope that reads email bodies = Restricted. Subject lines and headers only = Sensitive.
CATA audit cost: $3K-$15K via approved auditors (Bishop Fox, Leviathan Security, etc.), 6-12 week review, annual re-audit.
Why: Justin's live Google Cloud Console showed the Restricted badge; Claude had stale training data on the tier.
How to apply: When planning any Gmail OAuth integration, start from the assumption that body reads are Restricted. Confirm scope tiers against live console before building a verification plan. Never include gmail.modify in a "Sensitive-only" scope list.
[auto-memory session 1a660aac-56d2-400d-8206-c59564bbff19, confidence 0.88, mode direct]