2
votes

I am using the Gmail API and I am trying to fetch emails from all users under the company. But when I run code such as:

function runAPI(auth) {
  var gmail = google.gmail('v1');
  gmail.users.threads.list({auth: auth, userId: '108800016305523828361'},'',function(err, response){
    if (err) {
      console.log("The API returned an error: " + err);
      return;
    }
    var threads = response.threads;
    console.log(threads);
  })
}

I get the error:

The API returned an error: Error: Delegation denied for [email protected]

In admin console I did this:


As the client name I used the id from the client_secret.json file. And for scope, I gave it all permissions.

How do I properly set up domain-wide delegation for the Gmail API?


2 Answers

1
votes

The setup is fine; however, in your code you're doing it wrong.

This code:

gmail.users.threads.list({auth: auth, userId: '108800016305523828361'},'',function(err, response)

specifically.

userId should be "me". However, before you can call the Gmail API, you need to use the service account "JWT flow" in your code to retrieve an OAuth2 credential for the Gmail user you want to access, as described in the "Preparing to make an authorized API call" service account domain-wide delegation doc.

Specifically this uses your service account's private key to request to get a credential for the user you desire (set the user's email in your domain that you want to access in the setServiceAccountUser([email protected]) function in the request). Then you can use that GoogleCredential in your call to the Gmail API.
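The JWT flow described in the answer above, as an added example that is not part of the original answer and not Google's client library code: it builds and signs the assertion by hand with Node's crypto module to show that the impersonated user goes in the `sub` claim. The function names, the throwaway key pair and the addresses are constructed for illustration, and the narrow `gmail.readonly` scope is an assumption used here in place of the "all permissions" mentioned in the question.

```javascript
const crypto = require('crypto');

const TOKEN_URL = 'https://oauth2.googleapis.com/token';
const b64url = (data) => Buffer.from(data).toString('base64url');

// serviceAccountEmail: "client_email" from the service account key file.
// userEmail: the domain user to impersonate; it goes in the "sub" claim.
function buildDelegationAssertion(serviceAccountEmail, privateKeyPem, userEmail, scopes, now) {
  if (!userEmail) throw new Error('sub (user to impersonate) is required for delegation');
  const iat = Math.floor((now || Date.now()) / 1000);
  const header = { alg: 'RS256', typ: 'JWT' };
  const claims = {
    iss: serviceAccountEmail,
    sub: userEmail,
    scope: scopes.join(' '), // must be covered by the scopes authorized in the admin console
    aud: TOKEN_URL,
    iat: iat,
    exp: iat + 3600,         // assertions are valid for at most one hour
  };
  const signingInput = b64url(JSON.stringify(header)) + '.' + b64url(JSON.stringify(claims));
  const signature = crypto.sign('RSA-SHA256', Buffer.from(signingInput), privateKeyPem);
  return signingInput + '.' + signature.toString('base64url');
}

// Form body POSTed to TOKEN_URL to exchange the assertion for an access token.
function tokenRequestBody(assertion) {
  return new URLSearchParams({
    grant_type: 'urn:ietf:params:oauth:grant-type:jwt-bearer',
    assertion: assertion,
  }).toString();
}

// Decode the claim set (middle segment) without verifying, for inspection only.
function decodeClaims(assertion) {
  return JSON.parse(Buffer.from(assertion.split('.')[1], 'base64url').toString('utf8'));
}

// Constructed sample values: throwaway key pair and placeholder addresses.
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const samplePem = privateKey.export({ type: 'pkcs8', format: 'pem' });
const sampleAssertion = buildDelegationAssertion(
  'sa-name@project-id.iam.gserviceaccount.com', samplePem, 'user@example.com',
  ['https://www.googleapis.com/auth/gmail.readonly'], Date.UTC(2024, 0, 1));
console.log(decodeClaims(sampleAssertion));
console.log(tokenRequestBody(sampleAssertion).slice(0, 80) + '...');
```

The access token returned for this assertion belongs to the user named in `sub`, which is why the Gmail call then uses `userId: 'me'`.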

0
votes

For the question How do I properly setup domain wide delegation for Gmail API?

I think this documentation from Google can help you with this. Just follow these steps to delegate domain-wide authority.

  1. Go to your Google Apps domain’s Admin console.

  2. Select Security from the list of controls. If you don't see Security listed, select More controls from the gray bar at the bottom of the page, then select Security from the list of controls. If you can't see the controls, make sure you're signed in as an administrator for the domain.

  3. Select Show more and then Advanced settings from the list of options.

  4. Select Manage API client access in the Authentication section.

  5. In the Client Name field enter the service account's Client ID. You can find your service account's client ID in the Service accounts page.

  6. In the One or More API Scopes field enter the list of scopes that your application should be granted access to. For example, if your application needs domain-wide access to the Google Drive API and the Google Calendar API, enter: https://www.googleapis.com/auth/drive, https://www.googleapis.com/auth/calendar.

    In your case, use this scope for Gmail API.

  7. Click Authorize.

For more information about the error 403 or Delegation denied for <user email>, check this related SO question: