Can GAIA access more than I authorized?

No. OAuth scopes strictly limit what GAIA can access. If GAIA is authorized to read email but not delete it, the API will reject any deletion attempt. GAIA requests the minimum scopes needed for the features you enable.

OAuth

OAuth (Open Authorization) is an open standard for delegated authorization that allows a third-party application to access a user's data in another service without requiring the user to share their password.

Understanding OAuth

OAuth solves a fundamental problem in integrations: how does App A access your data in App B without you giving App A your App B password? Sharing passwords is dangerous — if App A is compromised, your App B credentials are too. OAuth creates a safer alternative through authorization tokens. The OAuth flow works as follows: you click 'Connect to Gmail' in GAIA, you're redirected to Google's authorization page, you approve the specific permissions GAIA is requesting (read email, send email, manage calendar), Google issues an access token to GAIA, GAIA uses that token to make API calls on your behalf. You never share your Google password with GAIA. OAuth 2.0 (the current standard) supports multiple flows for different contexts: Authorization Code (for web applications, the most secure), Client Credentials (for server-to-server integrations), and Device Code (for devices without browsers). Most user-facing integrations use Authorization Code flow. Scopes are a critical security feature of OAuth. Rather than all-or-nothing access, OAuth scopes define granular permissions — GAIA might request 'read email' scope but not 'delete email' scope. Users can see exactly what permissions they're granting and revoke them at any time.

How GAIA Uses OAuth

GAIA uses OAuth 2.0 for all third-party integrations including Gmail, Google Calendar, Slack, Notion, Linear, and 50+ other services. You authorize GAIA with specific scopes for each service; GAIA never stores your passwords. All OAuth tokens are encrypted at rest and can be revoked at any time from your connected accounts settings.

Related Concepts

API Integration

API integration is the process of connecting different software applications through their Application Programming Interfaces, enabling them to share data and functionality seamlessly.

Self-Hosting

Self-hosting is the practice of running software on your own servers or infrastructure instead of using a cloud-hosted service, giving you complete control over your data, configuration, and availability.

Data Sovereignty

Data sovereignty is the principle that data is subject to the laws and governance of the jurisdiction where it is stored, and that individuals and organizations have the right to control where their data resides and who has access to it.

REST API

A REST (Representational State Transfer) API is a web service interface that uses standard HTTP methods (GET, POST, PUT, DELETE, PATCH) to access and manipulate resources identified by URLs, following a set of architectural conventions that make APIs predictable and interoperable.

Webhook

A webhook is an HTTP callback mechanism where a system sends an automated HTTP request to a specified URL whenever a defined event occurs, enabling real-time notification and integration between services without polling.

Frequently Asked Questions

Yes. GAIA uses OAuth 2.0, which means you authorize specific permissions without sharing your Google password. Google's authorization page shows exactly what GAIA can access. You can revoke access at any time from your Google account settings or GAIA's connected accounts page.