An MCP server that reads across all your Gmail accounts from one connection.
Most Gmail integrations — including the native connectors — bind a single
account per OAuth grant: connect a second inbox and you disconnect the first.
gmail-mcp keeps any number of accounts authorized at once. One Google Cloud
client authorizes them all, each lands as a row in a local SQLite file, and every
tool takes an account argument that routes to the right mailbox.
search_all_accounts sweeps all of them in a single query.
Python 3.12+ · MIT · stdio MCP server + auth CLI · local SQLite token store
It's built to be owned completely: runs in-process over stdio, stores tokens in one SQLite file you can inspect, copy, or delete, talks only to Google and your MCP client, and hardcodes no secrets.
It reads, searches, drafts, and labels. It doesn't send — create_draft leaves
a draft for you to send yourself. That's a deliberate default (reasoning in
Security model), not a hard stance; if you want autonomous
send, it's a small addition or a different server.
- The idea in 30 seconds
- Design notes
- Tools
- Architecture
- Identity & auth model
- Security model
- Install
- Quickstart
- Configuration
- Register with an MCP client
- Development
- Project layout
- License
Authorize N accounts once via the CLI. Then every tool takes an account, and
search_all_accounts hits all of them at once:
search_all_accounts(query="invoice newer_than:30d")
── personal@gmail.com ───────────────────────────────
from: billing@acme.com subject: Invoice #4821 (id 18f...)
── work@company.com ─────────────────────────────────
from: ap@vendor.io subject: March invoice (id 19a...)
One query, every inbox, each result tagged with its account and carrying the
message id — so the agent can chain read_message(account, id) or
create_draft(...) next.
One OAuth client, many inboxes. A single Google Cloud project and one
client_secret.json authorize every account. Adding the tenth inbox is the same
one-command flow as the first.
Boring storage. Tokens live in one SQLite file under ~/.gmail-mcp/. No
daemon, no keyring dependency, no cloud. Back it up by copying it; revoke an
account by deleting a row; inspect it with any SQLite tool.
Least privilege. Three granular scopes — gmail.readonly, gmail.compose,
gmail.modify — never the full-mailbox https://mail.google.com/. It can read,
draft, and label; it can't delete mail.
Headless-friendly. The auth flow assumes the server may have no browser: it prints a consent URL, binds a fixed port, and you SSH-forward the redirect. Works fine on a desktop too.
Every tool except list_accounts and search_all_accounts takes an account
(the email address). Unknown accounts return an error listing the authorized ones.
| Tool | Arguments | Returns |
|---|---|---|
list_accounts |
— | Authorized accounts + last-used time. Discover valid account values. |
search_messages |
account, query, max_results=20 |
Message summaries (Gmail search syntax) with ids. |
read_message |
account, message_id, format="full" |
Decoded headers, plaintext body (HTML stripped if needed), attachment metadata. |
read_thread |
account, thread_id |
Every message in the thread, in order. |
search_all_accounts |
query, max_results_per_account=10 |
One search across every account, each result tagged by account. |
create_draft |
account, to, subject, body, cc?, bcc?, html=false |
A draft (not sent). Returns the draft id. |
list_drafts |
account, max_results=20 |
Draft ids in the account. |
list_labels |
account |
The account's labels (name + id). |
modify_labels |
account, message_id, add?, remove? |
Add/remove labels by id or name (resolves existing labels; won't create). |
flowchart TD
subgraph client[Your machine]
Agent[MCP client / agent]
CLI[gmail-mcp-auth CLI]
Server[gmail-mcp stdio server]
Store[("SQLite<br/>~/.gmail-mcp/tokens.db")]
Secret["client_secret.json<br/>one OAuth client"]
end
Google[Google OAuth + Gmail API]
CLI -->|"loopback OAuth, once per account"| Google
CLI -->|"store refresh token"| Store
Secret -.-> CLI
Agent -->|"tool call (account=...)"| Server
Server -->|"look up + refresh creds"| Store
Secret -.-> Server
Server -->|"read / draft / label"| Google
Server --> Agent
Authorization happens once per account through the CLI (it needs a browser). After that the stdio server reads tokens straight from SQLite, refreshing access tokens on demand and persisting them back. The rest of this section is the "why it works the way it does" detail.
How gmail-mcp authenticates to Gmail, juggles multiple accounts under a single
OAuth client, refreshes tokens over time, and authorizes accounts on a headless
server. If you just want to get running, jump to Quickstart.
gmail-mcp authenticates using a Google "Desktop app" OAuth client (an
installed application in OAuth 2.0 terms), driven by the InstalledAppFlow
helper from google-auth-oauthlib.
Why an installed-app / desktop client. Installed apps run on a machine the
end user controls, so OAuth treats them as public clients: the client_secret
in the downloaded client_secret.json is not assumed to be confidential.
That's the right trust model for a local CLI/desktop tool — there's no
server-side component that could keep a secret truly secret, and security rests
on the user controlling the redirect (the loopback address) rather than on secret
confidentiality. It's the client type Google recommends for command-line and
desktop tools.
The loopback redirect flow. After you approve consent in a browser, Google
redirects the authorization code to http://localhost:<port>/, where a tiny
throwaway HTTP server (started by InstalledAppFlow.run_local_server) catches
it. gmail-mcp pins this to a fixed port (default 8765, override with
GMAIL_MCP_OAUTH_PORT) and runs with open_browser=False so it works on
machines with no browser — see The headless auth path.
Scopes requested. Three granular scopes — never the full-mailbox
https://mail.google.com/:
| Scope | What it grants |
|---|---|
gmail.readonly |
Read mail and metadata: search messages/threads, read bodies, list labels and drafts. Read-only — cannot modify anything. |
gmail.compose |
Create, update, and manage drafts. Used only by create_draft. |
gmail.modify |
Add/remove labels on messages. Used by modify_labels. |
gmail.send is not requested. Without it the credential simply has no Gmail API
path to send mail — the drafts-only behavior is a property of the grant, not just
an omitted tool. The scope list lives in one place: SCOPES in
src/gmail_mcp/config.py.
- One OAuth client authorizes many accounts. You create a single Google
Cloud project and one "Desktop app" OAuth client, then run the consent flow
once per Gmail account, signing into the account you want to add each time. A
single
client_secret.jsoncan authorize any number of accounts. - Each account is a row in SQLite. Every authorized account is stored in the
accountstable (~/.gmail-mcp/tokens.db, override withGMAIL_MCP_DB), keyed by email. The row holds the long-lived refresh token, the most recent access-token blob, the granted scopes, and timestamps. - Tool calls route by the
accountparam. Every tool exceptlist_accountsandsearch_all_accountstakes anaccount. The server looks that email up, builds a credential for it, and calls the Gmail API as that account. Unknown accounts return a clear error listing what's authorized.search_all_accountsiterates over every stored row.
flowchart LR
Client[MCP client / agent] -->|"account=a@x.com"| Server[gmail_mcp.server]
Server --> Store[("accounts table<br/>keyed by email")]
Store -->|"row a@x.com"| CredsA[Credentials a]
Store -->|"row b@y.com"| CredsB[Credentials b]
CredsA --> InboxA["Gmail: a@x.com"]
CredsB --> InboxB["Gmail: b@y.com"]
Secret["client_secret.json<br/>one OAuth client"] -.->|"shared by all rows"| CredsA
Secret -.-> CredsB
Initial grant (one-time, per account, via the CLI). The OAuth flow needs a
browser, which an MCP tool can't drive cleanly, so authorization lives in the
gmail-mcp-auth CLI rather than as a tool.
sequenceDiagram
actor User
participant CLI as gmail-mcp-auth add
participant Browser
participant Google as Google OAuth + Gmail API
participant Store as SQLite token store
User->>CLI: run `gmail-mcp-auth add`
CLI->>CLI: load client_secret.json,<br/>start loopback server on :8765
CLI-->>User: print consent URL (open_browser=False)
User->>Browser: open URL, sign into target account
Browser->>Google: consent + approve scopes
Google-->>Browser: redirect with authorization code
Browser->>CLI: GET http://localhost:8765/?code=...
CLI->>Google: exchange code for tokens
Google-->>CLI: access token + refresh token
CLI->>Google: users.getProfile (discover email)
Google-->>CLI: emailAddress
CLI->>Store: upsert(email, refresh_token, token, scopes)
CLI-->>User: "Authorized and stored: you@gmail.com"
- The CLI passes
prompt="consent"to force a refresh token to be issued — Google only returns one on a fresh consent. The CLI errors clearly if no refresh token comes back (revoke the app at https://myaccount.google.com/permissions and re-run). - The account's email is discovered, not typed: after the token exchange the
CLI calls
users.getProfileand keys the stored row by the returned address.
Per-request refresh (every tool call). Access tokens are short-lived (≈1
hour). On each call the server rebuilds a credential for the target account, lets
google-auth refresh it on demand, and persists the refreshed blob back.
sequenceDiagram
participant Client as MCP client / agent
participant Server as gmail_mcp.server
participant Store as SQLite token store
participant Google as Google OAuth + Gmail API
Client->>Server: tool call (account=you@gmail.com)
Server->>Store: get(account) → refresh_token + last token
Server->>Server: build Credentials
alt access token still valid
Server->>Google: Gmail API request
else access token expired
Server->>Google: refresh using refresh_token
Google-->>Server: new access token
Server->>Store: update_token(account, new blob)
Server->>Google: Gmail API request
end
Google-->>Server: response
Server->>Store: touch(account) → last_used_at
Server-->>Client: result (email content wrapped as untrusted)
If a refresh fails (revoked grant, expired refresh token), the server raises
GmailAuthError with a "re-run gmail-mcp-auth add" message rather than crashing.
Testing vs. Published — the 7-day gotcha. This is the usual "it stopped working after a week" surprise:
- While the OAuth consent screen is in Testing mode, only listed test
users can authorize, and refresh tokens issued to an unverified app
expire after 7 days — you'd re-run
gmail-mcp-auth addweekly. - Publishing the app (consent screen → Publish app) makes refresh tokens long-lived. Google will warn it's "unverified" — expected and fine for a self-hosted personal tool you don't distribute. For long-lived use, publish. SETUP.md has the exact clicks.
The typical target is a headless server (no desktop, no browser), but OAuth consent has to happen in a browser. The flow bridges that:
-
open_browser=False— the CLI prints the consent URL instead of launching a browser. You open it on your own laptop, signed into the account you're adding. -
Fixed loopback port — after approval Google redirects to
http://localhost:<port>/. That "localhost" is the server's loopback, where the CLI listens. The port is fixed (default8765,GMAIL_MCP_OAUTH_PORT) so you can forward it deterministically. -
SSH port-forward — bridge your laptop's browser to the server's loopback:
ssh -L 8765:localhost:8765 you@your-server
Now when the redirect hits
localhost:8765on your laptop, SSH tunnels it to the server, where the CLI catches the code and finishes the exchange.
An inbox is full of text other people wrote, so it's a natural place for prompt injection. The standard framing is the lethal trifecta — injection is dangerous when an agent has all three of:
flowchart LR
A[Private data<br/>your mailboxes] --- C{Injection<br/>risk}
B[Untrusted content<br/>any email you receive] --- C
D[Egress channel<br/>a way to send data out] --- C
C -.->|drafts-only removes the obvious one| D
style D stroke-dasharray: 5 5
A mail reader has the first two by nature. A couple of choices keep the third low-stakes:
- Drafts instead of send.
create_draftis the outgoing ceiling — there's no send tool and nogmail.sendscope. A draft sits in your drafts folder until you send it, so an instruction buried in an email can't make the agent mail your data anywhere. Sensible default, easy to change if you want send. - Email content is marked as untrusted. Message text the tools return is
wrapped in
⟦UNTRUSTED EMAIL CONTENT⟧delimiters by a single helper (wrap_untrustedingmail.py), with ids kept outside so tool-chaining still works. The read tools also note in their descriptions that content is data, not instructions.
Known limitation. This only governs this server's surface. If the same
agent session also has a tool that can reach the open internet (web fetch, HTTP),
that's a separate egress path gmail-mcp can't do anything about — pairing it
with an arbitrary-egress tool re-opens the trifecta elsewhere. Be deliberate
about which tools share a session.
Two more notes: no audit log is implemented (intentionally out of scope), and no
secrets are hardcoded — client_id/client_secret come from your downloaded
client_secret.json, and tokens live only in your local SQLite store.
Requires Python 3.12+.
git clone https://github.com/cunicopia-dev/gmail-mcp.git
cd gmail-mcp
python -m venv .venv && source .venv/bin/activate
pip install -e . # add ".[dev]" for ruff + pytestThis installs two console scripts: gmail-mcp (the stdio server) and
gmail-mcp-auth (the account-authorization CLI).
You need a Google "Desktop app" OAuth client (client_secret.json) and one
authorization per account. The full click-by-click — creating the Google Cloud
project, enabling the Gmail API, publishing the consent screen, and the headless
SSH-forward step — is in docs/SETUP.md. The short version:
# 1. Drop your downloaded OAuth client here:
mkdir -p ~/.gmail-mcp && mv ~/Downloads/client_secret_*.json ~/.gmail-mcp/client_secret.json
# 2. Authorize an account (prints a URL to open in a browser; repeat per account).
# On a headless server, SSH in with -L 8765:localhost:8765 first.
gmail-mcp-auth add
# 3. Confirm what's authorized.
gmail-mcp-auth list
# 4. Point your MCP client at the `gmail-mcp` command (see below).Remove an account later with gmail-mcp-auth remove you@gmail.com.
All optional — sane defaults under ~/.gmail-mcp/.
| Variable | Default | Purpose |
|---|---|---|
GMAIL_MCP_DB |
~/.gmail-mcp/tokens.db |
SQLite token store path. |
GMAIL_MCP_CLIENT_SECRET |
~/.gmail-mcp/client_secret.json |
Downloaded Google OAuth client. |
GMAIL_MCP_OAUTH_PORT |
8765 |
Fixed loopback port for the auth flow (forward this over SSH on a headless box). |
The server speaks stdio. Point your client's mcpServers config at the
gmail-mcp command:
{
"mcpServers": {
"gmail": {
"command": "/path/to/gmail-mcp/.venv/bin/gmail-mcp"
}
}
}If gmail-mcp is on PATH, "command": "gmail-mcp" is enough. Override paths
explicitly when needed (some clients don't expand ~):
{
"mcpServers": {
"gmail": {
"command": "/path/to/gmail-mcp/.venv/bin/gmail-mcp",
"env": {
"GMAIL_MCP_DB": "/home/you/.gmail-mcp/tokens.db",
"GMAIL_MCP_CLIENT_SECRET": "/home/you/.gmail-mcp/client_secret.json"
}
}
}
}pip install -e ".[dev]"
ruff check .
pytest # 48 tests, no network — the Gmail client is mockedTests cover the pure layers — MIME parsing/decoding, label name→id resolution, the untrusted-content wrapper, output formatting, and token-store CRUD against a temp SQLite db.
src/gmail_mcp/
server.py MCP tool definitions + dispatch + per-account routing
gmail.py Gmail service build, token refresh/persist, MIME parse/format,
wrap_untrusted(), label resolution, MIME message build
store.py TokenStore — sqlite3 accounts table CRUD
auth.py gmail-mcp-auth CLI: add / list / remove (loopback OAuth)
config.py SCOPES + env-overridable paths
docs/
SETUP.md step-by-step Google Cloud + account authorization
tests/ store / gmail / server, Gmail client mocked
MIT — see LICENSE.