Building a CRM with Bubble: Navigating Gmail API Restrictions
If you're building a CRM with Bubble, then this video is for you because I want to talk about something I posted on the Bubble forum back in January 2021. It's about the Gmail API restrictive content and Google security audit, and the huge cost involved. In a nutshell, if you want to access a Gmail user's inbox, you have to jump through a load of hoops to confirm that you're using that data in a secure and proper way.
The Challenges of Using Gmail API in Bubble Apps
As a consumer, it's quite a relief that Google is being protective of that data. But effectively, what that means is that if you're planning on using the Gmail API and you want to build something that is an external application, not just for internal use in your business, then you could be faced with a $1,000 or more fee to conduct a security audit.
The Gray Area of Security Audits for Bubble Apps
I've had a quick look through the Bubble forum this morning, and it's a bit of a gray area. How much of a security audit could an external security company conduct on your Bubble app? You then have access to the AWS elements. It's a bit of a mystery box. Well, it's not a mystery box, but how much can you actually comply with an auditor when auditing your app? There's a bit of a discussion going on, and every few months I get a message about this asking if I came up with a solution.
An Alternative Solution: Using Help Scout
The solution I'd recommend is that you go down the route of a service like Help Scout. Help Scout is a helpdesk SaaS application. They're very good; I've used them in the past. They let you send and receive email through an inbox in their application. Last time I checked, they don't use the Gmail API because they use a service called Postmark, which is a transactional and marketing email API.
Building Your Own Inbox with Postmark API
Postmark allows you to send and receive emails. By using an API service like Postmark, you can build your own inbox in your Bubble app for your users. The emails aren't actually going into a Gmail or Google Workspace inbox at all. They're all handled through your app, and you can set up domain verification so that the outbound emails are legit. They come under the authority and identity of your users. You can do all of that through the Postmark API, inbound and outbound.
How Other CRMs Handle Email Integration
This is exactly how services like Help Scout work. In fact, in my experience looking through different CRMs, if they don't offer a Gmail integration, they're probably using a solution like this with Postmark to send and receive emails.
Considerations When Building Your Own Inbox
A few caveats on this: if you are making your own inbox and it's not going through Gmail, then your users are not actually getting the messages themselves. The messages are only going to be found on your Bubble application. You might want to consider how easily, if at all, you can export those messages, so that a user who leaves your service doesn't lose access to the inbound or outbound email they created or received while using your app.
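One way to handle the export concern above, as an added example (not code from the video, Bubble or Postmark): it writes one user's stored messages to a standard mbox file that other mail clients can import, filtering by owner so that one user's export never contains another user's mail. The record layout and field names (`owner_id`, `direction` and so on) are assumptions, and the sample rows are constructed.

```python
import mailbox
from datetime import datetime
from email.message import EmailMessage
from email.utils import format_datetime

# Constructed sample rows; field names are hypothetical, not a Bubble or Postmark schema.
STORED = [
    {"owner_id": "u1", "direction": "inbound", "from": "alice@example.com",
     "to": "sales@tenant-one.example", "subject": "Quote request",
     "date": "2021-01-12T09:30:00+00:00", "message_id": "<m1@example.com>",
     "text": "Could you send pricing?"},
    {"owner_id": "u1", "direction": "outbound", "from": "sales@tenant-one.example",
     "to": "alice@example.com", "subject": "Re: Quote request\r\nBcc: x@example.net",
     "date": "2021-01-12T10:05:00+00:00", "message_id": "<m2@tenant-one.example>",
     "text": "Pricing attached."},
    {"owner_id": "u2", "direction": "inbound", "from": "bob@example.org",
     "to": "help@tenant-two.example", "subject": "Private to tenant two",
     "date": "2021-01-13T08:00:00+00:00", "message_id": "<m3@example.org>",
     "text": "Not for u1."},
]

def clean(value):
    # Collapse CR/LF so a stored value cannot add header lines to the export.
    return " ".join(str(value).split())

def to_email(rec):
    msg = EmailMessage()
    for header, key in (("From", "from"), ("To", "to"), ("Subject", "subject"),
                        ("Message-ID", "message_id"), ("X-Direction", "direction")):
        msg[header] = clean(rec[key])
    msg["Date"] = format_datetime(datetime.fromisoformat(rec["date"]))
    msg.set_content(rec["text"])
    return msg

def export_mbox(records, owner_id, path):
    """Write only owner_id's messages to an mbox file and return how many were written."""
    box = mailbox.mbox(path, create=True)
    written = 0
    try:
        for rec in records:
            if rec["owner_id"] != owner_id:  # never export another user's mail
                continue
            box.add(to_email(rec))
            written += 1
        box.flush()
    finally:
        box.close()
    return written
```

The second sample row carries a line break in its subject to show why stored values are cleaned before they become headers.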
Google's OAuth API Verification Process
I'll just point out what I was referring to earlier. This is the page on Google about OAuth API verification. It's been updated more recently than when I last checked it, and I can't find the mention of this $15,000 fee. But what I could find is that it's conducted by an external auditor and that there are costs involved. Maybe they're deliberately obscuring the costs even more now.
Conclusion: Alternatives to Gmail API for Bubble Apps
Unless you've got deep pockets, I think you're going to struggle to use the Gmail API with a Bubble app. The alternative I'd recommend is to use Postmark and basically set up your own inbound/outbound inbox email service. So yeah, if you're learning Bubble, this is something to keep in mind when building email functionality into your CRM.