If you have ever tried to connect Gmail to a CRM, you know the pain. Most CRMs use OAuth, which means you click "Connect Gmail," get redirected to a Google consent screen with a wall of permissions, click Allow, get redirected back, and hope it works. When it does work, great. When it does not -- and it breaks more often than anyone admits -- you are stuck in a loop of revoking permissions, clearing cookies, and trying again.
OAuth also has a trust problem. The consent screen asks for access to "read, send, and manage your email." That is a lot of access to give to a third-party app. Some companies block OAuth connections entirely for security reasons, which means their sales reps cannot use CRM email integration at all. And OAuth tokens expire, so the connection randomly breaks every few weeks and you have to reconnect.
We chose a different approach for SalesSheet's email integration. Instead of OAuth, we use Google App Passwords. It is simpler to set up, more reliable, and gives you more control over what access you are granting.
OAuth was designed for consumer apps where users click buttons and do not think about security. For B2B tools where data matters, App Passwords give you more control with less complexity.
A Google App Password is a 16-character password that Google generates for you. It works like a regular password but is scoped to a single application. You create one specifically for SalesSheet, and it only works for SalesSheet. If you revoke it, SalesSheet loses access instantly. Your main Google password is never shared.
App Passwords require 2-Step Verification on your Google account, which you should have enabled anyway. If you do not have 2-Step Verification turned on yet, the setup process below will walk you through that too.
That is it. The entire process takes under 3 minutes. SalesSheet verifies both IMAP and SMTP connections in sequence and shows green checkmarks for each step. If something fails, you will see a troubleshooting tip -- for example, "Make sure you are using an App Password (not your regular Google password)" or "Ensure IMAP is enabled in Gmail Settings." No redirects, no consent screens, no permission walls.
This might sound counterintuitive. OAuth is the "modern" approach, so it must be more secure, right? Not necessarily. Here is why App Passwords can actually be better from a security standpoint:
An App Password only grants access to email (IMAP and SMTP). It cannot access your Google Drive, Calendar, Contacts, or any other Google service. OAuth tokens, depending on the scopes requested, can access multiple services. If it were ever compromised, the App Password would have a narrower blast radius.
Revoking an App Password takes 5 seconds. Go to your Google account, find the App Password, click Revoke. Access is terminated immediately. OAuth revocation works too, but it sometimes takes time to propagate, and some apps cache tokens locally.
OAuth requires the CRM vendor to maintain a Google API integration, handle token refreshes, and manage client secrets. If any of those break, your email stops syncing. App Passwords work through standard IMAP and SMTP, which are the most battle-tested email protocols in existence. There are no API rate limits, no token expirations, and no dependency on Google's OAuth infrastructure.
With OAuth, the CRM stores a token that represents your access. You have to trust that they store it securely. With an App Password, you generated the credential and you can destroy it at any time. If you stop using SalesSheet, revoke the App Password and the connection is gone. No need to wonder whether the CRM still has a valid token sitting in their database.
Once connected, SalesSheet syncs your email in both directions:
SalesSheet does not sync every email in your inbox. It only syncs emails that match contacts in your CRM. Your personal emails, newsletters, and receipts stay private. This is another advantage of the App Password approach -- we only read the emails that are relevant to your sales activity.
If you use Google Workspace (formerly G Suite) through your company, the setup is identical. Your admin may need to allow App Passwords in the Workspace admin console first. The setting is under Security, then Less secure apps (despite the misleading name, App Passwords are not "less secure"). If your admin has disabled App Passwords, show them this article -- the security argument is straightforward, and many organizations allow App Passwords once they understand the scoping.
This means 2-Step Verification is not enabled on your account. Go back to Step 1 and enable it first. Google only shows the App Passwords option after 2-Step Verification is active.
Double-check that you copied the full 16-character App Password without any spaces before or after. Also verify that you entered your full Gmail address (including @gmail.com or your custom domain). If it still fails, generate a new App Password and try again -- sometimes the copy did not capture all 16 characters.
Sync runs every 5 minutes. After the initial connection, wait at least 5 minutes before checking. If emails still are not appearing, open the Gmail Connection Status dialog and click "Health Check" to verify the connection is healthy. Occasionally, Google requires you to re-verify your identity after generating an App Password, which can temporarily disable it.
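The 16-character check and the IMAP-then-SMTP verification described in this article can be reproduced with Python's standard library. This is an added example, not SalesSheet's code; the function names and the SMTP tip text are assumptions, and the two check functions are injectable so the sequence can be exercised without a network connection.

```python
import imaplib
import smtplib
import ssl

IMAP_HOST, SMTP_HOST = "imap.gmail.com", "smtp.gmail.com"  # Gmail's public endpoints
TIPS = {  # "imap" tip follows the article's wording; "smtp" tip is constructed
    "imap": "Use an App Password (not your regular Google password) and "
            "ensure IMAP is enabled in Gmail Settings.",
    "smtp": "IMAP worked but SMTP did not: generate a new App Password and retry.",
}

def normalize_app_password(raw):
    """Drop whitespace picked up while copying; require exactly 16 characters."""
    # Assumption: spaces inside the pasted value are display grouping only.
    compact = "".join(raw.split())
    if len(compact) != 16:
        raise ValueError(f"App Password has {len(compact)} characters, expected 16")
    return compact

def check_imap(user, password):
    ctx = ssl.create_default_context()  # certificate and hostname are verified
    with imaplib.IMAP4_SSL(IMAP_HOST, 993, ssl_context=ctx) as conn:
        conn.login(user, password)
        conn.select("INBOX", readonly=True)  # read-only: the check changes nothing

def check_smtp(user, password):
    ctx = ssl.create_default_context()
    with smtplib.SMTP_SSL(SMTP_HOST, 465, context=ctx, timeout=15) as conn:
        conn.login(user, password)  # authenticate only, no message is sent

def verify_connection(user, raw_password, imap_check=check_imap, smtp_check=check_smtp):
    """Return [(step, ok, tip)], stopping at the first failure; never logs the password."""
    try:
        if "@" not in user:
            raise ValueError("Enter the full address, including the domain")
        password = normalize_app_password(raw_password)
    except ValueError as exc:
        return [("format", False, str(exc))]
    results = [("format", True, "")]
    for step, check in (("imap", imap_check), ("smtp", smtp_check)):
        try:
            check(user, password)
        except (imaplib.IMAP4.error, OSError):  # auth, TLS and network failures
            return results + [(step, False, TIPS[step])]
        results.append((step, True, ""))
    return results
```

Calling `verify_connection` with only an address and an App Password uses the real Gmail endpoints; read the password with `getpass.getpass()` rather than passing it on the command line, where it would land in shell history.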
The simplest email integration is the most reliable one. No tokens to refresh, no APIs to maintain, no consent screens to click through. Just a password and a standard protocol that has worked for 30 years.
The whole process takes under 3 minutes. Open SalesSheet, go to Settings, click Connect Gmail, and follow the steps above. Once connected, every email you send and receive from your CRM contacts is automatically tracked. No more forgetting to BCC the CRM. No more manually logging emails. It just works. See the full email integration feature for more details on what you can do once connected.