Nice, but I'm very reluctant to give any third-party access to my mailbox. Most sites I use let me reset my password by email, so this is like handing over the keys to the castle.
Yep. It would depend how granular it is. I'd like to only allow access by sender domain or something like that.
However - how many people trust our email to small web hosting companies? How much better is that?
For example - many of my clients use the mailbox provided by Webfaction who I'm sure are beyond reproach but do I trust them any more than I trust a well known SASS company that integrates using the GMail API?
I run a small self-tracking service (zenobase.com), and would love to let my users pull in some "metadata" from their email (e.g. the number of messages in the inbox, or the number of messages sent by hour). But I don't want my users to trust me with unrestricted access to their email.
One of the advantages of this is that it allows finer-grained control than IMAP, so it can be used, e.g., for apps that can send mail (or create/read outgoing drafts) but cannot read incoming mail. So you can have at least some mail apps that don't require the "keys to the castle" that you are worried about.
It looks like auth scopes allow to restrict to read-only already [1], but I would really love to be able to restrict to a specific label/subfolder. Would provide a good level of security without having to forward the email etc, plus labels can be applied afterwards without modifying an email.
This seems great for building bridges from Google Apps' Gmail to internal applications, though, where there's no third-party to worry about.
Being able to replace my current IMAP client code - full of hacks to convert internal ids to Gmail ids and format conversion issues - into a couple of HTTP calls sounds great to me.
