Increased account security via OAuth 2.0 token revocation for Google Apps

September 26, 2016

To increase account security for Google Apps users, starting on October 5, 2016, OAuth 2.0 tokens issued for access to certain products will be automatically revoked when a user's password is changed. Third-party mail apps like Apple Mail and Thunderbird―as well as other applications that use mail scopes to access a user’s mail―will stop syncing data upon password reset until a new OAuth 2.0 token has been granted. A new token will be granted when the user re-authenticates with their Google account username and password.

Third-party mail applications on mobile are also included in this policy change. For example, users who use the native mail application on iOS will now have to re-authenticate with their Google account credentials when their password has been changed. This new behavior for third-party mail apps on mobile aligns with the current behavior of Gmail on iOS and Android, which also requires re-authentication upon password reset.

The token revocation process does not include applications built on Apps Script, even if the script accesses mail.

For more information about this upcoming change, review the Google Support document "Automatic OAuth 2.0 token revocation upon password change."