How inbox.dog Works
inbox.dog is an OAuth proxy. It handles the Google OAuth 2.0 flow so you don't have to.
Architecture
┌─────────────┐    ┌──────────────┐    ┌─────────────┐
│  Your App   │───▶│  inbox.dog   │───▶│   Google    │
│             │◀───│              │◀───│    OAuth    │
└─────────────┘    └──────────────┘    └─────────────┘

- Your app redirects the user to inbox.dog/oauth/authorize
- inbox.dog redirects the user to Google's consent screen with the correct scopes and credentials
- The user authenticates with Google and grants permission
- Google redirects back to inbox.dog with an authorization code
- inbox.dog redirects the user to your redirect_uri with a short-lived code
- Your app exchanges that code for tokens via POST /oauth/token
- The tokens work directly with gmail.googleapis.com; inbox.dog is no longer in the path
What inbox.dog stores
| Data | Stored by inbox.dog | Notes |
|---|---|---|
| Your API key (client_id, client_secret) | Yes | In Cloudflare KV |
| OAuth state (CSRF token) | Temporarily | Expires after 10 minutes |
| Authorization codes | Temporarily | Expires after 5 minutes |
| Access tokens | No | Returned to you, never stored |
| Refresh tokens | No | Returned to you, never stored |
| User emails | No | inbox.dog never reads email content |
Security model
- inbox.dog never reads or stores your users' emails, and never stores their tokens
- Tokens are passed through to your app and discarded
- All traffic is HTTPS
- OAuth state tokens prevent CSRF attacks
- Authorization codes are single-use and expire in 5 minutes
- The entire codebase is open source (MIT) — audit it yourself
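
The expiry and single-use rules above (state for 10 minutes, authorization codes for 5 minutes and redeemable once) can be modelled as follows. This is an added example, not inbox.dog's own code; `OneTimeStore`, `demo` and the `demo-client` value are hypothetical, and an in-memory dict stands in for the KV store.

```python
import hashlib
import secrets
import time

STATE_TTL = 10 * 60  # seconds; OAuth state lifetime from the table
CODE_TTL = 5 * 60    # seconds; authorization code lifetime from the table


class OneTimeStore:
    """Hypothetical in-memory stand-in for a KV store of expiring, single-use values."""

    def __init__(self, ttl, clock=time.monotonic):
        self.ttl = ttl
        self.clock = clock
        self._entries = {}  # sha256(value) -> (expires_at, payload)

    @staticmethod
    def _key(value):
        # Index by digest so the raw secret is not kept at rest (an assumption).
        return hashlib.sha256(value.encode()).hexdigest()

    def issue(self, payload):
        value = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._entries[self._key(value)] = (self.clock() + self.ttl, payload)
        return value

    def redeem(self, value):
        # pop() deletes the entry before any other check, so a replay finds nothing.
        entry = self._entries.pop(self._key(value), None)
        if entry is None:
            return None  # unknown, forged, or already redeemed
        expires_at, payload = entry
        return payload if self.clock() < expires_at else None


def demo():
    now = [0.0]  # controllable clock so expiry can be shown without waiting
    clock = lambda: now[0]
    states, codes = OneTimeStore(STATE_TTL, clock), OneTimeStore(CODE_TTL, clock)
    state = states.issue({"client_id": "demo-client"})  # constructed sample value
    code = codes.issue({"client_id": "demo-client"})
    first, replay = codes.redeem(code), codes.redeem(code)
    now[0] = STATE_TTL  # ten minutes later the state has expired
    return first, replay, states.redeem(state)
```

`demo()` returns the payload for the first redemption, then `None` for the replayed code and `None` for the expired state.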