← Docs

Self-Hosting

inbox.dog is open source. You can deploy it to your own Cloudflare account and use your own Google OAuth credentials.

CASA Audit Required for Write Access

For production Gmail write access (send, modify, labels), Google requires a CASA Tier 2 security audit. The hosted inbox.dog service has already passed this audit—self-hosted deployments do not inherit that certification.

If you need write scopes in production, you must either use the hosted service or complete your own CASA audit for your deployment.

vet — CASA Tier 2 security scanner. Pre-scan your app before the assessor arrives.

Prerequisites

  • Cloudflare account
  • Google Cloud project with OAuth 2.0 credentials
  • For write scopes: CASA Tier 2 audit (or use read-only)

Deploy

  1. Clone the repo: git clone https://github.com/acoyfellow/inbox.dog
  2. Configure worker/wrangler.jsonc with your KV namespace and bindings
  3. Set secrets:
    • GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET — your Google OAuth credentials
    • ENCRYPTION_SECRET — at least 32 characters, used to encrypt tokens at rest in KV
    • ALLOWED_ORIGINS(optional) comma-separated origins for CORS, e.g. https://your-domain.com. Open to all origins if unset.
  4. Add your OAuth redirect URIs in the Google Cloud Console
  5. Deploy: cd worker && wrangler deploy

Use Your Deployment

Point the inbox.dog SDK at your deployed URL: 

import { InboxDog } from 'inbox.dog';

const dog = new InboxDog({ baseUrl: 'https://your-worker.your-domain.workers.dev' });

View source on GitHub