Reviewer Guide

This guide helps Google Trust & Safety validate how the application uses the https://mail.google.com/ scope, including permanent deletion of Gmail messages via IMAP + XOAUTH2.

Prerequisites

• Use a Gmail test account with at least three sample emails so that backup and delete features can be exercised.
• Ensure the account has IMAP enabled under Gmail > Settings > Forwarding and POP/IMAP.
• Open https://mailapi.vip in a desktop browser.

1. Sign in & Consent

1. Click Sign in with Google.
2. Approve the consent screen that requests the https://mail.google.com/ scope.
3. After redirect, verify the home page displays the signed-in email address.

2. Run a Backup

1. Click Start Backup, keep the default threshold, and submit the form.
2. Observe the progress screen; once complete, a ZIP archive is available via the Download Backup ZIP button.
3. The app stores .eml files and attachments under the gmail_backup/ directory on our server until the session expires.

3. Verify Permanent Deletion

1. Return to the home page and click Delete Backed-Up Emails.
2. The app authenticates to Gmail IMAP using XOAUTH2 and issues a STORE +FLAGS (\Deleted) followed by EXPUNGE for each backed-up message. This bypasses the Trash entirely.
3. The confirmation card displays the count of permanently deleted messages.
4. In the Gmail web UI for the test account, confirm the deleted messages do not appear in Inbox, Trash, or All Mail.

4. Session Cleanup

• Click Sign Out. This clears OAuth tokens, wipes the temporary backups from our server, and removes all cached metadata.
• Optionally revoke the app under Google Account > Security > Third-party apps with account access.

Support

If any step fails, contact admin@mailapi.vip with the test account email and timestamp.