← All posts

April 18, 2026 · 5 min read

What the Gmail "Unverified App" Warning Means for Job Trackers

Connecting your Gmail to a job tracker shows a scary warning screen. Here is exactly what it means, what data is accessed, and how to stay safe.

When you connect your Gmail to HireCanvas or any other job tracking tool, Google shows a warning: "Google hasn't verified this app." For many users, this feels alarming — so let us explain exactly what is happening and what your options are.

Why the warning appears

Google divides Gmail permissions into two categories. Basic permissions (reading your profile, sending emails on your behalf) are easy to get approved. But reading your inbox — even read-only — is classified as a restricted scope.

For restricted scopes, Google requires an independent security audit called a CASA (Cloud Application Security Assessment) Tier 2 audit before removing the warning. This process takes 3–6 weeks and costs several thousand dollars. Most small SaaS tools show the warning while the audit is in progress.

The warning does NOT mean the app is malicious. It means Google has not yet completed its review process.

What HireCanvas actually accesses

HireCanvas requests gmail.readonly — read-only access to your inbox. Specifically, it:

  • Searches for emails matching job-related patterns (ATS senders, interview keywords)
  • Reads the subject, sender, and body of matching emails
  • Extracts company name, role, and application status using AI

It cannot send emails, delete emails, or access emails outside job-related searches. The access token is encrypted at rest using AES-256.

How to verify what an app can do

Before connecting any tool to your Gmail:

  1. Check the permissions screen carefully — it lists exactly what the app can access
  2. Look for gmail.readonly (safe) vs gmail.modify or gmail.compose (more invasive)
  3. Check the privacy policy for data retention and deletion policies
  4. Confirm you can revoke access at any time via Google Account Permissions

How to revoke access if you change your mind

Go to myaccount.google.com/permissions, find the app, and click Remove Access. The app immediately loses the ability to read your inbox.

HireCanvas also provides a disconnect button in Settings → Connections that revokes the token and deletes it from the database.

The bottom line

The "unverified app" warning is a Google compliance checkpoint, not a security verdict. It appears for all apps using restricted Gmail scopes until Google completes its audit. The audit process for HireCanvas is in progress. In the meantime, you can connect safely — the permissions are read-only, the tokens are encrypted, and you can disconnect at any time.

Track your job search automatically with HireCanvas.

Try HireCanvas free →