Access Gmail via domain-wide delegation of authority

Marek Dopiera marek at
Sun May 9 22:57:32 BST 2021

I just started using offlineimap and I love it. It took me a while,
however, to set it up to access Gmail via a service key and domain-wide
delegation of authority and I thought I'd share somewhere how to do it, as
I don't think it's documented anywhere. Therefore, I have two questions:
would you care for such a howto and which is the right place for it?

My use case is to back up a couple of Google Workspace accounts to an
external storage. Therefore, I don't want every user to give me (the admin)
consent (i.e. the documented OAuth flow), nor do I want to manage their
passwords for obvious reasons.

The solution is to create a service account with Google and delegate
domain-wide authority to that service account (as per
OfflineIMAP doesn't seem to allow for using such a service key directly,
but I made it work by abusing *oauth2_access_token_eval* to call a ~10-line
Python script, which generates the access token from the service key.

Thanks for a great piece of software

Marek Dopiera
marek at
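
One way to write the kind of token helper the message describes, added here as an example and not the author's script: it uses the google-auth library's service-account credentials with `subject` set to the mailbox owner, and refuses a key file that other local users can read. Assumptions: Python 3 with google-auth installed, the function names, the key path and user address passed in, and that `oauth2_access_token_eval` calls `access_token(...)` from a file loaded through offlineimap's `pythonfile` setting.

```python
"""Added example: mint a Gmail access token for one user from a service-account key."""
import os
import stat
import sys

# Full-mailbox IMAP scope; it must also be authorized for the service
# account's client ID in the Workspace admin console.
GMAIL_IMAP_SCOPE = "https://mail.google.com/"


def check_key_file(path):
    """Refuse a key file that other local users could read or modify.

    With domain-wide delegation this key can impersonate any user in the
    domain, so it should be owner-only (0600 or stricter).
    """
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path}: not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(
            f"{path}: mode {stat.S_IMODE(st.st_mode):04o} is too open")
    return path


def access_token(key_file, user):
    """Return a short-lived access token that acts as `user`."""
    # Imported lazily so the permission check works without google-auth.
    from google.oauth2 import service_account
    from google.auth.transport.requests import Request

    creds = service_account.Credentials.from_service_account_file(
        check_key_file(key_file),
        scopes=[GMAIL_IMAP_SCOPE],
        subject=user,  # the delegated user to impersonate
    )
    creds.refresh(Request())  # signed-JWT exchange at Google's token endpoint
    return creds.token


if __name__ == "__main__":
    # Usage (hypothetical paths): python3 gmail_token.py key.json user@example.com
    print(access_token(sys.argv[1], sys.argv[2]))
```

The token is short-lived, so the helper is called again on each sync; only the key file itself needs long-term protection.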

More information about the OfflineIMAP-project mailing list