Photo by Funky64
Gabor Cselle, formerly a Gmail engineer and now a founder of the Y Combinator startup Remail, has been doing some really interesting work in the email field recently. Their main Remail product takes the normal approach of asking for your Gmail username and password and then fetching all your messages through IMAP. As far as I knew, this was the only way of accessing your inbox, but it is horrible for security since it requires users to hand over their Google passwords to a third-party website.
That meant I was intrigued to see that one of their experimental projects is using OAuth to access users' inboxes. This is a massive improvement, since the third party never sees the original password, but I didn't know that any of the mail APIs supported this. Trying to figure out how he did it, I discovered it's possible to grab an RSS feed of your messages. Here are a few command-line examples you can try for yourself, replacing username and password with your Gmail credentials:
curl "https://username:password@mail.google.com/mail/feed/atom/unread#all"
Shows unread emails from all your folders
curl "https://username:password@mail.google.com/mail/feed/atom/inbox"
Shows unread emails in your inbox
curl "https://username:password@mail.google.com/mail/feed/atom/spam"
Shows all your unread spam emails
These all use basic HTTP authentication, but web applications can call the same URLs after authenticating with OAuth, giving users a much more secure experience.
There are some pretty serious limitations though. The feeds only let you see unread emails, and are limited to 20 messages at most. That rules out applications that need a lot of email to analyze, but I'm sure there are some other interesting tools that could be built within the restrictions. I'd be curious to know if any other developers are using this and if there are any ways around the limitations. In the meantime I'll keep debugging my IMAP code!
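As an added example (not code from the original post or from Remail), the Python below builds the same basic-auth request with the credentials in an Authorization header instead of the URL, then parses an Atom response and flags when the 20-message cap may have cut the results short. The sample feed, its element names and the helper names are constructed assumptions, not captured Gmail output.

```python
import base64
import urllib.request
import xml.etree.ElementTree as ET

FEED_BASE = "https://mail.google.com/mail/feed/atom/"  # URL prefix used in the post
FEED_LIMIT = 20  # the post's stated maximum number of messages per feed


def build_request(label, username, password):
    """Basic-auth request with the credentials in a header, not the URL,
    so they stay out of shell history, process listings and proxy logs."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(FEED_BASE + label,
                                  headers={"Authorization": "Basic " + token})


def _local(tag):
    # Drop any "{namespace}" prefix so parsing does not depend on the Atom version.
    return tag.rsplit("}", 1)[-1]


def parse_feed(xml_text):
    """Return (entries, maybe_truncated) for an Atom document."""
    root = ET.fromstring(xml_text)
    entries = []
    for node in root.iter():
        if _local(node.tag) != "entry":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in node}
        entries.append({"title": fields.get("title", ""),
                        "summary": fields.get("summary", "")})
    # A full page means more unread mail may exist than the feed returned.
    return entries, len(entries) >= FEED_LIMIT


# Constructed sample: generic Atom element names, assumed rather than captured.
SAMPLE = """<feed xmlns="http://www.w3.org/2005/Atom">
  <title>Inbox</title>
  <entry><title>Quarterly report</title><summary>Numbers attached</summary></entry>
  <entry><title>Lunch?</title><summary>Noon works</summary></entry>
</feed>"""

if __name__ == "__main__":
    req = build_request("inbox", "username", "password")
    print(req.full_url)  # no credentials appear in the URL
    print(parse_feed(SAMPLE))
```

Passing the request to `urllib.request.urlopen` and feeding the decoded body to `parse_feed` completes the round trip; nothing in the block contacts the network on its own.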