Provides comprehensive Gmail inbox management with 26 tools for reading, searching, organizing emails, managing labels, creating drafts, and supporting multiple connected Gmail accounts with thread-aware operations.
Gmail MCP Server
An MCP (Model Context Protocol) server that exposes Gmail tools via Streamable HTTP transport. Enables AI assistants to read, search, organize, and draft emails in your Gmail inbox.
Quickstart
Server runs at http://localhost:3000. Connect your Gmail at /oauth/start.
Features
26 Gmail tools for comprehensive inbox management
Multi-inbox support: Connect multiple Gmail accounts per user
Two-layer OAuth: MCP-level JWT authentication + Google OAuth for Gmail access
Secure token storage: SQLite with AES-256-GCM encryption for refresh tokens
Streamable HTTP transport: Stateless mode for easy deployment
Automatic token refresh: Proactive refresh 5 minutes before expiry
Requirements
Node.js >= 20.0.0
Google Cloud project with Gmail API enabled
OAuth 2.0 credentials (Web application type)
Google Cloud Setup
Create a project at console.cloud.google.com
Enable the Gmail API
Go to APIs & Services → Library
Search for "Gmail API" and enable it
Configure OAuth consent screen
Go to APIs & Services → OAuth consent screen
Choose "External" user type
Fill in app name and support email
Add scopes:
gmail.readonly,gmail.labels,gmail.modify,gmail.composeAdd your email as a test user
Create OAuth credentials
Go to APIs & Services → Credentials
Click "Create Credentials" → "OAuth client ID"
Choose "Web application"
Add authorized redirect URI:
http://localhost:3000/oauth/callbackCopy the Client ID and Client Secret
Add to .env
GOOGLE_CLIENT_ID=your-client-id.apps.googleusercontent.com GOOGLE_CLIENT_SECRET=your-client-secret OAUTH_REDIRECT_URI=http://localhost:3000/oauth/callback
Installation
Configuration
Copy .env.example to .env and configure:
Required Environment Variables
Variable | Description |
| Server port (default: 3000) |
| Public URL of the server |
| Google OAuth client ID |
| Google OAuth client secret |
| OAuth callback URL (e.g., |
| 32-byte key for encrypting stored tokens |
| Secret for signing MCP-level JWTs |
Optional Variables
Variable | Description |
| SQLite database path (default: |
| Comma-separated CORS origins |
Generating Secrets
Running the Server
Docker
The easiest way to deploy anywhere:
The SQLite database persists in ./data/ via volume mount.
The server exposes:
POST /mcp- MCP protocol endpointGET /healthz- Health checkGET /oauth/start- Initiate Gmail OAuth flowGET /oauth/callback- OAuth callback handlerGET /.well-known/oauth-protected-resource- OAuth discovery
Available Tools
All tools accept an optional email parameter to target a specific connected account. If omitted, the default account is used.
Authentication & Accounts
Tool | Description |
| Check connection status and list connected accounts |
| Initiate OAuth flow to connect Gmail |
| List all connected Gmail accounts |
| Set which account is used by default |
| Disconnect a Gmail account |
Reading Messages
Tool | Description |
| Search using Gmail query syntax |
| Get a single message by ID |
| List conversation threads |
| Get all messages in a thread |
| Get attachment info (filename, size, MIME type) |
Labels
Tool | Description | Scope Required |
| List all labels with counts | - |
| Get label details | - |
| Add labels to messages/threads |
|
| Remove labels from messages/threads |
|
| Create a custom label |
|
Message Organization
Tool | Description | Scope Required |
| Archive messages/threads (thread-aware by default) |
|
| Move back to inbox (thread-aware by default) |
|
| Mark as read |
|
| Mark as unread |
|
| Add star |
|
| Remove star |
|
Thread-Aware Archiving: By default,
archiveMessagesandunarchiveMessageswill archive the entire thread when given amessageId. This ensures conversations leave your inbox. SetarchiveEntireThread: falseto archive individual messages only.
Drafts
Tool | Description | Scope Required |
| Create a new draft |
|
| List all drafts | - |
| Get draft content | - |
| Update existing draft |
|
| Delete a draft |
|
OAuth Scopes
Request scopes when calling gmail.authorize:
Scope | Permissions |
| Read messages, threads, labels |
| Manage labels, star, mark read/unread |
| Archive/unarchive messages and threads |
| Create, update, and delete drafts |
Example:
Multi-Inbox Support
Users can connect multiple Gmail accounts. The first connected account becomes the default.
Connecting Additional Accounts
Call gmail.authorize again to connect another Gmail account. Each account can have different scopes.
Targeting Specific Accounts
All tools accept an optional email parameter:
If email is omitted, the default account is used.
Managing Accounts
Architecture
Key Components
src/index.ts- Entry pointsrc/config.ts- Zod-validated configurationsrc/http/server.ts- Fastify HTTP serversrc/mcp/server.ts- MCP server with all toolssrc/gmail/client.ts- Gmail API wrapper with token refreshsrc/auth/mcpOAuth.ts- MCP-level JWT authenticationsrc/auth/googleOAuth.ts- Google OAuth flow with PKCEsrc/store/sqlite.ts- SQLite token storage with encryption (composite key for multi-account)
Development
Claude Code Integration
Install MCP Server
Add the Gmail MCP server to your Claude Code configuration:
This adds the server to ~/.claude.json. Make sure the server is running first.
Install Subagents
Install custom Claude Code subagents for enhanced Gmail workflows:
This installs 12 specialized Gmail agents that provide intelligent email management capabilities.
Available Subagents
Agent | Description | Example Prompt |
gmail-inbox-explorer | Analyzes inbox structure, labels, and activity | "Explore my Gmail inbox" |
gmail-email-triage | Prioritizes unread emails by urgency | "Help me triage my inbox" |
gmail-email-summarizer | Summarizes emails matching search criteria | "Summarize emails from John this week" |
gmail-draft-composer | Helps write professional email drafts | "Help me write an email to my boss" |
gmail-inbox-cleanup | Archives old emails and reduces clutter | "Clean up my inbox" |
gmail-follow-up-finder | Finds emails needing response or follow-up | "What emails need follow-up?" |
gmail-action-item-extractor | Extracts tasks and deadlines from emails | "What action items are in my emails?" |
gmail-project-email-collector | Gathers all emails about a project/topic | "Find all emails about the redesign project" |
gmail-newsletter-manager | Manages newsletter subscriptions | "What newsletters am I subscribed to?" |
gmail-contact-insights | Analyzes communication with a contact | "Show my email history with sarah@company.com" |
gmail-multi-inbox-dashboard | Unified view across multiple accounts | "Overview of all my email accounts" |
gmail-email-reply-drafter | Drafts contextual replies to threads | "Help me reply to the project deadline email" |
Example Usage
Ask Claude Code naturally and it will automatically use the appropriate agent:
Error Handling
The server uses JSON-RPC error codes:
Code | Type | Description |
|
| User not authenticated, token revoked, or insufficient scope |
|
| Invalid input parameters or account not found |
|
| Gmail API error or rate limit |
When invalid_grant is returned from Google (token revoked), stored tokens are cleared and the user must re-authorize.
Security
Refresh tokens encrypted with AES-256-GCM before storage
MCP-level JWTs (HS256) with 1-hour lifetime
Google OAuth with PKCE support
CSRF protection via state parameter
License
MIT