gmail-mcp

The server functions as an OAuth proxy for the Google Gmail API. It is designed to be stateless and does not persistently store user access or refresh tokens, which is a significant security advantage. Google OAuth client credentials (ID and Secret) are correctly sourced from environment variables, preventing hardcoding. Input and output data for tools are rigorously validated using Zod schemas, mitigating risks from malformed requests. A token validation cache is implemented to efficiently check token validity and provide appropriate HTTP 401 responses, enabling clients to handle token expiration gracefully. The primary security consideration for deployment is the protection of the Google OAuth Client ID and Secret that the server uses to proxy authentication. If the server is exposed publicly, robust network security measures (e.g., HTTPS, appropriate firewall rules, secure hosting environment) are critical to safeguard these credentials. No 'eval' or other directly malicious code patterns were found.