Guide
Gmail App Passwords: Setup and Gotchas
A Gmail app password is the 16-character key you generate so an IMAP or SMTP client that can't speak OAuth can still sign in to your account. Since Google removed plain-password access in 2024, it's often the only way to connect older mail tools — but it comes with real constraints. Here's how to create one, exactly when you need it, the errors it throws, and the path that skips app passwords entirely.
Written by Qasim Muhammad, Staff SRE
Command references used in this guide: nylas auth login, nylas email list, and nylas email send.
What is a Gmail app password?
A Gmail app password is a 16-character, single-purpose credential that lets an app sign in to your Google account without your real password or an interactive OAuth flow. You generate it from your account's security settings, paste it where the app asks for a password, and Gmail accepts it over IMAP, POP, and SMTP. It exists for clients that predate or don't support OAuth 2.0.
App passwords require 2-Step Verification to be enabled — Google won't show the option otherwise — and each one is tied to that single use. Per Google's app password documentation, you can hold many at once and revoke any individually, which limits the blast radius if one leaks compared to handing over your account password.
How do you create a Gmail app password?
Creating one takes about a minute and four steps. The flow lives behind 2-Step Verification, so enable that first if you haven't. The generated value is shown only once, so copy it immediately — there's no way to view it again, only to delete it and make a new one.
- Enable 2-Step Verification at myaccount.google.com/security if it isn't already on.
- Go to myaccount.google.com/apppasswords (search “App passwords” in account settings if the link 404s).
- Name the app (for example “mutt” or “backup script”) and select Create.
- Copy the 16-character password — Google shows it once — and paste it into your IMAP/SMTP client.
Use it as the password with imap.gmail.com:993 for reading and smtp.gmail.com:465 for sending, with your full address as the username, per Google's IMAP/SMTP setup docs. The 16 characters are usually displayed in four groups of four; the spaces are cosmetic and can be omitted.
When do you need an app password versus OAuth?
You need an app password only when your tool talks raw IMAP, POP, or SMTP and can't perform an OAuth handshake — terminal mail clients like mutt, a legacy backup script, or a device that asks for a plain password. This became mandatory for those tools in 2024: Google removed Less Secure Apps access on September 30, 2024, so a Gmail account's normal password no longer works over IMAP/SMTP.
You do not need one when the tool supports OAuth, which is the modern, more secure path — scoped, revocable per app, and never exposing a reusable secret. API-based access uses OAuth, so anything built on the Gmail API or a unified provider authenticates without an app password at all. That distinction is the whole reason to prefer OAuth where you have the choice.
What are the common Gmail app password errors?
Three failures account for most app-password trouble. A 535-5.7.8 Username and Password not accepted error over SMTP usually means 2-Step Verification isn't on, the password was mistyped, or you used your account password instead of the generated one. The fix is to regenerate and re-paste the 16-character value exactly.
The second is sudden, total failure of a working setup: changing your main Google password revokes every app password at once, so a script that ran yesterday returns auth errors today until you generate new ones. The third is administrative — on Google Workspace, an admin can disable app passwords org-wide, in which case the option never appears and only OAuth or admin-sanctioned access works.
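Putting the setup values above (full address as username, smtp.gmail.com:465) together with the 535 5.7.8 diagnosis, here is an added Python example that is not part of the original guide: it strips the cosmetic spaces from the displayed password, authenticates over implicit TLS, and translates an authentication failure into the checks this section lists. The host, port and error text come from the guide; the environment variable names and the 16-alphanumeric shape check are this example's assumptions.

```python
import os
import re
import smtplib
import ssl
from email.message import EmailMessage

# Values from the guide: full address as the username, implicit-TLS SMTP on 465.
SMTP_HOST = "smtp.gmail.com"
SMTP_PORT = 465


def normalize_app_password(shown: str) -> str:
    """Google shows the password as four groups of four; the spaces are cosmetic.
    The shape check (16 letters/digits) is this example's assumption."""
    value = shown.replace(" ", "")
    if not re.fullmatch(r"[A-Za-z0-9]{16}", value):
        raise ValueError(f"expected a 16-character app password, got {shown!r}")
    return value


def diagnose_auth_failure(code: int, reply: bytes) -> str:
    """Turn the SMTP reply into the checks the guide lists for 535 5.7.8."""
    text = reply.decode(errors="replace")
    if code == 535 and "5.7.8" in text:
        return ("535 5.7.8 Username and Password not accepted: confirm 2-Step "
                "Verification is on, that the pasted value is the generated "
                "16-character password (not the account password), and that the "
                "account password has not been changed since, which revokes "
                "every app password")
    return f"SMTP authentication failed with {code}: {text}"


def send_with_app_password(user: str, shown_password: str, to: str,
                           subject: str, body: str) -> str:
    """Send one message via smtp.gmail.com:465; needs network access to run."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = user, to, subject
    msg.set_content(body)
    context = ssl.create_default_context()
    with smtplib.SMTP_SSL(SMTP_HOST, SMTP_PORT, context=context) as server:
        try:
            server.login(user, normalize_app_password(shown_password))
        except smtplib.SMTPAuthenticationError as exc:
            return diagnose_auth_failure(exc.smtp_code, exc.smtp_error)
        server.send_message(msg)
    return "sent"


if __name__ == "__main__":
    # Hypothetical environment variable names; set them before running.
    print(send_with_app_password(os.environ["GMAIL_USER"], os.environ["GMAIL_APP_PASSWORD"],
                                 os.environ["MAIL_TO"], "test", "sent with an app password"))
```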
How do you skip app passwords with OAuth?
The nylas auth login --provider google command authenticates over OAuth, so there's no app password to generate, paste, or lose when your account password changes. The token is stored in your system keyring and refreshes automatically every 3,600 seconds, which means a script written today still runs next month without a credential rotation. After login, nylas email list reads the inbox and nylas email send sends — no IMAP host, no SMTP port.
This matters most for automation. A cron job or CI pipeline using an app password breaks the moment the password is rotated or the admin tightens policy; an OAuth grant survives both. App passwords remain the right tool for genuinely OAuth-incapable clients — but for anything you can point at an API, OAuth removes the failure modes above. See Gmail SMTP settings for the IMAP/SMTP values and listing Gmail without an app password for the OAuth path.
```shell
# OAuth — no app password to generate or rotate
nylas auth login --provider google
nylas email list --limit 10
nylas email send --to teammate@example.com \
  --subject "No app password needed" --body "Authenticated over OAuth."
```

Next steps
- Gmail SMTP settings — ports, TLS, and where the app password goes
- List Gmail emails from the CLI — read Gmail over OAuth
- Send email with curl — where an app password is actually required
- Email API authentication methods — OAuth, app passwords, and API keys compared
- Full command reference — every flag and subcommand documented