Guide

Gmail OAuth in PowerShell

Gmail OAuth from PowerShell is painful. You register an app in Google Cloud Console, generate a client ID and secret, build the consent URL, exchange the authorization code for tokens, handle refresh logic, and store everything securely. Nylas CLI replaces all of that with one command. This guide shows how to authenticate with Gmail and use your inbox from PowerShell -- no manual token management.

The manual Gmail OAuth flow in PowerShell

If you have ever tried to authenticate with the Gmail API from PowerShell, you know the pain. Here is what the manual flow looks like:

# Step 1: Register an OAuth app in Google Cloud Console
# (manual browser steps -- create project, enable Gmail API, create credentials)

# Step 2: Build the consent URL
$clientId = "your-client-id.apps.googleusercontent.com"
$clientSecret = "your-client-secret"
$redirectUri = "http://localhost:8080"
$scope = "https://www.googleapis.com/auth/gmail.readonly"

$authUrl = "https://accounts.google.com/o/oauth2/v2/auth" +
    "?client_id=$clientId" +
    "&redirect_uri=$redirectUri" +
    "&response_type=code" +
    "&scope=$scope" +
    "&access_type=offline"

Start-Process $authUrl

# Step 3: Run a local HTTP listener to catch the redirect
$listener = [System.Net.HttpListener]::new()
$listener.Prefixes.Add("$redirectUri/")
$listener.Start()
$context = $listener.GetContext()
$code = $context.Request.QueryString["code"]
$listener.Stop()

# Step 4: Exchange the code for tokens
$tokenBody = @{
    code          = $code
    client_id     = $clientId
    client_secret = $clientSecret
    redirect_uri  = $redirectUri
    grant_type    = "authorization_code"
}
$tokens = Invoke-RestMethod `
    -Uri "https://oauth2.googleapis.com/token" `
    -Method POST `
    -Body $tokenBody

# Step 5: Store the tokens securely
$tokens.access_token   # expires in 1 hour
$tokens.refresh_token  # store this, you need it to get new access tokens

# Step 6: Refresh when expired (every hour)
$refreshBody = @{
    refresh_token = $tokens.refresh_token
    client_id     = $clientId
    client_secret = $clientSecret
    grant_type    = "refresh_token"
}
$newTokens = Invoke-RestMethod `
    -Uri "https://oauth2.googleapis.com/token" `
    -Method POST `
    -Body $refreshBody

That is six steps before you can make your first Gmail API call. And you still need to handle token expiry, secure storage, and error recovery. Every PowerShell script that touches Gmail needs this boilerplate.

The Nylas CLI solution: one command

# Install Nylas CLI (one-liner for PowerShell)
irm https://cli.nylas.com/install.ps1 | iex

# Or install with Go (requires Go 1.21+)
# go install github.com/nylas/cli/cmd/nylas@latest

# Authenticate with Gmail
nylas auth login

That is it. The CLI opens your browser, you sign in with Google, and the OAuth tokens are stored securely in Windows Credential Manager. No client IDs, no secrets, no refresh logic.

Verify your authentication

# See who you are authenticated as
nylas auth whoami
# Example output:
# Email: you@gmail.com
# Provider: google
# Grant ID: grant_abc123
# Status: active

Manage multiple Gmail accounts

You can authenticate with multiple Gmail accounts and switch between them. Each account gets its own grant ID.

# Authenticate a second account
nylas auth login

# List all authenticated accounts
nylas auth list
# Example output:
# GRANT ID          EMAIL                PROVIDER  STATUS
# grant_abc123      work@gmail.com       google    active
# grant_def456      personal@gmail.com   google    active
# Use a specific account with any command
nylas email list --grant grant_def456

# Revoke access for an account
nylas auth revoke grant_def456

List Gmail emails from PowerShell

Once authenticated, you can list, search, and read emails directly from PowerShell. All commands output JSON when you pass --json, which integrates natively with PowerShell's ConvertFrom-Json.

# List recent emails
nylas email list

# List with JSON output for PowerShell processing
$emails = nylas email list --json | ConvertFrom-Json
$emails | Format-Table subject, from, date -AutoSize

Search Gmail from PowerShell

# Search for emails
nylas email search "quarterly report"

# Search and process with PowerShell
$results = nylas email search "from:alice@company.com" --json |
    ConvertFrom-Json

# Filter further with PowerShell
$results | Where-Object { $_.unread -eq $true } |
    Select-Object subject, date

Send email from Gmail via PowerShell

# Send an email (interactive confirmation)
nylas email send `
    --to "colleague@company.com" `
    --subject "Q1 Report" `
    --body "Attached is the Q1 report. Let me know if you have questions."

# Send without confirmation (for scripts)
nylas email send `
    --to "colleague@company.com" `
    --subject "Q1 Report" `
    --body "See attached." `
    --yes --json | ConvertFrom-Json

For more on sending email from PowerShell, see the Send Email from PowerShell guide and the Replace Send-MailMessage guide.

PowerShell scripting with Gmail

Because the CLI outputs JSON, you can build PowerShell scripts that automate Gmail tasks:

# Script: Check for unread emails from a specific sender
$unread = nylas email list --json --unread |
    ConvertFrom-Json |
    Where-Object { $_.from -match "boss@company.com" }

if ($unread.Count -gt 0) {
    Write-Host "You have $($unread.Count) unread email(s) from your boss!"
    $unread | ForEach-Object {
        Write-Host "  Subject: $($_.subject)"
    }
} else {
    Write-Host "No unread emails from your boss."
}
# Script: Daily email summary
$today = (Get-Date).ToString("yyyy-MM-dd")
$emails = nylas email list --json --limit 20 | ConvertFrom-Json

$summary = $emails | Group-Object { $_.from } |
    Sort-Object Count -Descending |
    Select-Object @{N="Sender";E={$_.Name}}, Count

Write-Host "Email summary for $today"
Write-Host "========================"
$summary | Format-Table -AutoSize

Side-by-side comparison

TaskManual OAuth in PowerShellNylas CLI
Initial setupGoogle Cloud Console + 50 lines of codenylas auth login
Token refreshManual refresh logic in every scriptAutomatic
Token storageYou build it (file, registry, vault)Windows Credential Manager
List emailsInvoke-RestMethod with auth headersnylas email list --json
Multi-accountSeparate credential sets per account--grant flag

Frequently asked questions

Can I use Nylas CLI with PowerShell on Windows?

Yes. Nylas CLI is a standalone Go binary that runs on Windows, macOS, and Linux. It works in PowerShell, CMD, Windows Terminal, and any other shell. The only syntax difference is that PowerShell uses backtick (`) for line continuation instead of backslash.

Do I need a Google Cloud project for Gmail OAuth?

No. Nylas CLI handles the entire OAuth flow. Run nylas auth login, select Gmail, and authenticate in your browser. No Google Cloud Console, no client IDs, no client secrets. The CLI manages everything.

How do I switch between multiple Gmail accounts?

Run nylas auth login for each account. Use nylas auth list to see all accounts with their grant IDs. Then pass --grant <id> to any command to specify which account to use.

Where does Nylas CLI store OAuth tokens on Windows?

Tokens are stored in Windows Credential Manager, the same secure store used by Git, Docker, and other developer tools. They are encrypted at rest and never written to plain-text config files. You can view them in Credential Manager under "Generic Credentials."

Next steps