Secure email sending with the Gmail API in Laravel

If you landed here you probably develop in PHP with Laravel, but the approach applies to other stacks too.

Scenario: your app sends emails and the sending account is Gmail / Google Workspace. Previously you just configured Gmail SMTP. With Google tightening security this is increasingly fragile (auth issues, spam flags, blocked less‑secure apps). The robust alternative is using the official Gmail API.

Below is how we tackled it.

Enable the Gmail API

Go to Google Cloud Console; create/select a project.
Enable “Gmail API”.
Create credentials (OAuth – user data access only).
Scopes: “Read, compose & send email from your Gmail account” (or the minimal gmail.send).
App type: Web application.
Download the JSON credentials file.

Code

Place the credentials securely (e.g. storage/app/credentials.json). Install the client library:

composer require google/apiclient

Create GmailApiServiceProvider and register it in config/app.php:

<?php
namespace App\Providers;
use Illuminate\Support\ServiceProvider;
use Illuminate\Mail\TransportManager;

class GmailApiServiceProvider extends ServiceProvider
{
    public function register()
    {
        $this->app->singleton(\Google_Client::class, function () {
            $client = new \Google_Client();
            $client->setApplicationName('Your App Name');
            $client->setScopes(\Google_Service_Gmail::GMAIL_SEND);
            $client->setAuthConfig(storage_path('app/credentials.json'));
            return $client;
        });
    }

    public function boot()
    {
        $this->app->extend('swift.transport', function (TransportManager $manager) {
            $manager->extend('gmail_api', function () {
                $client = $this->app->make(\Google_Client::class);
                return new \App\Mail\Transport\GmailApiTransport($client);
            });
            return $manager;
        });
    }
}

Replace application name & path as needed.

Implement the custom transport at app/Mail/Transport/GmailApiTransport.php:

<?php
namespace App\Mail\Transport;
use Google_Client;use Google_Service_Gmail;use Swift_Mime_SimpleMessage;use Swift_Transport;use Swift_Events_EventListener;
class GmailApiTransport implements Swift_Transport
{
    private $client;
    public function __construct(Google_Client $client){$this->client = $client;}
    public function isStarted(){return true;}
    public function start(){}
    public function stop(){}
    public function send(Swift_Mime_SimpleMessage $message, &$failedRecipients = null)
    {
        $gmail = new Google_Service_Gmail($this->client);
        $mime = rtrim(strtr(base64_encode($message->toString()), '+/', '-_'), '=');
        $payload = new \Google_Service_Gmail_Message();
        $payload->setRaw($mime);
        $gmail->users_messages->send('me', $payload);
        return $message->getId();
    }
    public function ping(){return true;}
    public function registerPlugin(Swift_Events_EventListener $plugin){}
}