You are not violating any security policy. This is a standard mail that comes when ever a user connects their account to a new application containing high risk scopes (note as far as I know not all scopes will result in this mail but I haven’t actually tested all scopes). This most often comes with the Gmail scopes in applications.
I would double check that your application has been verified it may help to remove some of the notifications your users are getting. Users should be informed by Google when they are accessing third party applications and warned about what that could mean.
The following scope is one of the most critical as far as Google is concerned this is most likely the one that will mean your users will always get this email when they authenticate your application. I wouldn’t be surprised if all the Gmail scopes would result in that mail but I haven’t tested it.
This email is most likely related to the fact that this application has not been verified to use the gmail scopes. Gmail scopes are one of the most sensitive scopes as far as Google is concerned as the chance that they could be abused by malicious developers is even greater.
You should apply for verification as soon as you can google may contact you and ask for a video of your application running.
In most cases it does NOT cost anything to be verified. In some cases, for particularly sensitive APIs, Google may require an outside audit of your code to make sure it does not put users of your program at risk.
After several hours of piecing together information across multiple sites along with a friend while waiting for further clarification from Google the following information was found which I hope will help developers in the future.
additional reading piecing together information available:
- Elevating user trust in our API ecosystem while this page does mention “All fees are paid directly to the assessor and not to Google.” it does not state an amount. Again i have never heard
of anyone having to pay for this. However I have contacted Google and requested that the page be updated with more accurate information as to what the fee entails.
- Additional Requirements for Specific API Scopes
- Why fee clearly states why a fee is charged. These assessments are done by a third party company that must be paid. It would be unrealistic IMO for a company wishing to develop an application using Googles API to expect Google to pay for this: IMO it makes perfect sense that the cost would be transferred to the company developing the application. they will after all be making money on the application.