I tried to give an AI agent its own email account three different ways. The first two took most of an afternoon. The third took 28 seconds. This is the migration story.
Attempt 1: dedicated Gmail account
The first instinct: just create a Gmail. Free, familiar, works everywhere.
Forty-five minutes in:
- Created a new Google account with a phone number Google would accept (the agent does not have a phone)
- Configured 2FA, generated an app password (Gmail no longer accepts plain passwords for IMAP)
- Hit the "less secure apps" wall, learned it has been retired
- Set up OAuth 2.0 client in Google Cloud Console
- Configured the consent screen, reviewed scopes, marked it "Internal"
- Realised Internal apps cannot be created on free Workspace, so I made it External
- Filled in the privacy policy URL, terms URL, app domain — for an agent
I had not sent a single message yet.
Attempt 2: shared Gmail with a +alias
"Just use me+agent@gmail.com" is the popular shortcut. It works for receiving (Gmail routes + aliases to the same inbox), but:
- The "From" address on outbound is still the parent account
- The agent's mail mixes with mine, so my filters break
- Compromise of the agent's credentials = compromise of my personal mail
- Audit logs cannot tell us apart
Two hours later I gave up on this path. The mixing problem is fatal once you have more than one agent.
Attempt 3: nylas agent account create
$ nylas agent account create coder@yourapp.nylas.email
✓ Agent account created successfully!
Email: coder@yourapp.nylas.email
Provider: nylas
Status: valid
Twenty-eight seconds wall-clock. No OAuth, no Workspace seat, no shared mailbox.
What is happening under the hood
Three things, in this order:
- The CLI auto-creates the nylas connector on your application if it does not exist. This is a one-time, idempotent setup.
- It provisions a managed mailbox under your application's *.nylas.email zone. The mailbox lives entirely on Nylas — no Gmail, no Workspace, no third-party IMAP.
- It stores the new grant locally so subsequent CLI commands resolve it without an explicit --grant.
The grant is provider=nylas, which means: no OAuth handshake, no token refresh, no client-secret rotation. The identity is managed end-to-end.
Side-by-side comparison
| Step | Gmail OAuth | Agent account |
|---|---|---|
| Create the identity | ~5 min (account, 2FA, app password) | One command |
| Configure OAuth client | ~12 min (Cloud Console, scopes, consent) | Not applicable |
| Wire up auth in your app | ~10 min (refresh token plumbing) | One nylas auth config |
| Setup time total | ~45 min | ~30 sec |
| Per-month cost | Workspace seat $6 | None |
| Token refresh | Yours to manage | Not applicable |
| Multi-provider reach | Gmail only | Gmail, Outlook, Exchange, Yahoo, iCloud, IMAP, agent |
Migrating an existing agent
If you have already wired up an agent to a Gmail account, the migration is mechanical:
# 1. Provision the agent's new identity
nylas agent account create coder@yourapp.nylas.email
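# 2. Optional: enable IMAP/SMTP (if your agent uses a stock library)
#    The password below is a sample value. Use your own, and keep it out of
#    shell history and committed config.
nylas agent account update coder@yourapp.nylas.email \
  --app-password 'ValidAgentPass123ABC!'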
# 3. Send a test
nylas email send --to you@example.com \
--subject "test from new agent identity" \
--body "Hi from the managed inbox."
# 4. Update the agent's prompt / config to use the new address
That is the whole migration. The hardest part is finding everywhere the old address is hard-coded.
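One way to run that search, as an added example that is not part of the original post or the Nylas CLI: a shell function that lists every reference to the old address, including the +tag aliases from the shared-Gmail attempt. The addresses, file names and function names are constructed for illustration, and GNU grep is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): list every hard-coded reference
# to an agent's old mailbox, including +tag aliases, before cutting over.

# Escape ERE metacharacters so "." in an address only matches a literal dot.
escape_ere() {
  printf '%s' "$1" | sed 's/[][\.^$*+?(){}|]/\\&/g'
}

# Usage: find_old_address me@gmail.com /path/to/repo
# Prints file:line:text for the address and any local+tag@domain alias of it.
# The body runs in a subshell, so its variables do not leak to the caller.
find_old_address() (
  user="${1%@*}"; domain="${1#*@}"
  user="${user%%+*}"                # accept an alias as input, search the base
  left='(^|[^A-Za-z0-9._%+-])'      # stops "home@..." matching a search for "me@..."
  right='([^A-Za-z0-9-]|$)'         # allows a sentence-ending "." after the address
  pattern="${left}$(escape_ere "$user")(\\+[A-Za-z0-9._-]+)?@$(escape_ere "$domain")${right}"
  # -I skips binary files, -i ignores case, .git is excluded as VCS metadata
  grep -rInEi --exclude-dir=.git -- "$pattern" "$2"
)

# Constructed sample tree: two real references, one look-alike, one VCS file.
make_sample_tree() {
  mkdir -p "$1/agent" "$1/docs" "$1/.git"
  printf 'from_address: me+agent@gmail.com\n' > "$1/agent/config.yaml"
  printf 'You send mail as Me@Gmail.com.\n' > "$1/agent/prompt.txt"
  printf 'Contact home@gmail.com or coder@yourapp.nylas.email\n' > "$1/docs/notes.md"
  printf 'email = me@gmail.com\n' > "$1/.git/config"
}

demo_dir="$(mktemp -d)"
make_sample_tree "$demo_dir"
find_old_address me@gmail.com "$demo_dir"   # reports config.yaml and prompt.txt
rm -rf "$demo_dir"
```

The right-hand boundary is deliberately loose, so a longer domain that begins with the old one is over-reported rather than missed.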
What I'd warn future-me about
Three lessons from the misadventure:
- Phone number requirement: Gmail's signup will demand a phone for verification. Agents do not have phones. Burn an OTP-friendly number and accept Google may flag the account later.
- OAuth refresh tokens expire: a Gmail OAuth refresh token is not infinite. Tokens for unverified Cloud apps expire after 7 days; production verification is its own multi-week project.
- Per-seat costs scale: if your team runs 5 agents, that is 5 Workspace seats at $6 each = $30/mo just to give them mail.
When Gmail still wins
Be honest about the trade. If the agent must read or send from an existing inbox at @yourcompany.com (your real domain), and your company is on Workspace, you do not want a separate Nylas address. In that case, use Gmail OAuth and pay the setup cost. The agent identity model is for new agent inboxes, not for migrating your CEO's mailbox.
For everything else — testing, signup automation, agent-to-agent messaging, ephemeral inboxes, managed bots — the agent account wins on every dimension I can measure.
Next steps
- Create an AI agent email identity — the full setup walkthrough
- Why AI agents need email — the case before the setup
- Email as identity for AI agents — the deeper argument about agent identity
- Full command reference