In our latest release, Chrome is asking you to re-authorise ActiveInbox.

This is a tremendously sensible policy it uses to protect you when an extension asks for greater permissions. And as a developer I’m 100% in favour of such precautions 🙂

But as we’ll explain in a moment, we don’t actually require any additional permissions… we’ve just changed the way we utilise the existing permissions (a subtly that Chrome doesn’t worry about!).

What Is The New Permission?

We ask to access https://*

This is Google’s API server, and in our case, we specifically need the Gmail API. (An ‘API’ is a way for software to communicate ‘officially’ between two machines, in this case between your computer and Gmail’s server).

For 10 years, we’ve had our own custom mechanism for managing your Gmail labels around emails. This is because when we began, the API didn’t exist, so we had to get imaginative and reverse-engineer Gmail. My inner-geek loves it because it was clever, but it meant that it was also prone to breaking when Gmail changed.

And boy did Gmail change… they’re currently rolling out their biggest update in 9 years.

This meant we had to throw out a huge amount of ActiveInbox’s codebase, and presented us with the justification to finally adopt Gmail’s API.

What Benefits Does The New Permission Bring?

Quite simply, it’s more robust. So there should be less down time if Gmail changes. And because it’s much simpler than our existing mechanism, it’ll be easier to make it work faster in the future.

How Secure Is it?

As a baseline it’s the same as it was in AIB 6. We’re still doing the same basic thing: adding and removing labels from your emails.

Most importantly, we still absolutely cannot read your emails. The data exchange happens exclusively between your machine and Gmail’s servers. To be very clear, your emails don’t touch our servers.

But the API is Google’s “official” way for apps like us to manage your email data. So in the long term, it should be the most secure approach.

And in the next month, we should be able to make your data even more secure. At the moment, we let the API ask for theoretical permission to ask your email’s content (even though, just to be clear, it never touches our server – we can’t read it!), because that’s how Send Later used to work in AIB6.

But we’re working hard to reduce that permission to just access “meta data” about your emails (e.g. from/to/labels/subject… but not the content). More on that soon!

What do I need to do to get ActiveInbox back?

Just load your Chrome Extensions list (click the 3 vertical dots in the top right, then ‘More Tools’, then ‘Extensions’). Find ActiveInbox, and you should see a prompt to re-enable it.


This was written by Andy Mitchell