Gmail OAuth vs. App Passwords: Which Should You Use?

Gmail offers two authentication methods for third-party applications like WordPress SMTP plugins: OAuth 2.0 and App Passwords. Since Google removed Less Secure Apps access entirely in 2022 (and from Workspace accounts in May 2025), these are the only two options for sending WordPress email through Gmail.

OAuth

OAuth is a modern, secure, and widely-adopted authentication protocol. It enables third-party applications to access your Gmail without sharing your password. Instead, OAuth uses access tokens to grant specific permissions for a limited period. OAuth is Google’s preferred authentication method.

Advantages

  1. Enhanced security: OAuth does not require sharing your password with third-party applications.
  2. Granular permissions: You can control the level of access granted to each application.
  3. Revocable access: You can easily revoke access for any application at any time through your Google Account settings.

Disadvantages

  1. Technical understanding: Setting up OAuth requires a certain level of technical understanding. Individuals who are not familiar with the process may find it challenging to implement OAuth for their apps or devices.
  2. Multi-step process: The OAuth setup process involves multiple steps, such as creating API credentials, setting up a project in the Google Developer Console, and configuring the app to use OAuth. This can be time-consuming and daunting for users who prefer a simpler authentication method.
  3. Administrator privileges: In some cases, setting up OAuth for Google Workspace accounts may require administrator privileges, as certain API access controls and scopes might need to be enabled by the administrator. This could pose a barrier to implementation for users who do not have the necessary permissions.

When to use OAuth

  • Use OAuth when connecting to modern apps that support OAuth-based authentication, such as mobile apps, cloud-based services, or web applications.
  • Choose OAuth when you want to have more control over the permissions granted to third-party applications.

How to set up Gmail with OAuth

Follow the instructions at How to get a set of OAuth 2.0 credentials on Google.

App Passwords

App Passwords are unique passwords that grant access to specific apps and devices without sharing your main Gmail password. App Passwords are designed for situations where OAuth is not supported or practical.

Advantages

  1. Compatibility: App Passwords can be used with older apps or devices that do not support OAuth.
  2. Simplified access: App Passwords provide a way to access your Gmail account when OAuth isn’t an option.
  3. Ease of setup: App Passwords can be much easier to set up for clients, especially in cases where the client has limited technical knowledge or is unfamiliar with the OAuth process. Generating an App Password is a straightforward process, while OAuth often requires more steps, such as creating API credentials and setting up a project in the Google Developer Console.
  4. Revocable access: You can easily revoke access for any application at any time through your Google Account settings.

Disadvantages

  1. Account dependency: App Passwords are linked to individual user accounts. If an account is closed when an employee leaves, the App Passwords associated with that account will no longer function. Consequently, any applications relying on those App Passwords, such as a WordPress site, will stop sending emails.
  2. Revocation upon password change: App Passwords get revoked when the main account’s password is changed. This means you need to remember to regenerate and update them in all relevant apps and devices every time you change your main account password.

When to use App Passwords

  • Use App Passwords when dealing with older email clients, such as Outlook 2010, or devices that lack direct Google sign-in support.
  • Choose App Passwords when you need to set up email access on older smartphones or other applications that don’t support OAuth-based authentication.

How to set up Gmail with App Passwords

Follow the instructions at How to set up App Passwords in Gmail to set up App Passwords for Gmail.

Which method to choose

For WordPress sites, the decision is straightforward: use OAuth if your SMTP plugin supports it (WP Mail SMTP, FluentSMTP, and Post SMTP all do). OAuth tokens refresh automatically and survive password changes. Use App Passwords only when your plugin or hosting environment cannot handle the OAuth redirect flow — typically headless setups, CLI-only servers, or configurations where browser-based OAuth consent is impractical.
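What each method hands to Gmail's SMTP server at AUTH time, as an added example (not code from this article or from any of the plugins named): the SASL XOAUTH2 response carries a short-lived bearer token that a cache re-mints before it expires, while AUTH PLAIN carries the same static App Password on every connection. The `TokenCache` class, the `fake_refresh` stand-in for the token-endpoint call, the address, the token strings and the 3600-second lifetime are all assumptions constructed for illustration.

```python
import base64

def xoauth2_response(user: str, access_token: str) -> str:
    # SASL XOAUTH2 initial response: fields separated by Ctrl-A (0x01).
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")

def plain_response(user: str, app_password: str) -> str:
    # SASL PLAIN: empty authzid, NUL, username, NUL, long-lived secret.
    raw = f"\x00{user}\x00{app_password}"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")

class TokenCache:
    """Hypothetical helper: returns a valid access token, refreshing early."""
    def __init__(self, refresh_fn, skew: int = 60):
        self._refresh_fn = refresh_fn   # returns (access_token, lifetime_seconds)
        self._skew = skew               # refresh this many seconds before expiry
        self._token = None
        self._expires_at = 0.0
        self.refreshes = 0

    def get(self, now: float) -> str:
        if self._token is None or now >= self._expires_at - self._skew:
            self._token, lifetime = self._refresh_fn()
            self._expires_at = now + lifetime
            self.refreshes += 1
        return self._token

def demo():
    minted = {"n": 0}
    def fake_refresh():
        # Constructed stand-in: a real client exchanges its stored refresh
        # token for a new access token here. No account password is involved.
        minted["n"] += 1
        return f"constructed-token-{minted['n']}", 3600
    cache = TokenCache(fake_refresh)
    user = "site@example.com"                       # constructed address
    first = xoauth2_response(user, cache.get(now=0))
    same = xoauth2_response(user, cache.get(now=1800))      # still valid
    rotated = xoauth2_response(user, cache.get(now=3590))   # inside skew window
    static = plain_response(user, "abcdabcdabcdabcd")       # constructed secret
    return first, same, rotated, static, cache.refreshes

if __name__ == "__main__":
    for value in demo():
        print(value)
```

Both payloads are only base64-encoded, not encrypted, so a stored or logged App Password response exposes a credential that stays valid until it is revoked, whereas a captured XOAUTH2 response is useful only until that token expires.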
