3 Ways to Grant Email Delegation in Google Workspace

Discover three ways to grant email delegation in Google Workspace and choose the method that best fits your admin workflow
By Chris Shuptrine
Aug 2025
Email delegation lets assistants or teams manage inboxes without sharing passwords. In Google Workspace, you can grant it in different ways, and the right choice depends on scale, control, and audit needs.

This guide compares three options (user-driven in Gmail, admin-driven in the Admin console, and automated via API or CLI) so you can match the method to your workflow. You’ll see when to use each for quick one-offs, bulk updates, or standardized, least‑privilege processes.

Use Google Workspace’s UI

Here, you’ll use the Google Admin console and Gmail’s own settings to delegate a mailbox to another person. This follows the steps Google’s Help Center describes for Gmail and Admin console.

Turn on mail delegation in the Admin console

  • Sign in at admin.google.com with an admin account.
  • Go to Apps, then Google Workspace, then Gmail, then User settings.
  • Find Mail delegation:
    • Make sure mail delegation is allowed for your users.
  • Save your changes.

Note: Google’s docs explain that delegation works within your organization. External delegation is limited or not supported in most editions.

Add a delegate from the user’s Gmail inbox

  • Have the mailbox owner open Gmail in a browser.
  • Click the gear icon, then See all settings.
  • Open the Accounts and Import tab.
  • In Grant access to your account, click Add another account.
  • Enter the delegate’s work email address, then follow the prompts to Send email to grant access.

Google’s Gmail Help notes the delegate must confirm by email before access starts working.

Have the delegate accept the email invite

  • The delegate will get an email from Gmail asking to confirm access.
  • They must click the confirmation link and accept.
  • It can take some time after acceptance for access to start working. Google’s docs say this can take up to 24 hours.

How the delegate opens the mailbox

  • After access is active, the delegate signs in to their own Gmail.
  • Click the profile photo at the top right.
  • Under Delegated accounts, click the owner’s email to open that inbox in a new tab.

What the delegate can do, per Google’s documentation:

  • Read, send, and delete messages on the owner’s behalf.
  • When sending, the From line shows the owner. The message includes a “sent by” header with the delegate’s identity.
  • They cannot chat as the owner or change the owner’s password or Gmail settings.

Remove or update a delegate

  • The mailbox owner can go back to Gmail settings.
  • Open Accounts and Import, then find Grant access to your account.
  • Click delete next to the delegate to remove them. To add a new one, repeat the add steps.

Common gotchas to check

  • Don’t see Grant access to your account in Gmail? Ask your admin to enable Mail delegation in the Admin console.
  • Delegation works in Gmail on the web. The Gmail mobile apps do not support opening a delegated mailbox.
  • Both accounts should be active and in good standing. Suspended or archived accounts cannot be delegates.

Use Torii

Instead of handling this directly in Google Workspace, you can use Torii, a SaaS Management Platform, to delegate a user’s email in Google Workspace. SMPs centralize management of SaaS tools and integrations, allowing teams to programmatically onboard/offboard users, view subscription information, and more.

Where Google Workspace would require a manual step, Torii lets you automate it so the task runs whenever a defined trigger occurs. Common triggers include a new hire, an employee offboarding, or a contract renewal. If this action recurs regularly, automation can save meaningful time.

To delegate a user’s email in Google Workspace directly from Torii, follow these steps:

1. Sign up for Torii

Contact Torii, and request your free two-week proof-of-concept.

2. Connect your Google Workspace account to Torii

Once your account is active, connect Google Workspace to Torii (assuming you already have an account). Here are the instructions for the Google Workspace integration.

3. Create a Torii workflow for Google Workspace

In Torii, set up an automated workflow to delegate a user’s email in Google Workspace. Go to the Workflows tab, choose a trigger, and add an action that performs the email delegation in Google Workspace. After that, whenever the trigger conditions are met, Google Workspace will be updated automatically.

Use Google Workspace’s API

Here, you’ll use the Gmail API to add, check, and remove mailbox delegates for a user. No UI steps, just API calls.

Step 1: Get authorized with the right scope

You need an OAuth 2.0 access token that acts as the mailbox owner and includes the Gmail settings scope.

  • Required OAuth scope:
    • https://www.googleapis.com/auth/gmail.settings.sharing
  • Choose one auth flow:
    • User OAuth: Have the mailbox owner grant consent for the scope.
    • Service account with domain-wide delegation: Impersonate the mailbox owner via the subject field. Make sure the service account is allowed for the scope in your org.
  • Create an access token and export a few helpers:
ACCESS_TOKEN="ya29.a0AfH6S."
USER="owner@example.com"         # placeholder: the mailbox owner's address
DELEGATE="delegate@example.com"  # placeholder: the delegate's address

If you’re using domain-wide delegation, set USER to the mailbox you’re impersonating.

Step 2: Add a delegate to the user’s mailbox

Call the create method on users.settings.delegates. The body only needs the delegate’s email.

Example curl call:

curl -s -X POST \
-H "Authorization: Bearer $ACCESS_TOKEN" \
-H "Content-Type: application/json" \
"https://gmail.googleapis.com/gmail/v1/users/$USER/settings/delegates" \
-d '{"delegateEmail":"'"$DELEGATE"'"}'

You’ll get a Delegate resource back. Look at verificationStatus to see if it’s accepted or pending. If it’s pending, the delegate needs to accept the request. Some org policies can affect auto-accept.

Common results:

  • 200 with a delegate object: Request created.
  • 409: A delegate entry already exists or is already pending.
  • 400: Invalid delegate (for example, a group address or the same as the owner).
  • 403: Missing scope or not impersonating the mailbox owner.

Step 3: Check the delegate’s status

You can fetch a single delegate or list them all.

Get a specific delegate:

curl -s -H "Authorization: Bearer $ACCESS_TOKEN" \
"https://gmail.googleapis.com/gmail/v1/users/$USER/settings/delegates/$DELEGATE"

List all delegates for the user:

curl -s -H "Authorization: Bearer $ACCESS_TOKEN" \
"https://gmail.googleapis.com/gmail/v1/users/$USER/settings/delegates"

Review verificationStatus. If it stays pending, the delegate hasn’t accepted yet or the request expired. Recreate the request if needed.

Step 4: Remove a delegate

Use the delete method on users.settings.delegates.

Example curl call:

curl -s -X DELETE \
-H "Authorization: Bearer $ACCESS_TOKEN" \
"https://gmail.googleapis.com/gmail/v1/users/$USER/settings/delegates/$DELEGATE"

A 200 with an empty response means it’s removed.

Step 5: Practical notes from the API docs

  • The caller must be the mailbox owner or a service account impersonating that user with domain-wide delegation.
  • You can’t delegate to a group, alias, or non-Google account. Many orgs also block external delegates.
  • New delegations can take a few minutes to fully propagate.
  • Use exponential backoff on 429 and 5xx responses.
  • Keep tokens short-lived and scoped to gmail.settings.sharing for this workflow.
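
The status codes from Step 2 and the backoff advice above can be combined into one wrapper. This is an added example, not code from the article or from Google; the function names and the MAX_ATTEMPTS and SLEEP_CMD variables are hypothetical, and treating 409 as success is an assumption that suits repeatable provisioning runs.

```bash
#!/usr/bin/env bash
# Added example (not from the article): status handling and retry for delegate calls.

# Map an HTTP status to an action, following the result codes listed in Step 2.
classify_status() {
  case "$1" in
    2[0-9][0-9])     echo ok ;;
    409)             echo exists ;;  # already a delegate or pending: nothing to do
    429|5[0-9][0-9]) echo retry ;;   # rate limit or server error: back off
    *)               echo fail ;;    # 400, 403, anything else: do not retry
  esac
}

# Seconds to wait before retry N (1-based): base * 2^(N-1), capped at 32.
backoff_delay() {
  local d=$(( ${2:-1} * (1 << ($1 - 1)) ))
  if [ "$d" -gt 32 ]; then d=32; fi
  echo "$d"
}

# Run "$@" (a command that prints only an HTTP status) until the result is final.
# MAX_ATTEMPTS and SLEEP_CMD are hypothetical knobs for this example.
with_backoff() {
  local max=${MAX_ATTEMPTS:-5} attempt=1 status action
  while :; do
    status=$("$@")
    action=$(classify_status "$status")
    case "$action" in
      ok|exists) echo "$action"; return 0 ;;
      fail)      echo "fail:$status"; return 1 ;;
    esac
    if [ "$attempt" -ge "$max" ]; then echo "gave-up:$status"; return 2; fi
    ${SLEEP_CMD:-sleep} "$(backoff_delay "$attempt")"
    attempt=$((attempt + 1))
  done
}

# The create call from Step 2, reduced to its status code.
# Expects ACCESS_TOKEN, USER and DELEGATE to be set as in Step 1.
create_delegate() {
  curl -s -o /dev/null -w '%{http_code}' -X POST \
    -H "Authorization: Bearer $ACCESS_TOKEN" \
    -H "Content-Type: application/json" \
    "https://gmail.googleapis.com/gmail/v1/users/$USER/settings/delegates" \
    -d '{"delegateEmail":"'"$DELEGATE"'"}'
}

# Usage: with_backoff create_delegate
```

A 400 or 403 stops immediately because retrying cannot fix a bad delegate address or a missing scope; only 429 and 5xx are retried.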

Frequently Asked Questions

You have three options to delegate a user's email in Google Workspace: use the Gmail UI (owner grants access and delegate accepts), enable Mail delegation in the Admin console for admin-driven grants, or automate via the Gmail API/CLI or an SMP like Torii.

Use the Gmail UI for quick, owner-driven one-offs where the delegate accepts manually. Use the Admin console to enable delegation policies or make bulk changes and enforce organization-wide settings without per-user manual steps.

Automate delegation with Torii workflows or by scripting the Gmail API/CLI. In Torii create triggers for hires, offboards, or renewals; with the API use domain-wide delegation or a service account to run create/delete delegate calls programmatically.

The required OAuth scope is https://www.googleapis.com/auth/gmail.settings.sharing. Use user OAuth for owner consent, or a service account with domain-wide delegation impersonating the owner (subject field). Keep tokens scoped and short-lived.

You cannot delegate to groups, aliases, or non-Google accounts. External delegation is limited or blocked in many editions; delegates must be active internal accounts and usually must accept the invitation to gain access.

The mailbox owner removes a delegate in Gmail Settings > Accounts and Import, or you can call the API delete method. Removal is generally quick but may take minutes to propagate; initial delegation acceptance can take up to 24 hours.