LinkedIn
Instagram
WhatsApp
Telegram
Google Calendar
Join Slack CommunityGive Your SaaS Access to User Inboxes via Email API
An email API for SaaS lets your product read, send, and sync emails directly from your users' Gmail, Outlook, or IMAP accounts - without touching passwords. Build CRM integrations, sales tools, helpdesks, and AI assistants on a unified OAuth foundation.
import { UnipileClient } from 'unipile-node-sdk';
const client = new UnipileClient('YOUR_DSN', 'YOUR_TOKEN');
// Link a user's inbox
const link = await client.account.create({
type: 'google',
redirect_url: 'https://app.com/cb'
});
// Fetch the latest 50 emails
const { items } = await client.email.getAll({
account_id: 'user_account_id',
limit: 50
});
// Send from the user's address
await client.email.send({
account_id: 'user_account_id',
to: [{ identifier: 'lead@co.com' }],
subject: 'Following up',
body: 'Hi, just checking in...'
});
What Is an Email API for SaaS?
Most developers hear "email API" and think of tools like SendGrid or Mailgun - services for sending transactional emails (receipts, notifications, magic links) from your own domain. That is a different market entirely. An email API for SaaS solves a fundamentally different problem: giving your product programmatic access to your users' own email accounts.
An email API for SaaS is a set of HTTP endpoints that lets your product authenticate with a user's email provider (Gmail, Outlook, or IMAP) via OAuth, then read, send, sync, and search emails on their behalf - all through a single integration, without storing passwords or managing provider-specific quirks.
Sends emails from your domain to your users. Used for password resets, invoices, notifications, and marketing campaigns. Your product controls the sender address.
Gives your SaaS access to your users' inboxes via OAuth. Your product reads, sends, and syncs emails on behalf of each user - from their Gmail, Outlook, or IMAP account.
What SaaS Products Actually Build with an Email API
Any product where users need to act on emails - or where emails need to flow into your data model - is a candidate for a user-sync email API. Here are the five most common patterns builders ship with Unipile.
Automatically capture every email exchanged between a sales rep and a contact. No manual logging, no missed touchpoints. Your CRM stays current without any user action.
Run multi-step outreach sequences from each rep's own Gmail or Outlook address - not a shared sending domain. Replies land in the rep's real inbox and get detected automatically.
Pull support emails from multiple team inboxes into a unified ticket queue. Replies sent from your helpdesk UI go out through the agent's own linked account, preserving deliverability.
Give your AI product access to a user's full email history. Summarize threads, draft replies, extract action items, or classify leads - all grounded in the user's real inbox data.
Let users connect their inbox to trigger automations - create tasks from emails, extract invoice data, route attachments to storage, or bridge email with Slack, Notion, or your own workflow engine.
Connect recruiter inboxes to your ATS. Automatically associate candidate emails with job applications, track response rates, and let recruiters reply directly from their linked account without leaving your platform.
What a Production Email API for SaaS Must Support
Building a reliable email integration is more than calling a REST endpoint. Here are the six capabilities any serious SaaS email API integration needs to cover - and where the hidden complexity lives in each.
Each user links their own inbox via a separate OAuth consent. Your SaaS acts on behalf of each authenticated user - not through a single shared service account. Google and Microsoft each require app verification before you can issue OAuth tokens at scale.
Your users will have Gmail, Outlook (personal and Microsoft 365), and IMAP-based inboxes. A robust email API for SaaS normalises these three providers into a single unified response format so your product logic stays provider-agnostic.
Polling every few minutes is fragile and slow. Production SaaS requires webhook notifications when new emails arrive or message state changes. Gmail uses Pub/Sub, Microsoft Graph uses subscriptions - your API layer should abstract both into one event format.
Email clients group messages into threads. Your email API must expose a consistent thread identifier across providers so you can reply-in-thread, collapse conversations, and detect whether an outbound sequence got a reply - without parsing raw Message-ID headers yourself.
Reading attachments means decoding MIME parts, handling inline images, and downloading binary blobs across provider-specific APIs. The endpoint must let you fetch attachments by ID without re-downloading the full message body on every request.
Email data is sensitive. Your integration needs token encryption at rest, scoped OAuth permissions (request only what you need), audit logs, and a documented data-deletion path to satisfy GDPR right-to-erasure requests and SOC 2 Type II audits.
The Hidden Costs of Building Your Own Email API Integration
The Gmail API, Microsoft Graph, and IMAP libraries are all free and well-documented. So why do most SaaS teams underestimate the build cost by 3-5x? Because the complexity is not in the initial integration - it is in everything that comes after.
Apps requesting Gmail scopes beyond basic profile must pass Google's CASA Tier 2 security assessment before they can serve more than 100 test users. The process involves a third-party security lab, takes 4-8 weeks, and costs $4,000-$75,000 depending on scope.
Microsoft requires publisher verification for apps requesting higher-privilege Graph API scopes. Without it, every user sees a red warning banner during the OAuth consent screen - a major conversion killer for B2B SaaS onboarding flows.
There are hundreds of IMAP server implementations in the wild. Each has quirks: non-standard folder names, broken IDLE support, TLS certificate edge cases, connection timeout behaviour, and per-server authentication flows. Every enterprise customer you land may surface a new edge case that blocks their team.
OAuth tokens expire. Refresh tokens can be revoked by the user or by provider policy. At scale, managing token lifecycle for thousands of linked accounts across three providers requires a reliable background job, failure alerting, and a graceful re-auth UX flow.
Google and Microsoft deprecate and update API surfaces. Gmail Basic Auth was removed. Microsoft deprecated legacy Exchange endpoints. Keeping pace with three providers' changelogs is an ongoing maintenance burden that falls entirely on your engineering team.
Email data is in scope for GDPR and SOC 2 Type II. You need documented data flows, encryption at rest and in transit, token storage policies, and a verifiable deletion process. Building this from scratch for a SaaS audit can take weeks and requires legal review.
Build In-House vs. Email Aggregation API for SaaS
Here is how building your own three-provider email integration compares to using a unified email API for SaaS across every dimension that matters at production scale.
| Capability | Build in-house | Unipile Email API |
|---|---|---|
| Gmail OAuth integration | Manual - CASA Tier 2 required |
Included - CASA Tier 2 certified |
| Outlook / Microsoft 365 OAuth | Manual - publisher verification required |
Included - verified publisher |
| IMAP support | Build yourself - edge cases at scale |
Fully abstracted - all server quirks handled |
| Unified response format | 3 separate data models to normalise |
Single schema for all providers |
| Real-time webhooks | Pub/Sub + Graph subscriptions - separate setup per provider |
One webhook endpoint for all providers |
| OAuth token refresh | Your background job - failure handling required |
Managed automatically |
| Thread and conversation model | Provider-specific - custom normalisation needed |
Consistent thread IDs across all providers |
| Attachments API | MIME parsing - build separately per provider |
Fetch by attachment ID - provider-agnostic |
| GDPR data deletion | Your responsibility - custom audit trail |
Documented deletion path - GDPR ready |
| SOC 2 Type II coverage | Scope your own controls |
SOC 2 Type II certified |
| Time to first email sync | 4-6 months (all three providers) |
Less than 1 day |
| Ongoing maintenance | Your team tracks all provider API changes |
Handled by Unipile - zero provider maintenance |
How Unipile Delivers an Email API for SaaS in One Integration
Unipile is a unified email API for SaaS built specifically for the user-sync market. One set of endpoints covers Gmail, Outlook, and IMAP - with OAuth, webhooks, threading, attachments, and compliance handled for you. Here is what each provider integration looks like under the hood.
Unipile uses Google OAuth 2.0 to request the minimum necessary scopes. The platform is CASA Tier 2 certified, so your app inherits verified status without going through your own assessment.
Unipile connects via the Microsoft Graph API using the Microsoft Identity Platform. This covers both personal Outlook accounts and corporate Microsoft 365 tenants through one OAuth flow.
For users on Yahoo, Fastmail, custom corporate servers, or any other provider, Unipile connects via IMAP. All the server-specific quirks, TLS edge cases, and folder-naming differences are abstracted away from your code.
account_id. Store it against your user record. All subsequent email calls reference this ID - no tokens, no secrets in your database.GET /emails to list messages, POST /emails to send, and GET /emails/:id/attachments for files. Same endpoints for all three providers.Sync User Emails in Your SaaS: Complete Code Example
Three languages, one pattern. Link a user inbox, fetch their emails, and send from their address - all through the Unipile unified email API. The same code works for Gmail, Outlook, and IMAP linked accounts.
import { UnipileClient } from 'unipile-node-sdk';
const client = new UnipileClient('YOUR_DSN', 'YOUR_TOKEN');
// Step 1: Generate a hosted OAuth link for your user
const authLink = await client.account.create({
type: 'google', // or 'microsoft' or 'imap'
redirect_url: 'https://yourapp.com/callback'
});
// Redirect your user to authLink.url to complete OAuth consent
// Step 2: List the 50 most recent emails for a linked account
const { items: emails } = await client.email.getAll({
account_id: 'ACCOUNT_ID',
limit: 50
});
emails.forEach(email => {
console.log(email.subject, email.from_attendee.identifier);
});
// Step 3: Send from the user's own address
await client.email.send({
account_id: 'ACCOUNT_ID',
to: [{ identifier: 'lead@company.com', display_name: 'Prospect' }],
subject: 'Following up on our call',
body: 'Hi, just wanted to check in...
'
});
// Step 4: Register a webhook for real-time new email events
await client.webhook.create({
url: 'https://yourapp.com/webhooks/email',
events: ['email.received', 'email.sent']
});import requests
BASE = "https://api9.unipile.com:13234/api/v1"
TOKEN = "YOUR_TOKEN"
HEADERS = {"X-API-KEY": TOKEN, "Content-Type": "application/json"}
# Step 1: Create a hosted auth link for your user
resp = requests.post(f"{BASE}/hosted/accounts/link", json={
"type": "google",
"redirect_url": "https://yourapp.com/callback"
}, headers=HEADERS)
auth_url = resp.json()["url"]
# Step 2: Fetch 50 most recent emails
emails = requests.get(f"{BASE}/emails", params={
"account_id": "ACCOUNT_ID",
"limit": 50
}, headers=HEADERS).json()["items"]
for email in emails:
print(email["subject"], email["from_attendee"]["identifier"])
# Step 3: Send from the user's own address
requests.post(f"{BASE}/emails", json={
"account_id": "ACCOUNT_ID",
"to": [{"identifier": "lead@company.com"}],
"subject": "Following up",
"body": "Hi, just wanted to check in...
"
}, headers=HEADERS)# Step 1: Create a hosted auth link
curl -X POST \
"https://api9.unipile.com:13234/api/v1/hosted/accounts/link" \
-H "X-API-KEY: YOUR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"type":"google","redirect_url":"https://yourapp.com/callback"}'
# Step 2: List the 50 most recent emails
curl -G \
"https://api9.unipile.com:13234/api/v1/emails" \
-H "X-API-KEY: YOUR_TOKEN" \
--data-urlencode "account_id=ACCOUNT_ID" \
--data-urlencode "limit=50"
# Step 3: Send from the user's own address
curl -X POST \
"https://api9.unipile.com:13234/api/v1/emails" \
-H "X-API-KEY: YOUR_TOKEN" \
-H "Content-Type: application/json" \
-d '{"account_id":"ACCOUNT_ID","to":[{"identifier":"lead@company.com"}],"subject":"Following up","body":"Hi...
"}'Unipile generates the OAuth URL. Your user clicks, consents, and is redirected back to your app. You never handle OAuth tokens directly.
GET /emails and POST /emails work identically for Gmail, Outlook, and IMAP. Change the account_id - everything else stays the same.
Register a single URL. Unipile normalises Gmail Pub/Sub notifications, Microsoft Graph change events, and IMAP IDLE signals into one unified event payload.
Frequently Asked Questions
Common questions from SaaS founders and engineers evaluating an email API for user inbox sync.
EN 
FR 
ES 
DE 
IT 
BR 
NL 
PL 
TR