<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
Configuring BYO SMTP Server Using OAuth 2.0 With Okta
Mar 30, 2026
Okta Classic Engine
Okta Identity Engine
Custom Email Domain
Overview

This guide provides step-by-step instructions for configuring a "Bring Your Own (BYO) SMTP" server using OAuth 2.0 authentication. Okta recommends OAuth 2.0 over basic authentication to ensure higher security and maintain compatibility, as many email providers are phasing out support for legacy connection methods.

Applies To
  • Configuring Google/Gmail as a custom email provider using OAuth 2.0
  • Okta Identity Engine (OIE)
  • Okta Classic Engine
  • Configuring Bring Your Own (BYO) SMTP Server with OAuth2
Solution

Configuring BYO SMTP for Gmail with OAuth 2.0

Okta recommends using OAuth 2.0 (JWT Bearer Token Flow) over basic authentication for higher security and long-term compatibility.

Phase 1: Google Cloud Console Configuration

Before heading to Okta, ensure the Google environment is prepared:

  1. Enable Gmail API:

    1. In the Google Cloud Console, navigate to APIs & Services > Library.
    2. Search for "Gmail API" and ensure it is Enabled.

  2. Service Account & JSON Key:

    1. Go to APIs & Services > Credentials.
    2. Select a Service Account (or create one) and copy the Unique ID. This will be needed for Domain-Wide Delegation.
    3. Go to the Keys tab > Add Key > Create new key.
    4. Select JSON and click Create. Save this file securely; it contains the private key.

  3. Domain-Wide Delegation:

    1. Log in to the Google Admin Console.
    2. Navigate to Security > Access and data control > API controls.
    3. On the next page, click on Manage Domain Wide Delegation > Add new.
    4. Client ID: Paste the Unique ID copied in step 2.
    5. OAuth Scopes: Enter https://mail.google.com/.
    6. Click AUTHORIZE.

Manage Domain Wide Delegation

Phase 2: Enable the Feature in Okta

The OAuth option for email providers is often behind an Early Access (EA) flag.

  1. In the Okta Admin Console, go to Settings > Features.
  2. Locate and enable OAuth 2.0 support for custom email providers.

Phase 3: Connect Okta to Gmail

Navigate to Customizations > Email Provider and click Add Custom Email Provider.

 

FieldValue / Action
Connection TypeSelect > OAuth 2.0 - JWT Bearer token flow
Client IDUse the Unique ID saved earlier, client_id from the JSON file
Token endpoint URL

The token_uri value from the JSON file

https://oauth2.googleapis.com/token

Signing algorithmRS256
Key IDThe private_key_id from the JSON file
Issuer

The client_email value from the JSON key file.

This will be the Servica Account Email

Subject

A valid Google Workspace user email (the "sender" account).

This is not the service account JSON email

Audience

The token_uri value from the JSON file

https://oauth2.googleapis.com/token.

Scopeshttps://mail.google.com/
Private KeyPaste the entire private_key string from the JSON file.
Hostnamesmtp.gmail.com
Port587
UsernameSame as the Subject email address.

 

After successful configuration, a search in the system logs for "Email Sent" events using the below search query will display these details in the event's DebugData:

eventType eq "system.email.delivery"


System Logs




Related references


Recommended content
Still looking for help?
Loading
Configuring BYO SMTP Server Using OAuth 2.0 With Okta