Summary
📚 Pilotflow Pre-Launch Series
- The $50,000 Gmail Add-on Myth ← you are here
- Gmail OAuth Scopes Decoded: Public, Sensitive, and Restricted — March 13
- Pre-Development Codebase Review: Finding Bugs Before You Write Code — March 18
- Legal Documents for Gmail Add-ons in 15 Minutes — March 20
What if the most important research you do before launching a Gmail add-on takes one day and costs nothing — but failing to do it costs you the entire project?
Before writing a single line of production code for Pilotflow, I spent a day researching what it would actually cost to publish it on the Google Workspace Marketplace. What I found changed the entire product architecture.
The Number Everyone Repeats
Search for “CASA certification cost Gmail add-on” and you’ll find the same figure everywhere: $50,000 to $75,000. Developer forums, blog posts, startup advice threads — the number is repeated with such confidence that it starts to feel like established fact.
It isn’t.
What CASA Actually Is
CASA (Cloud Application Security Assessment) is Google’s required security review for Workspace Marketplace apps that use restricted OAuth scopes — specifically scopes that access the full contents of a user’s Gmail inbox or Google Drive.
The certification exists for good reason. If an app can read your entire email history, the security posture of that app matters enormously. Google wants independent verification that the app handles that access responsibly.
The certification is handled by Google-approved security assessors — third-party firms that conduct the actual review. This is where the cost confusion lives.
The Corrected Number
After tracing the $50K figure back to its sources, I found that it reflected either outdated pricing or the cost for the most comprehensive assessment tier from premium providers.
Through TAC Security — one of Google’s approved CASA assessment partners — the actual pricing range for Tier 2 certification is $540 to $1,800 per year.
That’s a completely different business decision.
At $50,000, you design your entire feature set around scope avoidance. You remove features, accept worse UX, and architect the product defensively — because the certification is a project-ending number for any pre-revenue product.
At $540–$1,800, you make a normal cost-benefit calculation: does the feature that requires restricted scope generate enough value (and eventually revenue) to justify the annual certification cost?
Why the Distinction Changes Everything
Here’s the practical impact for Pilotflow:
| Assumption | Product Decision |
|---|---|
| CASA costs $50K | Remove all restricted-scope features. Ship a limited product. |
| CASA costs $540–$1,800/yr | Keep full functionality. Validate with 100 test users first. Decide certification later. |
The first path produces a product hobbled from launch. The second path produces a product that can be properly validated before making the certification investment.
The Correct Decision Framework
Making the right decision about CASA requires two steps that most developers skip:
Step 1: Identify which scopes your add-on actually needs. Not “what scopes sound useful” — what your specific feature set genuinely requires. A Gmail add-on that works with the currently open email uses different scopes than one that processes your entire inbox history.
Step 2: Know what each scope category costs you. Restricted scopes require CASA. Sensitive scopes require OAuth verification (free, 4–6 weeks). Public scopes require nothing. The category your add-on falls into is determined entirely by which scopes you request.
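The two steps can be run as a check over an add-on's `appsscript.json` manifest. The sketch below is an added example, not code from Pilotflow or Google. The scope-to-tier table is an assumption drawn from Google's published Gmail scope classifications and should be re-checked against the current documentation; both sample manifests are constructed.

```javascript
// Added example, not Pilotflow code. Tier assignments are an assumption from
// Google's published Gmail scope table; re-check them before relying on this.
const G = "https://www.googleapis.com/auth/";
const SCOPE_TIERS = new Map([
  ["https://mail.google.com/", "restricted"],
  [G + "gmail.readonly", "restricted"],
  [G + "gmail.modify", "restricted"],
  [G + "gmail.send", "sensitive"],
  [G + "gmail.addons.current.message.readonly", "sensitive"],
  [G + "gmail.addons.execute", "public"],
  [G + "gmail.labels", "public"],
]);
const RANK = { public: 0, sensitive: 1, restricted: 2 };
// Obligations as stated in the post.
const REVIEW = {
  public: "nothing required",
  sensitive: "OAuth verification (free, 4-6 weeks)",
  restricted: "CASA assessment",
};

function auditManifest(manifestJson) {
  const scopes = JSON.parse(manifestJson).oauthScopes;
  // No explicit list: Apps Script derives scopes from the code, so the
  // manifest alone cannot answer the question. Report that, don't guess.
  if (!Array.isArray(scopes)) {
    return { tier: null, review: null, complete: false, unclassified: [] };
  }
  const unique = [...new Set(scopes)];
  const unclassified = unique.filter((s) => !SCOPE_TIERS.has(s));
  const tier = unique
    .filter((s) => SCOPE_TIERS.has(s))
    .map((s) => SCOPE_TIERS.get(s))
    .reduce((worst, t) => (RANK[t] > RANK[worst] ? t : worst), "public");
  // Scopes missing from the table are surfaced, never assumed public.
  return { tier, review: REVIEW[tier], complete: unclassified.length === 0, unclassified };
}

// Constructed manifests for the two add-on shapes contrasted in Step 1.
const CURRENT_MESSAGE_ADDON = JSON.stringify({
  oauthScopes: [G + "gmail.addons.execute", G + "gmail.addons.current.message.readonly"],
});
const INBOX_HISTORY_ADDON = JSON.stringify({
  oauthScopes: [G + "gmail.addons.execute", G + "gmail.readonly"],
});

console.log(auditManifest(CURRENT_MESSAGE_ADDON).review);
console.log(auditManifest(INBOX_HISTORY_ADDON).review);
```

Running this in CI against the manifest catches a scope change that moves the add-on into a higher review tier before it ships.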
I cover the full scope classification system — and the specific distinction that most developers get wrong — in the next post.
The key lesson: The $50K number is widely repeated and wrong. Verify your assumptions from primary sources before letting them constrain your architecture.
Key Takeaways
- Google’s CASA Tier 2 certification is required for restricted-scope Gmail add-ons — but the actual cost ($540–$1,800/yr through TAC Security) is far lower than the widely cited $50K figure.
- The cost difference between the myth and reality changes the product architecture decision entirely.
- Don’t let unverified numbers constrain your design. Trace claims to their sources before acting on them.
What’s Next
Understanding CASA costs is only half the equation. The other half is understanding which scopes trigger it — and the specific technical distinction that determines whether your add-on needs certification at all.
→ Next: Gmail OAuth Scopes Decoded
— Kékéli