Browser popup callback for the Gmail email-provider OAuth flow. Google redirects here with an authorization code and state. The handler decodes the state to find the tenant and email provider, exchanges the code for Google access and refresh tokens, stores them on the provider configuration, marks the provider connected, and may provision Gmail watch/Pub/Sub resources. This endpoint is public and protected by the OAuth state parameter; it always responds with text/html that posts the success or error payload to the opener window rather than returning JSON.
Query parameters
codestringOptional
OAuth 2.0 authorization code. Required unless the provider returned error.
statestringOptional
Base64-encoded JSON state object generated when the OAuth flow was initiated. It carries tenant context, providerId, redirectUri, timestamp, and nonce values used to complete the callback.
errorstringOptional
OAuth error code returned by the provider, such as access_denied.
error_descriptionstringOptional
Human-readable OAuth error description returned by the provider.
Response codes
200
HTML popup callback page. The embedded postMessage payload reports success, provider=google, token expiry, and echoed code/state, or an OAuth/configuration/token-exchange error.