From Gmail OAuth hell to one-line agent identity
I tried to give an AI agent its own email account three different ways. The first two took most of an afternoon. The third took 28 seconds. This is the migration story.

The first instinct: just create a Gmail. Free, familiar, works everywhere. Forty-five minutes in:

- Created a new Google account with a phone number Google would accept (the agent does not have a phone)
- Configured 2FA, generated an app password (Gmail no longer accepts plain passwords for IMAP)
- Hit the "less secure apps" wall, learned it has been retired
- Set up OAuth 2.0 client in Google Cloud Console
- Configured the consent screen, reviewed scopes, marked it "Internal"
- Realised Internal apps cannot be created on free Workspace, so I made it External
- Filled in the privacy policy URL, terms URL, app domain — for an agent I had not sent a single message yet.

"Just use [email protected]" is the popular shortcut. It works for receiving (Gmail routes + aliases to the same inbox), but:

- The "From" address on outbound is still the parent account
- The agent's mail mixes with mine, so my filters break
- Compromise of the agent's credentials = compromise of my personal mail
- Audit logs cannot tell us apart

Two hours later I gave up on this path. The mixing problem is fatal once you have more than one agent.

nylas agent account create

    $ nylas agent account create [email protected]
    ✓ Agent account created successfully!
      Email: [email protected]
      Provider: nylas
      Status: valid

Twenty-eight seconds wall-clock. No OAuth, no Workspace seat, no shared mailbox.

Three things, in this order:

1. The CLI auto-creates the nylas connector on your application if it does not exist. This is a one-time, idempotent setup.
2. It provisions a managed mailbox under your application's *.nylas.email zone. The mailbox lives entirely on Nylas — no Gmail, no Workspace, no third-party IMAP.
3. It stores the new grant locally so subsequent CLI commands resolve it without an explicit --grant.

The grant is provider=nylas, which means: no OAuth handshake, no token refresh, no client-secret rotation. The identity is managed end-to-end.

| Step | Gmail OAuth | Agent account |
|---|---|---|
| Create the identity | ~5 min (account, 2FA, app password) | One command |
| Configure OAuth client | ~12 min (Cloud Console, scopes, consent) | Not applicable |
| Wire up auth in your app | ~10 min (refresh token plumbing) | One nylas auth config |
| Setup time total | ~45 min | ~30 sec |
| Per-month cost | Workspace seat $6 | None |
| Token refresh | Yours to manage | Not applicable |
| Multi-provider reach | Gmail only | Gmail, Outlook, Exchange, Yahoo, iCloud, IMAP, agent |

If you have already wired up an agent to a Gmail account, the migration is mechanical:

    # 1. Provision the agent's new identity
    nylas agent account create [email protected]

    # 2. Optional: enable IMAP/SMTP (if your agent uses a stock library)
    #    (the password below is a sample value; set your own)
    nylas agent account update [email protected] \
      --app-password 'ValidAgentPass123ABC!'

    # 3. Send a test
    nylas email send --to [email protected] \
      --subject "test from new agent identity" \
      --body "Hi from the managed inbox."

    # 4. Update the agent's prompt / config to use the new address

That is the whole migration. The hardest part is finding everywhere the old address is hard-coded.

Three lessons from the misadventure:

- Phone number requirement: Gmail's signup will demand a phone for verification. Agents do not have phones. Burn an OTP-friendly number and accept Google may flag the account later.
- OAuth refresh tokens expire: a Gmail OAuth refresh token is not infinite. Tokens for unverified Cloud apps expire after 7 days; production verification is its own multi-week project.
- Per-seat costs scale: if your team runs 5 agents, that is 5 Workspace seats at $6 each = $30/mo just to give them mail.

Be honest about the trade. If the agent must read or send from an existing inbox at @yourcompany.com (your real domain), and your company is on Workspace, you do not want a separate Nylas address. In that case, OAuth Gmail and pay the setup cost.

The agent identity model is for new agent inboxes, not for migrating your CEO's mailbox. For everything else — testing, signup automation, agent-to-agent messaging, ephemeral inboxes, managed bots — the agent account wins on every dimension I can measure.

- Create an AI agent email identity — the full setup walkthrough
- Why AI agents need email — the case before the setup
- Email as identity for AI agents — the deeper argument about agent identity
- Full command reference
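
For the migration step above, where the hardest part is finding every place the old address is hard-coded, this is an added example (not from the original post or the Nylas CLI) that audits a config tree for the old mailbox and any +tag alias of it. The function names and the example.com addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example: list every file that still references the old agent mailbox,
# including +tag aliases of it, before cutting over to the new identity.

# find_old_address OLD_ADDRESS DIR
# Prints "file:line:text" per hit; exit status 0 if any hit, 1 if none.
# The body runs in a subshell so its variables do not leak to the caller.
find_old_address() (
  user="${1%@*}"        # local part of the address
  user="${user%%+*}"    # drop any +tag so every alias of the mailbox matches
  domain="${1#*@}"
  # Escape ERE metacharacters so dots in the address match literally.
  esc='s/[][\.^$*+?(){}|]/\\&/g'
  user=$(printf '%s' "$user" | sed "$esc")
  domain=$(printf '%s' "$domain" | sed "$esc")
  # -I skips binary files, -i ignores case, .git is left out of the audit.
  # The leading group stops "someme@..." from matching the mailbox "me".
  grep -rInEi --exclude-dir=.git \
    "(^|[^[:alnum:]._+-])${user}(\\+[[:alnum:]._-]+)?@${domain}" "$2"
)

# Constructed sample tree for a dry run; prints the temp directory path.
make_sample_tree() (
  d=$(mktemp -d)
  mkdir -p "$d/.git" "$d/cfg"
  printf 'FROM=me@example.com\n' > "$d/cfg/agent.env"
  printf 'reply_to: Me+Agent@Example.com\n' > "$d/cfg/prompt.yaml"
  printf 'owner: someme@example.com\nhost: me.example.com\n' > "$d/cfg/other.yaml"
  printf 'me@example.com\n' > "$d/.git/packed"
  printf '%s\n' "$d"
)

# Dry run on the constructed tree: sh thisfile --demo
if [ "${1:-}" = "--demo" ]; then
  tree=$(make_sample_tree)
  find_old_address 'me+agent@example.com' "$tree" || echo "no references found"
  rm -rf "$tree"
fi
```

Run it against the agent's repository and deployment config with the old address as the first argument; a non-zero exit status means no references remain.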
