OAuth authentication provides a more secure way to connect your email provider to Chargebee for sending email notifications. Instead of storing passwords, OAuth uses secure tokens that can be revoked at any time and don't expose your actual credentials.
Overview
Chargebee supports OAuth authentication for the following email providers:
| Provider | Description |
| --- | --- |
| Microsoft 365 | Connect your Microsoft 365 (Outlook, Office 365) business email account |
| Google Workspace | Connect your Google Workspace (Gmail) business email account |
Note:
OAuth authentication is available for business accounts only. Personal email accounts (such as personal Gmail or Outlook.com accounts) may have limitations based on your email provider's policies.
Benefits of OAuth vs Password Authentication
| Feature | OAuth Authentication | Password Authentication |
| --- | --- | --- |
| Security | Uses secure tokens; password never shared | Password stored and transmitted |
| Token Refresh | Automatic token refresh; no manual intervention | Password changes require reconfiguration |
| Revocation | Can revoke access anytime from email provider | Must change password to revoke access |
| MFA Compatibility | Works seamlessly with MFA-enabled accounts | Requires app passwords for MFA accounts |
| Compliance | Meets modern security standards | May not comply with strict security policies |
Prerequisites
Before configuring OAuth authentication, ensure you have:
For Microsoft 365
A Microsoft 365 business or enterprise account
Admin consent for the Chargebee application (may be required by your organization)
The email account you want to use for sending notifications
For Google Workspace
A Google Workspace business account
Admin approval for third-party app access (if required by your organization)
The email account you want to use for sending notifications
Connecting via OAuth
Follow these steps to connect your email provider using OAuth authentication:
Step 1: Navigate to SMTP Settings
Go to Settings > Configure Chargebee > Email Notifications > Change SMTP settings
Click Configure SMTP server
Step 2: Select OAuth Authentication
In the SMTP configuration modal, click on the OAuth tab
You will see the available OAuth providers (Microsoft and Google)
Step 3: Choose Your Provider
Select the email provider you want to connect:
Click on Microsoft to connect a Microsoft 365 account
Click on Google to connect a Google Workspace account
Step 4: Authenticate with Your Provider
A popup window will open, redirecting you to your email provider's login page
Sign in with your email account credentials
Review the permissions requested by Chargebee
Click Accept or Allow to grant access
Note:
Ensure your browser allows popups from Chargebee.
If the popup is blocked, check your browser's popup blocker settings.
The popup must complete the authentication flow; do not close it manually.
Step 5: Verify Connection
Once authentication is successful:
The popup will close automatically
You will see a confirmation showing the connected email address
The connection status will display "Connected" with a timestamp
Managing OAuth Connections
Viewing Connection Details
After connecting via OAuth, you can view:
Connected Email: The email address used for sending notifications
Provider: Microsoft or Google
Connected At: The time when the OAuth connection was established
Disconnecting OAuth
To disconnect an OAuth connection:
Go to Settings > Configure Chargebee > Email Notifications > Change SMTP Settings
Click Manage SMTP server
Click Disconnect
Confirm the disconnection when prompted
Warning
Disconnecting OAuth will immediately stop all email notifications from being sent through this connection. Ensure you have an alternative SMTP configuration ready before disconnecting.
Reconnecting OAuth after Disconnection
If you need to reconnect:
Follow the same steps as the initial connection
You may need to re-authorize Chargebee in your email provider's settings
How OAuth Works
When you connect via OAuth:
Authorization: You authorize Chargebee to send emails on your behalf
Token Exchange: Chargebee receives secure access and refresh tokens
Email Sending: Chargebee uses these tokens to authenticate with your email provider's SMTP server
Token Refresh: Tokens are automatically refreshed before expiration
Token Expiration and Refresh
OAuth tokens have a limited lifespan (typically 1 hour for access tokens)
Chargebee automatically refreshes tokens before they expire
If a refresh fails (e.g., due to revoked access), you will need to reconnect
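The token lifecycle described above, sketched as an added example (not Chargebee's code). It assumes the SASL XOAUTH2 mechanism that Google and Microsoft document for SMTP with OAuth tokens; `TokenStore`, `REFRESH_SKEW`, the `PermissionError` signal and the sample address and token are hypothetical names and constructed values.

```python
import base64
import time

REFRESH_SKEW = 300  # assumption: renew 5 minutes before the access token expires


class TokenStore:
    """Holds an access token and renews it shortly before it expires."""

    def __init__(self, refresh_fn, now=time.time):
        self._refresh_fn = refresh_fn  # hypothetical: returns (access_token, lifetime_seconds)
        self._now = now
        self._token = None
        self._expires_at = 0.0

    def access_token(self):
        if self._token is None or self._now() >= self._expires_at - REFRESH_SKEW:
            try:
                token, lifetime = self._refresh_fn()
            except PermissionError as exc:
                # Stand-in for a rejected refresh (revoked grant): only a new consent fixes it.
                self._token = None
                raise RuntimeError("reconnect required: refresh token rejected") from exc
            self._token, self._expires_at = token, self._now() + lifetime
        return self._token


def xoauth2_initial_response(user, access_token):
    """SASL XOAUTH2 client response: user=<addr>^Aauth=Bearer <token>^A^A, base64-encoded."""
    if "\x01" in user or "\x01" in access_token:
        raise ValueError("control character in XOAUTH2 field")
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def smtp_auth_command(user, store):
    """The SMTP AUTH line sent after STARTTLS; the mailbox password never appears in it."""
    return "AUTH XOAUTH2 " + xoauth2_initial_response(user, store.access_token())


if __name__ == "__main__":
    # Constructed values; a real refresh_fn would call the provider's token endpoint.
    store = TokenStore(lambda: ("constructed-access-token", 3600))
    print(smtp_auth_command("billing@example.com", store))
```

Because the base64 string decodes directly to a live bearer token, the AUTH line should be treated like a credential and kept out of SMTP debug logs.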
Troubleshooting
Popup Blocked
Problem: The authentication popup doesn't appear or is blocked.
Solution:
Check your browser's popup blocker settings
Allow popups from your Chargebee site domain
Try using a different browser
Disable browser extensions that might block popups
Connection Failed
Problem: The OAuth connection fails after authentication.
Solution:
Ensure you're using a business email account (not a personal account)
Check if your organization requires admin consent for third-party apps
Verify your email account has the necessary permissions
Contact your IT administrator if your organization has restrictions
Admin Consent Required (Microsoft 365)
Problem: Microsoft shows "Admin consent required" or "Need admin approval" message.
Solution:
Contact your Microsoft 365 administrator
Request approval for the Chargebee application
The admin can approve the app from the Azure Active Directory admin center
Once approved, retry the connection
Emails Not Being Sent
Problem: OAuth is connected but emails are not being delivered.
Solution:
Verify the connection status in SMTP settings
Check if the OAuth token needs to be refreshed (try disconnecting and reconnecting)
Verify the connected email account is active and not suspended
Check your email provider's sending limits
Token Expired or Revoked
Problem: Previously working OAuth connection stops sending emails.
Solution:
The OAuth access may have been revoked from your email provider
Disconnect the current OAuth connection in Chargebee
Reconnect following the standard OAuth flow
Check your email provider's connected apps settings
Security Considerations
Permissions Granted
When you authorize Chargebee via OAuth, the following permissions are typically requested:
Microsoft 365:
Send mail as you (SMTP.Send)
Maintain access to data you have given it access to (offline_access)
Revoking access will immediately disable email sending through OAuth. Make sure to configure an alternative SMTP method before revoking access if you need uninterrupted email delivery.
Frequently Asked Questions (FAQs)
1. Can I use OAuth with a personal Gmail or Outlook account?
OAuth is primarily designed for business accounts (Google Workspace and Microsoft 365). Personal accounts may have restrictions. We recommend using business accounts for reliable email delivery.
2. What happens if my organization's admin revokes the OAuth consent?
If admin consent is revoked, Chargebee will no longer be able to send emails through your account. You will need to reconnect after the admin re-approves the application.
3. Do I need to update my SMTP configuration when my password changes?
No! This is one of the key benefits of OAuth. Since OAuth doesn't use your password, password changes don't affect your email configuration.
4. Can I have both OAuth and password-based SMTP configured?
No, you can only have one active SMTP configuration at a time. You can switch between OAuth and password-based authentication, but only one will be active.
5. How do I know if my emails are being sent successfully?
Check the Email Logs in Chargebee to monitor email delivery status. Navigate to Settings > Configure Chargebee > Email Notifications > Email Logs.
6. Is OAuth more reliable than password-based SMTP?
OAuth is generally more reliable because:
It's not affected by password changes
It works seamlessly with MFA-enabled accounts
Tokens are automatically refreshed
7. What scopes does Chargebee request for OAuth?
Chargebee requests only the minimum permissions needed to send emails: