+1. Push notification is the only way to notify about new emails. The trade-off is that you are gonna have to store user credentials on server. That's the reason why Sparrow didn't implement push notification.
Looks good. So you can store oauth on server, which should be safer. Is it possible for an oauth client to "suicide" on its permission? I'm thinking, in case a third-party service is comprised, they can just ask the oauth server to abandon their permission to avoid further loss for users.