Looks good. So you can store OAuth on the server, which should be safer. Is it possible for an OAuth client to "suicide" on its permission? I'm thinking, in case a third-party service is compromised, they can just ask the OAuth server to abandon their permission to avoid further loss for users.
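The mechanism the question is asking about exists in the standard: RFC 7009 (OAuth 2.0 Token Revocation) lets a client POST one of its own tokens to the authorization server's revocation endpoint, authenticating with its client credentials, and the server invalidates it. Below is an added example, not code from the thread or from any particular OAuth server, modelling both sides in Python: a small in-memory authorization server with a `/revoke` handler that follows the RFC's rules, and the client-side request a compromised service would send to revoke every refresh token it holds. The client IDs, secrets and user names are constructed sample data; the exact error code returned for a token that belongs to a different client is an assumed implementation choice (the RFC only says such a request must be refused).

```python
import base64
import hmac
import secrets
import urllib.parse
from dataclasses import dataclass


@dataclass
class Grant:
    client_id: str
    user: str
    access_token: str
    refresh_token: str
    revoked: bool = False


class AuthorizationServer:
    """In-memory model of an OAuth 2.0 server with an RFC 7009 /revoke endpoint."""

    def __init__(self, clients):
        self.clients = clients  # client_id -> client_secret (constructed sample data)
        self.grants = []

    def issue(self, client_id, user):
        g = Grant(client_id, user,
                  "at_" + secrets.token_urlsafe(16),
                  "rt_" + secrets.token_urlsafe(16))
        self.grants.append(g)
        return g

    def is_active(self, token):
        """What a resource server would ask (RFC 7662 introspection, simplified)."""
        return any(not g.revoked and token in (g.access_token, g.refresh_token)
                   for g in self.grants)

    def _authenticate_client(self, headers):
        auth = headers.get("Authorization", "")
        if not auth.startswith("Basic "):
            return None
        try:
            client_id, _, secret = base64.b64decode(auth[6:]).decode().partition(":")
        except ValueError:  # bad base64 or bad UTF-8
            return None
        expected = self.clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected, secret):
            return None
        return client_id

    def revoke(self, headers, body):
        """POST /revoke (RFC 7009 section 2). Returns (http_status, json_body)."""
        client_id = self._authenticate_client(headers)
        if client_id is None:
            return 401, {"error": "invalid_client"}
        form = dict(urllib.parse.parse_qsl(body))
        token = form.get("token")
        if token is None:
            return 400, {"error": "invalid_request"}
        for g in self.grants:
            if token in (g.access_token, g.refresh_token):
                if g.client_id != client_id:
                    # 2.1: the token must have been issued to the requesting
                    # client; otherwise refuse (error code is an assumed choice).
                    return 400, {"error": "invalid_request"}
                # 2.1: revoking the refresh token also kills the related access
                # token; this model revokes the whole grant either way.
                g.revoked = True
        # 2.2: 200 for success AND for unknown or already-revoked tokens, so the
        # endpoint cannot be used to probe which tokens exist.
        return 200, {}


def build_revocation_request(client_id, client_secret, token, token_type_hint):
    """Client side: Basic client auth plus form-encoded body, per RFC 7009 2.1."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": "Basic " + creds,
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode({"token": token, "token_type_hint": token_type_hint})
    return headers, body


def revoke_all(server, client_id, client_secret, refresh_tokens):
    """The 'suicide' step: a compromised client revokes every refresh token it holds."""
    statuses = []
    for rt in refresh_tokens:
        headers, body = build_revocation_request(client_id, client_secret, rt, "refresh_token")
        status, _ = server.revoke(headers, body)
        statuses.append(status)
    return statuses


def demo():
    srv = AuthorizationServer({"pdf-exporter": "exporter-secret", "calendar-sync": "cal-secret"})
    a = srv.issue("pdf-exporter", "alice")   # constructed grants
    b = srv.issue("pdf-exporter", "bob")
    c = srv.issue("calendar-sync", "alice")
    # pdf-exporter discovers it is compromised and revokes its users' grants
    statuses = revoke_all(srv, "pdf-exporter", "exporter-secret", [a.refresh_token, b.refresh_token])
    # Misuse attempts against the endpoint, using pdf-exporter's credentials:
    h, body = build_revocation_request("pdf-exporter", "exporter-secret", c.access_token, "access_token")
    foreign_status, _ = srv.revoke(h, body)            # another client's token
    h, body = build_revocation_request("pdf-exporter", "wrong-secret", a.access_token, "access_token")
    bad_creds_status, _ = srv.revoke(h, body)          # wrong client secret
    h, body = build_revocation_request("pdf-exporter", "exporter-secret", "at_nonexistent", "access_token")
    unknown_status, _ = srv.revoke(h, body)            # token that never existed
    return {"statuses": statuses,
            "alice_exporter_active": srv.is_active(a.access_token),
            "bob_exporter_active": srv.is_active(b.access_token),
            "alice_calendar_active": srv.is_active(c.access_token),
            "foreign": foreign_status, "bad_creds": bad_creds_status, "unknown": unknown_status}


if __name__ == "__main__":
    print(demo())
```

Two points worth noticing in the server half: the client can only revoke tokens issued to itself, so a stolen client secret does not let an attacker knock out other integrations, and unknown tokens still get a 200, so the endpoint leaks nothing about which tokens are live. Whether revoking an access token also revokes the refresh token is left to the server by the RFC; for a compromise scenario, sending the refresh tokens is the safer choice because their revocation must take down the associated access tokens.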