My organization maintains an app that has the https://www.googleapis.com/auth/gmail.send scope. Today, when attempting send Gmail messages on behalf of our users, we received a 403 error from the Gmail API saying we had Insufficient Permission. We were still able to make other requests to the Gmail API on their behalf, such as users.settings.sendAs.
Only some users of our app experienced this issue. All users who experienced the issue belong to the same Google workspace. But not all users of our app who belong to that workspace experienced the issue, though - only about half did.
This was solved by the users revoking permission for our app altogether and then regranting permission, despite no change in the actual scopes granted to our application.
We would like an explanation of why these errors happened, and what we can do in the future to avoid them. Anyone have a clue?
I am embarrassed to admit this, but the answer was quite simple - our users said they were granting all the permissions we requested, but they were mistaken (we confirmed looking at our logs). Fixed it by just getting them to grant the permissions!