Skip to main content

Gmail Pub/Sub -> OpenClaw

Goal: Gmail watch -> Pub/Sub push -> gog gmail watch serve -> OpenClaw webhook.

Prereqs

  • gcloud installed and logged in (install guide).
  • gog (gogcli) installed and authorized for the Gmail account (gogcli.sh).
  • OpenClaw hooks enabled (see Webhooks).
  • tailscale logged in (tailscale.com). Supported setup uses Tailscale Funnel for the public HTTPS endpoint. Other tunnel services can work, but are DIY/unsupported and require manual wiring. Right now, Tailscale is what we support.
Example hook config (enable Gmail preset mapping):
To deliver the Gmail summary to a chat surface, override the preset with a mapping that sets deliver + optional channel/to:
If you want a fixed channel, set channel + to. Otherwise channel: "last" uses the last delivery route (falls back to WhatsApp). To force a cheaper model for Gmail runs, set model in the mapping (provider/model or alias). If you enforce agents.defaults.models, include it there. To set a default model and thinking level specifically for Gmail hooks, add hooks.gmail.model / hooks.gmail.thinking in your config:
Notes:
  • Per-hook model/thinking in the mapping still overrides these defaults.
  • Fallback order: hooks.gmail.modelagents.defaults.model.fallbacks → primary (auth/rate-limit/timeouts).
  • If agents.defaults.models is set, the Gmail model must be in the allowlist.
  • Gmail hook content is wrapped with external-content safety boundaries by default. To disable (dangerous), set hooks.gmail.allowUnsafeExternalContent: true.
To customize payload handling further, add hooks.mappings or a JS/TS transform module under ~/.openclaw/hooks/transforms (see Webhooks). Use the OpenClaw helper to wire everything together (installs deps on macOS via brew):
Defaults:
  • Uses Tailscale Funnel for the public push endpoint.
  • Writes hooks.gmail config for openclaw webhooks gmail run.
  • Enables the Gmail hook preset (hooks.presets: ["gmail"]).
Path note: when tailscale.mode is enabled, OpenClaw automatically sets hooks.gmail.serve.path to / and keeps the public path at hooks.gmail.tailscale.path (default /gmail-pubsub) because Tailscale strips the set-path prefix before proxying. If you need the backend to receive the prefixed path, set hooks.gmail.tailscale.target (or --tailscale-target) to a full URL like http://127.0.0.1:8788/gmail-pubsub and match hooks.gmail.serve.path. Want a custom endpoint? Use --push-endpoint <url> or --tailscale off. Platform note: on macOS the wizard installs gcloud, gogcli, and tailscale via Homebrew; on Linux install them manually first. Gateway auto-start (recommended):
  • When hooks.enabled=true and hooks.gmail.account is set, the Gateway starts gog gmail watch serve on boot and auto-renews the watch.
  • Set OPENCLAW_SKIP_GMAIL_WATCHER=1 to opt out (useful if you run the daemon yourself).
  • Do not run the manual daemon at the same time, or you will hit listen tcp 127.0.0.1:8788: bind: address already in use.
Manual daemon (starts gog gmail watch serve + auto-renew):

One-time setup

  1. Select the GCP project that owns the OAuth client used by gog.
Note: Gmail watch requires the Pub/Sub topic to live in the same project as the OAuth client.
  1. Enable APIs:
  1. Create a topic:
  1. Allow Gmail push to publish:

Start the watch

Save the history_id from the output (for debugging).

Run the push handler

Local example (shared token auth):
Notes:
  • --token protects the push endpoint (x-gog-token or ?token=).
  • --hook-url points to OpenClaw /hooks/gmail (mapped; isolated run + summary to main).
  • --include-body and --max-bytes control the body snippet sent to OpenClaw.
Recommended: openclaw webhooks gmail run wraps the same flow and auto-renews the watch.

Expose the handler (advanced, unsupported)

If you need a non-Tailscale tunnel, wire it manually and use the public URL in the push subscription (unsupported, no guardrails):
Use the generated URL as the push endpoint:
Production: use a stable HTTPS endpoint and configure Pub/Sub OIDC JWT, then run:

Test

Send a message to the watched inbox:
Check watch state and history:

Troubleshooting

  • Invalid topicName: project mismatch (topic not in the OAuth client project).
  • User not authorized: missing roles/pubsub.publisher on the topic.
  • Empty messages: Gmail push only provides historyId; fetch via gog gmail history.

Cleanup