What Kura-chan can access

Every permission Kura-chan requests against your Google account is read-only, and there are only three of them. Nothing else.

The exact scopes

Display name	OAuth scope	Can do	Cannot do
Gmail (read)	`https://www.googleapis.com/auth/gmail.readonly`	Read message bodies, attachments, labels	Send, draft, delete, mark read / unread
Calendar (read)	`https://www.googleapis.com/auth/calendar.readonly`	Read events, attendees, locations, descriptions	Create / edit / delete events, respond to invites
Drive (read)	`https://www.googleapis.com/auth/drive.readonly`	Read file metadata + content	Upload, edit, change sharing, delete

When you accept the OAuth consent screen, Google describes these scopes using the same “read-only” wording. If anything other than the three above appears in the prompt, it’s the wrong app — bail out.

Where tokens live

The OAuth access token and refresh token returned by Google are stored only on the device Kura-chan runs on (your NAS, Mac, or Linux server), encrypted:

Location: a local file under the Kura-chan config directory
Encryption: the OS keychain (macOS Keychain / GNOME Keyring / Windows DPAPI)
Egress: none — tokens never leave the device

Cached data (mail bodies, events, file content) lives in the same local storage.

You can revoke at any time

There are two ways to disconnect, and both take effect immediately.

From Kura-chan

Dashboard → “External Service Integrations” tab → click Disconnect on the account.

Stored tokens are deleted immediately
Cached data is dropped along with them

From your Google account

Open myaccount.google.com/permissions → “Apps you created” (this is the OAuth client you make in Step 4) → Remove Access.

All Google-issued tokens are invalidated
Reconnecting will trigger the OAuth consent screen again

Permissions clear? Head to Start the Google integration. Setup takes about 15 minutes.