Oh yes, this is a bit of a different use case to Nylan. I was thinking of it more for just sending outbound emails, a sort of sendgrid where you dont need to spend an hour configuring it just to end up with a blacklisted IP when you chose the lower tiers.
For tokens its been fine so far, but i found Entra ID to actually be easier to work with then the gmail oauth implementation. Are you using oauth or are the customers adding the client in their own tenant?
Yep we created our own oAuth integration
Another option I would recommend is to use something like Vault by Hashicorp. When working with different people with different levels of access who need to test locally, i would suggest always using Vault, Azure Keyvault or another similiar service where users can authenticate with their own unique credentials in order to access security credentials for other services. This also means it's very easy to refresh security credentials as everyone retrieves it from the same place (including your services) and makes it easy to restrict an individuals access or remove them completely and limiting the risk of them causing any damage. (you should do both, regularly change tokens, and limit user access for it to be considered secure)
In general any security credentials, tokens, etc, should never be in the source code or checked in as part of the source code. While early on in a small project it's fine, security credentials in source code is a very common cause of hacks.
Oh, well i'll let you know if i come across issues and figure out the cause. But thankfully no issues yet :)