Thanks for following up Kim - that make me happy and reinforces the impression that Auth0 rock!
So for Gmail I think those 2 were the main issues I hit while trying to figure it out.
- I needed to enable access in the Google panel which is not documented at all AFAICS
- Where finer grained scopes are available it’s not clear what your check boxes actually provide and how do we user others.
The other issue I hit was how to get the Google token via the Admin API which was undocumented at the time. I did guest post for you on that after chatting to support and I see you have documented it now.
One remaining issue there is you recently rate limited the Management API which leaves us in a bit of a dodgy position when getting provider tokens. As a serverless app I don’t really want to cache it in external storage.
One thing I need to do an I do not see documented at all is how to handle refresh tokens with gmail (and other providers) My architecture is SPA front end that calls the hosted Lock pages  and with a node back end. The front end logs in and the back end gets the google token. You quite clearly and sensibly state SPAs should not store refresh tokens (well at least in one of several places where they are mentioned). YOu docement ways to get Refresh tokens but the exact architectural context is not always clear.
So how do I improve the user experience so they don;t keep needing to log in when the shortlived access token expires. It will no doubt involve the backend getting a refresh token, but I could not find an example that obviously fits my architecture. Plus, again. as a serverless i’d need ot cach it somewhere - where would be good? Probably the Auth0 User DB.
In general your docs are fantastic. It’s great that you continuously improve them even if that equires frequent re-reads to check for new stuff. One comment is I think I find some topics listed in various places with different emphasis or details and that gets confusing. For example, Lock, AuthJS Hosted pages, custom hosted pages have very similar docs and overlap in ways that can get missed or cofuse and some assertions only apply to some contexts. I’m not complaining; I understand it’s a touch job
Thanks again for a great service and support (and I’m not even paying, yet).