update

backend/app/auth_routes.py

@@ -247,12 +247,18 @@ async def auth_me(request: Request, db: Session = Depends(get_db)):
         cur_tid = int(t0.id)
         current_role = m0.role
 
+    urow = db.query(User).filter(User.id == uid).first()
+    gmail_invites_ready = bool(
+        urow and getattr(urow, "google_refresh_token", None) and str(urow.google_refresh_token).strip()
+    )
+
     return {
         **profile,
         "user_id": uid,
         "tenants": tenants_out,
         "current_tenant_id": int(cur_tid) if cur_tid is not None else None,
         "current_role": current_role,
+        "gmail_invites_ready": gmail_invites_ready,
     }
 
 
@@ -285,8 +291,16 @@ async def auth_switch_tenant(
     return {"ok": True, "tenant_id": body.tenant_id, "role": m.role}
 
 
+# Scopes: profile + send email on behalf of the signed-in user (workspace invite messages).
+GOOGLE_OAUTH_SCOPES = "openid email profile https://www.googleapis.com/auth/gmail.send"
+
+
 @router.get("/google")
-async def google_login(request: Request, invite: str | None = None):
+async def google_login(
+    request: Request,
+    invite: str | None = None,
+    reauth_gmail: str | None = None,
+):
     if not _client_configured():
         raise HTTPException(
             status_code=503,
@@ -303,11 +317,14 @@ async def google_login(request: Request, invite: str | None = None):
         "client_id": client_id,
         "redirect_uri": redirect_uri,
         "response_type": "code",
-        "scope": "openid email profile",
+        "scope": GOOGLE_OAUTH_SCOPES,
         "state": state,
-        "access_type": "online",
+        "access_type": "offline",
         "include_granted_scopes": "true",
     }
+    # Force consent so Google returns a refresh_token when (re)adding gmail.send for existing users.
+    if reauth_gmail and reauth_gmail.strip() not in ("0", "false", "no"):
+        params["prompt"] = "consent"
     return RedirectResponse(url=f"{GOOGLE_AUTH_URI}?{urlencode(params)}")
 
 
@@ -391,6 +408,9 @@ async def google_callback(
             "picture": id_info.get("picture"),
             "email_verified": id_info.get("email_verified"),
         }
+        rt = tokens.get("refresh_token")
+        if rt and isinstance(rt, str) and rt.strip():
+            user.google_refresh_token = rt.strip()
         db.commit()
     except Exception:
         db.rollback()

backend/app/database.py

@@ -33,6 +33,7 @@ class User(Base):
     email = Column(String, index=True)
     name = Column(String, nullable=True)
     picture = Column(String, nullable=True)
+    google_refresh_token = Column(Text, nullable=True)  # for Gmail send (invite emails); treat as secret
     created_at = Column(DateTime, default=datetime.utcnow)
 
 
@@ -245,6 +246,12 @@ def run_migrations(connection_engine):
                 {"tid": default_tid},
             )
 
+        insp = inspect(connection_engine)
+        if insp.has_table("users"):
+            ucols = [c["name"] for c in insp.get_columns("users")]
+            if "google_refresh_token" not in ucols:
+                conn.execute(text("ALTER TABLE users ADD COLUMN google_refresh_token TEXT"))
+
 
 # Create tables then migrate legacy SQLite schemas
 Base.metadata.create_all(bind=engine)

backend/app/gmail_invite.py

@@ -0,0 +1,71 @@
+"""Send messages via Gmail API using a stored OAuth refresh token (gmail.send scope)."""
+
+from __future__ import annotations
+
+import base64
+import os
+from email.message import EmailMessage
+
+import httpx
+
+GOOGLE_TOKEN_URI = "https://oauth2.googleapis.com/token"
+GMAIL_SEND_URL = "https://gmail.googleapis.com/gmail/v1/users/me/messages/send"
+
+
+async def refresh_access_token(refresh_token: str) -> str:
+    client_id = os.environ.get("GOOGLE_CLIENT_ID", "").strip()
+    client_secret = os.environ.get("GOOGLE_CLIENT_SECRET", "").strip()
+    if not client_id or not client_secret:
+        raise ValueError("Google OAuth is not configured")
+    async with httpx.AsyncClient() as client:
+        r = await client.post(
+            GOOGLE_TOKEN_URI,
+            data={
+                "client_id": client_id,
+                "client_secret": client_secret,
+                "refresh_token": refresh_token,
+                "grant_type": "refresh_token",
+            },
+            headers={"Content-Type": "application/x-www-form-urlencoded"},
+            timeout=30.0,
+        )
+    if r.status_code != 200:
+        raise ValueError(f"Token refresh failed ({r.status_code}): {r.text[:500]}")
+    data = r.json()
+    at = data.get("access_token")
+    if not at:
+        raise ValueError("No access_token in refresh response")
+    return str(at)
+
+
+def _rfc822_raw(sender: str, to: str, subject: str, body: str) -> str:
+    msg = EmailMessage()
+    msg["Subject"] = subject
+    msg["From"] = sender
+    msg["To"] = to
+    msg.set_content(body)
+    return base64.urlsafe_b64encode(msg.as_bytes()).decode()
+
+
+async def send_invite_email_via_gmail(
+    refresh_token: str,
+    from_email: str,
+    to_email: str,
+    subject: str,
+    body: str,
+) -> None:
+    """Raises ValueError on configuration or API errors."""
+    if not from_email or "@" not in from_email:
+        raise ValueError("Inviter has no email address for Gmail send")
+    access = await refresh_access_token(refresh_token)
+    raw = _rfc822_raw(from_email, to_email, subject, body)
+    async with httpx.AsyncClient() as client:
+        r = await client.post(
+            GMAIL_SEND_URL,
+            headers={"Authorization": f"Bearer {access}"},
+            json={"raw": raw},
+            timeout=30.0,
+        )
+    if r.status_code not in (200, 201):
+        err = r.text[:1500] if r.text else ""
+        raise ValueError(f"Gmail send failed ({r.status_code}): {err}")

backend/app/tenant_routes.py

@@ -14,6 +14,7 @@ from sqlalchemy.orm import Session
 from sqlalchemy import func
 
 from .database import Invitation, Tenant, TenantMembership, User, get_db
+from .gmail_invite import send_invite_email_via_gmail
 from .tenant_deps import TenantContext, require_tenant_admin
 
 
@@ -39,6 +40,22 @@ def _invite_link(raw_token: str) -> str:
     return f"/?invite={raw_token}"
 
 
+def _invite_email_body(
+    inviter_name: str,
+    inviter_email: str,
+    workspace_name: str,
+    invite_url: str,
+    invitee_email: str,
+) -> str:
+    by = inviter_name or inviter_email or "Your teammate"
+    return (
+        f"{by} invited you to join the workspace \"{workspace_name}\" on SequenceAI.\n\n"
+        f"Accept the invitation by opening this link while signed in with Google as {invitee_email}:\n"
+        f"{invite_url}\n\n"
+        f"This link expires in 7 days.\n"
+    )
+
+
 @router.get("")
 def list_my_workspaces(request: Request, db: Session = Depends(get_db)):
     uid = request.session.get("user_id")
@@ -66,7 +83,7 @@ def list_my_workspaces(request: Request, db: Session = Depends(get_db)):
 
 
 @router.post("/invite")
-def create_invitation(body: InviteBody, tc: TenantContext = Depends(require_tenant_admin)):
+async def create_invitation(body: InviteBody, tc: TenantContext = Depends(require_tenant_admin)):
     db = tc.db
     email_n = body.email.strip().lower()
     if not email_n or "@" not in email_n:
@@ -98,11 +115,48 @@ def create_invitation(body: InviteBody, tc: TenantContext = Depends(require_tena
     )
     db.add(inv)
     db.commit()
+
+    invite_url = _invite_link(raw)
+    tenant_row = db.query(Tenant).filter(Tenant.id == tc.tenant_id).first()
+    workspace_name = tenant_row.name if tenant_row else "Workspace"
+    inviter = db.query(User).filter(User.id == tc.user_id).first()
+
+    email_sent = False
+    email_error: str | None = None
+    rt = (inviter.google_refresh_token or "").strip() if inviter else ""
+    if not rt:
+        email_error = (
+            "Gmail is not connected for your account. Use “Reconnect Google for invites” below, "
+            "then try again."
+        )
+    elif inviter:
+        try:
+            subject = f'Invitation to join "{workspace_name}" on SequenceAI'
+            body_text = _invite_email_body(
+                inviter.name or "",
+                inviter.email or "",
+                workspace_name,
+                invite_url,
+                email_n,
+            )
+            await send_invite_email_via_gmail(
+                rt,
+                inviter.email or "",
+                email_n,
+                subject,
+                body_text,
+            )
+            email_sent = True
+        except Exception as e:
+            email_error = str(e)
+
     return {
         "ok": True,
-        "invite_url": _invite_link(raw),
+        "invite_url": invite_url,
         "expires_at": exp.isoformat() + "Z",
         "email": email_n,
+        "email_sent": email_sent,
+        "email_error": email_error,
     }
 
 

frontend/src/pages/Settings.jsx

@@ -128,8 +128,14 @@ export default function Settings() {
                 });
                 return;
             }
-            setInviteResult({ url: data.invite_url });
+            setInviteResult({
+                url: data.invite_url,
+                emailSent: !!data.email_sent,
+                emailError: data.email_error || null,
+                inviteeEmail: data.email,
+            });
             setInviteEmail('');
+            loadMe();
         } catch (e) {
             setInviteResult({ error: String(e) });
         } finally {
@@ -257,8 +263,21 @@ export default function Settings() {
                         Invite people
                     </div>
                     <p className="text-sm text-slate-600 mb-4">
-                        Invite a Google user by email. They must sign in with that Google account.
+                        We email an invitation from your Google account. The invitee must sign in with the
+                        same email address.
                     </p>
+                    {me?.gmail_invites_ready === false ? (
+                        <p className="text-xs text-amber-900 bg-amber-50 border border-amber-200 rounded-lg px-3 py-2 mb-4">
+                            Connect Gmail once so &quot;Send invite&quot; can send mail from your address:{' '}
+                            <a
+                                href="/api/auth/google?reauth_gmail=1"
+                                className="font-medium text-violet-700 underline"
+                            >
+                                Reconnect Google for invites
+                            </a>
+                            .
+                        </p>
+                    ) : null}
                     <div className="flex flex-col sm:flex-row gap-2 max-w-xl">
                         <Input
                             type="email"
@@ -276,16 +295,26 @@ export default function Settings() {
                             {inviteBusy ? (
                                 <Loader2 className="h-4 w-4 animate-spin" />
                             ) : (
-                                'Create invite'
+                                'Send invite'
                             )}
                         </Button>
                     </div>
                     {inviteResult?.error ? (
                         <p className="text-sm text-red-600 mt-3">{inviteResult.error}</p>
                     ) : null}
+                    {inviteResult?.emailSent ? (
+                        <p className="text-sm text-green-700 mt-3">
+                            Invitation email sent to {inviteResult.inviteeEmail}.
+                        </p>
+                    ) : null}
+                    {inviteResult?.emailError ? (
+                        <p className="text-sm text-amber-800 mt-3">{inviteResult.emailError}</p>
+                    ) : null}
                     {inviteResult?.url ? (
                         <div className="mt-4 space-y-2">
-                            <p className="text-xs text-slate-600">Invite link (7 days):</p>
+                            <p className="text-xs text-slate-600">
+                                Invite link (copy if email did not arrive; expires in 7 days):
+                            </p>
                             <Input readOnly value={inviteResult.url} className="text-xs h-9 font-mono" />
                         </div>
                     ) : null}