@Reinis Varavs Totally get it, Reinis [if you’ve ticked all those boxes and it’s still 401’ing, here are the next things I’d check (these are the ones that usually catch even seasoned folks)]: 1) Verify the exact client ID + scopes actually landed in Admin Console Security → API Controls → Domain-wide delegation → click your entry → confirm: - Client ID matches the SA’s unique numeric client ID (not project number). - Scopes are comma-separated, no spaces. - It shows a recent “Last authorized” timestamp (if not, re-save). 2) Gmail API is enabled on the SA’s project Cloud Console → APIs & Services → Library → Gmail API = Enabled. 3) The impersonated user is a real primary mailbox - Same Workspace domain, has a Gmail license, and you’re using the primary address (not an alias/group). - Org policy isn’t restricting the Gmail API for that OU. 4) Private key formatting - In n8n credentials, the private_key must keep real newlines. If you pasted an env var with \n, replace with actual line breaks. 5) Server time skew - JWTs are time-sensitive. Make sure your n8n host clock is correct (NTP). A few minutes off can trigger 401. 6) n8n credential type alignment - Gmail node → “Service Account” (not Google OAuth2). - Impersonate a user = ON, and Subject = that user’s email. 60-second proof inside n8n (bypasses the Gmail node to isolate auth): 1. Create Credentials → Google (Service Account) using the same SA JSON. 2. Add an HTTP Request node: Method: POST URL: https://oauth2.googleapis.com/token Body (x-www-form-urlencoded): grant_type: urn:ietf:params:oauth:grant-type:jwt-bearer assertion: <JWT> If your credential supports SA JWT automatically (newer n8n), you can instead select the SA credential and set OAuth2 → Google SA (JWT) with Impersonated Email. If this returns a token (200 with access_token), auth is fine → the issue is node config; if this still 401s, it’s a DWD/scopes mismatch.