Start the audit from /mailbox-audit/<UUID>/start/. Pick Google Workspace and you are redirected to Google's consent screen.
What you see on the consent screen
Google displays the exact scopes requested. All are read-only and limited to mailbox metadata. Approve to continue.
If your org blocks third-party OAuth apps
Google Workspace admins can restrict third-party OAuth. If you see "Access blocked: This app's request is invalid," your Workspace admin must add LeakTrace to the allowed app list. Forward them the consent screen URL — they can approve from the Google Admin Console.
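Before approving, an admin can confirm the forwarded URL matches what the consent screen section says (read-only, mailbox metadata only). The following is an added example, not LeakTrace code: it assumes the forwarded link is the Google authorization request URL carrying a `scope` parameter, the sample URL and client ID are constructed placeholders, and any scope outside its small built-in table is flagged for manual review.

```python
from urllib.parse import urlsplit, parse_qs

G = "https://www.googleapis.com/auth/"
# Classification of Google scopes by what they let an app do.
SCOPE_CLASS = {
    G + "gmail.metadata": "metadata",        # headers and labels, no bodies
    "openid": "identity", "email": "identity", "profile": "identity",
    G + "userinfo.email": "identity",
    G + "userinfo.profile": "identity",
    G + "gmail.readonly": "reads-content",   # read-only, but includes bodies
    G + "gmail.modify": "write",
    G + "gmail.compose": "write",
    G + "gmail.send": "write",
    G + "gmail.insert": "write",
    G + "gmail.settings.basic": "write",
    G + "gmail.settings.sharing": "write",
    "https://mail.google.com/": "write",     # full mailbox access
}
ACCEPTABLE = {"metadata", "identity"}

def review_consent_url(url):
    """Summarise an OAuth authorization URL and flag anything beyond metadata."""
    parts = urlsplit(url)
    params = parse_qs(parts.query)
    scopes = params.get("scope", [""])[0].split()  # scopes are space-delimited
    classified = {s: SCOPE_CLASS.get(s, "unknown") for s in scopes}
    flagged = sorted(s for s, c in classified.items() if c not in ACCEPTABLE)
    # Exact host match, so look-alike hosts such as accounts.google.com.evil fail.
    host_ok = parts.scheme == "https" and parts.hostname == "accounts.google.com"
    return {
        "host_ok": host_ok,
        "client_id": params.get("client_id", [None])[0],
        "redirect_uri": params.get("redirect_uri", [None])[0],
        "classified": classified,
        "flagged": flagged,
        "ok": host_ok and bool(scopes) and not flagged,
    }

# Constructed sample URL (placeholder client ID and redirect URI).
SAMPLE = ("https://accounts.google.com/o/oauth2/v2/auth?response_type=code"
          "&client_id=EXAMPLE-CLIENT-ID.apps.googleusercontent.com"
          "&redirect_uri=https%3A%2F%2Fapp.example.invalid%2Foauth%2Fcallback"
          "&scope=openid%20email%20"
          "https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.metadata")

if __name__ == "__main__":
    for key, value in review_consent_url(SAMPLE).items():
        print(f"{key}: {value}")
```

Compare the reported `client_id` and `redirect_uri` with the app entry you are about to allow in the Admin Console.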
Personal Gmail accounts
BEC Mailbox Audit is intended for business use. Personal @gmail.com accounts work but lack the corporate context that makes findings actionable (no shared mailboxes, no admin policies to harden).