elastic · lorenabalan · Feb 4, 2026 · Feb 9, 2026 · Feb 9, 2026 · Feb 10, 2026
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
@@ -2371,6 +2371,10 @@ x-pack/platform/plugins/shared/inference_endpoint @elastic/search-kibana
 /x-pack/platform/test/fixtures/es_archives/alerting/8_2_0 @elastic/response-ops
 /x-pack/solutions/**/test/serverless/**/test_suites/rules/ @elastic/response-ops
 
+# EARS
+/x-pack/platform/plugins/shared/actions/server/lib/ears @elastic/workchat-eng
+/src/platform/packages/shared/kbn-connector-specs/src/auth_types/ears.ts @elastic/workchat-eng
+
 # Connector Specs
 src/platform/packages/shared/kbn-connector-specs/src/all_specs.ts
 src/platform/packages/shared/kbn-connector-specs/src/connector_icons_map.ts
@@ -2382,6 +2386,7 @@ src/platform/packages/shared/kbn-connector-specs/src/specs/amazon_s3/** @elastic
 src/platform/packages/shared/kbn-connector-specs/src/specs/atlassian/** @elastic/workchat-eng
 src/platform/packages/shared/kbn-connector-specs/src/specs/brave_search/** @elastic/workchat-eng
 src/platform/packages/shared/kbn-connector-specs/src/specs/github/** @elastic/workflows-eng
+src/platform/packages/shared/kbn-connector-specs/src/specs/gmail/** @elastic/workchat-eng
 src/platform/packages/shared/kbn-connector-specs/src/specs/google_calendar/** @elastic/workchat-eng
 src/platform/packages/shared/kbn-connector-specs/src/specs/google_drive/** @elastic/workchat-eng
 src/platform/packages/shared/kbn-connector-specs/src/specs/greynoise/** @elastic/workflows-eng

@@ -74,6 +74,10 @@ uiSettings.overrides.defaultRoute: /app/elasticsearch
 # Specify in telemetry the project type
 telemetry.labels.serverless: search
 
+# Alerts and LLM config
+xpack.actions.enabledActionTypes:
+  ['.email', '.index', '.slack', '.slack_api', '.jira', '.jira-cloud', '.webhook', '.teams', '.gen-ai', '.bedrock', '.gemini', '.inference', '.mcp', '.notion', '.github', '.gmail', '.google_drive', '.google_calendar', '.sharepoint-online']
+
 # Customize empty page state for analytics apps
 no_data_page.analyticsNoDataPageFlavor: 'serverless_search'
 
@@ -111,6 +115,9 @@ xpack.searchQueryRules.enabled: true
 ## Search Connectors in stack management
 xpack.contentConnectors.ui.enabled: false
 
+## OAuth with Elastic-owned apps
+xpack.actions.ears.url: https://elastic-auth-redirect-service.eu-west-1.aws.svc.qa.elastic.cloud
+
 # Elastic Managed LLMs
 xpack.actions.preconfigured:
   Anthropic-Claude-Sonnet-3-7:
@@ -293,3 +300,15 @@ xpack.actions.preconfigured:
       inferenceId: ".google-gemini-3.0-flash-chat_completion"
       providerConfig:
         model_id: "google-gemini-3.0-flash"
+
+
+uiSettings:
+  overrides:
+    'workflows:ui:enabled': true
+
+logging:
+  loggers:
+    - name: plugins.actions
+      level: debug
+      appenders: [default]
+
@@ -294,3 +294,10 @@ xpack.genAiSettings:
   showAiBreadcrumb: false
   showSpacesIntegration: false
   showAiAssistantsVisibilitySetting: false
+
+# Debug-level logging
+logging:
+  loggers:
+    - name: plugins.actions
+      level: debug
+      appenders: [default]
@@ -5,6 +5,7 @@
 * [Figma](/reference/connectors-kibana/figma-action-type.md): Browse design files, inspect structure, render nodes as images, and explore team projects in Figma.
 * [Jina Reader](/reference/connectors-kibana/jina-action-type.md): Convert web pages into markdown from their URL and search the web for better LLM grounding.
 * [GitHub](/reference/connectors-kibana/github-action-type.md): Search code, issues, and pull requests, and access repository contents and metadata from GitHub.
+* [Gmail](/reference/connectors-kibana/gmail-action-type.md): Search and read emails from Gmail.
 * [Google Calendar](/reference/connectors-kibana/google-calendar-action-type.md): Search and access events and calendars in Google Calendar.
 * [Google Drive](/reference/connectors-kibana/google-drive-action-type.md): Search and access files and folders in Google Drive.
 * [Jira Cloud](/reference/connectors-kibana/jira-cloud-action-type.md): Search issues with JQL, retrieve project and issue details, and look up users in Jira Cloud.

@@ -0,0 +1,58 @@
+---
+navigation_title: "Gmail"
+mapped_pages:
+  - https://www.elastic.co/guide/en/kibana/current/gmail-action-type.html
+applies_to:
+  stack: preview 9.4
+  serverless: preview
+---
+
+# Gmail connector [gmail-action-type]
+
+The Gmail connector enables searching and reading emails from Gmail via the Gmail API.
+
+## Create connectors in {{kib}} [define-gmail-ui]
+
+You can create connectors in **{{stack-manage-app}} > {{connectors-ui}}**.
+
+### Connector configuration [gmail-connector-configuration]
+
+Gmail connectors use the following configuration:
+
+Bearer Token
+:   A Google OAuth 2.0 access token with Gmail API scopes. See [Get API credentials](#gmail-api-credentials) for instructions.
+
+## Test connectors [gmail-action-configuration]
+
+You can test connectors when creating or editing the connector in {{kib}}. The test verifies connectivity by fetching the authenticated user's profile from the Gmail API.
+
+The Gmail connector has the following actions:
+
+Search messages
+:   Search for messages using Gmail search syntax.
+    - **query** (optional): Gmail search query (e.g. `from:user@example.com`, `is:unread`, `subject:report`, `after:2024/01/01`, `has:attachment`).
+    - **maxResults** (optional): Maximum number of messages to return (1–100). Defaults to 50.
+    - **pageToken** (optional): Pagination token from a previous response.
+
+Get message
+:   Retrieve a single message by ID with full headers and body.
+    - **messageId** (required): The ID of the message to retrieve.
+    - **format** (optional): `minimal` (headers only), `full` (default), or `raw` (RFC 2822).
+
+List messages
+:   List messages, optionally filtered by label.
+    - **maxResults** (optional): Maximum number of messages to return (1–100). Defaults to 50.
+    - **pageToken** (optional): Pagination token from a previous response.
+    - **labelIds** (optional): Array of label IDs (e.g. INBOX, SENT).
+
+## Get API credentials [gmail-api-credentials]
+
+To use the Gmail connector, you need a Google OAuth 2.0 access token with Gmail API scopes. You can obtain one using the [Google OAuth 2.0 Playground](https://developers.google.com/oauthplayground/):
+
+1. Open the OAuth 2.0 Playground and ensure **Use your own OAuth credentials** is checked if you have a project.
+2. In **Step 1 - Select & authorize APIs**, select the Gmail API v1 scope: `https://www.googleapis.com/auth/gmail.readonly` (or `https://www.googleapis.com/auth/gmail.metadata` for metadata only; use `https://mail.google.com/` for full access).
+3. Click **Authorize APIs** and sign in with your Google account.
+4. In **Step 2 - Exchange authorization code for tokens**, click **Exchange authorization code for tokens**.
+5. Copy the **Access token** and use it as the Bearer token when creating or activating the Gmail data source in Kibana.
+
+The token expires after a short time (e.g. one hour). For long-lived access, use a refresh token flow or re-authorize as needed.
@@ -77,10 +77,11 @@ toc:
           - file: connectors-kibana/alienvault-otx-action-type.md
           - file: connectors-kibana/amazon-s3-action-type.md
           - file: connectors-kibana/brave-search-action-type.md
+          - file: connectors-kibana/figma-action-type.md
           - file: connectors-kibana/firecrawl-action-type.md
           - file: connectors-kibana/github-action-type.md
+          - file: connectors-kibana/gmail-action-type.md
           - file: connectors-kibana/google-calendar-action-type.md
-          - file: connectors-kibana/figma-action-type.md
           - file: connectors-kibana/google-drive-action-type.md
           - file: connectors-kibana/greynoise-action-type.md
           - file: connectors-kibana/jina-action-type.md

@@ -183,6 +183,7 @@ const previouslyRegisteredTypes = [
   'uptime-dynamic-settings',
   'synthetics-dynamic-settings',
   'uptime-synthetics-api-key',
+  'user_connector_token',
   'url',
   'usage-counter', // added in 8.16.0: richer mappings, located in .kibana_usage_counters
   'usage-counters', // deprecated in favor of 'usage-counter'

@@ -11,6 +11,7 @@ export * as connectorsSpecs from './src/all_specs';
 export type * from './src/connector_spec';
 
 export * as authTypeSpecs from './src/all_auth_types';
+export { EARS_PROVIDERS } from './src/auth_types/ears';
 
 export { getConnectorSpec } from './src/get_connector_spec';
 export { getWorkflowTemplatesForConnector } from './src/get_workflow_templates';
@@ -14,6 +14,7 @@ export * from './auth_types/basic';
 export * from './auth_types/none';
 export * from './auth_types/oauth';
 export * from './auth_types/oauth_authorization_code';
+export { Ears } from './auth_types/ears';
 
 // Skipping PFX and CRT exports for now as they will require updates to
 // the formbuilder to support file upload fields.

diff --git a/src/platform/packages/shared/kbn-connector-specs/src/all_specs.ts b/src/platform/packages/shared/kbn-connector-specs/src/all_specs.ts
@@ -31,3 +31,4 @@ export * from './specs/firecrawl/firecrawl';
 export * from './specs/zoom/zoom';
 export * from './specs/zendesk/zendesk';
 export * from './specs/amazon_s3/amazon_s3';
+export * from './specs/gmail/gmail';
@@ -0,0 +1,74 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import { z } from '@kbn/zod/v4';
+import type { AxiosInstance } from 'axios';
+import type { AuthContext, AuthTypeSpec } from '../connector_spec';
+import * as i18n from './translations';
+
+export const EARS_PROVIDERS = ['google', 'microsoft', 'slack'] as const;
+
+const authSchema = z
+  .object({
+    provider: z.enum(EARS_PROVIDERS).meta({ hidden: true }),
+    scope: z.string().meta({ label: i18n.OAUTH_SCOPE_LABEL }).optional(),
+  })
+  .meta({ label: i18n.EARS_LABEL });
+
+type AuthSchemaType = z.infer<typeof authSchema>;
+
+/**
+ * EARS (Elastic Authentication Redirect Service) OAuth Flow
+ *
+ * EARS is an OAuth proxy that manages client credentials (clientId/clientSecret)
+ * on behalf of the user. Instead of users creating their own OAuth apps for each
+ * 3rd party, they can rely on the Elastic-owned apps for simplicity.
+ * Therefore, connectors using EARS don't require users to input any
+ * client credentials — EARS already knows them.
+ *
+ * EARS Redirect Flow:
+ * 1. On `/_start_oauth_flow`, Kibana builds EARS authorize URL with callback_uri, state, scope, pkce_challenge, pkce_method, and redirects to it
+ * 2. User visits EARS authorize URL → EARS redirects to OAuth provider and shows auth screen to user, in order for them to enter their credentials and authorize scopes
+ * 3. OAuth provider redirects back to EARS with authz code & state
+ * 4. EARS redirects to callback_uri (Kibana's `/_oauth_callback`) with authz code & state
+ * 5. Kibana then exchanges code via EARS token endpoint: POST {earsTokenUrl} with code & pkce_verifier in the JSON body
+ * 6. Tokens are auto-refreshed when expired during connector execution
+ */
+export const Ears: AuthTypeSpec<AuthSchemaType> = {
+  id: 'ears',
+  schema: authSchema,
+  authMode: 'per-user',
+  configure: async (
+    ctx: AuthContext,
+    axiosInstance: AxiosInstance,
+    secret: AuthSchemaType
+  ): Promise<AxiosInstance> => {
+    let token;
+    try {
+      token = await ctx.getToken({
+        authType: 'ears',
+        provider: secret.provider,
+        scope: secret.scope,
+      });
+    } catch (error) {
+      throw new Error(
+        `Unable to retrieve/refresh the access token. User may need to re-authorize: ${error.message}`
+      );
+    }
+
+    if (!token) {
+      throw new Error(`No access token available. User must complete OAuth authorization flow.`);
+    }
+
+    // set global defaults
+    axiosInstance.defaults.headers.common.Authorization = token;
+
+    return axiosInstance;
+  },
+};
@@ -47,6 +47,7 @@ export const OAuth: AuthTypeSpec<AuthSchemaType> = {
     let token;
     try {
       token = await ctx.getToken({
+        authType: 'oauth',
         tokenUrl: secret.tokenUrl,
         scope: secret.scope,
         clientId: secret.clientId,

@@ -94,6 +94,7 @@ export const OAuthAuthorizationCode: AuthTypeSpec<AuthSchemaType> = {
     let token;
     try {
       token = await ctx.getToken({
+        authType: 'oauth',
         tokenUrl: secret.tokenUrl,
         scope: secret.scope,
         clientId: secret.clientId,

@@ -219,3 +219,7 @@ export const AWS_SECRET_ACCESS_KEY_REQUIRED_MESSAGE = i18n.translate(
     defaultMessage: 'Secret Access Key is required',
   }
 );
+
+export const EARS_LABEL = i18n.translate('connectorSpecs.ears.label', {
+  defaultMessage: 'OAuth via Elastic-owned apps',
+});
diff --git a/src/platform/packages/shared/kbn-connector-specs/src/connector_icons_map.ts b/src/platform/packages/shared/kbn-connector-specs/src/connector_icons_map.ts
@@ -147,4 +147,5 @@ export const ConnectorIconsMap: Map<
     '.amazon_s3',
     lazy(() => import(/* webpackChunkName: "connectorIconAmazons3" */ './specs/amazon_s3/icon')),
   ],
+  ['.gmail', lazy(() => import(/* webpackChunkName: "connectorIconGmail" */ './specs/gmail/icon'))],
 ]);
@@ -78,7 +78,8 @@ export interface ConnectorMetadata {
 // OAuth2, SSL/mTLS, AWS SigV4 → Phase 2 (see connector_rfc.ts)
 
 // Auth schemas defined in ./auth_types
-export interface GetTokenOpts {
+export interface OAuthGetTokenOpts {
+  authType: 'oauth';
   tokenUrl: string;
   scope?: string;
   clientId: string;
@@ -87,6 +88,14 @@ export interface GetTokenOpts {
   tokenEndpointAuthMethod?: 'client_secret_post' | 'client_secret_basic';
 }
 
+export interface EarsGetTokenOpts {
+  authType: 'ears';
+  provider: string;
+  scope?: string;
+}
+
+export type GetTokenOpts = OAuthGetTokenOpts | EarsGetTokenOpts;
+
 export interface AuthContext {
   getCustomHostSettings: (url: string) => CustomHostSettings | undefined;
   getToken: (opts: GetTokenOpts) => Promise<string | null>;

@@ -0,0 +1,28 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the "Elastic License
+ * 2.0", the "GNU Affero General Public License v3.0 only", and the "Server Side
+ * Public License v 1"; you may not use this file except in compliance with, at
+ * your election, the "Elastic License 2.0", the "GNU Affero General Public
+ * License v3.0 only", or the "Server Side Public License, v 1".
+ */
+
+import { GmailConnector } from './gmail';
+
+describe('GmailConnector', () => {
+  it('has required metadata', () => {
+    expect(GmailConnector.metadata.id).toBe('.gmail');
+    expect(GmailConnector.metadata.displayName).toBe('Gmail');
+    expect(GmailConnector.metadata.supportedFeatureIds).toContain('workflows');
+  });
+
+  it('exposes searchMessages, getMessage, listMessages actions', () => {
+    expect(GmailConnector.actions.searchMessages).toBeDefined();
+    expect(GmailConnector.actions.getMessage).toBeDefined();
+    expect(GmailConnector.actions.listMessages).toBeDefined();
+  });
+
+  it('has a test handler', () => {
+    expect(GmailConnector.test?.handler).toBeDefined();
+  });
+});