How a 3-line code mistake killed my launch conversions (and what fixed it)
I launched BriefMe, got real traffic from HN and Product Hunt, and watched most of it bounce. The culprit wasn't the product — it was a Google OAuth warning I accidentally caused myself.
The launch
BriefMe is a tool that reads your Google Calendar and generates AI-powered briefs before every meeting. I launched it and got my first real traffic spike — visitors from Google, Hacker News, and Product Hunt. 171 visitors in a week.
Almost none of them signed up. 64% bounce rate on the login page.
Every single new user was hitting this screen:
Google hasn't verified this app
The app is requesting access to sensitive info in your Google Account. You should not use this app until the developer has verified it with Google.
What I thought the problem was
I was requesting three Google OAuth scopes: calendar.readonly, gmail.readonly, and drive.readonly. I knew Gmail and Drive were sensitive scopes that require Google verification, so I went into Google Cloud Console and removed them from the Data Access page.
Problem solved, right?
Wrong. Users kept seeing the warning.
What the problem actually was
The scopes listed in Google Cloud Console don't control what your app requests. They're just metadata for Google's review process.
What actually triggers the unverified app warning is the scopes your app sends in the OAuth request itself — in the code. And in my login-button.tsx, I still had:
scopes: [
  'https://www.googleapis.com/auth/calendar.readonly',
  'https://www.googleapis.com/auth/gmail.readonly', // ← still here
  'https://www.googleapis.com/auth/drive.readonly', // ← still here
].join(' '),
I had removed Gmail and Drive from the Cloud Console, but the code was still requesting those scopes on every sign-in. Google sees the request, sees sensitive scopes, and shows the warning — regardless of what the console says.
The fix was a 2-line delete:
scopes: [
  'https://www.googleapis.com/auth/calendar.readonly',
].join(' '),
The verification process
Even with only calendar.readonly, I still needed Google verification — it's a sensitive scope. I submitted through the Google Auth Platform Verification Center with a demo video showing exactly how I use the calendar data.
The checklist:
- Branding review — Approved quickly
- Privacy policy review — Under review
- App functionality — Pending
- Appropriate data access — Pending
I got verified within days. The warning is gone.
What I'd do differently
The Cloud Console and your code are two separate things. Removing a scope from the console does nothing if your code still requests it.
I had Gmail and Drive in there from early prototyping and never cleaned it up. Scope creep in your OAuth request is an invisible conversion killer.
The official timeline is 4–6 weeks. If you're already live and unverified, you're bleeding users the whole time.
Google Cloud → Audience → Test users bypasses the warning for specific emails. Use this to unblock real users while verification is in progress.
The silver lining
The traffic was real. The product was getting seen. It was purely a trust problem at the door — not a product problem.
If you're building anything that touches Google APIs, audit your scopes in code before you launch. It's a 5-minute check that can save you weeks of lost signups.
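One way to automate that audit, as an added example (not BriefMe's own code): a plain JavaScript check that finds every Google scope URL in source text and reports any that is not on an allowlist, suitable as a CI gate. The `APPROVED` list, the function names, and the sample file contents are assumptions constructed for illustration.

```javascript
// Added example: audit the Google OAuth scopes that source code actually requests.
// APPROVED is an assumed allowlist: the scopes you intend to ship.
const APPROVED = new Set([
  'https://www.googleapis.com/auth/calendar.readonly',
]);

// Full Google scope URLs only; shorthand scopes such as 'openid' are not covered.
const SCOPE_RE = /https:\/\/www\.googleapis\.com\/auth\/[A-Za-z0-9._-]+/g;

// Return the distinct scope URLs in a text, also catching URL-encoded forms
// (https%3A%2F%2F...) as they appear in a prebuilt authorization URL.
function findRequestedScopes(text) {
  const decoded = text.replace(/%3A/gi, ':').replace(/%2F/gi, '/');
  return [...new Set(decoded.match(SCOPE_RE) || [])];
}

// files: { path: contents }. Returns one finding per unapproved scope, with its line.
function auditScopes(files, approved = APPROVED) {
  const findings = [];
  for (const [path, contents] of Object.entries(files)) {
    contents.split('\n').forEach((line, i) => {
      for (const scope of findRequestedScopes(line)) {
        if (!approved.has(scope)) findings.push({ path, line: i + 1, scope });
      }
    });
  }
  return findings;
}

// Constructed sample input mirroring the two versions of login-button.tsx above.
const SAMPLE_BEFORE = { 'login-button.tsx': `scopes: [
  'https://www.googleapis.com/auth/calendar.readonly',
  'https://www.googleapis.com/auth/gmail.readonly',
  'https://www.googleapis.com/auth/drive.readonly',
].join(' '),` };
const SAMPLE_AFTER = { 'login-button.tsx': `scopes: [
  'https://www.googleapis.com/auth/calendar.readonly',
].join(' '),` };

// Report what the pre-fix file would have requested beyond the allowlist.
for (const f of auditScopes(SAMPLE_BEFORE)) {
  console.log(`${f.path}:${f.line} requests unapproved scope ${f.scope}`);
}
```

In a real pipeline, pass the contents of your source files to `auditScopes` and fail the build when it returns any findings.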