How to Generate an App Password for Gmail (Complete Tutorial)

App passwords for Gmail are crucial in 2026 for apps not supporting OAuth 2.0. Keep your account secure with 2-Step Verification.

Othman Katim
Email Marketing Expert

Why Generating an App Password for Gmail Still Matters in 2026

Some email tools and devices do not support OAuth 2.0, which is a secure authentication protocol required by Gmail. As a result, these devices and apps cannot authenticate with your regular password alone. In such cases, an app password bridges this gap. This unique 16-character code is designed for use with a single app or device, allowing you to keep 2-Step Verification enabled without exposing your main Google password to less-secure software.

Remember, while app passwords offer a solution for devices and applications not supporting OAuth 2.0, you should always use OAuth 2.0 whenever your software permits it for stronger security and better control.

As of March 2026, Google still provides app passwords for accounts with 2-Step Verification enabled.

Prerequisites for Generating an App Password for Gmail with 2-Step Verification

  • Enable 2-Step Verification on your Google or Workspace account.
  • Sign in to your account using a web browser. Note that the Gmail mobile app does not provide an app password generator.
  • If you have a Workspace account, ensure your Google Workspace admin allows app passwords for your organization.
  • Do not enroll your account in Advanced Protection, as this feature disables app passwords.
  • For mail clients, make sure IMAP is enabled in your Gmail settings.

Please note that menu labels might receive slight updates occasionally, so follow the intent and context of each step described below, in addition to the exact wording. The step-by-step guide reflects the March 2026 Gmail web interface.

How to Generate an App Password for Gmail on Desktop: Step by Step

  1. Open your Google Account and navigate to Security.
  2. Under How you sign in to Google, ensure that 2-Step Verification is On.
  3. Click on App passwords. You may need to re-authenticate at this stage.
  4. In the Select app menu, choose Mail, or select Other (Custom name) and enter a meaningful label for your app/device.
  5. In the Select device section, pick your device or select Other if it’s not listed.
  6. Click Generate. Google will display your 16-character app password.
  7. Carefully copy the access code without spaces, and consider saving it somewhere secure and easily accessible. Depending on your needs and privacy concerns, options include offline password software, encrypted online password managers, or a trusted secure note-keeping system.
  8. Click Done. Retain the generated label so you can easily identify this app password for future reviews or revocation.

The code appears only once. If you close the window without saving, you’ll need to generate a new one.

How to Create a Gmail App Password from a Phone

To do this from your phone, use a web browser; app passwords cannot be created through the Gmail app.

  1. Sign in to your Google Account using Chrome or Safari on your mobile device.
  2. Open the Security section and confirm that 2-Step Verification is enabled.
  3. Tap App passwords. Approve any authentication prompt if requested.
  4. Select your app and device, then tap Generate.
  5. Copy the code and store it in a secure location as described above.

If the settings page appears simplified or limited, use your browser’s menu to request the desktop version of the site for full options.

Configure Your Gmail App Password with SMTP, IMAP, or POP Correctly

When setting up your email client, be sure to use your full Gmail address as the username and the newly created app password as the password.

SMTP server: smtp.gmail.com
Port: 587 with STARTTLS (or 465 with SSL/TLS)
Auth: Normal password
Username: your full Gmail or Workspace address
Password: your 16-character app password

IMAP server: imap.gmail.com
Port: 993 with SSL/TLS
Auth: Normal password
Username: full address
Password: app password

POP server: pop.gmail.com
Port: 995 with SSL/TLS
Auth: Normal password
Username: full address
Password: app password

For IMAP, enable it in Gmail Settings under Forwarding and POP/IMAP. After adjusting settings, restart your email client to apply changes.
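
The settings above as a login check, an added example that is not part of the original article: it strips whitespace from the pasted app password, sends credentials only over TLS with certificate verification, and separates rejected logins from connection problems. The environment variable names `GMAIL_ADDRESS` and `GMAIL_APP_PASSWORD` and the function names are assumptions.

```python
import imaplib
import os
import smtplib
import ssl

SMTP_HOST, SMTP_PORT = "smtp.gmail.com", 587  # STARTTLS
IMAP_HOST, IMAP_PORT = "imap.gmail.com", 993  # SSL/TLS from the first byte


def normalize_app_password(raw: str) -> str:
    """Remove pasted whitespace and require exactly 16 characters."""
    secret = "".join(raw.split())
    if len(secret) != 16:
        raise ValueError(f"expected 16 characters, got {len(secret)}")
    return secret


def check_logins(address: str, raw_password: str, timeout: float = 15.0) -> dict:
    """Try an SMTP and an IMAP login; return one status string per protocol."""
    if "@" not in address:
        raise ValueError("username must be the full email address")
    secret = normalize_app_password(raw_password)
    ctx = ssl.create_default_context()  # verifies certificate and hostname
    status = {}
    try:
        with smtplib.SMTP(SMTP_HOST, SMTP_PORT, timeout=timeout) as smtp:
            smtp.starttls(context=ctx)   # raises if STARTTLS is not offered
            smtp.login(address, secret)  # sent only after TLS is established
        status["smtp"] = "ok"
    except smtplib.SMTPAuthenticationError:
        status["smtp"] = "rejected: check the address and the app password"
    except (smtplib.SMTPException, OSError) as exc:
        status["smtp"] = f"connection or TLS problem: {exc}"
    try:
        with imaplib.IMAP4_SSL(IMAP_HOST, IMAP_PORT, ssl_context=ctx, timeout=timeout) as imap:
            imap.login(address, secret)
        status["imap"] = "ok"
    except imaplib.IMAP4.error as exc:
        status["imap"] = f"rejected (credentials, or IMAP disabled): {exc}"
    except OSError as exc:
        status["imap"] = f"connection or TLS problem: {exc}"
    return status


if __name__ == "__main__":
    # Assumed variable names; keep the secret out of the script itself.
    print(check_logins(os.environ["GMAIL_ADDRESS"], os.environ["GMAIL_APP_PASSWORD"]))
```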

Troubleshooting Gmail App Password Creation and Sign-in Issues

  • “App passwords” is missing: Make sure 2-Step Verification is enabled. Note that Workspace admins might restrict this feature.
  • “This setting is managed by your organization”: Consult your admin about allowing app passwords for your organizational unit (OU).
  • Advanced Protection is on: App passwords won’t be available. You must disable Advanced Protection or use OAuth 2.0 where supported.
  • Authentication fails in your client: Verify the username is your full email address, and re-paste the 16-character app password with no spaces.
  • Wrong port or TLS mode: For SMTP, use 587 with STARTTLS or 465 with SSL/TLS. For IMAP, use 993.
  • IMAP disabled in Gmail: Turn on IMAP in Gmail settings, then wait a minute and try again.
  • Multiple app passwords for one device: Revoke older or unused app passwords to reduce confusion and improve security.
  • Security alert email received: Confirm the authenticity of the client you authorized. If something looks unfamiliar, revoke the app password without delay.

Whenever possible, prefer OAuth 2.0 for supported apps; its tighter, revocable scope offers better security than app passwords.

Deliverability and Reputation Checklist When Using Gmail with App Passwords

Your choice of authentication method (app password versus OAuth 2.0) does not directly impact inbox placement, but consistent authentication and responsible sending practices do. Always follow these best practices:

  • Set up SPF, sign emails using DKIM, and implement DMARC for protecting your sending domain.
  • Respect Gmail’s sending limits and gradually increase volume for new mailboxes.
  • Ensure your SMTP EHLO/HELO string matches a valid, authenticated domain. For background, see this explanation of HELO and sender reputation.
  • Regularly monitor for hard bounces and adhere to mailbox provider guidelines. See the 2026 bounce rule guide for evolving requirements.
  • Before sending large-scale outreach emails, start with a warm-up process involving real interactions, as discussed in this overview of email warm-up for inbox placement.

Maintain varied, regular interactions reflective of normal email activity. Avoid sudden spikes in sent email volume or using identical email templates repeatedly, as such behaviors may trigger spam filters. High complaint rates can also adversely affect your sender reputation, so focus on delivering quality content that minimizes spam complaints.

Safely Warming a Gmail Sender After Generating an App Password

A newly created or previously inactive mailbox should gradually build up positive and consistent activity before you start major outreach. A technical warm-up sequence generates authentic replies, cleans out spam placements, and keeps threads active. This is an operational, reputation-building process rather than a marketing exercise; the objective is strong sender signals, not marketing data.

Mailwarm automates this process across a network of over fifty thousand active and regularly updated mailboxes. By February 2026, Mailwarm introduced advanced features such as centralized management for multiple accounts, thorough monitoring of email reputation, broad provider compatibility (including Gmail, Microsoft, Yahoo), and detailed spam score tracking, all to deliver scalable performance.

During warm-up, the tool mimics genuine mailbox activity, including opening and replying to emails, and pulling messages from spam folders. These interactions serve as technical reputation signals, not marketing distribution.

Governance Tips for App Passwords in Teams and Agencies

  • Generate a unique app password for each tool and device, and use clearly descriptive labels for easy identification.
  • Securely store app passwords using an organization-approved secrets manager or other secure method.
  • Revoke app passwords immediately when staff or vendors depart the organization.
  • Implement regular credential rotation schedules based on your risk model and security policy.
  • Review your App passwords page monthly to remove unused or outdated entries.
  • Prioritize OAuth 2.0 wherever possible, especially for long-term integrations.

Final Checks After Creating Your Gmail App Password

  1. Send a test email using SMTP with TLS on port 587 to confirm delivery.
  2. Verify that IMAP connectivity and folder synchronization are fully operational.
  3. Check that DKIM signatures and SPF records pass on an outgoing test email.
  4. Begin a gentle warm-up phase before attempting any cold outreach or bulk campaigns.
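
For step 3, the receiving server records its SPF, DKIM and DMARC verdicts in the `Authentication-Results` header of the delivered test message. The added example below (not from the original article) reads those verdicts from a constructed sample and ignores any copy of the header that the receiver did not write; `mx.google.com` as the receiver's identifier assumes the test was delivered to a Gmail inbox, and the function names are hypothetical.

```python
import re
from email import message_from_string, policy

# Constructed sample headers; domains and addresses are placeholders.
# The second Authentication-Results line stands in for one the sender added.
SAMPLE = """\
Authentication-Results: mx.google.com;
 dkim=fail header.i=@example.com header.s=sel1;
 spf=pass (google.com: domain of a@example.com designates 192.0.2.10 as permitted sender) smtp.mailfrom=a@example.com;
 dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=example.com
Authentication-Results: relay.example.org; dkim=pass header.i=@example.com
From: a@example.com
Subject: auth test

body
"""

METHODS = ("spf", "dkim", "dmarc")


def auth_results(raw_message: str, trusted_id: str = "mx.google.com") -> dict:
    """Collect spf/dkim/dmarc verdicts from headers written by trusted_id."""
    msg = message_from_string(raw_message, policy=policy.default)
    results = {m: [] for m in METHODS}
    for header in msg.get_all("Authentication-Results", []):
        # Drop parenthesised comments, then split into clauses.
        parts = re.sub(r"\([^()]*\)", " ", str(header)).split(";")
        server = parts[0].split()
        if not server or server[0].lower() != trusted_id:
            continue  # header from another system: do not trust its claims
        for clause in parts[1:]:
            m = re.match(r"\s*([a-z0-9-]+)\s*=\s*([a-z]+)", clause, re.I)
            if m and m.group(1).lower() in results:
                results[m.group(1).lower()].append(m.group(2).lower())
    return results


def failing_methods(results: dict) -> list:
    """A method fails when no trusted verdict for it is 'pass'."""
    return [m for m in METHODS if "pass" not in results[m]]


if __name__ == "__main__":
    print(failing_methods(auth_results(SAMPLE)))
```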

Next step: Generate your app password, test your SMTP and IMAP setup, and commence a gradual warm-up routine to optimize deliverability and reputation before scaling up your sending activity.

FAQ

Why might I still need an app password for Gmail in 2026?

Many devices and legacy apps don't support OAuth 2.0, making app passwords necessary for secure access. Without it, your main Google password is exposed to less-secure applications.

What are the prerequisites for generating a Gmail app password?

First, enable 2-Step Verification on your Google account. Avoid enrolling in Advanced Protection, as it disables app passwords. Also, for mail clients, ensure IMAP is enabled in your Gmail settings.

Can I generate a Gmail app password from the mobile app?

No, you must use a web browser to create an app password. The Gmail mobile app does not support app password generation.

What should I do if the 'App passwords' option is missing?

Ensure 2-Step Verification is enabled on your account. If you're using Workspace, your admin may have restricted this feature. Contact them to adjust permissions.

How does using an app password impact email deliverability and reputation?

The authentication method itself doesn't impact inbox placement, but insecure practices can harm reputation. Always use SPF, DKIM, and DMARC to safeguard your domain.

How should I manage app passwords in a team setting?

Assign unique app passwords for each device and securely store them. Revoke passwords when team members leave, and regularly review and rotate credentials.

What is the best practice for starting an outreach campaign with a new Gmail account?

Implement a warm-up process gradually to build a positive sender reputation before launching major campaigns. Mailwarm provides automated solutions to simulate authentic email interactions and boost reputation.
