ShuttleClous uses the OAuth “Consumer Key” and “Secret” for each domain involved in a migration. Also, “Enable Oauth” and “Allow access to all APIs” boxes must be checked for each domain to permit the necessary level of access to the domain data.
Please note that opening firewalls is not required. We access your Google Apps data directly.
For more information on accessing your email and other data through oauth, please read this post on Google’s blog. Quoting from the post:
While it is possible for a user to authorize this access by disclosing their Google Account password to the third party app, it is more secure for the app developer to use the industry standard protocol called OAuth which enables the user to give their consent for specific access without sharing their password. Most Google APIs support this OAuth standard, and starting today it is also available for the IMAP/SMTP feature of Gmail.