Improve Security With Authentication Scopes for Google and Microsoft Accounts

Sync only what you need; use Granular Authentication Scopes! This security feature gives you even more control over the types of data you sync.

Improve Email Security with Authentication Scopes - Nylas

At Nylas, security is our #1 priority, which is why we’re excited to announce that our core platform has been updated to give you even more control over the data you access.

Today, we’re releasing a first big milestone for improving security with your email integrations: Authentication Scopes for Google/GSuite and Microsoft Accounts.

This new feature allows you to control the types of user data you sync at a more granular level. With Authentication Scopes, you can:

  • Sync data at a granular level for specific actions (like read, edit & send)
  • Empower users with more specificity around authentication
  • Increase security on your platform by syncing only the data users need

If your application syncs Google data, Authentication Scopes will also help you meet Google’s new user data policy.

The following authentication scopes are available today:

  • email.modify: Read and modify all messages, threads, file attachments, and read email metadata like headers. Does not include send.
  • email.read_only: Read all messages, threads, file attachments, drafts, and email metadata like headers—no write operations.
  • email.send: Send messages only. No read or modify privileges on users’ emails.
  • email.folders_and_labels: Read and modify folders or labels, depending on the account type.
  • email.drafts: Read and modify drafts. Does not include send.
  • calendar: Read and modify calendars and events.
  • calendar.read_only: Read calendars and events.
  • contacts: Read and modify contacts.
  • contacts.read_only: Read contacts.

Authentication Scopes for Gmail/GSuite:

Here’s an example of the new Authentication Scopes in action from our Ruby SDK:

require 'nylas' 

api =, config.nylas_client_secret, nil) 
nylas_token = api.authenticate(
  name: 'Ben Bitdiddle', 
  email_address: '', 
  provider: :gmail, settings: { 
    google_client_id: ENV['GOOGLE_CLIENT_ID'], 
    google_client_secret: ENV['GOOGLE_CLIENT_SECRET'], 
    google_refresh_token: auth_hash[:credentials][:refresh_token] 
  scopes: ['email.read_only,email.send'] 
api_as_user =

If you request access to data that’s outside of what your users have authorized, then the endpoint will return a 403 error like the one below:

  "message": "You do not have access to the required scopes. You provided a token which has the following scopes ['email.read_only', 'email.send']. You would need a token with at least one of the following scopes: ['email.modify']", 
  "type": "api_error" 

You can learn more about the new scopes in our docs, and access them through our Python, Ruby, and NodeJS SDKs.

There’s never been a better time to use the Nylas platform to improve the security of your connection to email providers. We’re excited to continue to help our customers create the most secure integrations for their applications by removing the complexity of building, managing, and maintaining direct integrations.

You May Also Like

Safeguard Your Users’ Data With a Secure Email API
How to Safeguard Your Users’ Data With a Secure Email API
the importance of cybersecurity
Why Skirting on Cybersecurity Will Be Your Costliest Mistake in 2023
How We Secure APIs at Nylas Using JSON Web Tokens

Subscribe for our updates

Please enter your email address and receive the latest updates.