Improve Email Security with Authentication Scopes - Nylas

Secure Your Email, Contacts, and Calendar Sync Integration with Authentication Scopes

Nylas has released granular Authentication Scopes – a substantial update that gives you even more control over the data you access via the Nylas API.

Tasia Potasinski | June 11, 2019

At Nylas, security is our #1 priority, which is why we’re excited to announce that our core platform has been updated to give you even more control over the data you access.

Today, we’re releasing a first big milestone for improving security with your email integrations: Authentication Scopes.

This new feature allows you to control the types of user data you sync at a more granular level. With Authentication Scopes, you can:

  • Sync data at a granular level for specific actions (like read, edit & send)
  • Empower users with more specificity around authentication
  • Increase security on your platform by syncing only the data users need

If your application syncs Google data, Authentication Scopes will also help you meet Google’s new user data policy.

The following authentication scopes are available today:

  • email.modify: Read and modify all messages, threads, file attachments, and read email metadata like headers. Does not include send.
  • email.read_only: Read all messages, threads, file attachments, drafts, and email metadata like headers—no write operations.
  • email.send: Send messages only. No read or modify privileges on users’ emails.
  • email.folders_and_labels: Read and modify folders or labels, depending on the account type.
  • email.drafts: Read and modify drafts. Does not include send.
  • calendar: Read and modify calendars and events.
  • calendar.read_only: Read calendars and events.
  • contacts: Read and modify contacts.
  • contacts.read_only: Read contacts.

Here’s an example of the new Authentication Scopes in action from our Ruby SDK:


require 'nylas' 

api =, config.nylas_client_secret, nil) 
nylas_token = api.authenticate(
  name: 'Ben Bitdiddle', 
  email_address: '[email protected]', 
  provider: :gmail, settings: { 
    google_client_id: ENV['GOOGLE_CLIENT_ID'], 
    google_client_secret: ENV['GOOGLE_CLIENT_SECRET'], 
    google_refresh_token: auth_hash[:credentials][:refresh_token] 
  scopes: ['email.read_only,email.send'] 
api_as_user =

If you request access to data that’s outside of what your users have authorized, then the endpoint will return a 403 error like the one below:

  "message": "You do not have access to the required scopes. You provided a token which has the following scopes ['email.read_only', 'email.send']. You would need a token with at least one of the following scopes: ['email.modify']", 
  "type": "api_error" 

You can learn more about the new scopes in our docs, and access them through our Python, Ruby, and NodeJS SDKs.

There’s never been a better time to use the Nylas platform to improve the security of your connection to email providers. We’re excited to continue to help our customers create the most secure integrations for their applications by removing the complexity of building, managing, and maintaining direct integrations.

About the Author

Tasia is the Head of Marketing at Nylas. In her free time, she enjoys discovering new running trails in the Marin Headlands and exploring the best vegan bakeries in San Francisco.

Ready to Start Building?

Connect up to 10 accounts for free today. No credit card required.