Improve Security With Authentication Scopes for Google and Microsoft Accounts

Sync only what you need; use Granular Authentication Scopes! This security feature gives you even more control over the types of data you sync.

Improve Email Security with Authentication Scopes - Nylas

At Nylas, security is our #1 priority, which is why we’re excited to announce that our core platform has been updated to give you even more control over the data you access.

Today, we’re releasing a first big milestone for improving security with your email integrations: Authentication Scopes for Google/GSuite and Microsoft Accounts.

This new feature allows you to control the types of user data you sync at a more granular level. With Authentication Scopes, you can:

  • Sync data at a granular level for specific actions (like read, edit & send)
  • Empower users with more specificity around authentication
  • Increase security on your platform by syncing only the data users need

If your application syncs Google data, Authentication Scopes will also help you meet Google’s new user data policy.

The following authentication scopes are available today:

  • email.modify: Read and modify all messages, threads, file attachments, and read email metadata like headers. Does not include send.
  • email.read_only: Read all messages, threads, file attachments, drafts, and email metadata like headers—no write operations.
  • email.send: Send messages only. No read or modify privileges on users’ emails.
  • email.folders_and_labels: Read and modify folders or labels, depending on the account type.
  • email.drafts: Read and modify drafts. Does not include send.
  • calendar: Read and modify calendars and events.
  • calendar.read_only: Read calendars and events.
  • contacts: Read and modify contacts.
  • contacts.read_only: Read contacts.

Authentication Scopes for Gmail/GSuite:

Here’s an example of the new Authentication Scopes in action from our Ruby SDK:

require 'nylas' 

api =, config.nylas_client_secret, nil) 
nylas_token = api.authenticate(
  name: 'Ben Bitdiddle', 
  email_address: '[email protected]', 
  provider: :gmail, settings: { 
    google_client_id: ENV['GOOGLE_CLIENT_ID'], 
    google_client_secret: ENV['GOOGLE_CLIENT_SECRET'], 
    google_refresh_token: auth_hash[:credentials][:refresh_token] 
  scopes: ['email.read_only,email.send'] 
api_as_user =

If you request access to data that’s outside of what your users have authorized, then the endpoint will return a 403 error like the one below:

  "message": "You do not have access to the required scopes. You provided a token which has the following scopes ['email.read_only', 'email.send']. You would need a token with at least one of the following scopes: ['email.modify']", 
  "type": "api_error" 

You can learn more about the new scopes in our docs, and access them through our Python, Ruby, and NodeJS SDKs.

There’s never been a better time to use the Nylas platform to improve the security of your connection to email providers. We’re excited to continue to help our customers create the most secure integrations for their applications by removing the complexity of building, managing, and maintaining direct integrations.

You May Also Like

How we secure APIs at Nylas using JSON Web Tokens
Data Residency
Announcing Data Residency: US, EU, and Australian Data Centers
Log4j Vulnerability Response
Nylas’ Response to the Log4j Vulnerability