New Features: Revoke All Tokens and Whitelisted IPs

We’re excited to announce two new features today: Revoke All Tokens and Whitelisted IPs!

Tasia Potasinski | March 20, 2019

In every part of our API design, we strive to help you build the most secure inbox connection to your application, which is why today we’re excited to announce two new features that further enhance security on our platform:

  1. Revoke All Tokens
  2. Whitelist IPs

You can start using both features today by directly integrating with our API, or through our SDKs (currently available for the Revoke All Tokens feature).

Here, we’ll break out a few examples of how to use these new features. When you’re ready, check out the documentation for Revoke All Tokens and Whitelisted IPs to start building it yourself!


Revoke All Tokens

In order to improve security, we’ve enhanced the level of control customers have over Nylas access tokens.

An access token is what allows our customers to make calls to the various Nylas endpoints. Each time our customers authenticate new users (for example, Fountain adds more recruiters to their platform), access is granted through the access token.

Our customers can now revoke all tokens in bulk, drastically reducing risk by keeping unused tokens from living on indefinitely, especially tokens that are no longer stored in your database.

How do you use it?

Make a simple POST request to the revoke-all endpoint. Here’s a simple example of what this looks like:

curl -X POST{client_id}/accounts/{account_id}/revoke-all -H 'Authorization: Bearer access_token_here' -d '{ "keep_access_token": "1234asdf4321fdsa" }'

If you specify the keep_access_token parameter, that access token will remain active and all other tokens will be revoked.

If you don’t specify the keep_access_token parameter, all tokens will be revoked. You can always re-authenticate the account after this to get a new access token.

Get started with our Python, Node, or Ruby SDKs!


Whitelisted IPs

Nylas provides a dynamic list of the IP addresses it uses to sync data, for security-minded companies that whitelist access to their mail, calendar, and contacts data.

Using the /ip_addresses endpoint, customers can now limit access to their mail server without interrupting ongoing data sync. This new feature helps improve both security and performance.

How do you use it?

Using Nylas’ Account Management endpoints, all you need to do is perform a GET request to our /ip_addresses endpoint like so:

curl -X GET{client_id}/ip_addresses -H 'Authorization: Bearer access_token_here'

Example Response:

  "ip_addresses": [ 
  "updated_at": 1545682983 

*Note: this can only be done from paid applications. Additionally, this endpoint has specific rate limiting of 10 requests/hr/application.
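
An added example (not Nylas code and not part of the original post): one way to turn the /ip_addresses response into a safe firewall allowlist change, polling no faster than the rate limit above allows. It assumes each entry in ip_addresses is a plain IP address string; the function names and the sample addresses are made up for illustration.

```python
import ipaddress
import json

# Page: 10 requests/hr/application, so poll at most once every 6 minutes.
MIN_POLL_SECONDS = 3600 // 10

# Constructed sample response (documentation-range addresses, not real Nylas IPs).
SAMPLE_RESPONSE = json.dumps({
    "ip_addresses": ["192.0.2.10", "192.0.2.11", "198.51.100.7"],
    "updated_at": 1545682983,
})


def may_poll(last_poll, now):
    """True when enough time has passed to call /ip_addresses again."""
    return now - last_poll >= MIN_POLL_SECONDS


def parse_ip_list(body):
    """Validate the response body; return (set of IP objects, updated_at)."""
    doc = json.loads(body)
    raw = doc.get("ip_addresses")
    updated_at = doc.get("updated_at")
    if not isinstance(raw, list) or not raw:
        # An empty or missing list would wipe the allowlist and stop data sync.
        raise ValueError("ip_addresses missing or empty; keep current allowlist")
    if isinstance(updated_at, bool) or not isinstance(updated_at, int):
        raise ValueError("updated_at missing or not an epoch integer")
    if not all(isinstance(item, str) for item in raw):
        raise ValueError("ip_addresses entries must be strings")
    # ip_address() raises ValueError for anything that is not a literal IP.
    return {ipaddress.ip_address(item) for item in raw}, updated_at


def plan_update(current, current_updated_at, body):
    """Return (to_add, to_remove) as sorted string lists, or None if not newer."""
    new_ips, updated_at = parse_ip_list(body)
    if updated_at <= current_updated_at:
        return None  # nothing newer than what the firewall already has
    current_ips = {ipaddress.ip_address(ip) for ip in current}
    to_add = sorted(str(ip) for ip in new_ips - current_ips)
    to_remove = sorted(str(ip) for ip in current_ips - new_ips)
    return to_add, to_remove
```

Apply the additions before the removals so sync is never blocked while the allowlist is being changed.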

Log in to your account here to give both of these features a try!

About the Author

Tasia is the Head of Marketing at Nylas. In her free time, she enjoys discovering new running trails in the Marin Headlands and exploring the best vegan bakeries in San Francisco.
