New Features: Revoke All Tokens and Whitelisted IPs

We’re excited to announce two new features today: Revoke All Tokens and Whitelisted IPs!

New Features: Revoke All Tokens and Whitelisted IPs

In every part of our API design, we strive to help you build the most secure inbox connection to your application. Which is why today, we’re excited to announce two new features that further enhance security on our platform:

  1. Revoke All Tokens
  2. Whitelist IPs

You can start using both features today by directly integrating with our API, or through our SDKs (currently available for the Revoke All Tokens feature).

Here, we’ll break out a few examples of how to use these new features. When you’re ready, check out the documentation for Revoke All Tokens and Whitelisted IPs to start building it yourself!


In order to improve security, we’ve enhanced the level of control customers have over Nylas access tokens.

An access token is what allows our customers to make calls to the various Nylas endpoints. Each time our customer’s authenticate new users (for example, Fountain adds more recruiters to their platform), access is granted through the access token.

Our customers can now revoke all tokens in bulk, drastically reducing risk by eliminating unused tokens from living on indefinitely, especially if those tokens were no longer stored in your database.

How do you use it?

Make a simple POST request to the revoke-all endpoint. Here’s a simple example of what this looks like:

curl -X POST{client_id}/accounts/{account_id}/revoke-all -H 'Authorization: Bearer access_token_here' -d { "keep_access_token": "1234asdf4321fdsa" }

If you specify the keep_access_token parameter, that access token will remain active and all other tokens will be revoked.

If you don’t specify the keep_access_token all tokens will be revoked. You can always re-authenticate the account after this to get a new access token.

Get started with our Python, Node, or Ruby SDKs!


Nylas provides a dynamic list of IP addresses to sync data from security minded companies that whitelist access to their mail, calendar, and contacts data.

Using the /ip_addresses endpoint, customers can now limit access to their mail server without interrupting ongoing data sync. This new feature helps improve both security and performance.

How do you use it?

Using Nylas’ Account Management endpoints, all you need to do is perform a GET request to our /ip_addresses endpoint like so:

curl -X GET{client_id}/ip_addresses -H 'Authorization: Bearer access_token_here'

Example Response:

  "ip_addresses": [ 
  "updated_at": 1545682983 

*Note: this can only be done from paid applications. Additionally, this endpoint has specific rate limiting of 10 requests/hr/application.

Log in to your account here to give both of these features a try!


You May Also Like

How we secure APIs at Nylas using JSON Web Tokens
Data Residency
Announcing Data Residency: US, EU, and Australian Data Centers
Log4j Vulnerability Response
Nylas’ Response to the Log4j Vulnerability