Manage access tokens in Nylas API v2
In this guide, you'll learn how to create new access tokens.
Generate an access token from the Accounts page in v2
You can generate a new token in the Nylas Dashboard. Click on Accounts on the left, select the account you want to generate a token for, and click Generate a new token.
Good to know: Generating a new token doesn't delete any previous access tokens. See Revoking access tokens (below) for more information.
Revoking access tokens in v2
The Nylas v2 <ACCESS_TOKEN> never expires. If you want to stop using it or stop others from using it, you must revoke it. If you ever need to re-authenticate an account, you can have more than one access token for an account.
Even though a Nylas v2 access token never expires, they can become invalid or de-authenticated, for example when a user changes their password.
Revoking Tokens
Since Nylas access tokens never expire, you should revoke any previous Nylas access tokens when you re-authenticate an account. You can use the Account Management /revoke-all endpoint with the keep_access_token body parameter to ensure former access tokens are revoked. An example workflow is described below:
- Authenticate a Google account and get the initial
<ACCESS_TOKEN>. - The user changes their password and the account becomes invalidated. However, the initial Nylas
<ACCESS_TOKEN>is still active. - Re-authenticate the Google account and receive a new
<ACCESS_TOKEN>for the account. - Call the
/revoke-allendpoint withkeep_access_token=<ACCESS_TOKEN>using the new access token from Step 3.
Gmail Limitations
The Gmail refresh_token is also revoked if you use the /revoke-all endpoint and omit the keep_access_token parameter.