Nylas Security Best Practices
The Nylas platform handles a lot of sensitive information, and was built from the ground up with security in mind. Nylas implements strict access controls and auditing to make sure we’re doing everything we can to protect sensitive user data and credentials. Nylas does a lot of the work of implementing a secure process for you, especially when you use Hosted Authentication. This prevents you from directly handling and storing either credentials or OAuth tokens for accounts.
When you integrate with Nylas, you gain access to some of this sensitive data through Nylas access tokens. These tokens grant access to all of your end users’ account data via the Nylas API, so the security of these tokens is critical for your application. This section lists some recommendations for maintaining a secure environment.
Storing secrets securely
If you operate in a cloud environment, your cloud infrastructure provider probably provides a secret management service that you should use. Some examples would be:
When you use Nylas’ hosted authentication, you should focus on protecting the following secrets:
- Nylas Client ID and Secret.
- Nylas access tokens.
- Google Cloud application OAuth Client ID/Secret.
- Microsoft 365 application OAuth Client ID/Secret.
If you use native authentication, you need to protect all of the above secrets, as well as user passwords and OAuth refresh and access tokens.
If you are not using a secret manager to store these values, you should encrypt them both at rest and in transit. All requests to Nylas must be made over an encrypted TLS connection (HTTPS). You should try to design your application so you don't send secrets outside your infrastructure. If you need to transmit these secrets, use an encrypted connection.
Many databases have encryption options built in, so you don’t have to encrypt these secrets on your own. If you do decide to encrypt the secrets in your application code, use a well-known library such as libsodium or a secure library included in your programming language’s standard library.
We do not recommend integrating Nylas on the client-side of your application, as this gives more opportunities for credentials to be intercepted.
Revoke old tokens
Nylas access tokens don’t expire. When you detect that an account has re-authenticated, you should revoke unused tokens to minimize the number of active tokens.
You should use the revoke tokens endpoint to revoke any existing Nylas access tokens for the user when re-authenticating, disconnecting, or cancelling accounts. At any given time, your application should only hold one access token per account.
Encrypt stored user data
If your application stores sensitive data from the Nylas API on its servers, you should implement disk and/or database-level encryption so that all of the data is encrypted at rest. You should also ensure that the data is encrypted whenever it's in transit, which can usually be done by using TLS connections.
More security resources
These key management and cryptographic storage cheat sheets provide a good overview of how you can protect Nylas client secrets and access tokens:
The guide to encryption key management is an easy-to-follow, high-level guide on the basics of encryption that explains the concepts required to build a secure application.
Some general security advice we can give is that you should double-check any libraries or encryption algorithms you use to make sure they’re actually secure. Cryptographic libraries can have vulnerabilities in their implementations, even though they’re based on a secure algorithm. This applies to bindings for different languages as well because most encryption libraries are implemented in low-level languages such as C or C++.
If you’re unsure how to properly secure any information, contact Nylas Support so we can provide guidance.