Auth and Nylas

This page explains the different authentication methods available in Nylas v3, so you can choose the best one for your project. The basic steps to set up authentication are described below, but you should choose the type of authentication for your project first.

Choose an authentication method

When you know what type of authentication you want to use, go on to the steps below.

Setting up authentication in v3

Follow these steps to set up authentication in Nylas v3:

  1. If you haven’t already, log in to the v3 Dashboard and create a Nylas application.
  2. Generate an API key for your application in the v3 Dashboard.
  3. Create a provider auth app in the provider’s console or application.
    • See the detailed instructions for creating a provider auth app in Google and Azure.
  4. Create a connector for the provider you want to authenticate with.
  5. Add your project’s callback URIs (“redirect URIs”) in the Nylas Dashboard.
  6. Authenticate end users and create grants.

Adding the “Sign in with Google” button

Your Google application must have a “Sign in with Google” button that meets Google’s branding guidelines. This applies to the OAuth flow for both personal Gmail (@gmail.com) and Workspace email addresses.

For Hosted authentication in v3, Nylas recommends you do one of the following:

  • Configure the OAuth login prompt by setting the prompt parameter with select_provider or detect,select_provider. For more information, see Configuring the OAuth login prompt.
    • If you add a login_hint that is a personal Gmail or Workspace email address and you don’t configure a prompt during the Hosted auth flow, the end user is immediately directed to the Google OAuth screen, without clicking the “Sign in with Google” button. This can result in delays or failure in verification.
  • Use the pre-approved “Sign in with Google” button with the “Connect your account” button or other provider login buttons in your application. For more information, see Google’s official Sign in with Google branding guidelines.
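One way to enforce the prompt recommendation above when building the Hosted auth URL, as an added example that is not Nylas's own code. It assumes the Hosted auth endpoint is `/v3/connect/auth` with `client_id`, `redirect_uri` and `response_type=code` query parameters; `build_hosted_auth_url` and its allowlist argument are hypothetical names.

```python
from urllib.parse import urlencode

# Assumption: Hosted auth starts at /v3/connect/auth on the same US API host
# that the curl examples on this page use.
HOSTED_AUTH_URL = "https://api.us.nylas.com/v3/connect/auth"

# The two prompt values this page recommends for Hosted auth.
RECOMMENDED_PROMPTS = {"select_provider", "detect,select_provider"}


def build_hosted_auth_url(client_id, redirect_uri, registered_redirect_uris,
                          login_hint=None, prompt=None):
    """Return a Hosted auth URL that keeps the provider button step in the flow."""
    # The callback should be one of the URIs added in the Nylas Dashboard
    # (setup step 5); check it locally before sending the end user anywhere.
    if redirect_uri not in registered_redirect_uris:
        raise ValueError(f"redirect_uri not registered: {redirect_uri}")

    # A login_hint with no prompt sends a Google user straight to the OAuth
    # screen, skipping the "Sign in with Google" button, so set a prompt.
    if login_hint and prompt is None:
        prompt = "detect,select_provider"

    if prompt is not None and prompt not in RECOMMENDED_PROMPTS:
        raise ValueError(f"prompt {prompt!r} not in {sorted(RECOMMENDED_PROMPTS)}")

    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
    }
    if login_hint:
        params["login_hint"] = login_hint
    if prompt:
        params["prompt"] = prompt
    return f"{HOSTED_AUTH_URL}?{urlencode(params)}"


if __name__ == "__main__":
    # Constructed sample values, not real credentials or addresses.
    print(build_hosted_auth_url(
        "<NYLAS_CLIENT_ID>", "https://app.example.com/callback",
        {"https://app.example.com/callback"}, login_hint="user@example.com"))
```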

For Custom auth, use the pre-approved “Sign in with Google” button with the “Connect your account” button or other provider login buttons in your application.

Learn more about the Google verification and security assessment process.

Create a connector

A connector stores information about external services you connect to your Nylas application, so you don’t need to include it manually in every API call. You cannot create grants without a connector. You only need to create one connector per provider for each Nylas application, and you can create it either in the v3 Dashboard or with the POST /v3/connectors/ endpoint.

In Nylas v3, you can configure default scopes for each connector. This is a good way to simplify your calls later if you know that all users using a specific connector will require the same scopes. You can also override these default scopes by specifying different scopes when you create a grant.

The example below shows a POST /v3/connectors request, and the result that Nylas returns.

You can also create a connector using the Nylas SDKs, as in the following examples.

Creating grants

See the instructions for each authentication method for details on creating grants:

Bulk auth grants and connector credentials

In v3, Nylas also supports Bulk authentication grants (sometimes called “Service Accounts” or “app permissions”), which you can use to do bulk re-authentication and other backend tasks.

Referencing grants in API requests

You can locate grants authenticated to your application in any of the following ways:

  • Using the grant_id. This is the simplest method, and the format that you see throughout the docs.

  • Using the /me/ construction and an access token in your API call. Nylas uses the access token to find the grant it’s associated with, and uses the grant_id internally.

    curl --request GET \
    --url https://api.us.nylas.com/v3/grants/me/messages/ \
    --header 'Accept: application/json, application/gzip' \
    --header 'Authorization: Bearer <NYLAS_ACCESS_TOKEN>' \
    --header 'Content-Type: application/json'

  • Using an authenticated email address in place of the grant ID.

    curl --request GET \
    --url https://api.us.nylas.com/v3/grants/<EMAIL_ADDRESS>/messages/ \
    --header 'Accept: application/json, application/gzip' \
    --header 'Authorization: Bearer <NYLAS_API_KEY>' \
    --header 'Content-Type: application/json'