A bulk authentication grant (also called a “Service Account”) is a type of grant that allows Nylas applications or compute workloads access to permitted resources. Nylas applications use bulk authentication grants to make authorized API calls.
Nylas supports two types of bulk auth grants: Microsoft and Google. For more information about Service Accounts, see Microsoft’s official documentation and Google’s official documentation.
Before you begin
Ensure that your Nylas application has a working Google or Microsoft connector. You can check this on the Nylas Dashboard, or make a Get all connectors request to get a list of connectors associated with your application.
If you don’t have a connector, create one from the Dashboard or make a Create Connector request.
Create Google bulk authentication grants
Make a Custom Authentication request that uses your Google connector’s id.
{ "provider": "google", #REQUIRED "settings": { "credential_id": "e19f8e1a-eb1c-41c0-b6a6-d2e59daf7f47", #REQUIRED "scopes" : ["https://www.googleapis.com/auth/gmail.readonly"] #REQUIRED } }{ "request_id": "171cac55-10b6-4989-9e03-8f4a9795ca61", "data": { "id": "1138fb47-6be6-451c-ab79-576933dfda9c", "grant_status": "valid", "provider": "google", "scope": [ "openid", "https://www.googleapis.com/auth/userinfo.email", "https://www.googleapis.com/auth/userinfo.profile", "https://www.googleapis.com/auth/gmail.readonly" ], "settings": { "app_permission": true, "credential_id": "6c40d1e8-b1b4-4a58-a92a-93a34b666a0f", "credential_type": "serviceaccount", "scopes": [ "https://www.googleapis.com/auth/gmail.readonly" ] }, "ip": "192.168.65.1", "user_agent": "sensitive_data", "created_at": 1749053226, "updated_at": 1749053226, "blocked": false }}Create Microsoft bulk authentication grants
To create Microsoft bulk auth grants, you need to do the following tasks:
- Create and configure an Azure auth app.
- Set up Microsoft Admin Consent flow.
- Create a Microsoft bulk auth grant.
Create and configure Azure auth app
First, you need to create an Azure auth app, then configure it as follows:
- From the Authentication tab, click Add a platform.
- Set the Platform to Web and enter the Custom Auth URI.
- In the Certificates & secrets tab, click New client secret and add a client secret.
Be sure to save the client secret somewhere secure, like a secrets manager. The Microsoft Azure Dashboard shows the
client_secretvalue only once. If you lose it, you’ll need to create a new one. - In the API permissions tab, click Add a permission and select Microsoft Graph from the list of APIs.
- Select Application permissions and add all the Microsoft Graph scopes that your project needs access to, including
User.Read.All. This gives your bulk auth grant the access it needs.
You don’t need to select Grant admin consent. You can add this later using an authorization request.
Set up Microsoft Admin Consent flow
Make a Create Credential request to create a unique connector credential for the bulk auth grant. The request body must include the provider’s client_id and client_secret, and can include the tenant.
curl --request POST \ --url 'https://api.us.nylas.com/v3/connectors/microsoft/creds' \ --header 'Content-Type: application/json' \ --header 'Accept: application/json, application/gzip' \ --header 'Authorization: Bearer <NYLAS_API_KEY>' \ --data '{ "name": "Test Microsoft credential", "credential_type": "adminconsent", "credential_data": { "client_id": "<MICROSOFT_CLIENT_ID>", "client_secret": "<MICROSOFT_CLIENT_SECRET>", "tenant": "<MICROSOFT_TENANT>" } }'{ "request_id": "1", "data": { "id": "<NYLAS_CONNECTOR_CREDENTIAL_ID>", "credential_type": "adminconsent", "name": "Test Microsoft credential", "created_at": 1656082371, "updated_at": 1656082371 }}You can set the tenant to common in your bulk auth requests instead of creating custom admin consent URLs for each of your customers. When you do this, you grant your project access to the Microsoft Graph scopes set by your Azure auth app, but you can’t specify scopes in the admin consent URL. If you want to set custom scopes in the admin consent URL, you need to specify your customer’s Azure tenant ID in your API requests.
If you don’t define the client_id and client_secret, Nylas uses the credentials from your application’s Microsoft connector.
Create Microsoft bulk auth grant
First, make an OAuth Authorization request using the admin profile of the Microsoft Azure OAuth app to request administrator approval for the scopes that you requested when you created the app.
https://api.us.nylas.com/v3/connect/auth?provider=microsoft&redirect_uri=<REDIRECT_URI>&response_type=adminconsent&state=<STATE>&credential_id=<NYLAS_CONNECTOR_CREDENTIAL_ID>&client_id=<NYLAS_CLIENT_ID>https://api.us.nylas.com/v3/connect/auth?provider=microsoft&redirect_uri=<REDIRECT_URI>&response_type=adminconsent&state=<STATE>&credential_id=<NYLAS_CONNECTOR_CREDENTIAL_ID>&client_id=<NYLAS_CLIENT_ID>&scope=https%3A%2F%2Fgraph.microsoft.com%2FCalendars.Read%20https%3A%2F%2Fgraph.microsoft.com%2FCalendars.Read.SharedNylas redirects the Service Account to the redirect_uri. The response URL contains admin_consent:true and the contents of the state parameter (if you set one). If the flow fails, Nylas returns a normal OAuth 2.0 error that includes the state, error, error_description, and error_uri.
If your administrator approves an updated set of scopes in your Authorization request, you need to wait at least 5 minutes before creating a grant. This allows Microsoft to update its cached scopes.
Next, make a Custom Auth request to create an application permission grant. This is a Microsoft app permission account within the Nylas platform that has access to the authorized scopes and an email address used to access Microsoft Azure.
curl --request POST --url 'https://api.us.nylas.com/v3/connect/custom' \ --header 'Accept: application/json, application/gzip' \ --header 'Authorization: Bearer <NYLAS_API_KEY>'\ --header 'Content-Type: application/json' \ --data '{ "provider": "microsoft", "settings": { "credential_id": "<NYLAS_CONNECTOR_CREDENTIAL_ID>", "email_address": "[email protected]" } }'{ "request_id": "251cac55-10b6-4989-9e03-8f4a9795ca61", "data": { "id": "d080aee0-68e8-43ac-9cd5-5ff048177bdb", "grant_status": "valid", "provider": "microsoft", "scope": [ "Directory.Read.All", "User.Read.All", "Mail.Read", "AccessReview.Read.All", "Application.Read.All", "Mail.ReadWrite", "Calendars.Read", "AccessReview.ReadWrite.All", "Calendars.ReadWrite", "Mail.Send" ], "settings": { "app_permission": true, "app_permission_scopes": [ "Directory.Read.All", "User.Read.All", "Mail.Read", "AccessReview.Read.All", "Application.Read.All", "Mail.ReadWrite", "Calendars.Read", "AccessReview.ReadWrite.All", "Calendars.ReadWrite", "Mail.Send" ], "credential_id": "50f7fb25-8af7-49be-a35b-94e1d07c842b", "credential_type": "adminconsent" }, "ip": "192.168.65.1", "user_agent": "sensitive_data", "created_at": 1749053636, "updated_at": 1749053636, "provider_user_id": "b16f171c-6640-4edd-a598-e507b546d841", "blocked": false }}