As you work with Nylas, you’ll need to use authentication scopes to control the level of access Nylas has to your users’ data. This page explains those scopes and how to use them.
What are scopes?
Authentication scopes represent sets of permissions you request from your users, on a per-provider basis. Each provider has its own set of scopes, and your users either approve or reject them when they authenticate with your Nylas application.
You set the scopes that you want to request when you create your provider auth app and any connectors. For more information, see the following documentation:
You can also overwrite the default scopes associated with a connector on a per-request basis. To do this, make a GET /v3/connect/auth
request and include the scope
string.
Nylas scopes
Each of the Nylas APIs and notification sets requires different scopes to function. The tables in the following sections list the Google and Microsoft scopes you need to work with specific Nylas features.
All scopes must include the fully qualified URI path for the provider. The table shortens the full scope URI for space reasons, so add the prefix for the provider when requesting scopes.
The ☑️ in each column indicates the most restrictive scope you can request for each provider and still use that API. More permissive scopes appear under the minimum option. If you’re already using one of the permissive scopes, you don’t need to add the more restrictive scope.
Calendar and Events API scopes
Endpoint |
Google Scopes
https://www.googleapis.com/auth/...
|
Microsoft Scopes
https://graph.microsoft.com/...
|
---|---|---|
GET |
|
|
POST |
|
|
|
| |
|
| |
POST |
|
|
|
| |
Automatic conferencing creation | Microsoft Teams: |
Calendar and Events notification scopes
Notification trigger | Google Scopeshttps://www.googleapis.com/auth/... | Microsoft Scopeshttps://graph.microsoft.com/... |
|
| |
|
|
Email API scopes
Endpoint |
Google Scopes
https://www.googleapis.com/auth/...
|
Microsoft Scopes
https://graph.microsoft.com/...
|
---|---|---|
|
| |
|
| |
|
| |
POST |
|
|
POST |
|
|
|
| |
|
| |
|
| |
|
| |
POST |
|
|
|
| |
GET | No scopes are required because scheduled messages are stored with Nylas. To send scheduled messages, you need |
Email scopes for Yahoo OAuth
If you use Yahoo OAuth to connect to your users’ email inboxes, you must include the following scopes in your Yahoo provider auth app.
📝 Note: All Email notifications require the Yahoo email
and mail-r
scopes.
Email notification scopes
Notification trigger | Google Scopeshttps://www.googleapis.com/auth/... | Microsoft Scopeshttps://graph.microsoft.com/... |
|
| |
|
| |
|
| |
|
| |
|
|
Order Consolidation API scopes
Endpoint |
Google Scopes
https://www.googleapis.com/auth/...
|
Microsoft Scopes
https://graph.microsoft.com/...
|
---|---|---|
GET |
|
|
ExtractAI webhook scopes
Endpoint |
Google Scopes
https://www.googleapis.com/auth/...
|
Microsoft Scopes
https://graph.microsoft.com/...
|
---|---|---|
|
|
|
Contacts API scopes
Endpoint |
Google Scopes
https://www.googleapis.com/auth/...
|
Microsoft Scopes
https://graph.microsoft.com/...
|
---|---|---|
GET |
|
|
POST |
|
|
To access contacts with the |
Contacts notification scopes
Notification trigger | Google Scopeshttps://www.googleapis.com/auth/... | Microsoft Scopeshttps://graph.microsoft.com/... |
|
|
Scheduler API scopes
Endpoint |
Google Scopes
https://www.googleapis.com/auth/...
|
Microsoft Scopes
https://graph.microsoft.com/...
|
---|---|---|
POST |
|
|
|
| |
POST |
|
|
Google OAuth verification
If your application accesses Google user data with the Google APIs and requests certain scopes, you might have to complete the Google verification process and a separate security assessment process. Which process or processes you need to complete depends on whether your application requests sensitive scopes or restricted scopes.
Scope type | Required processes | Google policy and requirements |
---|---|---|
Sensitive | Google verification | Your application must follow Google’s API Services User Data Policy. |
Restricted | Google verification and security assessment | Your application must follow Google’s API Services User Data Policy and meet additional requirements for specific scopes. |
For more information, see the Google verification and security assessment guide.