Only show these results:

Nylas Glossary

This page lists some terms that you'll encounter when working with Nylas, explains what they mean.

ℹ️ Have a suggestion for the glossary?
Let us know!

Access token

A short-lived token associated with a specific grant or connected account. An application uses an access token to authenticate with the service provider and make data requests on your behalf. In OAuth 2.0 and later, access tokens expire after one hour and can be refreshed.

API key

A unique identifier that an application uses to authenticate with the Nylas API. You can find your API key in the Nylas Dashboard. API keys are used in place of client secrets in Nylas v3.


Refers to one of three concepts in the Nylas docs: the "provider auth application" used to connect to your authentication provider, the Nylas application which contains connections to your project and your connectors, and sometimes "your application" which refers to your actual code project for the application you're working on. For clarity, we may call it "your project" instead.


The process of proving who you are, and that you have the right to make decisions about an account and its data. This is different from the authorization header that you use in API requests to pass a token or other credential. The token is like a backstage pass: it authorizes you to make requests. Different types of API authorization headers are known as "authentication" types. Both of these are sometimes shortened to "auth".

Authentication token

A short-lived token that the end user receives from the authentication system (the OAuth provider or IDP) which proves that they successfully authenticated (provided account credentials and passed any confirmation steps). The application uses this to retrieve an access token. Unlike an access token, you cannot use authentication tokens to make requests on an end user's behalf, or access data.


The process of deciding whether you have the right to do something. This is different from "authentication", which is the process of proving who you are, and that you have the right to make decisions about an account and its data. When you make API requests, you use an authorization header to to pass a token or other credential. The token is like a backstage pass: it authorizes you to make requests. Different types of API authorization headers are known as "authentication" types. Both of these are sometimes shortened to "auth".


A protocol for working with calendar and schedule information on a remote server. It uses the iCalendar data format, and is used by iCloud and Google Calendar.

Callback URL

The URL that the OAuth provider sends an end user back to after they authenticate using Hosted OAuth. You must define this in your Nylas application's settings. This is similar to the "redirect URI", which you specify in your provider auth app.

Client ID

A unique identifier for your Nylas application, used to identify your application when it connects to the Nylas API. You can find your client ID in the Nylas Dashboard.

Client secret

Usually, this refers to a unique secret key for your Nylas application. As of Nylas v3, however, any field labeled "client secret" takes an API key instead.


Any code that runs in the end user's browser or device, as opposed to server-side code which runs on a server. Client-side code is often written in JavaScript, and is used to create interactive web pages. Client-side applications require special security considerations for secrets management, such as PKCE verification.


A data structure that stores information about how your Nylas application connects to a third-party service provider, such as an email provider, calendar provider, or other data source. Connectors are sometimes called "integrations" or "channels", and might include another term that describes what the connector does (for example, an "auth connector" or a "notification connector").


An acronym for "Create, Read, Update, Delete". These are the four basic operations that you can perform on data.

Custom authentication

An authentication flow that is sometimes called "bring your own token". You provide the OAuth refresh token for the end user, and Nylas uses it to create a grant and request access tokens as needed to access the end user's data.

Data center

Nylas offers two data center options — U.S. and E.U. — to accommodate customers around the world. See the Data residency documentation for more details.


An acronym for "Email Service Provider". See service provider.


An acronym for "Google Cloud Platform". This is the portal where you create a provider auth app to allow your project to connect to Google resources.


A record of permissions ("scopes") that an end user "granted" to your application to access their data. Nylas creates a grant when an end user successfully authenticates, and generates an access token.


"Internet Calendar Scheduling". This is the file format behind iCalendar and CalDav, used by Apple and Google. Each ICS file represents an individual event on a calendar.


"Internet Message Access Protocol". This is a protocol for receiving email that allows end users to access their email messages from different devices.


An external service connected to your Nylas application. This could be an authentication provider, data source, or another tool like Zoom Meetings. In most cases, these are now called "connectors".


"Large Language Model". A model of artificial intelligence that can complete natural language processing tasks. Nylas uses LLMs to power various features, including the Clean Conversation endpoint.


The process of transitioning end users and data from an older Nylas implementation to a newer one. This is the last part of the upgrade process.

Native authentication

See Custom authentication.


An authentication protocol that allows you to approve one application interacting with another on your behalf, without providing your password. See the OAuth specification website for more information.


The person who creates and schedules a specific calendar event.


A person who is invited to a calendar event. Each event might have more than one participant.


"Proof Key for Code Exchange". A shared secret used in OAuth 2.0 as an additional layer of validation to ensure that the authorization code exchange is secure. This is especially important for client-side applications.


See service provider.

Provider application

See provider auth application.

Provider auth application

Sometimes called a "provider integration application" or "provider application". An application that connects the service provider's infrastructure and your Nylas application.

Provider integration application

See provider auth application.

Redirect URI

The URL that the OAuth provider sends an end user back to after they authenticate. This URI must be registered with the OAuth provider through your provider auth app, and must match the URI that the end user is redirected to after they authenticate. These are similar to the "callback URL" that you specify in your Nylas application.

Refresh token

A long-lived token that you can use to request new access tokens when they expire. Used to keep end users authenticated without requiring them to log in again.


Permissions which determine what data your application can access on a specific procider. Your end users approve your requested scopes when they authenticate with your application. Scopes must be included in either the connector for the provider, or in the OAuth request.


Any code that runs on a server, and handles requests from client-side code. Often written in languages like Python, Ruby, or Node.js.

Service provider

The company that maintains the email systems, and sometimes the calendaring and contacts tools, which you connect to using Nylas. Sometimes called an "email service provider" or "ESP", or just "provider".


"Simple Mail Transfer Protocol". The underlying protocol used by IMAP providers to send email messages from email clients to servers, and back. Technically, all IMAP providers are also SMTP providers.


"Server-sent events". A push technology that allows your project to receive automatic updates from Nylas. Used in the Smart Compose endpoints to provide AI responses without requiring your application to constantly poll for new information.

Time slots

Periods of time returned by the Calendar API's Availability endpoint, when Nylas has determined that an end user is available to meet. These can include additional constraints such as buffer time, a time interval, and other options that you might have specified.


The process of transitioning an older version of Nylas to a newer version (for example, v2.x to v3.x), including updating your systems and any SDKs you use.


A string that identifies the application (browser) that the end user is using to access the web. This can be useful along with their IP address for identifying traffic from the same person. Nylas does not maintain a list of useragents, but you can find a list of common useragents online.

Webhook challenge

When you create or activate a webhook endpoint, Nylas verifies that the endpoint is working by making a GET request to it with a challenge query parameter. Your application must return the exact value of the challenge in the response body within 10 seconds.

Webhook endpoint

The URL that Nylas sends webhook payloads to when an event occurs on the provider. Sometimes called a "webhook receiver" or "webhook URL".

Webhook payload

The data or message that Nylas sends to your webhook endpoint when an event occurs on the provider.

Webhook signature

Included in webhook payloads sent from Nylas. These allow you to verify that the webhook data really did originate from Nylas.