Skip to content

Using webhooks with Nylas

Webhooks let your project receive notifications in real time when certain events occur. They use a push notification protocol to notify you of events, rather than you having to periodically request (“poll for”) the latest changes from Nylas.

Because they’re lightweight, webhooks are a good way to get notifications about changes to your application’s grants. You can integrate them into your project easily, and they scale as you grow.

The term “webhook” can refer to any of three component parts: a location where you receive notifications (the “webhook URL” or “webhook endpoint”), a subscription to events that you want notifications for (“webhook triggers”), or the information payload that Nylas sends when a trigger condition is met (the “webhook notification”).

When you set up a webhook, you specify a URL that Nylas sends HTTP POST requests to and subscribe it to the specific triggers that you want notifications for. When a webhook triggers, Nylas sends a notification with details about the affected object to your application. Your project can then use that data to respond to the event that triggered the notification.

For example, when a user receives a message, Nylas can make a POST request to your webhook endpoint that includes the JSON Message object. Your project can then parse the object data and decide to react, and how.

You can create multiple webhooks in each of your Nylas applications, but each must have its own unique endpoint.

Make a Create Webhook Destination request that includes the following information:

  • The full webhook_url. This must link to an HTTPS endpoint that’s accessible from the public internet.
  • A list of trigger_types that you want Nylas to listen for.

If you want to set up a webhook from the Nylas Dashboard instead, select Notifications in the left navigation and click Create webhook. Enter your webhook URL and select the triggers you want to be notified for, then click Create webhook.

Nylas allows you to specify the fields you want to receive in message.created, message.updated, event.created, and event.updated webhook notifications. This reduces the notification payload size and lets you receive only the information you need.

Nylas always includes ID fields in webhook notifications. For message.* notifications, these fields are id, grant_id, and application_id. For event.* notifications, they’re id, grant_id, application_id, calendar_id, and master_event_id.

You can customize the fields Nylas returns by navigating to Customizations in the Nylas Dashboard and updating the settings. Nylas applies these settings across all webhook subscriptions of the defined type in your Nylas application.

When Nylas sends a customized webhook notification, it adds the .transformed suffix to the notification type (for example, message.updated becomes message.updated.transformed). You don’t need to subscribe to triggers with the .transformed suffix, but you do need to create logic in your project to handle this notification type.

The first time you set up a webhook or set an existing webhook’s state to active, Nylas automatically checks that it’s valid by sending a GET request to your webhook endpoint. The request includes a challenge query parameter that your project must return in a 200 OK response as part of the verification process.

Your webhook endpoint needs to send a 200 OK response within 10 seconds of receiving the request. It must return the exact value of the challenge in the body of its response.

If you’re using a low- or no-code webhook endpoint, your project might not receive the challenge query parameter. If this happens, reach out for support.

After your project verifies the webhook endpoint, Nylas generates a webhook_secret.

Nylas automatically sends a GET request to your webhook endpoint containing a challenge query parameter when you first set up or activate a webhook.

curl -X 'GET' '<WEBHOOK_URL>?challenge=bc609b38-c81f-47fb-a275-1d9bd61a968b'

When your Nylas application receives this request, it’s subject to the following requirements:

  • Your project has up to 10 seconds to respond to the request with a 200 OK.
    • Nylas won’t try to verify the webhook endpoint again if your project fails the first check.
    • If your project doesn’t respond to the verification request, Nylas returns a 400 BAD REQUEST error.
  • Your project must include the exact value of the challenge query parameter in the body of its response. It shouldn’t return any other data — not even quotation marks.
  • Your project can’t use chunked encoding for its response to Nylas’ verification request.

When your project verifies your webhook endpoint, Nylas automatically generates a webhook_secret. Nylas includes this value in every webhook notification to indicate that it’s genuine. We strongly recommend setting up your project so that it verifies the webhook_secret and the contents of the x-nylas-signature or X-Nylas-Signature header for each notification you receive. This helps to prevent data breaches and unauthorized access to your webhooks.

After you set up and verify a webhook, Nylas starts sending it notifications about updates. Your project must respond to webhook notifications with a 200 OK to prevent Nylas from marking it as failing or failed.

Every webhook notification Nylas sends includes either the x-nylas-signature or X-Nylas-Signature header, with its capitalization depending on the coding language or SDK you’re using to integrate. This header includes a hex-encoded HMAC-SHA256 signature of the request body and uses the endpoint’s webhook_secret as the signing key. The signature is for the exact content of the request body, so make sure that your processing code doesn’t modify the body before checking the signature.

Nylas sends webhook notifications as JSON payloads containing the object that triggered the notification, up to a maximum payload size of 1 MB. If a notification exceeds the size limit, Nylas truncates the payload by removing its body content and adds the .truncated suffix to the notification type (for example, message.created.truncated). This reduces the size of the payload and improves performance.

Nylas only sends truncated webhook notifications for message.* triggers. For any other notification type, Nylas always sends the full payload.

When you receive a truncated notification, you need to re-query the Nylas APIs to get the object data. For example, if you receive a message.updated.truncated notification, make a Get Message request that includes the specified message_id.

You don’t need to subscribe to *.truncated webhook triggers, but you do need to make sure your project can handle this notification type.

Nylas includes two utility API endpoints to help you test your webhook configuration:

If Nylas doesn’t receive a 200 OK response to a webhook notification, it tries to deliver the notification two more times for a total of three attempts, backing off exponentially. The final delivery attempt occurs between 10–20 minutes after the first.

Retries are based on the HTTP response status code Nylas receives.

Nylas only retries webhook notifications if the response indicates a temporary issue that might be solved by trying to deliver the notification again. For all other status codes, Nylas doesn’t try sending the notification again. This is because the status codes indicate permanent failures (authentication errors, invalid requests, and so on) or issues that are unlikely to resolve by trying to deliver the notification again.

If Nylas can’t deliver a notification after three attempts, it skips the affected notification type. It continues to send others in case there’s a problem that prevents your project from acknowledging the specific notification.

By default, Nylas marks webhooks as active when you create them. When you deactivate a webhook, Nylas stops sending all events associated with it to your endpoint.

You can deactivate a webhook by making an Update Webhook Destination request that sets the status to inactive, or by navigating to Notifications in the Nylas Dashboard, finding the webhook you want to update, and selecting Disable in its options menu.

If you reactivate a webhook, Nylas starts sending data from the time that it was reactivated. Nylas doesn’t send notifications for events that occurred while a webhook was inactive.

Nylas marks a webhook endpoint as failing when it receives 95% non-200 responses or non-responses from it over a period of 15 minutes. While the endpoint is in the failing state, Nylas continues delivering webhook notifications to it for 72 hours, backing off exponentially.

If Nylas receives 95% non-200 responses or non-responses from a webhook endpoint over 72 hours, it marks the endpoint as failed.

When a webhook endpoint’s state changes to either failing or failed, Nylas sends you an email notification about the change.

Sometimes, the message notifying you that a webhook endpoint is failing or failed might end up in your Spam folder. Be sure to add [email protected] to your allowlist to avoid this.

Nylas doesn’t automatically restart or reactivate failed webhook endpoints – you need to reactivate them either through the Nylas Dashboard or using the Webhooks API. Nylas doesn’t send notifications for events that occurred while the endpoint was marked as failed.

  • Nylas guarantees “at least once” delivery of webhook notifications. You might receive duplicate notifications because of the provider’s behavior (for example, when Google and Microsoft Graph send upserts).
  • It might take up to two minutes for your project to receive notifications about newly authenticated grants.
  • Changes to webhook settings apply to all grants for future sync. However, Nylas doesn’t load any data from the past. For example, if you subscribe to the event.updated trigger, you’ll only receive notifications for events updated from the moment you apply the new settings.
  • Nylas blocks requests to Ngrok testing URLs because of throughput limiting concerns. We recommend using Visual Studio Code port forwarding, Hookdeck, or a similar webhook tool instead.

Nylas sends message.created.metadata and message.updated.metadata notifications for Google grants that include the /gmail.metadata scope. These notifications include a limited amount of data because of the restrictive scope.

Even if a grant requests more permissive scopes, Google falls back to the /gmail.metadata permissions.

You don’t need to subscribe to message.*.metadata webhook triggers, but you do need to make sure your project can handle this notification type.