The first agent you give an inbox to is easy. You set a send cap, maybe a spam policy, attach a couple of inbound rules, and you're done. The trouble starts at the tenth agent. And the fiftieth. Because the obvious way to apply limits — configure each grant when you create it — doesn't have an "all of them" button. You end up writing a loop that re-applies the same policy to every new account, hoping nobody provisions one out of band, and discovering three weeks later that the support fleet and the sales fleet drifted into two slightly different configurations nobody can fully account for.
Configuring limits grant-by-grant doesn't scale past a handful of agents. That's the whole reason workspaces exist. A workspace is a container that groups Agent Accounts and carries exactly one policy plus a list of rules. Set the policy once on the workspace, and every account inside inherits it — including accounts that don't exist yet. Move the boundary up one level, from "configure each grant" to "configure the group," and the fleet manages itself.
I work on the Nylas CLI, so the terminal commands below are the exact ones I reach for. Every one is checked against nylas
v3.1.27, and every curl
call against the published OpenAPI spec. The two-angle tour — API and CLI side by side — is here because half of this work happens in a provisioning script and the other half happens at 2am when you're poking at a misbehaving fleet by hand.
If you've used Agent Accounts, you already know the spine: an Agent Account is a grant. It carries a grant_id
and works with every grant-scoped endpoint — Messages, Drafts, Threads, Folders, Contacts, Calendars, Events, Webhooks. There's nothing new to learn on the data plane. Sending mail from an agent is POST /v3/grants/{grant_id}/messages/send
, same as any grant.
Workspaces add one field to that picture. Every grant carries a workspace_id
, and the workspace it points at holds a policy_id
(limits and spam settings) and a rule_ids
array (inbound and outbound mail filtering). The chain is short:
List → holds values (domains, TLDs, addresses)
Rule → match conditions + actions; references lists via in_list
Policy→ send caps, storage, retention, spam detection
Workspace → one policy_id + an array of rule_ids
Grant → carries workspace_id → inherits all of the above
Change the policy on the workspace and you've reconfigured every account in it at once. That's the leverage. You're not editing fifty grants; you're editing one workspace that fifty grants point at.
This is the part that makes the fleet self-organizing, and it's worth getting exactly right. When a new Agent Account is created, Nylas runs a three-step decision to pick its workspace:
POST /v3/connect/custom
payload includes a workspace_id
, the grant joins that workspace immediately. No guessing.workspace_id
was passed, Nylas looks for a custom workspace whose domain
matches the new account's email domain auto_group
is true
. If one matches, the grant joins it.Step 2 is the interesting one. auto_group
is a boolean on the workspace, and the spec describes it plainly: when true
, "newly created grants in the application are automatically assigned to the workspace if their email address' domain matches the domain
." So if you create a workspace with domain: "support.yourcompany.com"
and auto_group: true
, then every account you later provision as triage@support.yourcompany.com
or escalations@support.yourcompany.com
joins that workspace and inherits its policy without you passing a single extra field. The CLI agent account create
command deliberately has no --workspace
flag — auto-group is meant to carry that weight. You set the domain rule once and let provisioning be dumb.
That's the design choice I like as an SRE: the policy decision lives in the infrastructure, not in every caller. A teammate writing a provisioning script doesn't need to know which policy a @sales.yourcompany.com
agent should get. They create the account; the domain match routes it.
You'll need:
https://api.us.nylas.com
and Authorization: Bearer <NYLAS_API_KEY>
.*.nylas.email
trial subdomain. Workspaces key off this domain, so it has to be one you actually provision accounts under. New domains warm over roughly four weeks.nylas init
) if you want to follow the terminal half.New to Agent Accounts? Start with the Agent Accounts overview and the provisioning guide to create your first account, then come back here to organize them.
A workspace create takes two required fields — name
and domain
— plus three optional ones: auto_group
, policy_id
, and rule_ids
. The domain
ties the workspace to one email domain, and auto_group
(which defaults to true
) decides whether matching accounts join automatically.
Here's the full version: a workspace scoped to a domain, with a policy and a rule attached in the same call.
curl --request POST \
--url "https://api.us.nylas.com/v3/workspaces" \
--header 'Accept: application/json' \
--header 'Authorization: Bearer <NYLAS_API_KEY>' \
--header 'Content-Type: application/json' \
--data '{
"name": "Support fleet",
"domain": "support.yourcompany.com",
"auto_group": true,
"policy_id": "<POLICY_ID>",
"rule_ids": ["<RULE_ID>"]
}'
The response returns a Workspace object whose workspace_id
is the value you'll store on grants. From the terminal, the same thing:
nylas workspace create \
--name "Support fleet" \
--domain support.yourcompany.com \
--auto-group \
--policy-id <POLICY_ID>
A couple of honest caveats on that CLI form. nylas workspace create
accepts --name
, --domain
, --auto-group
, and --policy-id
. It does not take a --rule-ids
flag at create time — to attach rules you run an update afterward (shown below). And the --auto-group
flag is a switch: include it to enable auto-grouping, leave it off otherwise. Both --name
and --domain
are required by the CLI, matching the API.
One field you can't undo: the domain is immutable once the workspace is created. The spec is explicit — "You can't change the domain after the workspace is created." That's a deliberate guardrail, but it means you should decide your domain-to-workspace map before you start provisioning, not after. If you scope a workspace to the wrong domain, you delete it and make a new one; you don't edit the domain in place.
You also don't have to attach a policy at creation. A workspace with no policy_id
runs its accounts at your billing plan's maximum limits. So a perfectly reasonable order of operations is: create the grouping first, get accounts flowing into it, then attach a policy once you know the limits you want. Attaching narrows the maximums down to whatever the policy defines.
This is the payoff. You build a policy and some rules once, attach them to the workspace, and every member inherits them — including the ones auto-group hasn't created yet.
A policy bundles the limits (daily send cap, storage, inbox/spam retention, attachment caps) and spam detection. A rule matches inbound or outbound mail and runs actions like block
or assign_to_folder
. Rules are inert on their own — a rule does nothing until a workspace references it through rule_ids. That's the activation step, and it's easy to forget: you can
POST /v3/rules
all day and nothing happens to your mail until the rule's ID lands in a workspace's array.To attach or change either, PATCH
the workspace and include only the fields you're changing:
curl --request PATCH \
--url "https://api.us.nylas.com/v3/workspaces/<WORKSPACE_ID>" \
--header 'Accept: application/json' \
--header 'Authorization: Bearer <NYLAS_API_KEY>' \
--header 'Content-Type: application/json' \
--data '{
"policy_id": "<POLICY_ID>",
"rule_ids": ["<RULE_ID_1>", "<RULE_ID_2>"]
}'
The PATCH semantics are worth internalizing because they're how you swap configuration across a fleet without churn:
policy_id
takes one UUID string; rule_ids
takes an array.null
policy_id: null
detaches the policy (the fleet drops back to plan maximums); rule_ids: null
removes every rule.From the terminal, the same update:
nylas workspace update <WORKSPACE_ID> \
--policy-id <POLICY_ID> \
--rules-ids rule-id-1,rule-id-2
The CLI flag is --rules-ids
(comma-separated, note the plural), and --policy-id
with an empty string — --policy-id ""
— detaches the policy, the terminal equivalent of sending null
. To see what you've got across the whole application, list every workspace and inspect one:
curl --request GET \
--url "https://api.us.nylas.com/v3/workspaces" \
--header 'Authorization: Bearer <NYLAS_API_KEY>'
curl --request GET \
--url "https://api.us.nylas.com/v3/workspaces/<WORKSPACE_ID>" \
--header 'Authorization: Bearer <NYLAS_API_KEY>'
The CLI mirrors both:
nylas workspace list
nylas workspace get <WORKSPACE_ID>
Every account whose workspace_id
points at this workspace is now governed by that one policy and that one rule set. Provision a new @support.yourcompany.com
agent tomorrow and it inherits both the moment auto-group routes it in. You never touch the new grant directly.
Auto-group handles new accounts. For existing ones — say an account that was created before you set up its domain workspace, or one you want to reassign — you move it.
The API path is the manual-assign endpoint, POST /v3/workspaces/{workspace_id}/manual-assign
. Send grant IDs in assign_grants
, remove_grants
, or both, up to 500 IDs per list. Assigning a grant moves it into the target workspace even if it currently belongs to another one:
curl --request POST \
--url "https://api.us.nylas.com/v3/workspaces/<TARGET_WORKSPACE_ID>/manual-assign" \
--header 'Accept: application/json' \
--header 'Authorization: Bearer <NYLAS_API_KEY>' \
--header 'Content-Type: application/json' \
--data '{
"assign_grants": ["<GRANT_ID_1>", "<GRANT_ID_2>"]
}'
That bulk endpoint is how you reorganize a fleet in one shot — pull a batch of grants out of the default workspace and drop them into a domain-scoped one. The 500-per-list cap is generous enough that most reorganizations are a single request.
For a single account, the CLI has a dedicated verb that's the one I actually reach for:
nylas agent account move support@yourapp.nylas.email --workspace <WORKSPACE_ID>
You can pass the agent's email or its ID. Under the hood agent account move
calls the same manual-assign API, so "the target workspace's policy and rules govern the account immediately" — the move is the reconfiguration. There's no separate apply step.
If you'd rather move a grant by editing it directly, PATCH /v3/grants/{grant_id}
with a new workspace_id
also works, and POST /v3/connect/custom
accepts a workspace_id
to place an account explicitly at creation time. Three paths to the same field; pick the one that fits where you are.
A few things that'll save you a confused afternoon:
The default workspace is special. Every application has exactly one, created automatically, and it's where any unassigned, non-auto-grouped account lands. You can update its policy_id
and rule_ids
— so attaching a policy there covers all your stragglers in one place — but its name
, domain
, and auto_group
are locked, and you can't delete it. Treat it as the catch-all, and attach a sensible default policy to it early.
Manual-assign needs auto_group: false. The manual-assign endpoint operates on workspaces whose
auto_group
is false
. Auto-grouped workspaces are meant to fill by domain match, not by hand, so the two assignment models stay separate by design.One workspace per archetype, not per account. The temptation is to over-segment. Resist it. A sales-outreach fleet and a support-triage fleet have genuinely different send limits and spam tolerances, so they each deserve their own workspace and policy. But ten near-identical support agents share one. The right granularity is "groups that need different rules," not "every individual."
Plan the domain map first. Because domain
is immutable, sketch which sending domains map to which workspaces before you provision anything. Getting this wrong isn't catastrophic — you delete and recreate — but it's friction you can avoid with five minutes of planning.
auto_group
.nylas workspace
and nylas agent account
command reference.The mental shift is small but it compounds: stop thinking about configuring agents, start thinking about configuring the groups agents belong to. Scope a workspace to a domain, attach a policy once, and the fleet inherits — today's accounts and tomorrow's alike.