# Organize your agents into workspaces by domain > Source: > Published: 2026-06-26 17:38:45+00:00 The first agent you give an inbox to is easy. You set a send cap, maybe a spam policy, attach a couple of inbound rules, and you're done. The trouble starts at the tenth agent. And the fiftieth. Because the obvious way to apply limits — configure each grant when you create it — doesn't have an "all of them" button. You end up writing a loop that re-applies the same policy to every new account, hoping nobody provisions one out of band, and discovering three weeks later that the support fleet and the sales fleet drifted into two slightly different configurations nobody can fully account for. Configuring limits grant-by-grant doesn't scale past a handful of agents. *That's the whole reason workspaces exist.* A **workspace** is a container that groups Agent Accounts and carries exactly one policy plus a list of rules. Set the policy once on the workspace, and every account inside inherits it — including accounts that don't exist yet. Move the boundary up one level, from "configure each grant" to "configure the group," and the fleet manages itself. I work on the Nylas CLI, so the terminal commands below are the exact ones I reach for. Every one is checked against `nylas` v3.1.27, and every `curl` call against the published OpenAPI spec. The two-angle tour — API and CLI side by side — is here because half of this work happens in a provisioning script and the other half happens at 2am when you're poking at a misbehaving fleet by hand. If you've used Agent Accounts, you already know the spine: an Agent Account *is* a grant. It carries a `grant_id` and works with every grant-scoped endpoint — Messages, Drafts, Threads, Folders, Contacts, Calendars, Events, Webhooks. There's nothing new to learn on the data plane. Sending mail from an agent is `POST /v3/grants/{grant_id}/messages/send` , same as any grant. Workspaces add one field to that picture. Every grant carries a `workspace_id` , and the workspace it points at holds a `policy_id` (limits and spam settings) and a `rule_ids` array (inbound and outbound mail filtering). The chain is short: ``` List → holds values (domains, TLDs, addresses) Rule → match conditions + actions; references lists via in_list Policy→ send caps, storage, retention, spam detection Workspace → one policy_id + an array of rule_ids Grant → carries workspace_id → inherits all of the above ``` Change the policy on the workspace and you've reconfigured every account in it at once. That's the leverage. You're not editing fifty grants; you're editing one workspace that fifty grants point at. This is the part that makes the fleet self-organizing, and it's worth getting exactly right. When a new Agent Account is created, Nylas runs a three-step decision to pick its workspace: `POST /v3/connect/custom` payload includes a `workspace_id` , the grant joins that workspace immediately. No guessing.`workspace_id` was passed, Nylas looks for a custom workspace whose `domain` matches the new account's email domain `auto_group` is `true` . If one matches, the grant joins it.Step 2 is the interesting one. `auto_group` is a boolean on the workspace, and the spec describes it plainly: when `true` , "newly created grants in the application are automatically assigned to the workspace if their email address' domain matches the `domain` ." So if you create a workspace with `domain: "support.yourcompany.com"` and `auto_group: true` , then every account you later provision as `triage@support.yourcompany.com` or `escalations@support.yourcompany.com` joins that workspace and inherits its policy without you passing a single extra field. The CLI `agent account create` command deliberately has no `--workspace` flag — auto-group is meant to carry that weight. You set the domain rule once and let provisioning be dumb. That's the design choice I like as an SRE: the policy decision lives in the infrastructure, not in every caller. A teammate writing a provisioning script doesn't need to know which policy a `@sales.yourcompany.com` agent should get. They create the account; the domain match routes it. You'll need: `https://api.us.nylas.com` and `Authorization: Bearer ` .`*.nylas.email` trial subdomain. Workspaces key off this domain, so it has to be one you actually provision accounts under. New domains warm over roughly four weeks.`nylas init` ) if you want to follow the terminal half.New to Agent Accounts? Start with the [Agent Accounts overview](https://developer.nylas.com/docs/v3/agent-accounts/) and the [provisioning guide](https://developer.nylas.com/docs/v3/agent-accounts/provisioning/) to create your first account, then come back here to organize them. A workspace create takes two required fields — `name` and `domain` — plus three optional ones: `auto_group` , `policy_id` , and `rule_ids` . The `domain` ties the workspace to one email domain, and `auto_group` (which defaults to `true` ) decides whether matching accounts join automatically. Here's the full version: a workspace scoped to a domain, with a policy and a rule attached in the same call. ``` curl --request POST \ --url "https://api.us.nylas.com/v3/workspaces" \ --header 'Accept: application/json' \ --header 'Authorization: Bearer ' \ --header 'Content-Type: application/json' \ --data '{ "name": "Support fleet", "domain": "support.yourcompany.com", "auto_group": true, "policy_id": "", "rule_ids": [""] }' ``` The response returns a Workspace object whose `workspace_id` is the value you'll store on grants. From the terminal, the same thing: ``` nylas workspace create \ --name "Support fleet" \ --domain support.yourcompany.com \ --auto-group \ --policy-id ``` A couple of honest caveats on that CLI form. `nylas workspace create` accepts `--name` , `--domain` , `--auto-group` , and `--policy-id` . It does *not* take a `--rule-ids` flag at create time — to attach rules you run an update afterward (shown below). And the `--auto-group` flag is a switch: include it to enable auto-grouping, leave it off otherwise. Both `--name` and `--domain` are required by the CLI, matching the API. One field you can't undo: **the domain is immutable once the workspace is created.** The spec is explicit — "You can't change the domain after the workspace is created." That's a deliberate guardrail, but it means you should decide your domain-to-workspace map before you start provisioning, not after. If you scope a workspace to the wrong domain, you delete it and make a new one; you don't edit the domain in place. You also don't have to attach a policy at creation. A workspace with no `policy_id` runs its accounts at your billing plan's maximum limits. So a perfectly reasonable order of operations is: create the grouping first, get accounts flowing into it, then attach a policy once you know the limits you want. Attaching narrows the maximums down to whatever the policy defines. This is the payoff. You build a policy and some rules once, attach them to the workspace, and every member inherits them — including the ones auto-group hasn't created yet. A policy bundles the limits (daily send cap, storage, inbox/spam retention, attachment caps) and spam detection. A rule matches inbound or outbound mail and runs actions like `block` or `assign_to_folder` . Rules are inert on their own — *a rule does nothing until a workspace references it through rule_ids.* That's the activation step, and it's easy to forget: you can `POST /v3/rules` all day and nothing happens to your mail until the rule's ID lands in a workspace's array.To attach or change either, `PATCH` the workspace and include only the fields you're changing: ``` curl --request PATCH \ --url "https://api.us.nylas.com/v3/workspaces/" \ --header 'Accept: application/json' \ --header 'Authorization: Bearer ' \ --header 'Content-Type: application/json' \ --data '{ "policy_id": "", "rule_ids": ["", ""] }' ``` The PATCH semantics are worth internalizing because they're how you swap configuration across a fleet without churn: `policy_id` takes one UUID string; `rule_ids` takes an array.`null` `policy_id: null` detaches the policy (the fleet drops back to plan maximums); `rule_ids: null` removes every rule.From the terminal, the same update: ``` nylas workspace update \ --policy-id \ --rules-ids rule-id-1,rule-id-2 ``` The CLI flag is `--rules-ids` (comma-separated, note the plural), and `--policy-id` with an empty string — `--policy-id ""` — detaches the policy, the terminal equivalent of sending `null` . To see what you've got across the whole application, list every workspace and inspect one: ``` curl --request GET \ --url "https://api.us.nylas.com/v3/workspaces" \ --header 'Authorization: Bearer ' curl --request GET \ --url "https://api.us.nylas.com/v3/workspaces/" \ --header 'Authorization: Bearer ' ``` The CLI mirrors both: ``` nylas workspace list nylas workspace get ``` Every account whose `workspace_id` points at this workspace is now governed by that one policy and that one rule set. Provision a new `@support.yourcompany.com` agent tomorrow and it inherits both the moment auto-group routes it in. You never touch the new grant directly. Auto-group handles new accounts. For existing ones — say an account that was created before you set up its domain workspace, or one you want to reassign — you move it. The API path is the manual-assign endpoint, `POST /v3/workspaces/{workspace_id}/manual-assign` . Send grant IDs in `assign_grants` , `remove_grants` , or both, up to 500 IDs per list. Assigning a grant moves it into the target workspace even if it currently belongs to another one: ``` curl --request POST \ --url "https://api.us.nylas.com/v3/workspaces//manual-assign" \ --header 'Accept: application/json' \ --header 'Authorization: Bearer ' \ --header 'Content-Type: application/json' \ --data '{ "assign_grants": ["", ""] }' ``` That bulk endpoint is how you reorganize a fleet in one shot — pull a batch of grants out of the default workspace and drop them into a domain-scoped one. The 500-per-list cap is generous enough that most reorganizations are a single request. For a single account, the CLI has a dedicated verb that's the one I actually reach for: ``` nylas agent account move support@yourapp.nylas.email --workspace ``` You can pass the agent's email or its ID. Under the hood `agent account move` calls the same manual-assign API, so "the target workspace's policy and rules govern the account immediately" — the move is the reconfiguration. There's no separate apply step. If you'd rather move a grant by editing it directly, `PATCH /v3/grants/{grant_id}` with a new `workspace_id` also works, and `POST /v3/connect/custom` accepts a `workspace_id` to place an account explicitly at creation time. Three paths to the same field; pick the one that fits where you are. A few things that'll save you a confused afternoon: **The default workspace is special.** Every application has exactly one, created automatically, and it's where any unassigned, non-auto-grouped account lands. You can update its `policy_id` and `rule_ids` — so attaching a policy there covers all your stragglers in one place — but its `name` , `domain` , and `auto_group` are locked, and you can't delete it. Treat it as the catch-all, and attach a sensible default policy to it early. **Manual-assign needs auto_group: false.** The manual-assign endpoint operates on workspaces whose `auto_group` is `false` . Auto-grouped workspaces are meant to fill by domain match, not by hand, so the two assignment models stay separate by design.**One workspace per archetype, not per account.** The temptation is to over-segment. Resist it. A sales-outreach fleet and a support-triage fleet have genuinely different send limits and spam tolerances, so they each deserve their own workspace and policy. But ten near-identical support agents share one. The right granularity is "groups that need different rules," not "every individual." **Plan the domain map first.** Because `domain` is immutable, sketch which sending domains map to which workspaces before you provision anything. Getting this wrong isn't catastrophic — you delete and recreate — but it's friction you can avoid with five minutes of planning. `auto_group` .`nylas workspace` and `nylas agent account` command reference.The mental shift is small but it compounds: stop thinking about configuring agents, start thinking about configuring the *groups* agents belong to. Scope a workspace to a domain, attach a policy once, and the fleet inherits — today's accounts and tomorrow's alike.