Organize your agents into workspaces by domain

Nylas introduces workspaces to manage agent accounts at scale, grouping grants under a single policy and rule set. Workspaces allow automatic assignment of new accounts based on email domain, eliminating the need to configure each grant individually. The system uses auto-grouping to ensure consistent policy inheritance across fleets.

The first agent you give an inbox to is easy. You set a send cap, maybe a spam policy, attach a couple of inbound rules, and you're done. The trouble starts at the tenth agent. And the fiftieth. Because the obvious way to apply limits — configure each grant when you create it — doesn't have an "all of them" button. You end up writing a loop that re-applies the same policy to every new account, hoping nobody provisions one out of band, and discovering three weeks later that the support fleet and the sales fleet drifted into two slightly different configurations nobody can fully account for. Configuring limits grant-by-grant doesn't scale past a handful of agents. That's the whole reason workspaces exist. A workspace is a container that groups Agent Accounts and carries exactly one policy plus a list of rules. Set the policy once on the workspace, and every account inside inherits it — including accounts that don't exist yet. Move the boundary up one level, from "configure each grant" to "configure the group," and the fleet manages itself. I work on the Nylas CLI, so the terminal commands below are the exact ones I reach for. Every one is checked against nylas v3.1.27, and every curl call against the published OpenAPI spec. The two-angle tour — API and CLI side by side — is here because half of this work happens in a provisioning script and the other half happens at 2am when you're poking at a misbehaving fleet by hand. If you've used Agent Accounts, you already know the spine: an Agent Account is a grant. It carries a grant id and works with every grant-scoped endpoint — Messages, Drafts, Threads, Folders, Contacts, Calendars, Events, Webhooks. There's nothing new to learn on the data plane. Sending mail from an agent is POST /v3/grants/{grant id}/messages/send , same as any grant. Workspaces add one field to that picture. Every grant carries a workspace id , and the workspace it points at holds a policy id limits and spam settings and a rule ids array inbound and outbound mail filtering . The chain is short: List → holds values domains, TLDs, addresses Rule → match conditions + actions; references lists via in list Policy→ send caps, storage, retention, spam detection Workspace → one policy id + an array of rule ids Grant → carries workspace id → inherits all of the above Change the policy on the workspace and you've reconfigured every account in it at once. That's the leverage. You're not editing fifty grants; you're editing one workspace that fifty grants point at. This is the part that makes the fleet self-organizing, and it's worth getting exactly right. When a new Agent Account is created, Nylas runs a three-step decision to pick its workspace: POST /v3/connect/custom payload includes a workspace id , the grant joins that workspace immediately. No guessing. workspace id was passed, Nylas looks for a custom workspace whose domain matches the new account's email domain auto group is true . If one matches, the grant joins it.Step 2 is the interesting one. auto group is a boolean on the workspace, and the spec describes it plainly: when true , "newly created grants in the application are automatically assigned to the workspace if their email address' domain matches the domain ." So if you create a workspace with domain: "support.yourcompany.com" and auto group: true , then every account you later provision as triage@support.yourcompany.com or escalations@support.yourcompany.com joins that workspace and inherits its policy without you passing a single extra field. The CLI agent account create command deliberately has no --workspace flag — auto-group is meant to carry that weight. You set the domain rule once and let provisioning be dumb. That's the design choice I like as an SRE: the policy decision lives in the infrastructure, not in every caller. A teammate writing a provisioning script doesn't need to know which policy a @sales.yourcompany.com agent should get. They create the account; the domain match routes it. You'll need: https://api.us.nylas.com and Authorization: Bearer <NYLAS API KEY . .nylas.email trial subdomain. Workspaces key off this domain, so it has to be one you actually provision accounts under. New domains warm over roughly four weeks. nylas init if you want to follow the terminal half.New to Agent Accounts? Start with the Agent Accounts overview https://developer.nylas.com/docs/v3/agent-accounts/ and the provisioning guide https://developer.nylas.com/docs/v3/agent-accounts/provisioning/ to create your first account, then come back here to organize them. A workspace create takes two required fields — name and domain — plus three optional ones: auto group , policy id , and rule ids . The domain ties the workspace to one email domain, and auto group which defaults to true decides whether matching accounts join automatically. Here's the full version: a workspace scoped to a domain, with a policy and a rule attached in the same call. curl --request POST \ --url "https://api.us.nylas.com/v3/workspaces" \ --header 'Accept: application/json' \ --header 'Authorization: Bearer <NYLAS API KEY ' \ --header 'Content-Type: application/json' \ --data '{ "name": "Support fleet", "domain": "support.yourcompany.com", "auto group": true, "policy id": "<POLICY ID ", "rule ids": "<RULE ID " }' The response returns a Workspace object whose workspace id is the value you'll store on grants. From the terminal, the same thing: nylas workspace create \ --name "Support fleet" \ --domain support.yourcompany.com \ --auto-group \ --policy-id <POLICY ID A couple of honest caveats on that CLI form. nylas workspace create accepts --name , --domain , --auto-group , and --policy-id . It does not take a --rule-ids flag at create time — to attach rules you run an update afterward shown below . And the --auto-group flag is a switch: include it to enable auto-grouping, leave it off otherwise. Both --name and --domain are required by the CLI, matching the API. One field you can't undo: the domain is immutable once the workspace is created. The spec is explicit — "You can't change the domain after the workspace is created." That's a deliberate guardrail, but it means you should decide your domain-to-workspace map before you start provisioning, not after. If you scope a workspace to the wrong domain, you delete it and make a new one; you don't edit the domain in place. You also don't have to attach a policy at creation. A workspace with no policy id runs its accounts at your billing plan's maximum limits. So a perfectly reasonable order of operations is: create the grouping first, get accounts flowing into it, then attach a policy once you know the limits you want. Attaching narrows the maximums down to whatever the policy defines. This is the payoff. You build a policy and some rules once, attach them to the workspace, and every member inherits them — including the ones auto-group hasn't created yet. A policy bundles the limits daily send cap, storage, inbox/spam retention, attachment caps and spam detection. A rule matches inbound or outbound mail and runs actions like block or assign to folder . Rules are inert on their own — a rule does nothing until a workspace references it through rule ids. That's the activation step, and it's easy to forget: you can POST /v3/rules all day and nothing happens to your mail until the rule's ID lands in a workspace's array.To attach or change either, PATCH the workspace and include only the fields you're changing: curl --request PATCH \ --url "https://api.us.nylas.com/v3/workspaces/<WORKSPACE ID " \ --header 'Accept: application/json' \ --header 'Authorization: Bearer <NYLAS API KEY ' \ --header 'Content-Type: application/json' \ --data '{ "policy id": "<POLICY ID ", "rule ids": "<RULE ID 1 ", "<RULE ID 2 " }' The PATCH semantics are worth internalizing because they're how you swap configuration across a fleet without churn: policy id takes one UUID string; rule ids takes an array. null policy id: null detaches the policy the fleet drops back to plan maximums ; rule ids: null removes every rule.From the terminal, the same update: nylas workspace update <WORKSPACE ID \ --policy-id <POLICY ID \ --rules-ids rule-id-1,rule-id-2 The CLI flag is --rules-ids comma-separated, note the plural , and --policy-id with an empty string — --policy-id "" — detaches the policy, the terminal equivalent of sending null . To see what you've got across the whole application, list every workspace and inspect one: curl --request GET \ --url "https://api.us.nylas.com/v3/workspaces" \ --header 'Authorization: Bearer <NYLAS API KEY ' curl --request GET \ --url "https://api.us.nylas.com/v3/workspaces/<WORKSPACE ID " \ --header 'Authorization: Bearer <NYLAS API KEY ' The CLI mirrors both: nylas workspace list nylas workspace get <WORKSPACE ID Every account whose workspace id points at this workspace is now governed by that one policy and that one rule set. Provision a new @support.yourcompany.com agent tomorrow and it inherits both the moment auto-group routes it in. You never touch the new grant directly. Auto-group handles new accounts. For existing ones — say an account that was created before you set up its domain workspace, or one you want to reassign — you move it. The API path is the manual-assign endpoint, POST /v3/workspaces/{workspace id}/manual-assign . Send grant IDs in assign grants , remove grants , or both, up to 500 IDs per list. Assigning a grant moves it into the target workspace even if it currently belongs to another one: curl --request POST \ --url "https://api.us.nylas.com/v3/workspaces/<TARGET WORKSPACE ID /manual-assign" \ --header 'Accept: application/json' \ --header 'Authorization: Bearer <NYLAS API KEY ' \ --header 'Content-Type: application/json' \ --data '{ "assign grants": "<GRANT ID 1 ", "<GRANT ID 2 " }' That bulk endpoint is how you reorganize a fleet in one shot — pull a batch of grants out of the default workspace and drop them into a domain-scoped one. The 500-per-list cap is generous enough that most reorganizations are a single request. For a single account, the CLI has a dedicated verb that's the one I actually reach for: nylas agent account move support@yourapp.nylas.email --workspace <WORKSPACE ID You can pass the agent's email or its ID. Under the hood agent account move calls the same manual-assign API, so "the target workspace's policy and rules govern the account immediately" — the move is the reconfiguration. There's no separate apply step. If you'd rather move a grant by editing it directly, PATCH /v3/grants/{grant id} with a new workspace id also works, and POST /v3/connect/custom accepts a workspace id to place an account explicitly at creation time. Three paths to the same field; pick the one that fits where you are. A few things that'll save you a confused afternoon: The default workspace is special. Every application has exactly one, created automatically, and it's where any unassigned, non-auto-grouped account lands. You can update its policy id and rule ids — so attaching a policy there covers all your stragglers in one place — but its name , domain , and auto group are locked, and you can't delete it. Treat it as the catch-all, and attach a sensible default policy to it early. Manual-assign needs auto group: false. The manual-assign endpoint operates on workspaces whose auto group is false . Auto-grouped workspaces are meant to fill by domain match, not by hand, so the two assignment models stay separate by design. One workspace per archetype, not per account. The temptation is to over-segment. Resist it. A sales-outreach fleet and a support-triage fleet have genuinely different send limits and spam tolerances, so they each deserve their own workspace and policy. But ten near-identical support agents share one. The right granularity is "groups that need different rules," not "every individual." Plan the domain map first. Because domain is immutable, sketch which sending domains map to which workspaces before you provision anything. Getting this wrong isn't catastrophic — you delete and recreate — but it's friction you can avoid with five minutes of planning. auto group . nylas workspace and nylas agent account command reference.The mental shift is small but it compounds: stop thinking about configuring agents, start thinking about configuring the groups agents belong to. Scope a workspace to a domain, attach a policy once, and the fleet inherits — today's accounts and tomorrow's alike.