MailgentMailgent
Concepts

Scopes

Permission scopes for API access

Scopes control what an identity's API key can do. They are set when creating an identity and cannot be changed after creation.

Available Scopes

ScopeAllowsAPI Endpoints
mail:readRead messages and threadsGET /v0/messages, GET /v0/threads
mail:sendSend and reply to emailsPOST /v0/messages/send, POST /v0/messages/:id/reply
mail:manageUpdate message labelsPATCH /v0/messages/:id

Scope Enforcement

If an API key attempts an action outside its scopes, the API returns 403 Forbidden:

{
  "error": "forbidden",
  "message": "Missing required scope: mail:send",
  "status": 403
}

MCP Tool Visibility

When using the MCP server, only tools matching the identity's scopes are available. An identity with only mail:read will only see:

  • mail.list_messages
  • mail.get_message
  • mail.list_threads
  • mail.get_thread

The mail.send, mail.reply, and mail.update_labels tools won't appear.

Recommendations

Use CaseRecommended Scopes
Read-only monitoring agentmail:read
Agent that reads and respondsmail:read, mail:send, mail:manage
Notification sender onlymail:send
Full access agentAll scopes

Labels

Organize messages with labels

Vault

Encrypted credential store for agent secrets

On this page

Available ScopesScope EnforcementMCP Tool VisibilityRecommendations