Aurinko supports granular authentication scopes to improve security for your end users. You can limit the permissions and data Aurinko requests during authentication by passing the scopes parameter to the /auth/authorize endpoint.

Aurinko strongly recommends requesting only the scopes your application actually needs when authenticating a user. Use the table below when updating your authentication code so that your application asks for the minimal access its functionality requires; a token with fewer scopes limits what an attacker can do if it leaks.

Aurinko scope        Description
Mail.ReadWrite       Read and modify all messages, threads, file attachments, and email metadata such as headers. Does not include sending.
Mail.Read            Read all messages, threads, file attachments, drafts, and email metadata such as headers. No write operations.
Mail.Send            Send messages only. No read or modify privileges on users' emails.
Mail.Drafts          Create, read, update, and delete drafts. Send messages and drafts.
Calendar.ReadWrite   Read and modify calendars and events.
Calendar.Read        Read calendars and events.
Contacts.ReadWrite   Read and modify contacts.
Contacts.Read        Read contacts.
Tasks.ReadWrite      Read and modify tasks.
Tasks.Read           Read tasks.


Example

For example, if your app lets users read and send messages but never modifies them, request Mail.Read and Mail.Send rather than Mail.ReadWrite: scopes='Mail.Read,Mail.Send'.

Here is an example request showing how your app might pass these scopes. The authorize endpoint takes its parameters in the query string, so the request uses -G (which appends the --data-urlencode values to the URL as query parameters) rather than sending them as a request body:

curl -G https://api.aurinko.io/v1/auth/authorize \
    --data-urlencode clientId='a8b7c6d5e4f3g2h1' \
    --data-urlencode serviceType='Office365' \
    --data-urlencode scopes='Mail.Read,Mail.Send' \
    --data-urlencode returnUrl='https://yourapp.com/aurinko-redirect' \
    --data-urlencode state='CustomStateString'

Any token obtained this way carries only the scopes that were granted, so requests to out-of-scope endpoints made with it are rejected. Note also that the state value should be an unguessable, per-request value stored in the user's session and compared against the value echoed back on returnUrl, so that a callback cannot be forged or replayed; a fixed string like 'CustomStateString' is a placeholder, not a real implementation.
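The following is an added example, not Aurinko's own SDK or documentation code, showing one way to derive a least-privilege scopes value from the capabilities your app actually uses and to build the authorize URL from it. It assumes the endpoint and parameter names shown on this page (clientId, serviceType, scopes, returnUrl, state); the capability names (such as "mail:read") and the capability-to-scope mapping are this example's own convention, and the scope-superseding rules follow the table above (a ReadWrite scope already covers reading; Mail.Drafts already covers sending).

```python
"""Build a least-privilege Aurinko /auth/authorize URL.

Added example, not Aurinko's SDK. The endpoint and parameter names are the
ones shown on this page; the capability names and mapping are assumptions of
this example.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://api.aurinko.io/v1/auth/authorize"

# Scopes from the table on this page, in a fixed order so the generated
# scopes string is reproducible.
KNOWN_SCOPES = (
    "Mail.ReadWrite", "Mail.Read", "Mail.Send", "Mail.Drafts",
    "Calendar.ReadWrite", "Calendar.Read",
    "Contacts.ReadWrite", "Contacts.Read",
    "Tasks.ReadWrite", "Tasks.Read",
)

# Hypothetical app capability -> Aurinko scope. Reading alone maps to the
# *.Read scope; *.ReadWrite is chosen only when the app modifies data.
CAPABILITY_SCOPES = {
    "mail:read": "Mail.Read",
    "mail:modify": "Mail.ReadWrite",
    "mail:send": "Mail.Send",
    "mail:drafts": "Mail.Drafts",
    "calendar:read": "Calendar.Read",
    "calendar:modify": "Calendar.ReadWrite",
    "contacts:read": "Contacts.Read",
    "contacts:modify": "Contacts.ReadWrite",
    "tasks:read": "Tasks.Read",
    "tasks:modify": "Tasks.ReadWrite",
}

# A broader scope makes a narrower one redundant (per the table: ReadWrite
# includes reading, Mail.Drafts includes sending).
SUPERSEDES = {
    "Mail.ReadWrite": {"Mail.Read"},
    "Mail.Drafts": {"Mail.Send"},
    "Calendar.ReadWrite": {"Calendar.Read"},
    "Contacts.ReadWrite": {"Contacts.Read"},
    "Tasks.ReadWrite": {"Tasks.Read"},
}


def minimal_scopes(capabilities):
    """Return the smallest ordered scope list covering the given capabilities."""
    scopes = set()
    for cap in capabilities:
        if cap not in CAPABILITY_SCOPES:
            raise ValueError(f"unknown capability: {cap}")
        scopes.add(CAPABILITY_SCOPES[cap])
    for broad, narrow in SUPERSEDES.items():
        if broad in scopes:
            scopes -= narrow
    return [s for s in KNOWN_SCOPES if s in scopes]


def new_state():
    """Unguessable per-request state; persist it in the user's session."""
    return secrets.token_urlsafe(32)


def build_authorize_url(client_id, service_type, capabilities, return_url, state):
    """Assemble the authorize URL with URL-encoded query parameters."""
    scopes = minimal_scopes(capabilities)
    if not scopes:
        raise ValueError("refusing to start authentication with no scopes")
    params = {
        "clientId": client_id,
        "serviceType": service_type,
        "scopes": ",".join(scopes),
        "returnUrl": return_url,
        "state": state,
    }
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def state_matches(expected, received):
    """Constant-time check of the state echoed back to returnUrl."""
    return received is not None and hmac.compare_digest(expected, received)


def scopes_in_url(url):
    """Read the scopes list back out of a generated URL (for inspection)."""
    query = parse_qs(urlsplit(url).query)
    return query.get("scopes", [""])[0].split(",")


if __name__ == "__main__":
    state = new_state()
    url = build_authorize_url(
        "a8b7c6d5e4f3g2h1", "Office365", ["mail:read", "mail:send"],
        "https://yourapp.com/aurinko-redirect", state,
    )
    print(url)
    print(scopes_in_url(url))
```

Requesting "mail:read" together with "mail:modify" collapses to Mail.ReadWrite only, while "mail:read" with "mail:send" yields Mail.Read,Mail.Send, matching the curl example above. urlencode takes care of the comma in the scopes value and the slashes in returnUrl, which is the same thing --data-urlencode does in the curl request.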