# Authentication scopes

Aurinko supports granular authentication scopes to improve security for your end-users. You can limit the permissions and data Aurinko requests during authentication by using the <mark style="color:red;">`scopes`</mark> parameter with the <mark style="color:red;">`/auth/authorize`</mark> endpoint.

To remain secure, Aurinko strongly recommends passing only the scopes that your application needs when authenticating a user. Please reference the table below when updating your authentication code to make sure your application requests the minimal amount of access necessary for your app's functionality.

<table><thead><tr><th width="242">Aurinko scope</th><th>Description</th></tr></thead><tbody><tr><td><code>Mail.ReadWrite</code></td><td>Read and modify all messages, threads, file attachments, and read email metadata like headers. Does not include send.</td></tr><tr><td><code>Mail.Read</code></td><td>Read all messages, threads, file attachments, drafts, and email metadata like headers - no write operations.</td></tr><tr><td><code>Mail.Send</code></td><td>Send messages only. No read or modify privileges on users' emails.</td></tr><tr><td><code>Mail.Drafts</code></td><td>Create, read, update, and delete drafts. Send messages and drafts.</td></tr><tr><td><code>Calendar.ReadWrite</code></td><td>Read and modify calendars and events.</td></tr><tr><td><code>Calendar.Read</code></td><td>Read calendars and events.</td></tr><tr><td><code>Contacts.ReadWrite</code></td><td>Read and modify contacts.</td></tr><tr><td><code>Contacts.Read</code></td><td>Read contacts.</td></tr><tr><td><code>Tasks.ReadWrite</code></td><td>Read and modify tasks.</td></tr><tr><td><code>Tasks.Read</code></td><td>Read tasks.</td></tr></tbody></table>

### Example

***

To give an example, if your app has functionality for users to send and read messages, but not modify messages, you would use the following scopes: <mark style="color:red;">`Mail.Read`</mark>, <mark style="color:red;">`Mail.Send`</mark>.

Here is an example request showing how your app might pass these scopes:

```bash
# -G sends the -d/--data-urlencode values as a GET query string
# (plain -d would turn the request into a POST with a body), and
# --data-urlencode takes care of encoding characters such as ':' and '/'.
curl -G https://api.aurinko.io/v1/auth/authorize \
    --data-urlencode clientId='a8b7c6d5e4f3g2h1' \
    --data-urlencode serviceType='Office365' \
    --data-urlencode scopes='Mail.Read,Mail.Send' \
    --data-urlencode returnUrl='https://yourapp.com/aurinko-redirect' \
    --data-urlencode state='CustomStateString'
```

Any tokens obtained this way have a limited scope, so you won't be able to access out-of-scope endpoints with them.
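As an added example (not Aurinko's own code), the helper below builds the same `/auth/authorize` request from your app's code: it checks every requested scope against the table above, drops a `<Resource>.Read` scope when the matching `<Resource>.ReadWrite` is already requested (the table says ReadWrite includes read), URL-encodes the parameters, and fills `state` with an unguessable random value when you do not supply one. It assumes `state` is opaque to Aurinko and that the endpoint, parameter names and sample values are exactly those shown in the curl request above.

```python
import secrets
from urllib.parse import urlencode

# The scopes listed in the Aurinko scope table on this page.
KNOWN_SCOPES = {
    "Mail.ReadWrite", "Mail.Read", "Mail.Send", "Mail.Drafts",
    "Calendar.ReadWrite", "Calendar.Read",
    "Contacts.ReadWrite", "Contacts.Read",
    "Tasks.ReadWrite", "Tasks.Read",
}

AUTHORIZE_ENDPOINT = "https://api.aurinko.io/v1/auth/authorize"


def minimal_scopes(requested):
    """Validate scopes against the table and drop redundant ones.

    <Resource>.ReadWrite already covers what <Resource>.Read grants, so
    requesting both only widens the scope string for no gain; the Read
    scope is dropped. Unknown scopes raise instead of being passed on.
    """
    scopes = set(requested)
    unknown = scopes - KNOWN_SCOPES
    if unknown:
        raise ValueError(f"unknown scope(s): {sorted(unknown)}")
    if not scopes:
        raise ValueError("at least one scope is required")
    for scope in list(scopes):
        resource, access = scope.split(".")
        if access == "Read" and f"{resource}.ReadWrite" in scopes:
            scopes.discard(scope)
    return sorted(scopes)


def build_authorize_url(client_id, service_type, scopes, return_url, state=None):
    """Build the /auth/authorize URL with URL-encoded query parameters.

    Assumption: `state` is opaque to Aurinko, so a random value is used
    when the caller does not supply one, to keep it unpredictable.
    """
    params = {
        "clientId": client_id,
        "serviceType": service_type,
        "scopes": ",".join(minimal_scopes(scopes)),
        "returnUrl": return_url,
        "state": state or secrets.token_urlsafe(16),
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)
```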
