# Authentication scopes

Aurinko supports granular authentication scopes to improve security for your end-users. You can limit the permissions and data Aurinko requests during authentication by using the <mark style="color:red;">`scopes`</mark> parameter with the <mark style="color:red;">`/auth/authorize`</mark> endpoint.

To keep your integration secure, Aurinko strongly recommends passing only the scopes that your application needs when authenticating a user. Refer to the table below when updating your authentication code to make sure your application requests the minimum access necessary for its functionality.

<table><thead><tr><th width="242">Aurinko scope</th><th>Description</th></tr></thead><tbody><tr><td><code>Mail.ReadWrite</code></td><td>Read and modify all messages, threads, file attachments, and read email metadata like headers. Does not include send.</td></tr><tr><td><code>Mail.Read</code></td><td>Read all messages, threads, file attachments, drafts, and email metadata like headers - no write operations.</td></tr><tr><td><code>Mail.Send</code></td><td>Send messages only. No read or modify privileges on users' emails.</td></tr><tr><td><code>Mail.Drafts</code></td><td>Create, read, update, and delete drafts. Send messages and drafts.</td></tr><tr><td><code>Calendar.ReadWrite</code></td><td>Read and modify calendars and events.</td></tr><tr><td><code>Calendar.Read</code></td><td>Read calendars and events.</td></tr><tr><td><code>Contacts.ReadWrite</code></td><td>Read and modify contacts.</td></tr><tr><td><code>Contacts.Read</code></td><td>Read contacts.</td></tr><tr><td><code>Tasks.ReadWrite</code></td><td>Read and modify tasks.</td></tr><tr><td><code>Tasks.Read</code></td><td>Read tasks.</td></tr></tbody></table>

### Example

***

For example, if your app lets users send and read messages, but not modify them, you would use the following scopes: <mark style="color:red;">`Mail.Read`</mark>, <mark style="color:red;">`Mail.Send`</mark>.

Here is an example request showing how your app might pass these scopes:

```bash
# -G sends the -d values as query-string parameters on the GET request
curl -G https://api.aurinko.io/v1/auth/authorize \
    -d clientId='a8b7c6d5e4f3g2h1' \
    -d serviceType='Office365' \
    -d scopes='Mail.Read,Mail.Send' \
    --data-urlencode returnUrl='https://yourapp.com/aurinko-redirect' \
    -d state='CustomStateString'
```

Any tokens obtained this way have a limited scope, so you won't be able to access out-of-scope endpoints with them.
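The following Python check is an added example, not Aurinko code: it picks the narrowest scope set from the table above for the capabilities an app needs, and flags requested scopes that are unknown or broader than required. The capability labels (`mail.read`, `mail.send`, and so on) and the function names are assumptions of this example; the comma-joined `scopes` value follows the request shown above.

```python
from itertools import combinations
from urllib.parse import urlencode

# Scope names come from the table above; the capability labels are this
# example's own shorthand for each description (an assumption).
GRANTS = {
    "Mail.ReadWrite": {"mail.read", "mail.modify"},
    "Mail.Read": {"mail.read"},
    "Mail.Send": {"mail.send"},
    "Mail.Drafts": {"mail.drafts", "mail.send"},
    "Calendar.ReadWrite": {"calendar.read", "calendar.modify"},
    "Calendar.Read": {"calendar.read"},
    "Contacts.ReadWrite": {"contacts.read", "contacts.modify"},
    "Contacts.Read": {"contacts.read"},
    "Tasks.ReadWrite": {"tasks.read", "tasks.modify"},
    "Tasks.Read": {"tasks.read"},
}

def minimal_scopes(needed):
    """Return the scope set covering `needed` with the least excess access."""
    needed = set(needed)
    missing = needed - set().union(*GRANTS.values())
    if missing:
        raise ValueError(f"no scope grants: {sorted(missing)}")
    best = None
    for r in range(len(GRANTS) + 1):
        for combo in combinations(sorted(GRANTS), r):
            granted = set().union(*(GRANTS[s] for s in combo))
            key = (len(granted - needed), r, combo)
            if needed <= granted and (best is None or key < best):
                best = key
    return list(best[2])

def audit(requested, needed):
    """Flag requested scopes that are unknown or broader than required."""
    requested, minimal = set(requested), set(minimal_scopes(needed))
    return {
        "unknown": sorted(requested - set(GRANTS)),
        "drop": sorted((requested & set(GRANTS)) - minimal),
        "add": sorted(minimal - requested),
    }

def authorize_url(client_id, service_type, needed, return_url, state):
    """Build the /auth/authorize URL with only the minimal scopes."""
    query = urlencode({"clientId": client_id, "serviceType": service_type,
                       "scopes": ",".join(minimal_scopes(needed)),
                       "returnUrl": return_url, "state": state})
    return f"https://api.aurinko.io/v1/auth/authorize?{query}"
```

Running `audit` in CI against the scope list your app actually sends catches misspelled scope names and `ReadWrite` scopes requested where `Read` would do.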

