Why do we need the full calendar scope to create events for Gmail calendar?

Requesting the calendar scope for a Gmail account results in the auth screen below, which is off putting to some customers.


Nylas uses the Google Calendar API to connect to Gmail calendars and therefore are subject to the rules and limitations of their API. In order to create an event through the Google Calendar API, you must use the full calendar scope according to their documentation, which inherently asks for permission to “See, edit, share, and permanently delete all calendars you can access using Google calendar” during authorization.

Nylas will not add, delete or modify events or calendars without explicit POST, PUT or DELETE calls to our /events or /calendars endpoints.

If this permission is resulting in pushback from users attempting to connect to your application, we recommend providing an explanation for the use of the scope and why you are unable to limit the scope further (required by Google) before directing the user into authorization flow. The explanation can include points such as

  • We only use these permission to create events on your behalf and for your benefit
  • We will not sell or reveal your data to third party vendors
  • We will not delete or modify calendars or events without your consent