API Scopes and Plan Permissions
Full reference of API scopes, what each one controls, and which plans unlock them.
Article details
Type, difficulty, plans, and last updated info.
▼
Article details
Type, difficulty, plans, and last updated info.
- Type
- Reference
- Difficulty
- Intermediate
- Plans
- Starter · Pro · Agency
- Last updated
- Apr 29, 2026
Scopes control exactly what an API token can do. Each token carries a set of scopes, and the API checks them on every request.
How scopes work
When you create a token, you select which scopes to include. The API enforces scopes at two levels:
- Token creation — You can only select scopes allowed by your plan.
- Every API request — The middleware checks the token's scopes against the endpoint's requirements.
If a token lacks the required scope, the API returns 403 with an insufficient_scope error code.
Scope reference
Account & Billing
| Scope | What it does | Plans |
|---|---|---|
account:read |
View account info, plan, limits, and usage | Starter · Pro · Agency |
billing:read |
View billing status and invoice history | Starter · Pro · Agency |
Domains
| Scope | What it does | Plans |
|---|---|---|
domains:read |
List and view domain details, spam metrics | Starter · Pro · Agency |
domains:create |
Add new domains to the account | Pro · Agency |
domains:write |
Update catch-all, DKIM, notes | Pro · Agency |
domains:delete |
Delete domains (dangerous) | Pro · Agency |
domains:dns:read |
View DNS requirements and check results | Starter · Pro · Agency |
domains:dns:recheck |
Trigger a new DNS verification | Pro · Agency |
Mailboxes
| Scope | What it does | Plans |
|---|---|---|
mailboxes:read |
List and view mailbox details | Starter · Pro · Agency |
mailboxes:create |
Create new mailboxes | Pro · Agency |
mailboxes:delete |
Delete mailboxes (via delete intents) | Pro · Agency |
mailboxes:invites:create |
Send mailbox setup invites | Pro · Agency |
mailboxes:forwarding:read |
View forwarding configuration | Starter · Pro · Agency |
mailboxes:write |
Change password, update notes, pause/resume | Pro · Agency |
mailboxes:forwarding:write |
Create and modify forwarding rules | Pro · Agency |
mailboxes:rules:read |
View mail filters | Pro · Agency |
mailboxes:rules:write |
Create, update, and delete mail filters | Pro · Agency |
mailboxes:auto-reply:read |
View auto-reply settings | Starter · Pro · Agency |
mailboxes:auto-reply:write |
Update auto-reply settings | Starter · Pro · Agency |
mailboxes:message-tokens:manage |
Create, list, and revoke message tokens | Pro · Agency |
Messages (message token)
| Scope | What it does | Plans |
|---|---|---|
messages:read |
Read access to the full webmail surface — list/read messages, list folders, download attachments, get raw source, list scheduled messages, list contacts, export contacts, list calendar events, get reply/forward data, list identities, list templates, list blocked senders | Pro · Agency |
messages:write |
Write access — update flags, delete/move messages, report spam/ham, bulk actions, create/rename/delete folders, empty Trash/Junk, save/update drafts, cancel scheduled messages, create/update/delete contacts, import contacts, create/update/delete calendar events, create/update/delete contact groups, manage group members, create/update/delete identities, create/update/delete templates, block/unblock senders | Pro · Agency |
messages:send |
Send email from the mailbox (daily limit: 500 per token) — also covers scheduling new messages and cancelling scheduled sends | Pro · Agency |
Message scopes are carried by message tokens (tm_msg_ prefix), not ops tokens (tm_live_ prefix). Message tokens are created via the API using an ops token with the mailboxes:message-tokens:manage scope. Message tokens have their own scopes and rate limits, independent of ops tokens. A daily read limit per token (default 5,000) prevents mailbox scraping, and a daily send limit (default 500) prevents abuse.
All new webmail API endpoints (contacts, calendar, identities, templates, blocked senders, drafts, scheduled send, folders, attachments) map to the existing three message scopes — no new scopes were added. Existing tokens continue to work without any changes.
Note: Existing tokens with
messages:readautomatically includemessages:writefor backward compatibility.
Support Tickets
| Scope | What it does | Plans |
|---|---|---|
tickets:read |
List and view support tickets and messages | Starter · Pro · Agency |
tickets:write |
Create tickets, reply to tickets, close tickets | Starter · Pro · Agency |
SMTP Configuration
| Scope | What it does | Plans |
|---|---|---|
smtp:read |
View SMTP mode and connection details | Pro · Agency |
smtp:write |
Update SMTP config, test connections, delete connections | Pro · Agency |
Migrations
| Scope | What it does | Plans |
|---|---|---|
migrations:read |
List and view migration details | Starter · Pro · Agency |
migrations:write |
Start, cancel, retry, and delete migrations | Starter · Pro · Agency |
Migration scopes are carried by ops tokens (tm_live_ prefix). The migration tool must be available on your plan (Starter and above). All paid plans can start and manage migrations via API.
Cloudflare
| Scope | What it does | Plans |
|---|---|---|
cloudflare:read |
Validate tokens, list zones, preview DNS changes | Pro · Agency |
cloudflare:write |
Connect domains and apply DNS changes via Cloudflare | Pro · Agency |
cloudflare:delete |
Delete Cloudflare tokens (dangerous) | Pro · Agency |
Drive
| Scope | What it does | Plans |
|---|---|---|
drive:account:read |
Browse Account Drive, view folders/files/trash/share-link metadata, request download URLs | Paid plans or active Drive Add-on |
drive:account:write |
Upload, create folders, rename, move, trash, and restore Account Drive items | Paid plans or active Drive Add-on |
drive:account:share |
Create, list, and revoke public share links for Account Drive files | Paid plans or active Drive Add-on |
drive:account:purge |
Permanently purge trashed Account Drive files/folders and empty trash | Paid plans or active Drive Add-on; high-risk |
drive:mailbox:read |
Browse allowed mailbox Drive spaces | Paid plans or active Drive Add-on |
drive:mailbox:write |
Upload and mutate files/folders in allowed mailbox Drive spaces | Paid plans or active Drive Add-on |
drive:mailbox:share |
Create, list, and revoke public links for allowed mailbox Drive files | Paid plans or active Drive Add-on |
drive:mailbox:purge |
Permanently purge trashed mailbox Drive items | Paid plans or active Drive Add-on; high-risk |
drive:addon:read |
Read Drive Storage Add-on status, pricing, and cancellation preview | Nano · Starter · Pro · Agency when add-on/Drive context exists |
Drive scopes are ops-token scopes. A token can be limited to selected mailboxes, and Drive will hide other mailbox spaces from that token. Drive Add-on purchase, resize, and cancel are not API/MCP write operations; billing changes stay in the dashboard.
Email Verifier
| Scope | What it does | Plans |
|---|---|---|
verify:read |
Check credits, list jobs, view job status and results | Nano · Starter · Pro · Agency |
verify:write |
Submit verifications, cancel jobs, delete jobs (also grants read access) | Nano · Starter · Pro · Agency |
Email Verifier scopes are available on all plans, including Nano. The only limitation is your credit balance. See Email Verifier API for the full endpoint reference.
Plan access levels
| Plan | API Access | Available Scopes |
|---|---|---|
| Nano | Email Verifier only | verify:read, verify:write |
| Starter | Read + limited write + Email Verifier | account:read, billing:read, domains:read, domains:dns:read, mailboxes:read, mailboxes:forwarding:read, migrations:read, migrations:write, tickets:read, tickets:write, verify:read, verify:write |
| Pro | Full access | All ops scopes + Drive scopes + message scopes + migration scopes + tickets + SMTP + Cloudflare + account + billing + verifier |
| Agency | Full access | All ops scopes + Drive scopes + message scopes + migration scopes + tickets + SMTP + Cloudflare + account + billing + verifier |
What happens when you downgrade
If you downgrade from Pro to Starter, existing tokens with write scopes are not deleted. Instead, the API blocks requests that use disallowed scopes at runtime.
For example, a token with mailboxes:create on a Starter plan will receive 403 with code token_scope_blocked_by_plan when trying to create a mailbox. The read scopes on the same token will continue to work.
To fix this, revoke the old token and create a new one with only the scopes your current plan allows.
Dangerous scopes
The mailboxes:delete, domains:delete, migrations:write, and cloudflare:delete scopes are flagged as dangerous in the dashboard. Tokens with these scopes can initiate mailbox or domain deletion, remove Cloudflare tokens, or perform other irreversible actions. Consider whether your use case truly requires them.
The MCP server has an additional gate: delete tools require TREKMAIL_ALLOW_DESTRUCTIVE=true in the environment. Without it, agents cannot trigger deletion even if the token has the scope.
The messages:send scope allows sending real email from the mailbox. In the MCP server, sending requires two additional safety gates: TREKMAIL_ALLOW_SENDING=true in the environment and confirm_send=true on every send call. See Safety Rails and Delete Intents for details.
The migrations:write scope allows starting email migrations that connect to external IMAP servers using stored credentials. In the MCP server, migration write tools require TREKMAIL_ALLOW_MIGRATION=true in the environment and per-call confirmation parameters (confirm_start, confirm_cancel, confirm_retry).
Domain constraints
Scopes control what a token can do. Domain constraints control where it can do it.
A token constrained to specific domains will only see and modify resources within those domains. This is useful for giving a contractor or agent access to a single client domain without exposing others.
Scope checks happen before domain constraint checks. If a token lacks the required scope, the request fails with 403 regardless of domain constraints.
Quick fixes
- 403 "insufficient_scope": Your token does not have the scope required for this endpoint. Create a new token with the correct scopes.
- 403 "token_scope_blocked_by_plan": Your plan no longer allows one or more of the token's scopes. Upgrade your plan, or revoke the token and create a new one with allowed scopes.
- Some scopes are hidden in the create form: Your plan does not support those scopes. Only allowed scopes are shown.
Related articles
Jump to nearby guides that continue the workflow.