API Scopes and Plan Permissions
Reference for TrekMail API scopes by plan — Nano gets Verifier access, Starter is read-only plus Verifier, Pro and Agency unlock full API control.
Article details
Type, difficulty, plans, and last updated info.
▼
Article details
Type, difficulty, plans, and last updated info.
- Type
- Reference
- Difficulty
- Intermediate
- Plans
- Starter · Pro · Agency
- Last updated
- Jun 20, 2026
Scopes control exactly what an API token can do. Each token carries a set of scopes, and the API checks them on every request.
How scopes work
When you create a token, you select which scopes to include. The API enforces scopes at two levels:
- Token creation — You can only select scopes allowed by your plan.
- Every API request — The middleware checks the token's scopes against the endpoint's requirements.
If a token lacks the required scope, the API returns 403 with an insufficient_scope error code.
Two scope layers: OAuth vs internal
If you're connecting through Claude.ai, Claude Desktop, or another OAuth client, the consent screen shows five coarse OAuth scopes:
| OAuth scope | Covers |
|---|---|
mail:read |
Read account, domains, mailboxes, forwarding, mail rules, auto-reply, SMTP, Cloudflare, tickets — plus Drive read. |
mail:write |
All mail:read plus create / update / delete on domains, mailboxes, aliases, forwarding, mail rules, auto-reply, Cloudflare DNS, tickets, Drive uploads / shares. |
mail:admin |
All mail:write plus billing, delete intents, destructive Drive purges, migration writes, Cloudflare token deletes, message-token minting. |
messages:read |
Read mailbox contents (messages, folders, attachments, contacts, calendar, identities, templates). |
messages:send |
All messages:read plus drafting, sending, scheduling, deleting, moving, and contact/calendar/template mutations. |
Behind the scenes each OAuth scope expands into a set of internal API scopes (the fine-grained list below — domains:read, drive:account:write, etc.). When you create a tm_live_ token by hand in the dashboard, you pick the internal scopes directly. When an AI agent OAuth-authorizes, Claude requests one or more of the five buckets and Laravel expands them into the matching internal-scope set on the token row. The endpoint-level checks always work against the internal scopes, so both paths reach the same gate. The full OAuth → internal expansion table lives in config/oauth-scope-map.php.
Three ways to connect — and how each one gates capabilities
There are three ways an agent or integration reaches TrekMail, and the gating mechanism differs in each. This matters because the MCP "capability flags" (TREKMAIL_ALLOW_DESTRUCTIVE, TREKMAIL_ALLOW_SENDING, TREKMAIL_ALLOW_MIGRATION) only exist in one of them.
| Mode | Auth | Gating mechanism | Capability flags | Tool / endpoint reach |
|---|---|---|---|---|
(A) Hosted HTTP MCP (https://trekmail.net/mcp, OAuth) |
OAuth 2.1 with the five coarse scopes above | Purely the OAuth scopes you consent to. All capability flags are forced ON — there are no TREKMAIL_ALLOW_* env flags in HTTP mode, so a destructive or send tool runs as soon as your scope permits it. |
Forced on (not configurable) | 215 of the 216 MCP tools (only drive_file_upload is stdio-only) |
(B) Self-hosted stdio MCP (@trekmail/mcp-server, local) |
A tm_live_ (and optional tm_msg_) API token |
The TREKMAIL_ALLOW_* env flags in addition to the token's scopes. Destructive, sending, and migration tools stay disabled until you opt in. |
TREKMAIL_ALLOW_DESTRUCTIVE / TREKMAIL_ALLOW_SENDING / TREKMAIL_ALLOW_MIGRATION, all default off |
All 216 tools |
| (C) REST API directly | A tm_live_ / tm_msg_ bearer token |
The fine-grained internal scope strings on the token (e.g. smtp:read, smtp:write, domains:delete) — no MCP layer, no env flags |
n/a (scopes only) | Every documented endpoint |
In short: HTTP MCP forces all capability flags true and relies entirely on the five OAuth scopes for gating; stdio MCP gates with the TREKMAIL_ALLOW_* env flags (default off) on top of token scopes; and the REST API is gated purely by the internal scope strings carried on the token. For the domain-SMTP tools specifically, the destructive set/create/update/delete/test tools map to mail:write under HTTP-MCP OAuth, sit behind TREKMAIL_ALLOW_DESTRUCTIVE under stdio, and require smtp:write over plain REST.
Scope reference
Account & Billing
| Scope | What it does | Plans |
|---|---|---|
account:read |
View account info, plan, limits, and usage | Starter · Pro · Agency |
billing:read |
View billing status and invoice history | Starter · Pro · Agency |
Domains
| Scope | What it does | Plans |
|---|---|---|
domains:read |
List and view domain details, spam metrics | Starter · Pro · Agency |
domains:create |
Add new domains to the account | Pro · Agency |
domains:write |
Update catch-all, DKIM, notes | Pro · Agency |
domains:delete |
Delete domains (dangerous) | Pro · Agency |
domains:dns:read |
View DNS requirements and check results | Starter · Pro · Agency |
domains:dns:recheck |
Trigger a new DNS verification | Pro · Agency |
Mailboxes
| Scope | What it does | Plans |
|---|---|---|
mailboxes:read |
List and view mailbox details | Starter · Pro · Agency |
mailboxes:create |
Create new mailboxes | Pro · Agency |
mailboxes:delete |
Delete mailboxes (via delete intents) | Pro · Agency |
mailboxes:invites:create |
Send mailbox setup invites | Pro · Agency |
mailboxes:forwarding:read |
View forwarding configuration | Starter · Pro · Agency |
mailboxes:write |
Change password, update notes, pause/resume | Pro · Agency |
mailboxes:forwarding:write |
Create and modify forwarding rules | Pro · Agency |
mailboxes:rules:read |
View mail filters | Starter · Pro · Agency |
mailboxes:rules:write |
Create, update, and delete mail filters | Pro · Agency |
mailboxes:auto-reply:read |
View auto-reply settings | Starter · Pro · Agency |
mailboxes:auto-reply:write |
Update auto-reply settings | Pro · Agency |
mailboxes:message-tokens:manage |
Create, list, and revoke message tokens | Pro · Agency |
Messages (message token)
| Scope | What it does | Plans |
|---|---|---|
messages:read |
Read access to the full webmail surface — list/read messages, list folders, download attachments, get raw source, list scheduled messages, list contacts, export contacts, list calendar events, get reply/forward data, list identities, list templates, list blocked senders | Pro · Agency |
messages:write |
Write access — update flags, delete/move messages, report spam/ham, bulk actions, create/rename/delete folders, empty Trash/Junk, save/update drafts, cancel scheduled messages, create/update/delete contacts, import contacts, create/update/delete calendar events, create/update/delete contact groups, manage group members, create/update/delete identities, create/update/delete templates, block/unblock senders | Pro · Agency |
messages:send |
Send email from the mailbox (daily limit: 500 per token) — also covers scheduling new messages and cancelling scheduled sends | Pro · Agency |
Message scopes are carried by message tokens (tm_msg_ prefix), not ops tokens (tm_live_ prefix). Message tokens are created via the API using an ops token with the mailboxes:message-tokens:manage scope. Message tokens have their own scopes and rate limits, independent of ops tokens. A daily read limit per token (default 5,000) prevents mailbox scraping, and a daily send limit (default 500) prevents abuse.
All new webmail API endpoints (contacts, calendar, identities, templates, blocked senders, drafts, scheduled send, folders, attachments) map to the existing three message scopes — no new scopes were added. Existing tokens continue to work without any changes.
Note: Existing tokens with
messages:readautomatically includemessages:writefor backward compatibility.
Support Tickets
| Scope | What it does | Plans |
|---|---|---|
tickets:read |
List and view support tickets and messages | Starter · Pro · Agency |
tickets:write |
Create tickets, reply to tickets, close tickets | Pro · Agency |
Starter: read-only via API. Open and reply to tickets from the dashboard.
SMTP Configuration
| Scope | What it does | Plans |
|---|---|---|
smtp:read |
View a domain's SMTP route, list saved profiles, read the account-wide default, poll test jobs | Starter · Pro · Agency |
smtp:write |
Set a domain's route, create/update/delete saved profiles, set the account-wide default, run connection tests | Pro · Agency |
SMTP is configured per domain (/api/v1/domains/{id}/smtp), with a single account-wide default (/api/v1/smtp/default) deciding what new domains start on. See API Overview for the full endpoint list. The legacy account-level /api/v1/smtp endpoints still answer for back-compat but no longer drive routing.
Migrations
| Scope | What it does | Plans |
|---|---|---|
migrations:read |
List and view migration details | Starter · Pro · Agency |
migrations:write |
Start, cancel, retry, and delete migrations | Pro · Agency |
Migration scopes are carried by ops tokens (tm_live_ prefix). Starter can view migrations via API and run them from the dashboard. Pro and Agency can also start, cancel, retry, and delete migrations through the API and MCP.
Cloudflare
| Scope | What it does | Plans |
|---|---|---|
cloudflare:read |
Validate tokens, list zones, preview DNS changes | Starter · Pro · Agency |
cloudflare:write |
Connect domains and apply DNS changes via Cloudflare | Pro · Agency |
cloudflare:delete |
Delete Cloudflare tokens (dangerous) | Pro · Agency |
Drive
| Scope | What it does | Plans |
|---|---|---|
drive:account:read |
Browse Account Drive, view folders/files/trash/share-link metadata, request download URLs | Paid plans or active Drive Add-on |
drive:account:write |
Upload, create folders, rename, move, trash, and restore Account Drive items | Paid plans or active Drive Add-on |
drive:account:share |
Create, list, and revoke public share links for Account Drive files | Paid plans or active Drive Add-on |
drive:account:purge |
Permanently purge trashed Account Drive files/folders and empty trash | Paid plans or active Drive Add-on; high-risk |
drive:mailbox:read |
Browse allowed mailbox Drive spaces | Paid plans or active Drive Add-on |
drive:mailbox:write |
Upload and mutate files/folders in allowed mailbox Drive spaces | Paid plans or active Drive Add-on |
drive:mailbox:share |
Create, list, and revoke public links for allowed mailbox Drive files | Paid plans or active Drive Add-on |
drive:mailbox:purge |
Permanently purge trashed mailbox Drive items | Paid plans or active Drive Add-on; high-risk |
drive:addon:read |
Read Drive Storage Add-on status, pricing, and cancellation preview | Nano · Starter · Pro · Agency when add-on/Drive context exists |
Drive scopes are ops-token scopes. A token can be limited to selected mailboxes, and Drive will hide other mailbox spaces from that token. Drive Add-on purchase, resize, and cancel are not API/MCP write operations; billing changes stay in the dashboard.
Nano + Drive Add-on: With an active Drive Storage Add-on, Nano gets the full Drive scope set. Nothing else unlocks — just Drive, plus the Email Verifier scopes Nano already has. If you cancel the add-on, read scopes stay live for the 7-day grace window so you can finish downloading or rolling off; write, share, and purge are cut off right away.
Email Verifier
| Scope | What it does | Plans |
|---|---|---|
verify:read |
Check credits, list jobs, view job status and results | Nano · Starter · Pro · Agency |
verify:write |
Submit verifications, cancel jobs, delete jobs (also grants read access) | Nano · Starter · Pro · Agency |
Email Verifier scopes are available on all plans, including Nano. The only limitation is your credit balance. See Email Verifier API for the full endpoint reference.
Plan access levels
| Plan | API Access | Available Scopes |
|---|---|---|
| Nano | Email Verifier. Add a Drive Storage Add-on for the full Drive API + MCP. | verify:read, verify:write. With Drive Add-on: every drive:* scope. |
| Starter | Full Drive, full Email Verifier, read-only across the rest. Run dashboard writes from the dashboard. | account:read, billing:read, domains:read, domains:dns:read, mailboxes:read, mailboxes:forwarding:read, mailboxes:rules:read, mailboxes:auto-reply:read, migrations:read, tickets:read, smtp:read, cloudflare:read, verify:read, verify:write, all drive:* scopes. |
| Pro | Full access | All ops scopes + Drive scopes + message scopes + migration scopes + tickets + SMTP + Cloudflare + account + billing + verifier |
| Agency | Full access | All ops scopes + Drive scopes + message scopes + migration scopes + tickets + SMTP + Cloudflare + account + billing + verifier |
What happens when you downgrade
If you downgrade from Pro to Starter, existing tokens with write scopes are not deleted. Instead, the API blocks requests that use disallowed scopes at runtime.
For example, a token with mailboxes:create on a Starter plan will receive 403 with code token_scope_blocked_by_plan when trying to create a mailbox. The read scopes on the same token will continue to work.
To fix this, revoke the old token and create a new one with only the scopes your current plan allows.
Dangerous scopes
The mailboxes:delete, domains:delete, migrations:write, and cloudflare:delete scopes are flagged as dangerous in the dashboard. Tokens with these scopes can initiate mailbox or domain deletion, remove Cloudflare tokens, or perform other irreversible actions. Consider whether your use case truly requires them.
The MCP server has an additional gate: delete tools require TREKMAIL_ALLOW_DESTRUCTIVE=true in the environment. Without it, agents cannot trigger deletion even if the token has the scope.
The messages:send scope allows sending real email from the mailbox. In the MCP server, sending requires two additional safety gates: TREKMAIL_ALLOW_SENDING=true in the environment and confirm_send=true on every send call. See Safety Rails and Delete Intents for details.
The migrations:write scope allows starting email migrations that connect to external IMAP servers using stored credentials. In the MCP server, migration write tools require TREKMAIL_ALLOW_MIGRATION=true in the environment and per-call confirmation parameters (confirm_start, confirm_cancel, confirm_retry).
Domain constraints
Scopes control what a token can do. Domain constraints control where it can do it.
A token constrained to specific domains will only see and modify resources within those domains. This is useful for giving a contractor or agent access to a single client domain without exposing others.
Scope checks happen before domain constraint checks. If a token lacks the required scope, the request fails with 403 regardless of domain constraints.
Quick fixes
- 403 "insufficient_scope": Your token does not have the scope required for this endpoint. Create a new token with the correct scopes.
- 403 "token_scope_blocked_by_plan": Your plan no longer allows one or more of the token's scopes. Upgrade your plan, or revoke the token and create a new one with allowed scopes.
- Some scopes are hidden in the create form: Your plan does not support those scopes. Only allowed scopes are shown.
Related articles
Jump to nearby guides that continue the workflow.