ドメイン別にエージェントをワークスペースに整理する

The first agent you give an inbox to is easy. You set a send cap, maybe a spam policy, attach a couple of inbound rules, and you're done. The trouble starts at the tenth agent. And the fiftieth. Because the obvious way to apply limits — configure each grant when you create it — doesn't have an "all of them" button. You end up writing a loop that re-applies the same policy to every new account, hoping nobody provisions one out of band, and discovering three weeks later that the support fleet and the sales fleet drifted into two slightly different configurations nobody can fully account for. Configuring limits grant-by-grant doesn't scale past a handful of agents. That's the whole reason workspaces exist. A workspace is a container that groups Agent Accounts and carries exactly one policy plus a list of rules. Set the policy once on the workspace, and every account inside inherits it — including accounts that don't exist yet. Move the boundary up one level, from "configure each grant" to "configure the group," and the fleet manages itself. I work on the Nylas CLI, so the terminal commands below are the exact ones I reach for. Every one is checked against nylas v3.1.27, and every curl call against the published OpenAPI spec. The two-angle tour — API and CLI side by side — is here because half of this work happens in a provisioning script and the other half happens at 2am when you're poking at a misbehaving fleet by hand. The grant abstraction, one level up If you've used Agent Accounts, you already know the spine: an Agent Account is a grant. It carries a grant_id and works with every grant-scoped endpoint — Messages, Drafts, Threads, Folders, Contacts, Calendars, Events, Webhooks. There's nothing new to learn on the data plane. Sending mail from an agent is POST /v3/grants/{grant_id}/messages/send , same as any grant. Workspaces add one field to that picture. Every grant carries a workspace_id , and the workspace it points at holds a policy_id (limits and spam settings) and a rule_ids array (inbound and outbound mail filtering). The chain is short: List → holds values (domains, TLDs, addresses) Rule → match conditions + actions; references lists via in_list Policy→ send caps, storage, retention, spam detection Workspace → one policy_id + an array of rule_ids Grant → carries workspace_id → inherits all of the above Change the policy on the workspace and you've reconfigured every account in it at once. That's the leverage. You're not editing fifty grants; you're editing one workspace that fifty grants point at. How accounts find their workspace This is the part that makes the fleet self-organizing, and it's worth getting exactly right. When a new Agent Account is created, Nylas runs a three-step decision to pick its workspace: Explicit assignment. If the POST /v3/connect/custom payload includes a workspace_id , the grant joins that workspace immediately. No guessing. Domain auto-group. If no workspace_id was passed, Nylas looks for a custom workspace whose domain matches the new account's email domain and whose auto_group is true . If one matches, the grant joins it. Default workspace. If neither applies, the grant lands in the application's default workspace — the one Nylas creates and manages for you automatically. Step 2 is the interesting one. auto_group is a boolean on the workspace, and the spec describes it plainly: when true , "newly created grants in the application are automatically assigned to the workspace if their email address' domain matches the domain ." So if you create a workspace with domain: "support.yourcompany.com" and auto_group: true , then every account you later provision as [email protected] or [email protected] joins that workspace and inherits its policy without you passing a single extra field. The CLI agent account create command deliberately has no --workspace flag — auto-group is meant to carry that weight. You set the domain rule once and let provisioning be dumb. That's the design choice I like as an SRE: the policy decision lives in the infrastructure, not in every caller. A teammate writing a provisioning script doesn't need to know which policy a @sales.yourcompany.com agent should get. They create the account; the domain match routes it. Before you begin You'll need: A Nylas application and API key. The examples use the US data region host https://api.us.nylas.com and Authorization: Bearer <NYLAS_API_KEY> . A registered sending domain, or a Nylas *.nylas.email trial subdomain. Workspaces key off this domain, so it has to be one you actually provision accounts under. New domains warm over roughly four weeks. The Nylas CLI initialized ( nylas init ) if you want to follow the terminal half. New to Agent Accounts? Start with the Agent Accounts overview and the provisioning guide to create your first account, then come back here to organize them. Create a domain-scoped workspace A workspace create takes two required fields — name and domain — plus three optional ones: auto_group , policy_id , and rule_ids . The domain ties the workspace to one email domain, and auto_group (which defaults to true ) decides whether matching accounts join automatically. Here's the full version: a workspace scoped to a domain, with a policy and a rule attached in the same call. curl --request POST \ --url "https://api.us.nylas.com/v3/workspaces" \ --header 'Accept: application/json' \ --header 'Authorization: Bearer <NYLAS_API_KEY>' \ --header 'Content-Type: application/json' \ --data '{ "name": "Support fleet", "domain": "support.yourcompany.com", "auto_group": true, "policy_id": "<POLICY_ID>", "rule_ids": ["<RULE_ID>"] }' The response returns a Workspace object whose workspace_id is the value you'll store on grants. From the terminal, the same thing: nylas workspace create \ --name "Support fleet" \ --domain support.yourcompany.com \ --auto-group \ --policy-id <POLICY_ID> A couple of honest caveats on that CLI form. nylas workspace create accepts --name , --domain , --auto-group , and --policy-id . It does not take a --rule-ids flag at create time — to attach rules you run an update afterward (shown below). And the --auto-group flag is a switch: include it to enable auto-grouping, leave it off otherwise. Both --name and --domain are required by the CLI, matching the API. One field you can't undo: the domain is immutable once the workspace is created. The spec is explicit — "You can't change the domain after the workspace is created." That's a deliberate guardrail, but it means you should decide your domain-to-workspace map before you start provisioning, not after. If you scope a workspace to the wrong domain, you delete it and make a new one; you don't edit the domain in place. You also don't have to attach a policy at creation. A workspace with no policy_id runs its accounts at your billing plan's maximum limits. So a perfectly reasonable order of operations is: create the grouping first, get accounts flowing into it, then attach a policy once you know the limits you want. Attaching narrows the maximums down to whatever the policy defines. Attach a policy and rules to the whole fleet This is the payoff. You build a policy and some rules once, attach them to the workspace, and every member inherits them — including the ones auto-group hasn't created yet. A policy bundles the limits (daily send cap, storage, inbox/spam retention, attachment caps) and spam detection. A rule matches inbound or outbound mail and runs actions like block or assign_to_folder . Rules are inert on their own — a rule does nothing until a workspace references it through rule_ids . That's the activation step, and it's easy to forget: you can POST /v3/rules all day and nothing happens to your mail until the rule's ID lands in a workspace's array. To attach or change either, PATCH the workspace and include only the fields you're changing: curl --request PATCH \ --url "https://api.us.nylas.com/v3/workspaces/<WORKSPACE_ID>" \ --header 'Accept: application/json' \ --header 'Authorization: Bearer <NYLAS_API_KEY>' \ --header 'Content-Type: application/json' \ --data '{ "policy_id": "<POLICY_ID>", "rule_ids": ["<RULE_ID_1>", "<RULE_ID_2>"] }' The PATCH semantics are worth internalizing because they're how you swap configuration across a fleet without churn: Omit a field and it's left untouched. Set a field to a value and it overwrites. policy_id takes one UUID string; rule_ids takes an array. Set a field to null and it clears. policy_id: null detaches the policy (the fleet drops back to plan maximums); rule_ids: null removes every rule. From the terminal, the same update: nylas workspace update <WORKSPACE_ID> \ --policy-id <POLICY_ID> \ --rules-ids rule-id-1,rule-id-2 The CLI flag is --rules-ids (comma-separated, note the plural), and --policy-id with an empty string — --policy-id "" — detaches the policy, the terminal equivalent of sending null . To see what you've got across the whole application, list every workspace and inspect one: curl --request GET \ --url "https://api.us.nylas.com/v3/workspaces" \ --header 'Authorization: Bearer <NYLAS_API_KEY>' curl --request GET \ --url "https://api.us.nylas.com/v3/workspaces/<WORKSPACE_ID>" \ --header 'Authorization: Bearer <NYLAS_API_KEY>' The CLI mirrors both: nylas workspace list nylas workspace get <WORKSPACE_ID> Every account whose workspace_id points at this workspace is now governed by that one policy and that one rule set. Provision a new @support.yourcompany.com agent tomorrow and it inherits both the moment auto-group routes it in. You never touch the new grant directly. Moving an account between fleets Auto-group handles new accounts. For existing ones — say an account that was created before you set up its domain workspace, or one you want to reassign — you move it. The API path is the manual-assign endpoint, POST /v3/workspaces/{workspace_id}/manual-assign . Send grant IDs in assign_grants , remove_grants , or both, up to 500 IDs per list. Assigni