Build a skill · request a permission

Read their inbox.
Without making them regret it.

Build a skill that gets scoped, revocable mailbox access your users grant in a single tap — no passwords to store, no all-or-nothing Google consent, no six-month security review. One SDK, and you're reading receipts by Friday.

Scoped · Revocable · Audited
What every Thread grant guarantees, by construction.
skill.ts — the whole integration
import { Thread } from '@thread/sdk';

const thread = new Thread(process.env.THREAD_KEY);

// Ask for exactly what you need. Nothing more.
const grant = await thread.connect({
  scopes: ['receipts:read', 'newsletters:read'],
});

// One tap from the user. Scoped, revocable, masked.
const receipts = await thread.inbox(grant).list('receipts');

receipts[0].merchant;  // → "Wanderlog"  (the email itself never touched your servers)
11 lines. That's the whole skill. · No webhook plumbing
Watch the gate

The raw inbox never reaches you. Only the scopes you asked for do.

Masked at the edge, stamped by category, routed by grant. Flip a scope below and watch its rows get recalled — that's revocation, live.

Raw inbox · firehose | Thread gate | Your skill · clean data
  • no scopes granted — nothing crosses
Granted scopes
0 blocked · masked at edge
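
A minimal sketch of the gate behaviour described above (deny by default, per-category grants, masking, and revocation checked on every read), added here as an illustration. It is not Thread's code or SDK: `Gate`, `GrantScope`, `mask` and the sample inbox are hypothetical and constructed.

```typescript
// Added illustration of a scope gate. Not Thread's implementation; every
// name here (Gate, GrantScope, mask, RAW_INBOX) is hypothetical.
type GrantScope = 'receipts:read' | 'newsletters:read' | 'bookings:read';

interface RawMail { category: string; from: string; subject: string; body: string }
interface CleanRecord { category: string; merchant: string; subject: string }

// Constructed sample inbox; addresses use reserved .example domains.
const RAW_INBOX: RawMail[] = [
  { category: 'receipts', from: 'Wanderlog <billing@wanderlog.example>',
    subject: 'Your receipt', body: 'Card ending 0000, billing address ...' },
  { category: 'newsletters', from: 'Digest <news@digest.example>',
    subject: 'Issue 12', body: 'Hello subscriber ...' },
  { category: 'personal', from: 'Mum <mum@family.example>',
    subject: 'Dinner?', body: 'Call me back' },
];

// Masking as an allow-list projection: only named fields are copied out, so a
// new raw field (or the body) can never leak by being forgotten in a deny-list.
function mask(m: RawMail): CleanRecord {
  const merchant = m.from.replace(/\s*<[^>]*>\s*$/, ''); // drop the address
  return { category: m.category, merchant, subject: m.subject };
}

class Gate {
  private granted = new Set<string>();
  private audit: string[] = [];

  grant(scope: GrantScope): void { this.granted.add(scope); this.audit.push(`grant ${scope}`); }
  revoke(scope: GrantScope): void { this.granted.delete(scope); this.audit.push(`revoke ${scope}`); }

  // Deny by default. The grant is re-checked on every read rather than cached
  // at connect time, so a revocation applies to the very next call.
  list(category: string): CleanRecord[] {
    const scope = `${category}:read`;
    if (!this.granted.has(scope)) {
      this.audit.push(`deny ${scope}`);
      return [];
    }
    this.audit.push(`allow ${scope}`);
    return RAW_INBOX.filter((m) => m.category === category).map(mask);
  }

  log(): string[] { return this.audit.slice(); }
}
```

Denied reads are written to the audit log as well as allowed ones, which is what lets a reviewer see attempts against revoked or never-granted scopes.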
The user portal · what their users see

Trust isn't a badge.
It's a list they can actually read.

Every person who connects gets their own portal. They don't see a scary “this app can read all your mail.” They see a plain list: which skills they've connected, exactly what each one can touch, what stays out of reach — and a revoke button that actually works. Consent your users understand is consent that converts.

What you granted · ananya@gmail.com · ● live
  • Wanderlog · receipts · read: Granted
  • Wanderlog · newsletters · read: Granted
  • Wanderlog · everything else: Out of scope
  • Wanderlog · raw email body: Masked
Revoke any line, any time · Revoke all
Almost no code on your side

The part where you'd normally lose a month — we already wrote it.

01

Name your scopes

Declare the categories you need — receipts, newsletters, bookings. Thread turns that into a consent screen your user reads in five seconds.

02

They grant in one tap

No password. No 14-checkbox Google screen. A single, legible approval — scoped to you, revocable by them, logged forever.

03

You read clean data

Structured, classified, PII-masked records. The raw mailbox never touches your servers, so it never becomes your compliance problem.

The case against everything else

Every other way to touch a mailbox is a liability you inherit.

We're not being cute. Each alternative quietly moves a credential, an audit, or a breach surface onto your balance sheet. Thread is the one path that keeps all three off it.

| The capability | IMAP password (They paste their actual password) | “Sign in with Google” (Full-mailbox OAuth scope) | Roll your own (Tokens, refresh, parsing, PII) | Thread (The honest path) |
| --- | --- | --- | --- | --- |
| Scoped to exactly what you asked for | All or nothing | Whole mailbox | If you build it | Per-category grants |
| User revokes in one tap | Change password | All access, at once | You build the UI | Instant, per-grant |
| No credential you have to store | You hold the password | You hold refresh tokens | Tokens are yours now | Thread holds it, not you |
| PII masked before it reaches your servers | Raw everything | Raw everything | Build a masker | Masked at the edge |
| Clears Google’s restricted-scope audit | N/A — and risky | CASA audit on you | CASA audit on you | On Thread, not you |
| Time to first read | Days + liability | Weeks of review | Months | An afternoon |

Why it hurts
IMAP password

You now hold a credential that opens everything — mail, contacts, the lot. Nothing is scoped. Revoking means they change their password.

Why it hurts
“Sign in with Google”

The consent screen says “read all your email.” Half your users bail. The other half put you on the hook for a restricted-scope security audit.

Why it hurts
Roll your own

Technically possible. Also: months of OAuth edge cases, token rotation, IMAP quirks, and a compliance surface you now own forever.

Two portals · one permission model

One side builds the skill. The other side controls it.

Developers build in the console. Their users govern in their own portal. The same scopes you request are the exact lines they can revoke — nothing hidden on either side.

For developers · console.thread.dev

Build a skill

Register a skill, declare the scopes it needs, and ship. Issue keys, version your scopes, and watch the delivery log — all in the developer console.

  • Register a skill in minutes
  • Request only the scopes you need
  • Issue + rotate API keys
  • Read the live delivery log
For their users · app.thread.dev

Manage permissions

Everyone who connects gets a portal of their own — every skill they’ve granted, exactly what each can touch, and one-tap revoke. Their settings, their call.

  • See every connected skill
  • Know exactly what each can read
  • Revoke any scope instantly
  • Raw mail masked by default
The principle
“The right to read someone's mail should be narrow, named, and returnable. Thread is the only integration where it always is.”
Thread — design principle 01

Stop asking users for the keys.

Ask for a scope instead. Build your skill in the dev portal, and give every user a portal of their own to govern it — both sides of the same permission, in a day.

No card · Sandbox keys instantly · 50 grants free