LOOMAL

Scopes

Permission scopes for API access

Scopes control what an identity's API key can do. They are set when creating an identity.

Available Scopes

| Scope | Allows |
| --- | --- |
| mail:read | Read messages, threads, and attachments |
| mail:send | Send and reply to emails |
| mail:manage | Update labels on messages and threads, delete messages and threads, manage allow/block rules |
| vault:read | List and retrieve credentials, generate TOTP codes |
| vault:write | Store, update, and delete credentials; consume TOTP backup codes |
| identity:sign | Sign data as this identity |
| identity:verify | Verify signatures against any identity |
| calendar:read | List and view calendar events |
| calendar:write | Create and update calendar events |
| calendar:delete | Delete calendar events |
| calendar:public | Toggle public calendar visibility |
| payments:accept | Accept x402 USDC payments at registered endpoints (REST only; no MCP tools) |

Scope Enforcement

If an API key attempts an action outside its scopes, the API returns 403 Forbidden:

{
  "error": "forbidden",
  "message": "Missing required scope: mail:send",
  "status": 403
}

MCP Tool Visibility

When using the MCP server, only tools matching the identity's scopes are available:

| Scope | MCP Tools |
| --- | --- |
| Always available | identity.whoami |
| identity:sign | identity.sign |
| identity:verify | identity.verify |
| mail:read | mail.list_messages, mail.get_message, mail.get_attachment, mail.list_threads, mail.get_thread |
| mail:send | mail.send, mail.reply |
| mail:manage | mail.update_labels, mail.update_thread_labels, mail.delete_message, mail.delete_thread, mail.list_rules, mail.add_rule, mail.delete_rule |
| vault:read | vault.list, vault.get, vault.totp |
| vault:write | vault.store, vault.delete, vault.totp_use_backup |
| calendar:read | calendar.list, calendar.get |
| calendar:write | calendar.create, calendar.update |
| calendar:delete | calendar.delete |
| calendar:public | calendar.set_public |

Recommendations

| Use Case | Recommended Scopes |
| --- | --- |
| Read-only monitoring agent | mail:read |
| Agent that reads and responds | mail:read, mail:send, mail:manage |
| Notification sender only | mail:send |
| Agent with credential access | mail:read, mail:send, vault:read, vault:write |
| Full access agent | All scopes |
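
An added example (not Loomal's own code) that uses the scope-to-tool table on this page to compute the smallest scope set for the MCP tools an agent actually calls, flag granted scopes it does not need, and read the missing scope out of a 403 body shaped like the one under Scope Enforcement. The function names and sample inputs are assumptions made for illustration.

```python
import json
import re

# Scope -> MCP tools, copied from the "MCP Tool Visibility" table on this page.
SCOPE_TOOLS = {
    "identity:sign": {"identity.sign"},
    "identity:verify": {"identity.verify"},
    "mail:read": {"mail.list_messages", "mail.get_message", "mail.get_attachment",
                  "mail.list_threads", "mail.get_thread"},
    "mail:send": {"mail.send", "mail.reply"},
    "mail:manage": {"mail.update_labels", "mail.update_thread_labels",
                    "mail.delete_message", "mail.delete_thread",
                    "mail.list_rules", "mail.add_rule", "mail.delete_rule"},
    "vault:read": {"vault.list", "vault.get", "vault.totp"},
    "vault:write": {"vault.store", "vault.delete", "vault.totp_use_backup"},
    "calendar:read": {"calendar.list", "calendar.get"},
    "calendar:write": {"calendar.create", "calendar.update"},
    "calendar:delete": {"calendar.delete"},
    "calendar:public": {"calendar.set_public"},
}
ALWAYS_AVAILABLE = {"identity.whoami"}  # needs no scope
TOOL_SCOPE = {tool: scope for scope, tools in SCOPE_TOOLS.items() for tool in tools}


def minimal_scopes(needed_tools):
    """Smallest scope set that exposes every MCP tool the agent calls."""
    unknown = set(needed_tools) - set(TOOL_SCOPE) - ALWAYS_AVAILABLE
    if unknown:
        raise ValueError(f"tools not in the page's table: {sorted(unknown)}")
    return {TOOL_SCOPE[t] for t in needed_tools if t not in ALWAYS_AVAILABLE}


def audit(granted, needed_tools):
    """Compare a key's granted scopes with what its tool usage requires."""
    required = minimal_scopes(needed_tools)
    # payments:accept maps to no MCP tool, so an MCP-only agent never needs it.
    return {"missing": sorted(required - set(granted)),
            "excess": sorted(set(granted) - required)}


def missing_scope_from_403(body):
    """Extract the scope named in a 403 body shaped like the page's example."""
    doc = json.loads(body)
    if doc.get("status") != 403 or doc.get("error") != "forbidden":
        return None
    m = re.fullmatch(r"Missing required scope: ([a-z]+:[a-z]+)", doc.get("message", ""))
    return m.group(1) if m else None
```

For an agent that only calls `mail.get_thread` and `mail.reply`, `audit` reports `mail:manage` as excess, so that scope can be left off the identity.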
