How to create auth token for the inbox?

I’m using inbox from @trycourier/react-inbox and could not find in the documentation how to generate a token for a user to authorize it. Available Scopes don’t seem to be complete.

I was trying to generate a token on the backend via POST /auth/issue-token with "scope": "user_id:ID inbox:read:messages", but the inbox will make more queries, for example query InitialState and your API will return 401.
One interesting thing is that if this token is sent to https://api.courier.com/client/q, the request will always return 401, but query GetInboxMessages to https://fxw3r7gdm9.execute-api.us-east-1.amazonaws.com/production/q will succeed with empty messages:

{
    "totalCount": 0,
    "pageInfo": {
        "startCursor": null,
        "hasNextPage": false,
        "__typename": "PageInfo"
    },
    "nodes": [],
    "__typename": "InboxConnection"
}

Look at my other ticket where I described this strange behavior with different endpoints: "React SDK is not in sync with Courier API"

The code I’m trying to get working:

import { Inbox } from '@trycourier/react-inbox';
import { CourierProvider } from '@trycourier/react-provider';

export default function CourierInbox() {
  return (
    <CourierProvider
      userId={USER_ID}
      authorization={MY_TOKEN_FROM_BACKEND}
    >
      <Inbox />
    </CourierProvider>
  );
}

Hi Andrew, I followed up on a previous thread about the useElementalInbox and useInbox. The scope for useElementalInbox is “inbox:read:messages” which is in beta and isn’t going to work for you right now as mentioned in the other thread.

The scope to use for useInbox should be “read:messages”. There should also be a “write:events” but that seems to be missing, let me check with someone on the events so we can be sure read/unread work correctly.

Hi @riley, I tried useInbox and it worked for me, thank you!
I’m also wondering what permissions I should give to authorize <Inbox /> from @trycourier/react-inbox (you can see code snippet above).
The inbox component makes a lot of requests, not only to get messages, and it can mark messages as read, so there should be some long complex string with permissions to generate this token. I don’t know how to craft it, should I use spaces between permissions like “read:messages read:messageLists write:events”, or some other format, etc. It would be great to see an example in docs

we just have “read:messages” right now, the event one seems to be missing a scope so i’ll need to update that and i think it would be “write:events” as the new inbox api is “inbox:write:events”. also after analyzing the code we should also have “read:brands” as well as that’s included in the initialstate request

although we need to find an update path that doesn’t break people who just did “read:messages”.

i would say it wouldn’t hurt to just do the following as the scope: “read:messages write:events read:brands”
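
The backend token request discussed in this thread, as an added example that is not part of the original posts and is not Courier's own code: it builds the space-delimited scope suggested in the last reply and refuses user IDs or scopes that would widen the token. The function names are hypothetical, and the Bearer API-key header, the `expires_in` field and the `{ token }` response shape are assumptions the thread does not show.

```javascript
// Added example: server-side only. The Courier API key must never reach the browser.
// Scopes the last reply in this thread suggests for <Inbox />.
const INBOX_SCOPES = ["read:messages", "write:events", "read:brands"];

// The scope string is space-delimited, so a user ID containing whitespace
// could smuggle extra scopes into the token. Reject it before concatenating.
function buildInboxScope(userId, scopes = INBOX_SCOPES) {
  if (typeof userId !== "string" || !/^\S{1,256}$/.test(userId)) {
    throw new Error("invalid user id");
  }
  for (const s of scopes) {
    if (!INBOX_SCOPES.includes(s)) throw new Error(`scope not allowed: ${s}`);
  }
  return [`user_id:${userId}`, ...new Set(scopes)].join(" ");
}

// Build the POST /auth/issue-token request without sending it (easy to test).
function buildIssueTokenRequest(apiKey, userId, expiresIn = "1 day") {
  if (!apiKey) throw new Error("missing Courier API key");
  return {
    url: "https://api.courier.com/auth/issue-token",
    init: {
      method: "POST",
      headers: {
        Authorization: `Bearer ${apiKey}`, // assumed auth scheme
        "Content-Type": "application/json",
      },
      // expires_in is an assumption; the thread only shows "scope".
      body: JSON.stringify({ scope: buildInboxScope(userId), expires_in: expiresIn }),
    },
  };
}

// Call this from an authenticated backend route, taking userId from the
// server-side session rather than from the request body.
async function issueInboxToken(apiKey, userId) {
  const { url, init } = buildIssueTokenRequest(apiKey, userId);
  const res = await fetch(url, init);
  if (!res.ok) throw new Error(`issue-token failed: HTTP ${res.status}`);
  const { token } = await res.json(); // assumed response shape: { token }
  return token; // pass this to <CourierProvider authorization={...}>
}
```

Keeping the expiry short and minting a fresh token per session limits what a token leaked from the browser can do.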