FAQ
Answers to the questions developers and ops folks actually ask about Helix — what it is, how it differs from Zapier and the Gmail API, why MCP, how PASETO auth works, and what data ever leaves your machine.
Helix is the identity layer for agentic software. It gives an AI agent a real inbox, calendar, and contacts plus a human-approval engine on every send. Bring your own Gmail or Outlook, or spin up a fresh agent inbox in 30 seconds. Helix exposes one MCP endpoint that Claude, ChatGPT, Cursor, n8n, and other tools can call directly.
Zapier, Make, and n8n run scripted workflows triggered by webhooks. Helix gives an LLM-driven agent a durable identity — one inbox, one calendar, scoped permissions, an audit trail, and an approval queue. You can call Helix from inside an n8n workflow; the two are complements, not substitutes.
You could build inbox creation in a weekend. The hard part is the identity layer — scoped permissions, human approval workflows, audit trails, and multi-provider support (Gmail + Microsoft + agent inbox) behind a single MCP endpoint. That is what took us months.
Every agent inbox has a human sponsor with a verified dashboard account. All outbound email requires explicit human approval by default — the "always" approval policy. We can trace every message back to a specific user and revoke access instantly. The free tier is rate-limited.
You can — Helix supports connecting an existing Gmail or Microsoft account. But the agent inbox solves a different problem: you do not want your AI triaging your personal inbox. A dedicated address means the agent has its own identity, its own context, and you can revoke it without touching your real email.
MCP (Model Context Protocol) is a standard for letting LLMs call typed tools over a single endpoint. Helix exposes its identity primitives — read inbox, draft reply, schedule, request approval — as MCP tools. Any MCP-aware client (Claude Desktop, Cursor, ChatGPT custom GPTs, n8n) can drive a Helix agent without bespoke glue code.
Agentic identity is the bundle of permissions, scopes, addresses, calendars, contacts, and approval rules that an AI agent needs to act on a user's behalf. Helix is opinionated about this bundle: every agent has a sponsor, a scope-of-authority, a mailbox, and an approval policy. Identity is a first-class object, not a side-effect of a workflow.
No. Voice is offered as a fast capture mode, but every voice flow has a typed equivalent that runs the same logic. Note: iOS Safari does not support the Web Speech API for input, so on iPhone the typed flow is the default; voice is enabled where the browser supports it.
There is a free tier with no credit card required. Paid tiers will be priced per active agent identity per month, plus volume-based pricing for high-traffic templates. Pricing is published before any paid tier launches, and existing free-tier accounts will keep their seats.
Email and calendar data flows through Nylas — the same infrastructure thousands of companies already use for production email APIs. Helix stores only the metadata needed to run the agent: identity bindings, approval state, audit events. Prediction logic runs client-side; we do not train models on your messages.
Helix uses PASETO v3 cookies on the shared `.nylas.com` domain so the dashboard account, the public app, and the worker speak the same auth without a separate session store. PASETO sidesteps the JWT footguns (alg confusion, none-alg) and gives us short-lived, signed, opaque-to-the-client tokens.
Helix is a PWA targeting Chrome, Edge, Safari (desktop + iOS), and Firefox at their two latest stable versions. Voice features rely on the Web Speech API; on browsers without it, the typed input flow runs identically. Service-worker caching and the "Add to Home Screen" prompt work on any browser that supports the manifest spec.
Helix is built by Nylas as the identity layer on top of Nylas v3 — the email, calendar, and contacts API used by thousands of companies. Users never see Nylas concepts (apps, connectors, grants, scopes); they see Helix. Nylas powers the underlying communications plane.
Tone is bound to the identity, not the model. Each agent carries a tone profile (professional / casual / friendly / direct) plus custom instructions, and the approval queue surfaces the diff between draft and edits so the agent learns what you actually keep. The default posture is conservative — drafts wait for approval until the agent has demonstrated it matches your voice on the recipients it has seen.
The Helix approval policy intercepts every external send and calendar write by default. Even if an attacker emails the agent with instructions, the agent cannot exfiltrate or impersonate without a human approval. Per-identity rules tighten this further by recipient, domain, attachment, and first-time conversation. See the lethal-trifecta glossary entry for the longer treatment.
Yes — Microsoft 365 and Outlook are first-class peers to Gmail. The same agent identity, the same approval policy, and the same audit log work against Microsoft Graph through the Nylas v3 connector. Shared mailboxes, delegated send-as, and Microsoft Information Protection sensitivity labels are preserved. See the Microsoft 365 use case for details.
Yes. Every send, calendar write, and approval decision is captured with identity, sponsor, matched rule, and timestamp. Export from the dashboard or pull via the REST API. Webhook subscriptions can stream audit events to Datadog, Splunk, Panther, or any HTTPS endpoint. Retention is 12 months on the free tier, configurable up to seven years on paid plans.
Still curious?
See the live walkthrough at /what-is-helix, or skip straight to /connect to spin up a free agent inbox in 30 seconds.
Newsletter
We send a short note when a new FAQ entry lands. Unsubscribe in one click.
No spam. Unsubscribe in one click.