npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

mailbox-reader

v1.0.0

Published

Read your own Microsoft 365 mailbox via Microsoft Graph (delegated Mail.Read, auth code + PKCE)

Readme

mailbox-reader

A minimal Node.js app that reads your own Microsoft 365 mailbox via Microsoft Graph.

It uses delegated Mail.Read with the authorization code + PKCE flow as a public client (no client secret). With delegated permissions the token is bound to the signed-in user, so the app can only ever read the mailbox of whoever logged in — there is no code path to another user's inbox.

What's in here

| File | Purpose | |------|---------| | src/auth.js | MSAL sign-in (PKCE), silent token renewal, persistent cache | | src/index.js | Reads /me/messages and prints the latest N | | .env.example | Config template — copy to .env |

1. Register the app in Entra ID (one-time)

  1. Go to Entra admin centerIdentityApplicationsApp registrationsNew registration.
  2. Name: mailbox-reader (anything).
  3. Supported account types: Accounts in this organizational directory only (single tenant) is the safest default.
  4. Redirect URI: choose platform Mobile and desktop applications, value http://localhost.
    • You can also add it later under AuthenticationAdd a platformMobile and desktop applications → check http://localhost.
  5. Under Authentication, ensure Allow public client flows is set to Yes (this is a public client — no secret).
  6. API permissionsAdd a permissionMicrosoft GraphDelegated permissions → add Mail.Read (or Mail.ReadBasic for metadata only).
    • offline_access is requested automatically for refresh tokens.
    • If your tenant requires admin consent, click Grant admin consent (otherwise you'll just consent yourself on first sign-in).
  7. Copy the Application (client) ID and Directory (tenant) ID from the app's Overview page.

2. Configure

cd mailbox-reader
cp .env.example .env
# edit .env — paste your CLIENT_ID and TENANT_ID
npm install

3. Run

npm start          # sign in (first run) and list your latest messages
npm run login      # just sign in / confirm whose mailbox is connected
npm run logout     # clear the local token cache

First run opens a browser for Microsoft sign-in. After that, a refresh token in .token-cache.json renews access silently — no repeated prompts.

Security notes

  • No client secret. Public client + PKCE keeps credentials with Microsoft's login.
  • Self-scoped by design. Delegated Mail.Read can only read the signed-in user's mailbox.
  • Mail.ReadBasic (set SCOPES=Mail.ReadBasic in .env) drops message body and attachments — a tighter blast radius if a token ever leaks.
  • The real secret is .token-cache.json — it holds the refresh token. It's git-ignored and written with 0600 perms. Delete it (npm run logout) to revoke this machine's access; revoke fully under My Account → Security info / app access.
  • Never commit .env or .token-cache.json.