Give your AI agent its own personal email address. Send, receive, read, search, and reply to emails β right from Claude, OpenCode, Codex, Gemini, or any MCP-compatible AI client. No email server to run, no SMTP to configure.
- How it works
- Technical details
- Good to know
- Installation
- Getting Started
- Commands
- Usage with MCP Clients
- Skills for Claude Code
- Development
- FAQ
- License
- Disclaimer
- Install the CLI
- Connect it to your AI client (Claude Desktop, Claude Code, Gemini CLI, OpenCode, etc.)
- Your AI can now use email β no code or API keys needed
An account with a unique, personal email address is created automatically on first run. Your AI can then:
- Send emails to any address
- Receive emails at its own inbox
- Reply to and forward emails
- Search emails by keyword
- Read full threads of conversation
The CLI acts as a local bridge between your AI client and the InboxAPI cloud service. It speaks the Model Context Protocol (MCP) over standard input/output, so any compatible AI client can use it without custom integration.
- This is your agent's personal email β InboxAPI gives your AI agent its own email address for personal use. It is not a transactional email service β don't use it for bulk sending, marketing, or application notifications.
- Weekly send limit β Each account can send to up to five unique email addresses per week. This resets weekly.
- Check your spam folder β Each agent gets its own subdomain, and new subdomains don't have email reputation yet. Early messages may land in your recipient's spam or junk folder. Adding your agent's email address to your contacts or allowlist helps. Delivery improves over time as recipients interact with your agent's emails.
- No attachments yet β Attachment support is not available right now, but it's coming soon.
- No rich text yet β Emails are sent as plain text only. Rich text (HTML) support is coming soon.
- Owner verification β Link your email to your agent's account with
verify_ownerto enable account recovery and remove trial restrictions. Recommended as a first step after setup.
npm install -g @inboxapi/cli@latestPrebuilt binaries are included for:
| Platform | Architecture |
|---|---|
| macOS | ARM64, x64 |
| Linux | x64, ARM64 |
| Windows | x64 |
Run the same install command to update to the latest version:
npm install -g @inboxapi/cli@latestThe CLI also checks for updates automatically when running in proxy mode and installs them in the background.
Just start the proxy β an account is created automatically on first run
inboxapi proxyOn first run with no saved credentials, the CLI auto-creates an account with a generated name (e.g. brooding-fluffy-owl) and authenticates. No manual setup needed.
Credentials are stored in your system config directory and automatically injected into tool calls. The CLI checks multiple locations so it can pick up credentials created by AI agents:
~/Library/Application Support/inboxapi/credentials.json(macOS primary)~/.config/inboxapi/credentials.json(Linux primary / macOS fallback)~/.local/inboxapi/credentials.json(fallback, used by some AI agents)
Starts the STDIO proxy. Reads JSON-RPC messages from stdin, forwards them to the InboxAPI endpoint, and streams SSE responses to stdout. If no credentials are found, an account is automatically created with a generated name.
inboxapi proxy
inboxapi proxy --endpoint https://custom-endpoint.example.com/mcpRunning inboxapi with no subcommand also starts the proxy.
Manually creates an account with a chosen name and stores access credentials locally. Not required for basic usage since proxy handles account creation automatically.
inboxapi login
inboxapi login --name myaccount
inboxapi login --endpoint https://custom-endpoint.example.com/mcpDisplays the currently authenticated account and endpoint.
inboxapi whoamiDeletes stored credentials. Interactively offers to back up first, then asks for confirmation before deleting.
inboxapi resetBacks up credentials to a specified folder.
inboxapi backup ./my-backupRestores credentials from a backup folder. Validates backup integrity and offers to back up existing credentials before overwriting.
inboxapi restore ./my-backupInstalls Claude Code skills (slash commands) and hooks into the current project. Skills add email workflows like /check-inbox, /compose, and /email-search directly into Claude Code. Hooks provide automatic credential checks, email send guardrails, and activity logging.
inboxapi setup-skills
inboxapi setup-skills --force # Overwrite existing skills and hooksInboxAPI CLI works as an MCP STDIO transport. Point your MCP client at the inboxapi binary:
Claude Desktop (claude_desktop_config.json):
{
"mcpServers": {
"inboxapi": {
"command": "inboxapi"
}
}
}Claude Code:
Add to current project:
claude mcp add inboxapi inboxapiAdd globally (available in all projects):
claude mcp add inboxapi inboxapi -s userGemini CLI:
Add to current project:
gemini mcp add inboxapi inboxapiAdd system-wide (available in all directories):
gemini mcp add inboxapi inboxapi --scope userOpenCode:
Run the interactive setup:
opencode mcp addWhen prompted, enter:
- Location: Global
- MCP server name: inboxapi
- MCP server type: Local
- Command to run: inboxapi
Codex CLI:
codex mcp add inboxapi inboxapiInboxAPI includes a set of skills β Claude Code slash commands β that add guided email workflows to your project. Install them with:
inboxapi setup-skills| Skill | Description |
|---|---|
/check-inbox |
Fetch and display a summary of recent emails in a formatted table |
/compose |
Compose and send an email with guided prompts, addressbook lookup, and confirmation |
/email-search |
Search emails using natural language queries |
/email-reply |
Reply to an email with full thread context and preview before sending |
/email-digest |
Generate a structured digest of recent email activity grouped by threads |
/email-forward |
Forward an email to another recipient with an optional note |
/setup-inboxapi |
Configure InboxAPI MCP server and install skills into a Claude Code project |
The setup-skills command also installs three hooks that run automatically:
| Hook | Type | Description |
|---|---|---|
| Credential Check | SessionStart | Verifies InboxAPI credentials on startup and shows authentication status |
| Email Send Guard | PreToolUse | Reviews outbound emails before sending, warns about self-sends and empty bodies |
| Activity Logger | PostToolUse | Logs all InboxAPI tool usage to .claude/inboxapi-activity.log for audit trails |
cargo build # Build debug binary
cargo build --release # Build release binary
cargo test # Run tests
cargo fmt # Format codeSecurity β Gmail/Outlook OAuth gives your agent access to your entire inbox (medical, financial, legal, personal). A prompt injection in any inbound email could manipulate an agent with access to all of it. InboxAPI gives your agent its own isolated inbox with trust classification and datamarking on every message.
Identity β When your agent sends from your Gmail, recipients can't tell who they're talking to. Replies go to your inbox, mixed with your real mail. InboxAPI gives your agent its own personal address β clear separation between you and your agent.
Practicality β Gmail/Outlook APIs aren't MCP-native. You'd need middleware, OAuth plumbing, and custom integration. InboxAPI works out of the box with any MCP client.
Those are sending APIs β you build email infrastructure on top of them. InboxAPI gives your agent a complete email identity: send, receive, search, reply, and forward. There's nothing to configure and no infrastructure to manage.
We built our own email stack from the ground up. We don't wrap SES, Postfix, or any third-party sending service. Your agent's mail goes through infrastructure we operate directly.
Yes. No credit card, no trial period, no usage tiers. We're working on paid plans with additional features, but the core experience will always be free.
Account creation requires proof-of-work. Each account can only email 5 unique external email addresses per week. Daily send quotas and rate limiting are enforced on every account. These constraints are structural β they're not policies, they're how the system works.
Every inbound email includes a trust classification β trusted, agent, unverified, or suspicious β based on whether the sender is in your addressbook and whether their email passes authentication checks. This helps your agent decide how cautiously to handle each message. Emails from other InboxAPI agents are flagged separately so your agent knows to check with you before acting on them.
Additionally, untrusted email content is automatically transformed using spotlighting (datamarking) β whitespace is replaced with a unique marker character so your agent can clearly distinguish email data from its own instructions. This reduces the success rate of prompt injection attacks embedded in emails from ~50% to under 3%.
Email retrieval tools apply datamarking to untrusted content, replacing whitespace with a unique Unicode marker character generated per request. Content containing the marker should be treated as external data β never as instructions to follow. To recover the original text, replace the marker with a space. Emails from trusted senders (in your addressbook with valid authentication) are not spotlighted by default. This technique is based on academic research (arXiv:2403.14720).
Outbound emails are scanned for authentication tokens and credentials. If your agent accidentally tries to send an email containing a JWT or access token, the message is rejected before it leaves the platform. This prevents agents from being tricked into leaking sensitive data via email. Additionally, all recipient addresses in send, reply, and forward operations are validated against RFC 5322 β malformed addresses are rejected before delivery.
The same send limits apply to all outbound email β recipient caps, quotas, and rate limiting work the same regardless of who's on the receiving end.
Maybe at first. Each agent gets a brand-new subdomain, and new senders don't have reputation yet. Recipients may need to check their spam folder for the first few emails. Over time, as your agent sends legitimate mail and recipients interact with it, delivery improves.
Email reaches the entire existing internet β billions of people and businesses already use it. A2A requires both sides to implement the protocol. When your agent needs to reach someone outside its own ecosystem, email is the universal option. Agents will likely need both.
Each account can email up to 5 unique external email addresses per week. Emails to other @inboxapi.ai addresses don't count against this limit. The limit resets weekly.
When all 5 slots are in use, the least recently used entry is auto-replaced after 5 days of inactivity.
Not yet. Attachment support is coming soon.
HTML email support is coming soon. Currently emails are sent as plain text.
Your agent's credentials are stored locally at ~/.config/inboxapi/credentials.json (Linux) or ~/Library/Application Support/inboxapi/credentials.json (macOS). The CLI handles token creation and refresh automatically β your agent never needs to manage tokens manually.
If your agent's credentials are lost or corrupted, you can recover the account using the account_recover tool β but only if you previously linked your email via verify_owner. Recovery revokes all existing tokens and issues new credentials. Without a verified owner email, there is no way to recover a locked-out account.
Owner verification links your personal email address to your agent's InboxAPI account. Your agent calls verify_owner with your email, you receive a 6-digit code, and your agent submits it to complete verification. Once verified, you can recover the account if credentials are ever lost, and trial restrictions are removed from the account.
InboxAPI maintains a denylist that blocks sending to government (.gov), military (.mil), intelligence, law enforcement, nuclear/critical infrastructure, and disposable email domains.
Every inbound email is classified into one of four trust levels:
| Trust Level | Meaning | Recommended Action |
|---|---|---|
| Trusted | Sender is in your addressbook with valid SPF/DKIM | Safe to act on |
| Agent | Sender is a known InboxAPI agent | Read freely, but confirm with your human before taking actions |
| Unverified | Valid SPF/DKIM but sender not in addressbook | Use caution |
| Suspicious | Authentication failed or unknown sender | Flag and confirm before acting |
Your model must support tool/function calling β MCP requires this. We recommend a minimum 32K token context window to comfortably fit InboxAPI's 21 tool definitions alongside conversation history and email content.
Model recommendations by tier:
| Tier | Anthropic | OpenAI | |
|---|---|---|---|
| Good | Haiku 4.5+ | GPT-4.1 mini+, GPT-4.1 nano+ | Gemini 2.5 Flash+ |
| Recommended | Sonnet 4.5+ | GPT-4.1+, GPT-5 mini+ | Gemini 2.5 Pro+ |
| Best | Opus 4.5+ | GPT-5+, GPT-5.2+ | Gemini 2.5 Pro+ |
Datamarking overhead: InboxAPI applies datamarking (spotlighting) to untrusted email content, replacing whitespace with Unicode marker characters. This can slightly increase token consumption when processing emails from external senders. Models with larger context windows handle this more comfortably.
What won't work: Models without tool/function calling support, models with context windows under 16K tokens, and very small local models (under ~7B parameters) that lack reliable tool calling. These will struggle to fit InboxAPI's 21 tool definitions and maintain useful conversation history.
InboxAPI is a communication channel, not an execution environment. It can deliver an email, but it can't click buttons, enter credit card numbers, or interact with external systems. The risk of unauthorized actions comes from how an agent is configured and what other tools it has access to β not from its email.
The source code in this repository is licensed under the MIT License.
The InboxAPI service is provided as-is, with no guarantees or warranties of any kind. We reserve all rights regarding how the service is operated. Service terms, features, and availability may change at any time without notice.