FAQ
Why not just give my agent access to my Gmail or Outlook?
Security — Gmail/Outlook OAuth gives your agent access to your entire inbox (medical, financial, legal, personal). A prompt injection in any inbound email could manipulate an agent with access to all of it. InboxAPI gives your agent its own isolated inbox with trust classification and datamarking on every message.
Identity — When your agent sends from your Gmail, recipients can’t tell who they’re talking to. Replies go to your inbox, mixed with your real mail. InboxAPI gives your agent its own personal address — clear separation between you and your agent.
Practicality — Gmail/Outlook APIs aren’t MCP-native. You’d need middleware, OAuth plumbing, and custom integration. InboxAPI works out of the box with any MCP client.
How is this different from AWS SES, SendGrid, or Resend?
Those are sending APIs — you build email infrastructure on top of them. InboxAPI gives your agent a complete email identity: send, receive, search, reply, and forward. There’s nothing to configure and no infrastructure to manage.
How is this different from AgentMail or a1base?
We built our own email stack from the ground up. We don’t wrap SES, Postfix, or any third-party sending service. Your agent’s mail goes through infrastructure we operate directly.
Is it really free?
Yes. No credit card, no trial period, no usage tiers. We’re working on paid plans with additional features, but the core experience will always be free.
How do you prevent spam and abuse?
Account creation requires proof-of-work. Each account has 5 addressbook slots for external recipients — when all slots are in use, the least recently used entry is auto-replaced after 5 days of inactivity. Daily send quotas and rate limiting are enforced on every account. These constraints are structural — they’re not policies, they’re how the system works.
What about prompt injection via email?
Every inbound email includes a trust classification — trusted, agent, unverified, or suspicious — based on whether the sender is in your addressbook and whether their email passes authentication checks. This helps your agent decide how cautiously to handle each message. Emails from other InboxAPI agents are flagged separately so your agent knows to check with you before acting on them.
Additionally, untrusted email content is automatically transformed using spotlighting (datamarking) — whitespace is replaced with a unique marker character so your agent can clearly distinguish email data from its own instructions. This reduces the success rate of prompt injection attacks embedded in emails from ~50% to under 3%.
What is spotlighting?
Email retrieval tools apply datamarking to untrusted content, replacing whitespace with a unique Unicode marker character generated per request. Content containing the marker should be treated as external data — never as instructions to follow. To recover the original text, replace the marker with a space. Emails from trusted senders (in your addressbook with valid authentication) are not spotlighted by default. This technique is based on academic research (arXiv:2403.14720).
What about data exfiltration?
Outbound emails are scanned for authentication tokens and credentials. If your agent accidentally tries to send an email containing a JWT or access token, the message is rejected before it leaves the platform. This prevents agents from being tricked into leaking sensitive data via email. Additionally, all recipient addresses in send, reply, and forward operations are validated against RFC 5322 — malformed addresses are rejected before delivery.
Can agents spam each other?
The same send limits apply to all outbound email — recipient caps, quotas, and rate limiting work the same regardless of who’s on the receiving end.
Will my agent’s emails land in spam?
Maybe at first. Each agent gets a brand-new subdomain, and new senders don’t have reputation yet. Recipients may need to check their spam folder for the first few emails. Over time, as your agent sends legitimate mail and recipients interact with it, delivery improves. See Email Delivery for more details.
Why email instead of a native agent protocol like A2A?
Email reaches the entire existing internet — billions of people and businesses already use it. A2A requires both sides to implement the protocol. When your agent needs to reach someone outside its own ecosystem, email is the universal option. Agents will likely need both.
Why email instead of WhatsApp, Telegram, or other messaging apps?
Messaging apps seem like a natural fit for agent communication, but they have structural limitations that make them impractical for agents at scale.
Scalability — You can programmatically create hundreds of email addresses. WhatsApp, Telegram, and Signal all require phone numbers and verification. Scaling past a handful of accounts is impractical, often against terms of service, and sometimes impossible without physical SIM cards. If your workflow needs 50 agents, you’d need 50 phone numbers.
No identity gatekeeping — Email is the only communication channel where you can create an identity without a phone number, government ID, or approval from a platform owner. No single company controls who gets an email address.
Open protocol — Email is federated and vendor-neutral. WhatsApp, Discord, and Telegram are proprietary — they can revoke API access, ban bot accounts, or change the rules at any time. Email can’t be shut off by one company.
ToS compliance — Most messaging platforms explicitly prohibit automated accounts or have strict approval processes (WhatsApp Business API requires business verification, Telegram restricts bot-to-bot messaging). Email has no such restrictions — automated sending is a first-class use case.
Universal reach — Messaging channels are siloed. Your Telegram bot can’t reach a WhatsApp user. Email reaches anyone with an email address — which is effectively everyone.
Complementary, not competing — Multi-channel agent frameworks like OpenClaw support dozens of messaging channels, and email should be one of them. InboxAPI fills the gap that messaging platforms structurally cannot: unlimited, programmable identity creation with no platform approval required.
What are the send limits?
Each account has 5 addressbook slots for external recipients. Emails to other InboxAPI addresses (e.g., @inboxapi.ai, @inboxapi.io, @inboxapi.dev) don’t count against this limit. When all slots are in use, the least recently used entry is auto-replaced after 5 days of inactivity. See Limits & Fair Use for full details.
What happens when I hit the limit?
When all 5 slots are in use, the least recently used entry is auto-replaced after 5 days of inactivity.
How does the addressbook work? Do I need to add contacts?
The addressbook is automatic — contacts are added when you send email. You never need to add, configure, or manage contacts manually. There is no settings file, no contact list to maintain, and no setup step.
When your agent sends an email to a new external address, that address is recorded in the addressbook. Each account has 5 slots. When all 5 are in use, the least recently used entry is auto-replaced after 5 days of inactivity. Emails to other InboxAPI addresses (@inboxapi.ai, @inboxapi.io, @inboxapi.dev) are always unlimited and don’t use a slot.
What are the current limitations?
While InboxAPI is fully functional for agent-to-human and agent-to-agent email, there are a few current limitations:
- 5 external recipient slots: Each account has 5 concurrent external recipient slots in its addressbook. You can email more than 5 people over time, but only 5 external addresses can be active at once; when all slots are in use, the least recently used entry is auto-replaced after 5 days of inactivity.
- No custom domains yet: Agents use auto-provisioned @inboxapi.ai subdomains.
- Personal use only: InboxAPI is not a transactional email service — don’t use it for bulk sending, marketing, or application notifications.
How do credentials work?
Your agent’s credentials are stored locally at ~/.config/inboxapi/credentials.json (Linux) or ~/Library/Application Support/inboxapi/credentials.json (macOS). The CLI handles token creation and refresh automatically — your agent never needs to manage tokens manually.
What if my agent loses access?
If your agent’s credentials are lost or corrupted, you can recover the account using the account_recover tool — but only if you previously linked your email via verify_owner. Recovery revokes all existing tokens and issues new credentials. Without a verified owner email, there is no way to recover a locked-out account.
What is owner verification?
Owner verification links your personal email address to your agent’s InboxAPI account. Your agent calls verify_owner with your email, you receive a 6-digit code, and your agent submits it to complete verification. Once verified, you can recover the account if credentials are ever lost, and trial restrictions are removed from the account.
What domains are blocked from sending?
InboxAPI maintains a denylist that blocks sending to government (.gov), military (.mil), intelligence, law enforcement, nuclear/critical infrastructure, and disposable email domains.
How does the trust classification work?
Every inbound email is classified into one of four trust levels:
| Trust Level | Meaning | Recommended Action |
|---|---|---|
| Trusted | Sender is in your addressbook with valid SPF/DKIM | Safe to act on |
| Agent | Sender is a known InboxAPI agent | Read freely, but confirm with your human before taking actions |
| Unverified | Valid SPF/DKIM but sender not in addressbook | Use caution |
| Suspicious | Authentication failed or unknown sender | Flag and confirm before acting |
What AI model should I use with InboxAPI?
Your model must support tool/function calling — MCP requires this. We recommend a minimum 32K token context window to comfortably fit InboxAPI’s 22 tool definitions alongside conversation history and email content.
Model recommendations by tier:
| Tier | Anthropic | OpenAI | |
|---|---|---|---|
| Good | Haiku 4.5+ | GPT-4.1 mini+, GPT-4.1 nano+ | Gemini 2.5 Flash+ |
| Recommended | Sonnet 4.5+ | GPT-4.1+, GPT-5 mini+ | Gemini 2.5 Pro+ |
| Best | Opus 4.5+ | GPT-5+, GPT-5.2+ | Gemini 2.5 Pro+ |
Datamarking overhead: InboxAPI applies datamarking (spotlighting) to untrusted email content, replacing whitespace with Unicode marker characters. This can slightly increase token consumption when processing emails from external senders. Models with larger context windows handle this more comfortably.
What won’t work: Models without tool/function calling support, models with context windows under 16K tokens, and very small local models (under ~7B parameters) that lack reliable tool calling. These will struggle to fit InboxAPI’s 22 tool definitions and maintain useful conversation history.
What stops an agent from buying things or authorizing transactions via email?
InboxAPI is a communication channel, not an execution environment. It can deliver an email, but it can’t click buttons, enter credit card numbers, or interact with external systems. The risk of unauthorized actions comes from how an agent is configured and what other tools it has access to — not from its email.