Security

AgentInbox is built with security in mind. This page covers authentication, webhook verification, and infrastructure protections.

API Key Authentication

All API requests require a valid API key passed in the Authorization header.

Header
Authorization: Bearer at_live_...

Best Practices

  • API keys start with at_live_
  • Store keys securely and never commit them to version control
  • Rotate keys regularly from the dashboard
  • Use environment variables for key storage

Inbound Email Authentication

AgentInbox receives mail through a dedicated inbound pipeline that parses each message, normalizes it, and delivers it to your inbox over an authenticated internal channel.

Trust Boundary

  • Inbound mail is accepted only through the internal pipeline — there is no public HTTP ingress for receiving email.
  • The inbound pipeline authenticates to the API with a rotating shared secret, so only trusted senders can deliver normalized messages.
  • Message contents are only ever exposed to you through authenticated API requests and the dashboard — never directly to the browser from storage.

Webhook Signing

All webhooks sent by AgentInbox include a signature header. Verify this signature on your endpoint to ensure events are authentic.

Signature Header
x-agentinbox-signature: t=<unix_seconds>,v1=<hex_hmac>

Always verify signatures

Never trust webhook payloads without verifying the signature. This prevents attackers from sending spoofed events to your endpoint.
typescript
import { createHmac, timingSafeEqual } from "crypto";
// Header format: "t=<unix_seconds>,v1=<hmac_sha256_hex>"
// The signature is HMAC-SHA256 over `${t}.${rawBody}`.
function verifyWebhook(rawBody: string, header: string, secret: string): boolean {
const parts = Object.fromEntries(
header.split(",").map((kv) => kv.split("=") as [string, string]),
);
const { t, v1 } = parts;
if (!t || !v1) return false;
const expected = createHmac("sha256", secret)
.update(`${t}.${rawBody}`)
.digest("hex");
const a = Buffer.from(expected);
const b = Buffer.from(v1);
return a.length === b.length && timingSafeEqual(a, b);
}

Rate Limits as Security

Rate limits help prevent abuse and ensure platform availability for all users.

  • Per-API-key limits prevent abuse from individual accounts
  • Inbox quotas prevent resource exhaustion
  • Automatic IP-based blocking for suspicious traffic patterns
  • All requests are logged for security auditing

Data Retention

  • Inboxes and messages are deleted automatically after TTL expires
  • Session timelines are retained for 30 days for debugging
  • API logs are retained for 7 days
  • Webhook delivery logs are retained for 7 days

Security first

AgentInbox is designed to handle sensitive data securely. If you have specific security requirements, contact our team through the dashboard.

Related Documentation