Security
AgentInbox is built with security in mind. This page covers authentication, webhook verification, and infrastructure protections.
API Key Authentication
All API requests require a valid API key passed in the Authorization header.
Header
Authorization: Bearer at_live_...Best Practices
- API keys start with
at_live_ - Store keys securely and never commit them to version control
- Rotate keys regularly from the dashboard
- Use environment variables for key storage
Inbound Email Authentication
AgentInbox receives mail through a dedicated inbound pipeline that parses each message, normalizes it, and delivers it to your inbox over an authenticated internal channel.
Trust Boundary
- Inbound mail is accepted only through the internal pipeline — there is no public HTTP ingress for receiving email.
- The inbound pipeline authenticates to the API with a rotating shared secret, so only trusted senders can deliver normalized messages.
- Message contents are only ever exposed to you through authenticated API requests and the dashboard — never directly to the browser from storage.
Webhook Signing
All webhooks sent by AgentInbox include a signature header. Verify this signature on your endpoint to ensure events are authentic.
Signature Header
x-agentinbox-signature: t=<unix_seconds>,v1=<hex_hmac>Always verify signatures
Never trust webhook payloads without verifying the signature. This prevents attackers from sending spoofed events to your endpoint.
typescript
import { createHmac, timingSafeEqual } from "crypto"; // Header format: "t=<unix_seconds>,v1=<hmac_sha256_hex>"// The signature is HMAC-SHA256 over `${t}.${rawBody}`.function verifyWebhook(rawBody: string, header: string, secret: string): boolean { const parts = Object.fromEntries( header.split(",").map((kv) => kv.split("=") as [string, string]), ); const { t, v1 } = parts; if (!t || !v1) return false; const expected = createHmac("sha256", secret) .update(`${t}.${rawBody}`) .digest("hex"); const a = Buffer.from(expected); const b = Buffer.from(v1); return a.length === b.length && timingSafeEqual(a, b);}python
import hmacimport hashlib # Header format: "t=<unix_seconds>,v1=<hmac_sha256_hex>"# The signature is HMAC-SHA256 over f"{t}.{raw_body}".def verify_webhook(raw_body: str, header: str, secret: str) -> bool: parts = dict(kv.split("=", 1) for kv in header.split(",")) t, v1 = parts.get("t"), parts.get("v1") if not t or not v1: return False expected = hmac.new( secret.encode("utf-8"), f"{t}.{raw_body}".encode("utf-8"), hashlib.sha256, ).hexdigest() return hmac.compare_digest(expected, v1)Rate Limits as Security
Rate limits help prevent abuse and ensure platform availability for all users.
- Per-API-key limits prevent abuse from individual accounts
- Inbox quotas prevent resource exhaustion
- Automatic IP-based blocking for suspicious traffic patterns
- All requests are logged for security auditing
Data Retention
- Inboxes and messages are deleted automatically after TTL expires
- Session timelines are retained for 30 days for debugging
- API logs are retained for 7 days
- Webhook delivery logs are retained for 7 days
Security first
AgentInbox is designed to handle sensitive data securely. If you have specific security requirements, contact our team through the dashboard.