Password Protection
Inboxes can be optionally protected with a password. Once set, all inbox endpoints require a valid session token.
Set password
POST /inbox/:address/password

Body
{ "password": "mysecret" }

Response
{ "success": true, "expiresAt": 1713603600000 }

The password expires after PASSWORD_TTL_HOURS (default 1 hour). When it expires, the password is cleared — emails are not deleted.
Verify password
POST /inbox/:address/verify

Body
{ "password": "mysecret" }

Response (success)
{ "verified": true, "token": "<session-token>" }

Response (failure)
{ "error": "Invalid password" }

Store the returned token in sessionStorage and include it as Authorization: Bearer <token> on subsequent requests. For SSE, pass it as ?token=<token>.
Session tokens are stateless (HMAC-signed) and expire at the same time as the password.
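
The page does not describe the token format. The following is an added sketch, not the project's own code, of how a stateless HMAC-signed token can be bound to one inbox and expire together with the password. The payload layout, the `SECRET` value and the function names `issueToken` and `verifyToken` are assumptions.

```javascript
// Added example: token layout, secret and function names are assumptions.
const nodeCrypto = require("node:crypto");

const SECRET = "constructed-demo-secret"; // assumption: server-side signing key

const b64url = (buf) => Buffer.from(buf).toString("base64url");
const sign = (data) => nodeCrypto.createHmac("sha256", SECRET).update(data).digest();

// Issue a token bound to one inbox that expires with the password (epoch ms).
function issueToken(address, expiresAt) {
  const payload = b64url(JSON.stringify({ address, expiresAt }));
  return `${payload}.${b64url(sign(payload))}`;
}

// Returns true only for an untampered, unexpired token issued for this inbox.
function verifyToken(token, address, now = Date.now()) {
  const parts = String(token).split(".");
  if (parts.length !== 2) return false;
  const [payload, mac] = parts;
  const given = Buffer.from(mac, "base64url");
  const expected = sign(payload);
  // Length check first: timingSafeEqual throws on unequal lengths.
  if (given.length !== expected.length) return false;
  if (!nodeCrypto.timingSafeEqual(given, expected)) return false;
  let claims;
  try {
    claims = JSON.parse(Buffer.from(payload, "base64url").toString("utf8"));
  } catch {
    return false;
  }
  if (claims.address !== address) return false; // token for another inbox
  return typeof claims.expiresAt === "number" && now < claims.expiresAt;
}
```

Because the SSE token travels in the query string, it can be recorded in proxy and access logs, which is one reason the short expiry matters.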
Inbox self-destruct
POST /inbox/:address/expiry

Body
{ "hours": 2 }

Sets the inbox to auto-delete all emails and settings after the given number of hours.

DELETE /inbox/:address/expiry

Cancels a previously set self-destruct timer.