Password Protection

Any inbox can be optionally protected with a password. Once set, visitors must enter the correct password before reading or deleting emails.

Setting a password

Open the Settings tab in the sidebar of any inbox and enter a password in the Password protection section, then click Set password.

Alternatively, call the API directly:

curl -X POST https://api.maile.uk/inbox/hello@maile.uk/password \
  -H "Content-Type: application/json" \
  -d '{"password": "mysecret"}'

The password is valid for 1 hour by default (configurable via admin settings).

Accessing a password-protected inbox

When visiting a protected inbox, a password dialog appears. Enter the correct password to receive a session token stored in sessionStorage.

The token is valid until the password expires. After expiry, the dialog re-appears on next visit.

What happens when the password expires

When the password TTL passes, the cleanup cron:

Removes the password requirement automatically
Keeps all emails — only the lock is lifted
The inbox becomes publicly accessible again

Inbox self-destruct

Self-destruct schedules the entire inbox for deletion after a fixed number of hours. Unlike password expiry, this removes all emails and settings permanently.

Setting self-destruct from the UI:

Open the Settings tab and enter the number of hours in the Self-destruct section, then click Set expiry.

Or via API:

curl -X POST https://api.maile.uk/inbox/hello@maile.uk/expiry \
  -H "Content-Type: application/json" \
  -d '{"hours": 2}'

After 2 hours, all emails and settings for that inbox are permanently deleted.

Cancelling self-destruct:

curl -X DELETE https://api.maile.uk/inbox/hello@maile.uk/expiry

Or use the Cancel expiry button in the Settings tab.

Combining password and self-destruct

You can use both features together. For example:

Set a password to keep the inbox private during a signup flow
Set self-destruct to automatically delete everything once you’re done