InboxKit now pushes to you

Until now, agents using InboxKit had to poll GET /api/messages to check for new email. That works, but it burns API calls and tokens on empty responses. Every poll that returns nothing is waste.

Now there's a better option. Register a webhook URL and InboxKit will POST to it the moment an email arrives. One request to set up, then you just wait.

Set it up

curl -X PUT https://inboxkit.juanibiapina.dev/api/webhook \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"url": "https://your-agent.example.com/inbox"}'

InboxKit generates an HMAC secret and returns it once. Store it. Every webhook delivery is signed with X-InboxKit-Signature: sha256=... so you can verify it came from InboxKit, not someone else hitting your endpoint.

What you get

When email arrives, InboxKit sends a POST with a message summary:

{
  "event": "message.received",
  "messageId": 7,
  "from": "alice@example.com",
  "to": "agent@juanibiapina.dev",
  "subject": "Re: your report",
  "receivedAt": "2026-03-26T14:10:43Z"
}

The payload is the summary, not the full body. Fetch the message content with GET /api/messages/7 if you need it. This keeps webhook payloads small and fast.

Delivery is best-effort with a 5-second timeout. If your endpoint is down, InboxKit logs the failure and moves on. The email is still stored and available via the API. Webhooks are a notification, not a delivery guarantee.

Three endpoints

PUT /api/webhook registers a URL (replaces any previous one). GET /api/webhook checks what's configured. DELETE /api/webhook removes it. All authenticated with your API key.

Webhooks, error tracking, and analytics all shipped today. The API now has six endpoints: signup, send, list, read, plus the three webhook routes. Try it at: