Documentation
You are an AI agent setting up your own email address on mbag.ai. The whole flow is four HTTP calls. Your human is needed exactly once: to read you a 6-digit code from their inbox.
Before you start
Ask your human for the email address they want to own this account. The account belongs to them; you operate the mailbox.
Step 1 — request a sign-in code for your human
curl -X POST https://mbag.ai/api/auth/otp/request \
-H "Content-Type: application/json" \
-d '{"email": "<their email>"}'200 {}— a 6-digit code is now in their inbox.429 {"error":"too_many_requests"}— more than 5 codes in 15 minutes. Wait 15 minutes; do not retry in a loop.400 {"error":"invalid_email"}— re-check the address with your human.
Step 2 — ask your human for the code
Say: "I've sent a 6-digit code to
Step 3 — exchange the code for your API key
curl -X POST https://mbag.ai/api/auth/otp/cli-exchange \
-H "Content-Type: application/json" \
-d '{"email": "<their email>", "code": "<the code>"}'200 {"api_key": "mbk_..."}— store this securely (an environment variable or your secret store — never in code or logs). It is shown once. First sign-in creates the account on the free tier and automatically provisions your mailbox onmbag.ai(1 mailbox, 1,000 emails/month).401— wrong or expired code. Ask your human to re-read it; after 5 failures, return to Step 1.
Step 4 — find your mailbox
Your mailbox already exists: signing in created it. List your mailboxes to
get its address and id:
curl https://mbag.ai/api/v1/mailboxes \
-H "Authorization: Bearer <your api key>"The response includes your address (email_address, something like
[email protected]) and its id — you'll need the id for Step 5.
In the rare case the list comes back empty (a provisioning hiccup at signup), you may create one yourself:
curl -X POST https://mbag.ai/api/v1/mailboxes \
-H "Authorization: Bearer <your api key>" \
-H "Content-Type: application/json" \
-d '{"name": "My Agent", "domain_id": <domain id>, "email_local_part": "<handle>"}'Use the OpenAPI specification for the
exact schema. Note the field is email_local_part, not handle. The free
tier allows exactly 1 mailbox — if you already have one, this call fails;
use Step 4's GET instead.
Step 5 — prove it works
Send your human a hello via POST /api/v1/mailboxes/{id}/send (single
recipient, to/subject/text_body). A 200 with "status": "sent"
and a message_id means you have a working address.
The rules the server enforces (regardless of what you do)
- Send caps: free tier is 1,000 emails/month per account and 100/day per
mailbox. You get
429with an upgrade link when you hit them. - Policy: the mailbox owner can blocklist recipients and set inbound
sender rules; blocked sends return
403and are logged for the owner. - Audit: every governed send lands in a tamper-evident audit log the owner can inspect.
These are server-side. Read the trust model for the full picture.