Skip to main content
Every request to the AgentPost MCP server must include a valid API token. Tokens are scoped to your account — tools can only access mailboxes, emails, and domains that belong to you.

Generate a token

Go to Settings → API Tokens and create a new token. Copy it immediately — AgentPost does not display the token value again after creation.
Treat your API token like a password. Anyone with your token can read and delete your mailboxes and emails.

Configure your MCP client

Pass the token as a Bearer value in the Authorization header of your MCP client configuration: 
{
  "mcpServers": {
    "agentpost": {
      "url": "https://<app-url>/mcp",
      "headers": {
        "Authorization": "Bearer YOUR_TOKEN_HERE"
      }
    }
  }
}
Replace YOUR_TOKEN_HERE with the token you copied from Settings, and <app-url> with your AgentPost instance URL.

How authentication works

AgentPost validates the token on every request before executing any tool. All tool calls are automatically scoped to the authenticated user — your agent cannot access another user’s mailboxes or emails, even if it knows an address or message ID.

Authentication failures

If the token is missing, invalid, or revoked, the server returns an error and the tool call does not execute. Your agent should surface this as a configuration error rather than retrying.
Revoke a token any time from Settings → API Tokens. Revoked tokens fail immediately on the next request.

Rate limit

The MCP server allows 60 requests per minute per token. Requests beyond this limit are rejected until the window resets. If your agent needs to poll for email, use WaitForEmail instead — it streams progress server-side and counts as a single request regardless of wait duration.