Using the browser extension
The inboxy browser extension lets your browser autofill OTPs, follow magic links, and surface inboxy mail without ever giving the browser a long-lived API key. Authentication is device-bound via DPoP — the token only works from the browser instance that minted it.
Install
| Browser | Store |
|---|---|
| Chrome / Edge | (link lands at extension launch) |
| Firefox | (link lands at extension launch) |
The extension is open-source — see github.com/inboxy/inboxyEMAIL.
First-run
- Click the inboxy icon in your toolbar.
- Sign in with your inboxy email — magic link, same flow as the website.
- The extension generates a per-browser keypair and registers it with
api.inboxy.net. - You're done. No copy-pasted API key.
Day-to-day
- OTP autofill — when you receive a one-time code, the extension surfaces it in a toolbar badge. Click to copy or autofill the focused field.
- Magic-link follow — login links from senders you mark "trusted" are opened directly when clicked from the badge.
- Inbox preview — a popup showing the last 20 messages, filterable by classification.
Privacy
The extension reads only your inboxy mail (the API key it holds is scoped read). It does not read other webmail you have open. It does not phone home — every request goes to api.inboxy.net.
Revoking a browser
Lost laptop, retiring a browser, or just want to start over? In Account → API keys, revoke the key labelled with the browser's name (the extension labels keys automatically on first-run). The next request from that browser returns 401.
Still need help? support@inboxy.net