← Help

Using the browser extension

The inboxy browser extension volunteers an @inboxy.net alias whenever a website asks for an email address. You never have to think about which alias to use, never have to copy one from your account page, and your real email never leaves your computer.

What it does

  • When you focus an email field on any site, the extension fills it with a random @inboxy.net alias from your account.
  • A small chip appears next to the field with two options:
    • Use a different alias — picks another one of yours (keyboard: Cmd/Ctrl + Shift + E).
    • Use my real email — swaps the field to your verified personal email instead.
  • When you submit the form, the extension records which alias went to which site, so later you can see "quiet-otter-47 was given to nike.com" in your account and burn it if it starts attracting spam.

That's the whole feature. The extension does not read messages, follow magic links, autofill OTPs, or surface your inbox. Those live on the website and in MCP clients.

Install

Browser Store
Chrome / Edge / Brave / Arc / Opera / Vivaldi (link lands at extension launch)
Firefox (link lands at extension launch)
Safari Coming in a later release

The extension is open-source — see github.com/inboxy/inboxyEMAIL.

First-run

  1. Click the inboxy icon in your toolbar.
  2. Hit Connect to inboxy — a small window opens at inboxy.net and walks you through magic-link sign-in (and passkey if you haven't enrolled one yet).
  3. Approve the extension. Your browser generates a per-device keypair that signs every request the extension makes. The private key never leaves your browser; the public part is bound to a short-lived token at the API.
  4. You're done. Focus any email field on any site to see the alias fill in.

You don't paste an API key anywhere. If you uninstall the extension or your browser clears its storage, the token is gone — there's nothing to revoke from another machine.

Day-to-day

  • Focus an email field — the alias appears, with the chip alongside.
  • Wrong alias? Press Cmd/Ctrl + Shift + E to pick another, or click the chip.
  • Want to use your real email instead? Click the chip → Use my real email.
  • The site is showing a phantom email field you don't want filled — ignore the chip. Nothing happens until you actually submit the form.

After you submit, the inbox page on the website shows which sites have each of your aliases, and offers a one-click burn if the alias starts taking spam.

When the extension stays out of your way

  • inboxy's own site (inboxy.net and any subdomain) — the extension explicitly does not run there.
  • Sites that opt out — a site can ship <meta name="inboxy-extension" content="off"> in its HTML to tell the extension to leave it alone. The chip will not appear on those pages.
  • Fields already filled by you or another extension — focusing a non-empty field does nothing.
  • Before you focus anything — the extension makes zero network requests until your first focus on a real email field. It is not watching the page in the background.

What the extension can and cannot do

What the extension is allowed to do, enforced server-side by the token scope:

  • List your aliases.
  • Mint a new alias on demand (when you don't yet have one suitable for a site).
  • Record which alias went to which site origin (e.g. https://nike.com).

What the extension cannot do, even if the token were stolen:

  • Read your mail.
  • Send mail from any alias.
  • Change your account settings, rotate your passkeys, or read your API keys.
  • See any data from the pages you visit beyond the origin string (https://nike.com) — no DOM contents, no form values other than the email field it just filled, no cookies, no other tabs.

The token is also device-bound via DPoP — even an attacker who copied it off your disk could not replay it from another browser.

Privacy

  • The only thing the extension sends to inboxy is "alias X went to site https://nike.com", and only after you confirm by submitting the form (or after 30 seconds of no further typing in that field, whichever comes first). Cancelling or swapping to your real email skips the call.
  • The site origin is read from the browser's tab API, not from the page's own HTML, so a hostile page cannot trick the extension into recording the wrong attribution.
  • No analytics, no telemetry, no third-party scripts. The extension is fully static after install.
  • All requests go to api.inboxy.net. The extension never talks to any other host.

Revoking the extension

Two options, both fine:

  • From the browser: uninstall the extension. The keypair is destroyed and the token becomes inert immediately (no other browser can replay it).
  • From your inboxy account: open /account/keys, find the row labelled "Browser extension on …", click Revoke. The next request the extension makes will be rejected and the toolbar icon will prompt you to reconnect.

Use the account-page route if your laptop was lost or stolen.

Troubleshooting

  • The chip doesn't appear when I focus an email field. Check the toolbar icon — if it shows a red dot, the extension is not connected; click it and connect. If the icon looks fine, the site may be opting out via the meta tag, or the field may not be a true <input type="email"> (some sites use exotic widgets).
  • The alias filled in but the site says it's invalid. A small number of sites reject + or long local-parts. Use the chip to swap to a different alias style, or use your real email for that one site.
  • I rerolled and now I have two aliases for the same site. Both work. The alias attribution page lets you keep one and burn the other.
  • I want to stop using the extension on one specific site, without uninstalling. Right now, just dismiss the chip — there's no per-site allow-list in the UI yet. If you need this, send us a ticket.

Still stuck? Email support@inboxy.net.


Still need help? support@inboxy.net

Add Inboxy to your Home Screen

  1. Tap the Share button in Safari’s toolbar.
  2. Scroll and tap Add to Home Screen.
  3. Tap Add in the top-right corner.