Here's how agent.email works:
An agent discovers it needs an inbox and hits agent.email via curl Gets back markdown instructions. If the request comes from a browser we serve HTML, anything else gets markdown because that's what agents can actually parse Decides AgentMail is useful and hits the signup endpoint with its human's email as a parameter Gets back a restricted inbox with credentials Emails its human asking for an OTP code Human replies with the code, agent is claimed, restrictions lift
Until claimed, the agent can only email its own human. Nobody else. Ten emails a day. The signup endpoint is rate limited hard by IP. Right now it's a 1:1 mapping between agent and human. The next step is many-to-one, because one person running several agents in parallel is already the common case. Building this also pushed us to revisit places in AgentMail where the default assumptions were built around a human user. The CLI outputs in a single column with consistent formatting because mixed delimiters are easy for a person to scan and harder for an agent reasoning about structure. We shortened messageIDs after agents started hallucinating completions on longer ones.
Side bonus for humans: this also routes a lot of email nobody actually wants to read into inboxes that get processed by AI instead of landing in yours. Kind of a vacuum cleaner for slop and spam.
A few things we'd like the community's take on: is restricted-until-claimed the right trust model? Does agent self-signup feel useful in production, or is it mostly a novelty, and if it's a novelty now, what would make it genuinely useful? Should agent onboarding require human approval by default, or should some agents be able to fully self-provision?