Skip to content
catchotp
Use case · AI agents

Give your agent a real email inbox.

Modern agents need to sign up for services, confirm accounts, and handle email-based workflows. catchotp exposes inboxes as a first-class MCP tool — structured JSON in, real-time waiters out.

  • MCP-native
  • Works with Claude, OpenAI, LangGraph
  • Per-agent isolation
AI agent connected to inbox, waitForOtp, and webhook tools via MCP

The problem agents hit at email

The first non-trivial task an autonomous agent runs into is account creation. Almost every useful service on the internet requires an email address, then sends a verification code or magic link, then refuses to proceed until that flow is closed. Without a programmable receive-side, the agent is stuck — it cannot create the account it needs to do the work it was given.

Existing options are uncomfortable. Disposable-inbox sites have no API and are aggressively blocked. Wiring the agent into your personal Gmail via OAuth gives it your real inbox and an alarming blast radius. Self-hosting an SMTP catcher is a week of work for what should be a tool call.

Anthropic's Model Context Protocol made this a first-class category: agent tools defined once and reusable across every MCP-aware host. catchotp is built for that surface.

An MCP-native inbox

Drop-in MCP server

npx @catchotp/mcp runs a stdio MCP server that exposes the inbox API as agent-callable tools. Add it to Claude Code, Cursor, or any MCP host.

Structured JSON responses

Every message returns parsed text, HTML, headers, deduped links, and detected OTPs as structured JSON. No HTML parsing in the model.

Long-poll waiters

Agents can yield on wait_for_otp instead of busy-looping. The waiter resolves the moment the code lands.

Without catchotp vs with catchotp

Concern Without catchotp With catchotp
Account creation Blocked at email step One tool call
Blast radius Personal Gmail Per-task disposable inbox
Wait pattern Polling loop in tokens Single yield on long-poll
Body parsing Model parses raw HTML Structured JSON, OTP pre-extracted
Auditability Implicit in transcripts Audit log per inbox

A complete agent example

Three views of the same workflow: the MCP host configuration, the user prompt the agent will act on, and the bare-metal Anthropic SDK loop if you want to build it without MCP.

// Claude Desktop · ~/.config/claude/claude_desktop_config.json
{
  "mcpServers": {
    "catchotp": {
      "command": "npx",
      "args": ["-y", "@catchotp/mcp"],
      "env": {
        "CATCHOTP_API_KEY": "sk_live_..."
      }
    }
  }
}
Same primitives, three integration paths. Pick whichever fits your stack.

AI agent email FAQ

What is MCP?
Model Context Protocol — an open standard from Anthropic for connecting LLMs to external tools and data. catchotp ships an MCP server that exposes its inbox API as a set of agent-callable tools. Drop it into Claude Desktop, Cursor, Claude Code, or any MCP host and the agent gains email superpowers without any glue code.
Do I have to use Anthropic models?
No. The MCP server works with any MCP-compatible host. The example above uses the Anthropic SDK because the loop is short, but the same tools are callable from OpenAI Agents SDK, LangGraph, or any framework that speaks JSON tool calls.
Is this safe? What stops an agent from reading other users' inboxes?
Each API key is scoped to its owning workspace; an agent can only see inboxes it created or was given access to. We recommend a per-agent or per-task key so a runaway agent has a tight blast radius. Pro and Team plans support per-key rate limits and IP allowlists.
How does this compare to giving the agent a Gmail OAuth token?
Gmail-via-OAuth gives the agent your real inbox — every personal email, every work conversation. catchotp gives the agent a clean, scoped, disposable inbox that exists only for the task at hand. Way smaller blast radius, and you can audit every action the agent took on it.
Can I use webhooks instead of waiters?
Yes. Pro and Team plans support webhooks per inbox or per workspace. For long-running agents, webhooks can be more economical than long-polling — the agent can suspend until the webhook fires, freeing the runtime entirely. The payload is signed with HMAC-SHA256 against a secret you provide, so your handler can verify origin before acting on it.
How many inboxes can an agent create?
Free tier supports 5 concurrent inboxes — enough for a single agent running 1-2 task concurrently. Pro at $29/mo allows 50 concurrent inboxes, which handles typical agent fleets where tasks run for minutes and inboxes are recycled with TTL. Team and Enterprise tiers are unlimited. Inbox creation itself takes under 100ms, so an agent can spin up an inbox per task without latency cost; the cap is on concurrent live inboxes, not creation rate.
How do I tear down an inbox after the run?
Three options: pass `ttlMinutes` at creation (default 60, max 30 days) and the inbox auto-expires; call `inboxes.delete(id)` explicitly when the task completes; or skip cleanup and let the per-plan retention window handle it (24h Free, 30d Pro). For agents, TTL is the lowest-friction pattern — set it to slightly longer than the worst-case task duration and the inbox cleans itself up. Audit logs persist beyond the inbox lifetime, so you can still trace what the agent did 90 days later.
Is the MCP server safe to expose to local agents?
The MCP server runs over stdio (not network), so it is only callable by the local agent host you configured. It needs your CATCHOTP_API_KEY in its env — treat that key as you would any other credential and use a per-agent or per-task scoped key in production. Pro and Team plans support per-key rate limits and IP allowlists, so a runaway agent cannot exfiltrate or melt your account. For air-gapped agents, the SDK works offline against a recorded fixture set if you need fully deterministic runs.

Wire your agent into a real inbox.

The MCP server is one config block away. Free tier covers most agents.