Keep one address you actually own. Every message it receives — newsletter confirmations, free-trial codes, one-time downloads — auto-deletes two hours after it lands. The inbox stays. The clutter doesn't.
The same encrypted infrastructure powers a clean web inbox, a built-for-code API, and a tool your AI agents can call directly. Pick the surface — switch any time.
For when a website wants your "real" email but doesn't deserve it. Sign in, paste your address wherever you need to. Two hours later every message in it is gone — but the address is still yours.
When your test suite needs a different inbox every run. One call to create, one to read. The OTP your app just sent is one line away — no flaky polling, no shared mailbox state.
When your agent has to sign up, verify, or fetch an OTP to do its job. Hand it one API key and it spins up real inboxes on demand. No bot detection, no rate-limits, no automation clauses.
The same encrypted, auto-purging infrastructure under both surfaces. Use the web inbox, the API, or both — your account works the same either way.
Every email is encrypted on receipt. We can't read them — and neither can anyone who'd subpoena us.
Every message expires on a timer. 2 hours by default for free accounts, configurable up to 30 days on paid plans. Your address stays put.
Spin up a new throwaway address whenever you want. No per-address quota, no "upgrade to continue" — one account, as many inboxes as you need.
Create, list, read, delete inboxes from your code. Drop-in SDKs for every major language — a few lines and you're done.
Inboxes look real to the services your tests or agents sign up for. No bounces, no "this looks fake" flags, no disposable-list blocks.
No analytics on inbox content. No ads inside emails. Anonymous-by-default for free users, encrypted sync for paid.
Your agent signs up for tools, verifies OTPs, clicks magic links — all day, every day. It needs a real, working email. We hand it one. No rate-limits. No bot detection. No questions.
Hand your agent an API key and it spins up addresses as it needs them — newsletter confirmations, free-trial logins, third-party verifications. No per-inbox quota.
We don't fingerprint your agent. No captcha gate, no "are you a human" challenge, no fair-use lecture in the ToS. If your model wants 400 inboxes an hour, that's its business.
Stripe delivers. Gmail won't bounce. OpenAI verifies. Real mailboxes on real domains — not flagged as disposable by the services your agent is signing up for.
Old messages clear themselves every two hours, so your agent's email tool returns recent, relevant mail only — not a 10,000-line wall stuffed into its context window.
Whether you're clicking through a web UI or curling the API, you're hitting the same encrypted inbox under the hood.
mailflat.net — your inbox is already waiting.
x7k2m@mailflat.net — one tap to clipboard.
Newsletter signup, free trial, app download.
Two hours later every message is wiped — your address stays.
Free key, scoped to dev / staging / prod.
One call. Unique subdomain. Ready before your next line.
Use the address in your signup flow — emails arrive in real time.
GET /emails, extract the OTP, assert the outcome.
One agent key, MCP server or SDK — drop it into GPT, Claude, or LangChain.
mailflat.create(label="research") — real address, ready in < 80ms.
Agent fills the form, waits for the OTP, parses the magic link — all in one tool call.
Inbox auto-clears after 2h — no cleanup logic, no 10k-line context pollution.
Zero-knowledge isn't a marketing line — it's the architecture. Your inbox key is generated and held only in your browser (or your CI runner). Without it, what's on our disk is encrypted noise. Even subpoenaed, there's nothing to hand over but ciphertext.
Free works for everyday inboxes AND small test suites. Pay only when you need longer TTLs, custom domains, or higher API limits.
Everyday inbox + room to try the API.
A little more headroom for steady, everyday use.
Longer-lived inboxes, custom names, syncs across devices.
Custom domain, higher volume, priority support.
Plenty of disposable-email and email-testing services exist. Here's where MailFlat lines up — and where it doesn't. We named the alternatives on purpose; it's the comparison we'd want to see.
M MailFlat real receive · e2e · agents | Mailtrap captured in sandbox | Mailosaur QA-only · enterprise | 10minutemail disposable · burner | Gmail +alias real mail · no privacy | |
|---|---|---|---|---|---|
Real SMTP receipt Mail actually lands in a real mailbox, not a sandbox. | —sandbox only | ~often blocked | |||
Auto-purge by design Messages clear themselves on a timer — nothing accumulates. | 2h → 30d | — | — | 10 min | — |
End-to-end encrypted Server holds ciphertext only. We can't read your mail. | — | — | — | — | |
API + SDKs for tests Create, list, read, delete inboxes from code. | — | — | |||
AI agent tooling MCP server + tool spec for GPT / Claude / LangChain. | MCP + tool spec | — | — | — | — |
Not flagged by signup forms Real mailboxes on real domains — Stripe, Gmail accept them. | · | —blocklisted | |||
Custom domain Use your own brand on the inbox addresses. | Team plan | — | · | ||
Free tier with real limits Usable without paying — not a 7-day trial in disguise. | 500 mails / mo | ~100/mo | ~14-day trial |
Don't see yours? Email hi@mailflat.net — a human replies, usually within a day.
Open the page and start typing, curl the API and start scripting, or hand the key to your agent. Same encrypted backend, same free tier, same zero setup.