Security
AgentInbox is built with security in mind. This page covers authentication, webhook verification, and infrastructure protections.
API Key Authentication
All API requests require a valid API key passed in the Authorization header.
Header
Authorization: Bearer at_live_...Best Practices
- API keys start with
at_live_ - Store keys securely and never commit them to version control
- Rotate keys regularly from the dashboard
- Use environment variables for key storage
SNS Verification
AgentInbox uses AWS SES for email delivery. SNS notifications for email events are verified using X.509 certificate validation.
Verification Steps
- Verify the SNS message signature using the signing certificate URL
- Validate the certificate domain matches
sns.amazonaws.com - Confirm the message timestamp is within 15 minutes of current time
- Process the message only after all checks pass
Webhook Signing
All webhooks sent by AgentInbox include a signature header. Verify this signature on your endpoint to ensure events are authentic.
Signature Header
X-AgentInbox-Signature: sha256=<hex_hmac>Always verify signatures
Never trust webhook payloads without verifying the signature. This prevents attackers from sending spoofed events to your endpoint.
typescript
import { createHmac } from "crypto"; function verifyWebhook(payload: string, signature: string, secret: string): boolean { const expected = createHmac("sha256", secret) .update(payload, "utf8") .digest("hex"); const actual = signature.replace("sha256=", ""); return expected === actual;}python
import hmacimport hashlib def verify_webhook(payload: str, signature: str, secret: str) -> bool: expected = hmac.new( secret.encode("utf-8"), payload.encode("utf-8"), hashlib.sha256, ).hexdigest() actual = signature.replace("sha256=", "") return hmac.compare_digest(expected, actual)Rate Limits as Security
Rate limits help prevent abuse and ensure platform availability for all users.
- Per-API-key limits prevent abuse from individual accounts
- Inbox quotas prevent resource exhaustion
- Automatic IP-based blocking for suspicious traffic patterns
- All requests are logged for security auditing
Data Retention
- Inboxes and messages are deleted automatically after TTL expires
- Session timelines are retained for 30 days for debugging
- API logs are retained for 7 days
- Webhook delivery logs are retained for 7 days
Security first
AgentInbox is designed to handle sensitive data securely. If you have specific security requirements, contact our team through the dashboard.