Quickstart: MCP agents
mailfixture ships a remote MCP server at https://mailfixture.com/mcp. Point an agent at it — Claude Code, or any client that speaks Streamable HTTP — and it can create real inboxes, trigger your app's email flows, and read the OTP back by itself. Nothing to install, no glue code to write.
1 · Get a key
Create a key in Dashboard → API keys. The agent authenticates with a normal mfx_ key — same permissions as the REST API, revocable any time. Give agents their own key (label it mcp-agent) so you can pull it without breaking your test suites.
MAILFIXTURE_API_KEY=mfx_••••••••••••••••••••
2 · Connect a client
Claude Code is one command:
$ claude mcp add --transport http mailfixture https://mailfixture.com/mcp \ --header "Authorization: Bearer $MAILFIXTURE_API_KEY"
Any other MCP client takes the same shape — a Streamable HTTP server with a bearer header:
{
"mcpServers": {
"mailfixture": {
"type": "http",
"url": "https://mailfixture.com/mcp",
"headers": { "Authorization": "Bearer mfx_…" }
}
}
}
3 · Let the agent test your email flow
That's the whole setup. Ask the agent to exercise a signup flow and it chains the tools itself:
> Sign up a fresh account on staging and verify the OTP email works. create_inbox(ttl_seconds=900) → k2x9v04qtr@mxsink.sh … agent drives the signup form with that address … wait_for_otp(inbox_id=…, timeout_seconds=45) → { best: "482913" } # held open server-side, returns when mail lands … agent submits the code, asserts the account is verified …
wait_for_otp, wait_for_link, and wait_for_message long-poll on the server (up to 60s per call) — the agent never writes a sleep-and-retry loop. Racing emails? They take the same match filter as the REST API: subject:, from:, to:.
The tool surface
34 tools — full parity with the /v1 REST API, email and SMS, plus the wait helpers. The high-traffic ones:
Scope and security
The MCP server is the API — the key is the only credential, and everything the agent does is attributable to it. Three things to know: the tool set includes account administration (keys, domains, webhooks), so treat the key like the secret it is; message bodies flow into the agent's context, so don't point production traffic at inboxes an agent reads; and errors come back structured (status/title/detail, same vocabulary as the REST API) so agents can react instead of guessing.