GUIDE

Your agent can fill any form.
Then the email arrives.

AI agents drive browsers, call APIs, and write whole test suites — and then a signup flow says “we've sent you a verification code” and the run is over, because the email went somewhere no agent can reach. This guide is about removing that wall: what people try first, and what it looks like when the agent simply has an inbox of its own.

Where agent runs die today

Email verification is deliberately a wall — it exists to prove there's a real mailbox behind a form. Agents hit it constantly: exploratory QA on a signup flow, an end-to-end check after a deploy, authoring a regression test that needs one real pass to be trustworthy. The workarounds all reintroduce the thing the agent was supposed to remove:

The shape of the fix: the inbox is a tool

MCP — the Model Context Protocol — is how agents get capabilities: a client like Claude Code connects to a server, and the server's tools become things the agent can just do. mailfixture is a remote MCP server, so “receive email” becomes a tool call. The agent mints a fresh address for the run, uses it in the form it's testing, and then waits on the inbox the same way your test suite does — server-side, no polling loop, no sleeps:

an agent run, unattended
> verify the signup flow on staging works end to end

create_inbox(ttl_seconds=900)
   q7v3n0x2k9@mxsink.sh
… agent fills the signup form with that address …
wait_for_otp(inbox_id=…, timeout_seconds=45)
   { best: "482913" }   # held open until the email lands
… agent types the code, asserts the account is live …
delete_inbox(inbox_id=…)   ✓ teardown

Three details carry the weight here. The address is real — a live MX-routed domain, so it works against staging, production, or anything else that can send mail; nothing in the app under test is mocked or rewired. The wait is a single tool callwait_for_otp, wait_for_link, and wait_for_message long-poll on the server and return the extracted result, so the agent never writes a retry loop or parses an email body with a regex. And every run is isolated — a fresh inbox per attempt, with a TTL so abandoned runs clean up after themselves.

Setup is one command per the MCP quickstart; the agent authenticates with a normal API key you can revoke any time.

MCP or the SDK? Both — at different moments

The MCP tools are for work the agent does with its own hands: exploratory QA, a one-off “does signup still work?” check, reproducing a bug report that involves an email. The SDKs are for the tests the agent leaves behind: when the job is “add a regression test for the OTP flow,” a good agent writes a Playwright or pytest test against the SDK — code your CI runs forever — and can use its own MCP tools while authoring to confirm the flow actually behaves the way the test assumes. Same inboxes, same extraction, same long-poll semantics; the only question is whether the caller is a model or your test runner.

PRACTICE Give agents their own API key, labeled as such, and treat what they read as context: message bodies flow into the model's conversation, so point agents at test inboxes, not at anything receiving real customer mail. Keys are revocable one click from the dashboard.

The boundary, stated plainly

All of this assumes the flow being verified is your own product's. Our terms draw the same line for agents as for test suites: registering accounts on services you don't control is prohibited; testing what you own is the point. An agent that mass-registers accounts around the web with programmatic inboxes is the abuse case we design against — and the account-and-key attribution behind every inbox means it isn't an anonymous one.

one command: claude mcp add — then the agent takes it from there
Read the MCP quickstart Start free