Skip to main content
Mail gives agents organization-owned inboxes they can use to receive and send email during legal workflows. Inboxes live under your Case.dev organization, can be created on demand, and support per-inbox policies for sender filtering and read, reply, and send access.

Managed inboxes

Create and list inboxes for agent workflows without provisioning external mail infrastructure.

Access policies

Control sender allowlists and which API keys, users, sessions, or operators can read, reply, and send.

Create an inbox

Shell
curl -X POST https://api.case.dev/mail/v1/inboxes \
  -H "Authorization: Bearer $CASE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "displayName": "Matter Intake Agent"
  }'
You can pass an address with a local part such as intake-smith-v-jones. If omitted, Case.dev generates an address on the supported mail domain.

Send a message

Shell
curl -X POST https://api.case.dev/mail/v1/inboxes/{inboxId}/messages/send \
  -H "Authorization: Bearer $CASE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "to": ["client@example.com"],
    "subject": "Documents received",
    "text": "We received the documents and will follow up after review."
  }'
Send requests require a recipient, subject, and either text or html. Optional cc, bcc, and replyTo fields accept either a string or an array of strings.

Read messages

Shell
curl "https://api.case.dev/mail/v1/inboxes/{inboxId}/messages" \
  -H "Authorization: Bearer $CASE_API_KEY"
Message listing respects the inbox policy. When sender filtering is enabled, messages from disallowed senders are omitted from the returned data.

Configure policy

Shell
curl -X PUT https://api.case.dev/mail/v1/inboxes/{inboxId}/policy \
  -H "Authorization: Bearer $CASE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "enforceSenderAllowlist": true,
    "allowedSenderPatterns": ["client@example.com", "@lawfirm.example"],
    "readAccessRules": ["organization"],
    "replyAccessRules": ["organization"],
    "sendAccessRules": ["api_key"]
  }'
Policy rules can target the organization, an operator, a specific user, an API key, a Clerk session, or * for all authenticated callers with the required service permission.