decoy logodecoy
email access for AI agents

how can you give an ai agent email access safely?

Email helps agents retrieve login codes, confirm reservations and reply to services. It is also a master key containing password resets, financial messages and years of personal context.

broad mailbox access is larger than most tasks

An agent completing a Nike return may need one confirmation message. A broad Gmail grant can expose unrelated conversations, password resets and private documents. The size of the authorization does not match the size of the task.

Service-specific inboxes create a natural boundary. Messages for one account arrive at one address, and that inbox can be paused or deleted without affecting the user’s primary email.

separate message discovery from message content

An agent often needs safe metadata to find the right message before requesting its contents. It can filter by account, time or sending domain, then unlock only the relevant message body.

Decoy keeps message contents encrypted and records each content access. Users can grant access to selected inboxes for a duration or require a new request.

email is also an untrusted input channel

A message can contain instructions intended to manipulate the agent. Narrowing mailbox access reduces exposure but does not eliminate prompt injection. The runtime should treat email as data, not trusted instructions, and gate sends, deletes and account changes separately.

Decoy keeps the primary inbox out of the integration

Developers integrate one MCP server or API. Users add the service accounts an agent needs, and Decoy provides their approved inbox messages and codes without connecting the user’s full Gmail history.

common questions

does Decoy require Gmail access?

No. Decoy provides its own service-specific email addresses and inboxes.

can the agent send and reply?

Yes, when the connected agent has the required access. Sending and reading are separate operations that appear in the activity record.

does a separate inbox stop prompt injection?

No. It reduces the amount of exposed email, but the agent runtime must still treat message content as untrusted input.

give your agent the info it needs. not your user’s whole life story.

Decoy provides user-approved passwords, email codes, passkeys and personal details through one MCP server or API.