# Auth.md for MailAgents

MailAgents supports two authentication modes for agents.

## Mailbox Token

Use a mailbox token in the `X-Agent-Token` header for direct MCP and Agent API calls.
Create the token in the MailAgents UI and grant only the scopes needed for the task.

```http
POST https://mailagents.net/mcp
X-Agent-Token: <mailbox token>
Content-Type: application/json
```

## OAuth

- Authorization server metadata: https://mailagents.net/.well-known/oauth-authorization-server
- Protected resource metadata: https://mailagents.net/.well-known/oauth-protected-resource
- MCP protected resource metadata: https://mailagents.net/.well-known/oauth-protected-resource/mcp

Agent registration metadata is also available in the `agent_auth` block of the OAuth authorization server metadata.

Supported scopes are `read` and `send`.
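
A client-side consistency check for the discovery documents listed above, added here as an example and not MailAgents' own code. The sample documents are constructed, the endpoint paths in them are hypothetical, and the fields of `agent_auth` are not documented on this page, so the check only reads standard RFC 8414 and RFC 9728 fields.

```python
from urllib.parse import urlsplit

ISSUER = "https://mailagents.net"            # origin of the metadata URLs on this page
MCP_RESOURCE = "https://mailagents.net/mcp"  # MCP endpoint on this page
PAGE_SCOPES = {"read", "send"}               # scopes this page lists

# Constructed sample documents; live responses may carry other fields.
SAMPLE_AS = {
    "issuer": "https://mailagents.net",
    "authorization_endpoint": "https://mailagents.net/oauth/authorize",  # hypothetical path
    "token_endpoint": "https://mailagents.net/oauth/token",              # hypothetical path
    "scopes_supported": ["read", "send"],
    "agent_auth": {},  # block exists per this page; contents left empty (not documented)
}
SAMPLE_PRM = {
    "resource": "https://mailagents.net/mcp",
    "authorization_servers": ["https://mailagents.net"],
    "scopes_supported": ["read", "send"],
}

def check_metadata(as_meta, prm_meta, wanted_scopes):
    """Return a list of problems; an empty list means the documents are consistent."""
    problems = []
    # RFC 8414 section 3.3: issuer must equal the identifier the well-known URL was built from.
    if as_meta.get("issuer") != ISSUER:
        problems.append("issuer mismatch")
    # RFC 9728 section 3.3: resource must equal the identifier the client asked about.
    if prm_meta.get("resource") != MCP_RESOURCE:
        problems.append("resource mismatch")
    # The resource should point back at the authorization server we discovered.
    if ISSUER not in prm_meta.get("authorization_servers", []):
        problems.append("resource does not name this authorization server")
    # Endpoints that will receive credentials or codes must be reached over TLS.
    for key in ("authorization_endpoint", "token_endpoint"):
        if key in as_meta and urlsplit(as_meta[key]).scheme != "https":
            problems.append(f"{key} is not https")
    # Least privilege: request only scopes that the page and the server both list.
    allowed = PAGE_SCOPES & set(as_meta.get("scopes_supported", []))
    extra = set(wanted_scopes) - allowed
    if extra:
        problems.append("unsupported scopes: " + ",".join(sorted(extra)))
    return problems
```

Run the check on the fetched JSON before starting an authorization request, and refuse to continue when the returned list is not empty.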

## Agent E2EE

Direct remote MCP calls return encrypted envelope metadata and next-action fields.
Plaintext for Agent E2EE messages is available only through an authorized local MailAgents plugin bridge.