A self-hosted email client with an AI agent that reads your inbox, drafts replies automatically, and exposes full email operations over MCP — running entirely on Cloudflare Workers.
Agentic Inbox is a fully self-hosted email client built on Cloudflare’s serverless platform. It combines a modern React web interface with an AI agent that can autonomously read, search, draft, and organize your email — all without touching any server you have to manage. Every mailbox is isolated in its own Durable Object with a per-mailbox SQLite database, and attachments go straight to R2 object storage.
The AI Email Agent is built on Cloudflare’s Agents SDK using the AIChatAgent base class, powered by Workers AI running the Kimi K2.5 model. It exposes nine email tools — from listing folders and reading threads to drafting replies and discarding stale drafts. When a new email arrives, the agent fires automatically, reads the full thread history for context, and generates a draft reply that waits for human review before sending.
Security is taken seriously: an active prompt injection scanner (backed by Llama 3.1) inspects every inbound email body and thread context before the agent touches it. If injection is detected, auto-drafting is blocked and the user is notified in the agent chat. Cloudflare Access JWT validation guards the entire application in production — including the MCP endpoint — so your inbox is never exposed to the open internet.
For teams that want to connect external AI tools, Agentic Inbox exposes a full Model Context Protocol (MCP) server at /mcp. Claude Code, Cursor, and other MCP-compatible clients can directly list mailboxes, read emails, search conversations, and send messages by passing a mailboxId parameter.
Architecture
Agentic Inbox follows a clear layered architecture where a single Hono-based Cloudflare Worker acts as the API and SSR boundary, delegating stateful operations to two types of Durable Objects: MailboxDO for email persistence and EmailAgent/EmailMCP for AI and MCP concerns. Each mailbox is fully encapsulated in its own Durable Object instance, meaning horizontal isolation is structural rather than enforced at the application layer. The event flow is well-defined — inbound email arrives via Cloudflare’s email handler, gets parsed and stored in the mailbox DO, then triggers the agent DO asynchronously via waitUntil. Outbound email bypasses the DO and calls the send_email binding directly. The MCP server is a third DO class that delegates all operations to the shared tools library, keeping protocol-specific logic separate from business logic. Data flow is unidirectional and the separation between routing, persistence, and AI is clean, though the large Hono router in the main worker mixes orchestration and request-parsing concerns that could benefit from route-level decomposition.
Tech Stack
The frontend is built with React 19 and React Router v7 in framework mode, server-side rendered by the Worker and hydrated on the client. TipTap handles rich text composition, Zustand manages client-side state, and TanStack Query handles server data fetching. The backend runs on Hono as the HTTP framework on top of Cloudflare Workers with Durable Objects providing per-mailbox SQLite storage via Drizzle ORM. Attachments are stored in Cloudflare R2. The AI agent uses Cloudflare’s Agents SDK (AIChatAgent), the Vercel AI SDK v6 for model streaming, Workers AI as the inference provider (running Kimi K2.5 for chat and Llama 3.1 for security scanning), and the MCP SDK for the Model Context Protocol server. Authentication is handled by Cloudflare Access with JOSE for JWT verification. Email parsing uses postal-mime and sending uses Cloudflare’s send_email binding. The build pipeline uses Vite with the Cloudflare Vite plugin and React Router’s dev/build commands.
Code Quality The codebase has no test files whatsoever — not a single spec or test runner configured, which is a notable gap for a security-sensitive application handling email. TypeScript is used throughout with strict mode enabled, and the schema definitions use Zod for runtime validation at API boundaries. Error handling is explicit in most paths: the email receiver validates sizes, checks for missing recipients, and uses try/catch with meaningful console logging. The agent’s prompt injection scanner notably fails closed — a scanner exception causes auto-drafting to be skipped rather than silently proceeding. The tools library is well-factored and shared between the conversational agent and the MCP server, avoiding duplication. SQL queries use Drizzle ORM with a whitelist-based sort column validator to prevent injection. Code style is consistent with clear inline documentation on non-obvious logic, though there are a few TODO comments indicating known gaps (e.g. draft create-then-delete not being atomic).
What Makes It Unique Agentic Inbox is genuinely novel in combining a complete email client, an AI agent with auto-draft capabilities, and a Model Context Protocol server into a single serverless deployment with zero external services beyond Cloudflare itself. The architectural decision to make each mailbox a Durable Object with its own SQLite database means the data isolation guarantees are enforced by the runtime rather than application-level access controls. The prompt injection scanner as a first-class safety layer — running before every auto-draft and scanning both the email body and the full thread context — is a thoughtful security design that is uncommon in open-source AI email tooling. The MCP endpoint turning the email client into a tool server for external AI assistants reflects an emerging pattern where self-hosted apps become composable components in larger AI workflows rather than standalone end-user applications.
Agentic Inbox is released under the Apache License 2.0, a permissive open-source license maintained by Cloudflare. You are free to use, modify, and distribute the software for any purpose — commercial or otherwise — without copyleft obligations on your own code. Attribution and inclusion of the original license notice are required when redistributing. There is no dual-licensing, no proprietary enterprise edition, and no feature gating.
Running Agentic Inbox yourself means you are responsible for provisioning and maintaining the underlying Cloudflare services: a Workers account with Durable Objects, R2 storage, Workers AI access, and Email Routing configured for your domain. Deployment is largely automated via the ‘Deploy to Cloudflare’ button, which provisions R2, Durable Objects, and AI bindings in one step. However, post-deploy you must configure Cloudflare Access (supplying POLICY_AUD and TEAM_DOMAIN secrets), set up Email Routing catch-all rules, and enable the send_email binding manually. There are no database migrations to manage manually — the app handles SQLite migrations inside Durable Objects automatically on startup.
Because this runs entirely on Cloudflare’s serverless infrastructure, there is no VPS, container, or traditional server to maintain. Uptime, global distribution, and scaling are handled by Cloudflare. The trade-off is hard dependency on Cloudflare’s ecosystem: you cannot run this on bare metal, Kubernetes, or any other cloud without substantial rewrites. There is no paid hosted version or managed SaaS offering from Cloudflare for Agentic Inbox itself — it is purely a self-deployment template. Support comes from the GitHub issue tracker and the Cloudflare community forums rather than dedicated enterprise SLAs.
Automation · Productivity · AI Assistants
Build, deploy, and run autonomous AI agents that automate complex multi-step workflows using a visual block-based graph editor.
No Code Platforms · AI Development · Developer Tools
Visual LLM workflow platform with RAG pipelines, agent capabilities, and model management for building production AI applications.
Productivity · Project Management · Collaboration
The open-source AI workspace that puts your data, your rules — with local LLMs, CRDT collaboration, and full self-hosting built in.