NeoMail exposes two main HTTP surfaces:
- Browser/session routes under
/api/* - Programmatic REST routes under
/api/v1/*
Programmatic routes support:
Authorization: Bearer <token>X-API-Key: <token>
API keys are:
- created per user
- displayed once
- stored hashed
- revocable
- scope-limited
- audited with last-used tracking
mail:readmail:writedrafts:writesend:writesettings:readsettings:writeai:usemcp:accessprivacy:readprivacy:write
/api/v1/auth/me/api/v1/mail/accounts/api/v1/mail/threads/api/v1/mail/search/api/v1/mail/drafts/api/v1/mail/send/draft/:draftId/api/v1/mail/ai/*/api/v1/settings/api/v1/privacy/profiles/api/v1/privacy/exposures/api/v1/privacy/scan/api/v1/privacy/scans/:scanId/api/v1/privacy/exposures/:exposureId/remove/api/v1/privacy/removals