Your agent should read your mail.
Not your life.
Connect your inbox once and decide exactly what an AI agent may see — which mail, whether it gets message text, whether it gets attachments. Your agent gets one endpoint. Everything you didn't grant simply isn't there.
The raw inbox never reaches you. Only the scopes you asked for do.
Masked at the edge, stamped by category, routed by grant. Flip a scope below and watch its rows get recalled — that's revocation, live.
- no scopes granted — nothing crosses
Everything important still lands in email.
Receipts, boarding passes, invoices, contracts, sign-in codes, the message from your landlord. The inbox is the closest thing your life has to an API — which is why an agent that can't see it keeps asking you to copy-paste, and an agent that can see all of it is a different kind of problem.
The catalog Thread classifies every email into — and the vocabulary every grant is written in.
So today the choice is everything — or nothing.
- Paste your passwordThe agent’s config now holds a credential that opens everything — mail, contacts, recovery. Forever. Revoking means changing your password.
- “Sign in with Google”One checkbox: read all of it. Your OTPs, your lawyer, your medical results — sitting in the context window of a model that follows instructions it finds in email.
- Forward it by handYou become the API. It works until Tuesday, then you stop, and the agent goes blind again.
The most useful thing you can hand an agent is also the most dangerous.
Trust isn't a promise. It's what the system cannot do.
Narrow, named, returnable.
You grant categories, senders, subjects — in plain words. Every line is visible in your panel, editable, revocable in one tap. Grants expire by default.
Rules decide. AI only labels.
A small model tags each email once — from its sender and subject line, never the body. Then a deterministic engine decides every single read. Same input, same answer, every access audited.
Nothing worth stealing.
Per email, Thread stores three things: the id, the sender, the labels. No subjects, no bodies, no attachments at rest — content is fetched live at the moment your agent asks, and message text is delivered masked, personal details redacted.
message id
sender address
labels
subjects · bodies
attachments
raw anything
For the agent, it's one call.
$ curl -H "Authorization: Bearer thread_sk_…" /emails▍
{ "emails": [{ "id": "19f36c29307f49c4", "from": "billing@anthropic.com", "subject": "Your July invoice", "labels": ["financial", "invoice"], "attachments": [{ "name": "invoice.pdf", "type": "application/pdf" }] }]}Every call returns what's new since the agent's last one — already filtered to the grant, message text masked, attachments downloadable when allowed. And mail outside the grant isn't denied — it's absent. No error to handle, no scope to negotiate, nothing to probe. Silence, by design.
It already speaks agent.
Drop the thread-mail skill into your agent and it knows the whole surface — the feed loop, attachments, masked bodies, and why an empty answer is an answer.
github.com/JoinThread/thread-skills→Mint a key in your panel and it hands you a ready-made prompt — paste it into your agent and it's reading granted mail on the next run.
Mint an agent key→“The right to read someone's mail should be narrow, named, and returnable. Thread exists so it always is.”
Give your agent your mail.
Keep your life.
Connect an inbox, decide what your agent may read, mint a key. Five minutes, and the first request lights up your panel.