Skip to main content

Resend email inbox

Agentbot can receive inbound emails through a Resend webhook. Emails from approved senders are processed and forwarded to your agent for handling.

How it works

  1. A user sends an email to your Resend inbox address
  2. Resend forwards the email to POST /api/webhooks/resend
  3. Agentbot verifies the webhook signature, checks the sender against an allowlist, and applies rate limiting
  4. Approved emails are processed and made available to your agent

Setup

1

Create a Resend webhook

In the Resend dashboard, create a webhook pointing to:
https://agentbot.raveculture.xyz/api/webhooks/resend
Subscribe to the email.received event type.
2

Configure environment variables

Add the following environment variables to your deployment:
VariableRequiredDescription
RESEND_API_KEYYesYour Resend API key
RESEND_WEBHOOK_SECRETYesWebhook signing secret from the Resend dashboard
ALLOWED_SENDERSNoComma-separated list of approved sender email addresses. Defaults to the platform owner’s addresses.
OWNER_EMAILNoEmail address for security notifications
3

Test the integration

Send an email from one of the allowed sender addresses to your Resend inbox. Check the agent logs to confirm it was received and processed.

Webhook endpoint

POST /api/webhooks/resend
Receives inbound email events from Resend. This endpoint verifies the webhook signature using Svix headers and enforces a strict sender allowlist.
This endpoint is intended to be called by Resend only. You must configure the RESEND_WEBHOOK_SECRET environment variable for signature verification. When the secret is not configured, the endpoint returns 500.

Headers

HeaderRequiredDescription
svix-idYesUnique message identifier
svix-timestampYesMessage timestamp
svix-signatureYesWebhook signature for verification

Signature verification

The endpoint verifies the webhook payload using the Resend SDK’s built-in signature verification. Requests with invalid or missing signatures are acknowledged with 200 to prevent Resend from retrying.

Handled event types

EventBehavior
email.receivedValidates sender against the allowlist, applies rate limiting, fetches full email content, and forwards to the agent for processing.
Other eventsAcknowledged and logged. No further processing.

Response

The endpoint always returns 200 to prevent Resend from retrying delivery. 
{
  "received": true,
  "action": "processed"
}
action valueMeaning
processedEmail passed all checks and was forwarded to the agent
rejectedSender is not on the allowlist
rate_limitedSender exceeded the rate limit
fetch_errorEmail content could not be retrieved from Resend

Security

Sender allowlist

Only emails from addresses listed in the ALLOWED_SENDERS environment variable are processed. All other emails are rejected and logged for audit. This is a strict allowlist — there is no wildcard or domain-level matching.

Rate limiting

Each allowed sender is limited to 10 emails per hour. Emails that exceed this limit are acknowledged but not processed.

Content sanitization

Email bodies are sanitized before processing:
  • Script tags and HTML markup are stripped
  • Body text is truncated to 5,000 characters

Troubleshooting

Verify that the RESEND_WEBHOOK_SECRET environment variable is set. The endpoint cannot verify signatures without it.
Check that the sender’s email address is included in ALLOWED_SENDERS. Addresses are matched in a case-insensitive manner.
The limit is 10 emails per sender per hour. Wait for the rate limit window to reset or adjust the sending frequency.