1. Webhook
InboxKit
  • Introduction
  • Order
    • Place Order
      POST
  • Webhook
    • Webhook Integration & Signature Verification
      POST
    • Event: Domain Status Changed
      POST
    • Event: Mailbox Status Changed
      POST
    • Events: OAuth Consent & Client ID Changes
      POST
  • Account
    • Get account details
      GET
  • Workspaces
    • List workspaces
      GET
    • Get workspace details
      GET
    • Create workspace
      POST
    • Update workspace
      PUT
    • Delete workspace
      DELETE
    • Update workspace webhook
      POST
  • Domains
    • Domain Renewals
    • Search available domains
      POST
    • Check if domain is banned from registration
      GET
    • Check domain availability
      GET
    • Register domains
      POST
    • List domains
      POST
    • List assignable domains
      GET
    • Remove domains
      POST
    • Set domain forwarding
      POST
    • Set catch-all email
      POST
    • Remove catch-all email
      DELETE
    • Get nameservers for domain connection
      POST
    • Check nameservers propagation
      POST
    • Check Workspace Availability
      POST
    • Set DMARC Configuration
      POST
    • Remove DMARC Configuration
      DELETE
    • Regenerate Domain Nameservers
      POST
    • Request Domain Renewal
      POST
    • Check Renewal Status
      GET
  • Cloudflare Domains
    • Connect Cloudflare Domains
    • List Connected Cloudflare Domains
    • Get Domain Details
    • Disconnect Cloudflare Domains
    • List Cloudflare Zones
  • Mailboxes
    • List mailboxes
    • Add or update signature for mailboxes
    • Delete signature for mailboxes
    • Show mailbox credentials
    • Get mailbox details
    • Buy mailboxes
    • Check mailbox status
    • Cancel mailboxes
    • Update mailbox
    • Update mailbox profile picture
    • Generate TOTP
    • Change username
    • Change password
    • Check mailbox availability
    • Get Failure Reason
    • Uncancel mailboxes
  • DNS
    • Get DNS records
    • Add DNS records
    • Update DNS records
    • Delete DNS records
  • Sequencers
    • Export mailboxes status
    • List sequencer platforms
    • Get sequencer tags
    • List sequencers
    • Export mailboxes
    • Add sequencer
    • Update sequencer
    • Delete sequencers
  • Billing
    • Get pricing plans
    • Get subscription details
    • Change subscription plan
    • Cancel subscription
    • Get wallet details
    • Add credits to wallet
    • Update auto top-up settings
    • Get billing portal link
  • Warmup
    • List Warmup Subscriptions
    • Get Warmup Subscription Details
    • Add Warmup to Mailboxes
    • Pause Warmup for Mailboxes
    • Resume Warmup for Mailboxes
    • Cancel Warmup for Mailboxes
    • Get Warmup Statistics
    • Get Warmup Pricing
  • Client ID Requests
    • Initiate Client ID Request
    • Get Client ID Request Status
    • List Client ID Requests
  • Mailbox Forwarding
    • Setup Email Forwarding
    • Update Email Forwarding
    • Remove Email Forwarding
    • List Forwarding Jobs
  • Consent Request
    • Initiate Consent Request
    • Get Consent Request Status
    • List Consent Requests
  • Tags
    • Assign tags to domains or mailboxes
    • Get all tags
    • Create a new tag
    • Delete a tag
  • Prewarm
    • Search Domains
    • Search Mailboxes
    • Buy Prewarmed Mailboxes
    • Check Order Status
    • Check Availability
  • Inbox Placement
    • Tests
      • Create Test
      • List Tests
      • Get Test Results
    • Scheduled Tests
      • List Scheduled Tests
      • Get Scheduled Test
      • Pause Scheduled Test
      • Resume Scheduled Test
      • Delete Scheduled Test
  • InfraGuard
    • InfraGuard - Subscriptions
      • List protected domains
      • Get subscription details
      • Enable InfraGuard for domains
      • Cancel InfraGuard for domains
      • Get workspace statistics
      • Get pricing info
    • InfraGuard - Monitoring
      • Get blacklist check history
      • Get DNS check history
      • Get current bounce metrics
      • Get bounce check history
    • InfraGuard - Settings
      • Update subscription settings
      • Trigger manual check
    • InfraGuard - Alerts
      • List alerts
      • Acknowledge an alert
      • Resolve an alert
    • InfraGuard - Action Items
      • List action items
      • Get action item statistics
      • Resolve an action item
      • Dismiss an action item
  • Email Insight
    • Email Insights - Workspace
      • Get Workspace Overview
      • Get Mailboxes Health
      • Get High Bounce Mailboxes
      • Get Workspace Activity
    • Email Insights - Mailbox
      • Get Mailbox Stats
      • Get Mailbox Deliverability
      • Get Mailbox Health
      • Get Mailbox Trends
      • Get Mailbox Activity
      • Get Mailbox Bounce Events
      • Get Mailbox Top Recipients
      • Get Mailbox Top Recipient Domains
      • Get Mailbox Message Breakdown
      • Get Mailbox Subject Analysis
  • Domain Renewals
  • Schemas
    • Schemas
      • WebhookPayload
      • DomainStatusWebhook
      • Tag
      • DomainEventData
      • MailboxStatusWebhook
      • MailboxEventData
      • Domain
      • Mailbox
      • ChangeDetails
      • WebhookResponse
      • ErrorResponse
  1. Webhook

Event: Mailbox Status Changed

POST
https://api.inboxkit.com/webhook
Maintainer:Not configured

Event: mailbox.status_changed#

Fires whenever a mailbox transitions to a new lifecycle status — from initial provisioning all the way through to cancellation.
🔗 For the shared HTTP contract, headers, signature verification, and retry logic, see the Webhook Integration & Signature Verification page.

🔴 Security — read this first#

The mailbox payload contains decrypted mailbox credentials as plaintext:
password — main mailbox login password
app_password — application-specific password
secret — secret key for 2FA / secondary auth
These fields are transmitted because many customers need them to provision downstream sequencers. This is a deliberate product choice and it creates real security obligations on your side:
1.
Use an HTTPS webhook endpoint. The mailbox payload is plaintext credentials — TLS is the only thing that protects them in transit. We strongly recommend never configuring a plain HTTP URL for an integration that receives mailbox events.
2.
Treat your webhook endpoint as a secrets-handling endpoint. Restrict access, review who can read its logs, apply the same controls you'd apply to a password vault.
3.
Never log these fields. Not in application logs, not in error tracking (Sentry, Datadog), not in nginx access logs.
4.
Store them encrypted at rest on your side, with an encryption key that is rotated separately from your application code.
5.
Clear plaintext from memory as soon as you've persisted the encrypted copy. Don't keep the decrypted values in long-lived objects.
6.
Rotate immediately if leaked. Use the mailbox management API to push a new password if you suspect exposure.
OAuth refresh_token values are intentionally excluded from webhook payloads for security reasons. If you need them, use the authenticated mailbox read API instead.

Applies to#

ScopeValue
ProvidersAll InboxKit-managed mailboxes. data.mailbox.platform is currently one of GOOGLE, MICROSOFT, AZURE, or SMTP.
TriggerAny significant change to mailbox.status.
Typical cadenceDelivered to your endpoint within approximately 30 seconds of the status change.
Forward-compatibility tip. InboxKit may add new platform values in the future. When you switch on data.mailbox.platform, always include a default branch so an unknown platform logs a warning instead of crashing your handler.

Headers (reminder)#

POST /your-path HTTP/1.1
Content-Type: application/json
User-Agent: InboxKit-Webhook/1.0
X-InboxKit-Event: mailbox.status_changed
X-InboxKit-Timestamp: 2024-01-10T16:45:30.456Z
X-InboxKit-Signature: sha256=<hex>

Payload envelope#

{
  "event": "mailbox.status_changed",
  "timestamp": "<ISO 8601 UTC>",
  "team_id": "<your team uid>",
  "team_name": "<your team name>",
  "data": {
    "mailbox": { /* see fields below */ },
    "metadata": { /* see fields below */ }
  }
}

data.mailbox fields#

Every field InboxKit sends in a mailbox.status_changed webhook is listed below.
FieldTypeNullableDescription
uidstringnoUnique, stable identifier for this mailbox. Use this as your idempotency key.
emailstringnoFull email address (computed as ${username}@${domain_name}).
usernamestringnoLocal-part of the email address.
first_namestringno (may be empty)First name on the mailbox.
last_namestringno (may be empty)Last name on the mailbox.
profile_picturestringno (may be empty)URL to profile picture, or "" if not set.
statusenumnoNew status. See the status reference table below.
previous_statusstring | nullyesPrevious status before this transition, if known.
platformenumnoGOOGLE, MICROSOFT, AZURE, or SMTP. New values may be added in the future.
renewal_dateISO 8601 | nullyesWhen the mailbox subscription is next due for renewal.
renewal_statusenumnona | pending | completed | failed | cancelled | permanent_failure.
is_adminbooleannoWhether this mailbox has admin privileges on its Workspace tenant.
passwordstringno🔴 DECRYPTED main mailbox password. See security section above.
app_passwordstringno🔴 DECRYPTED application-specific password (e.g. for SMTP sending).
secretstringno🔴 DECRYPTED secret key for 2FA or secondary auth.
is_add_onbooleannoWhether this is an add-on mailbox (piggy-backed on an existing Workspace).
Not included: refresh_token is intentionally omitted from the payload. If you need it, fetch it via the authenticated API.

data.metadata fields#

FieldTypeDescription
updated_atISO 8601When the mailbox document was last updated in InboxKit's database.
workspace_idstringInternal workspace identifier.
domain_idstringInternal identifier of the domain the mailbox belongs to.
domain_namestringThe full domain name the mailbox belongs to (same as the part after @ in email).

Status value reference#

Every status listed below will trigger a mailbox.status_changed webhook when a mailbox transitions to it.

Pre-active lifecycle#

StatusWhat it means
pendingInitial state — mailbox has been requested but provisioning hasn't started.
processingGeneric "work in progress" state.
waiting_for_dns_propagationMailbox is waiting on DNS records on its domain to propagate.
waiting_for_activation_emailWaiting for the provider's activation email (Microsoft).
activation_email_receivedActivation email received; moving on to configuration.
configuring_workspaceGoogle/Microsoft workspace-level setup in progress.
configuring_dnsApplying mailbox-specific DNS records (MX/SPF/DKIM).
configuring_dkimGenerating and publishing DKIM keys.
configuring_authFinal authentication setup (OAuth consent, app passwords, etc.).
finalizing_setupLast-mile tasks before the mailbox goes active.

Active lifecycle#

StatusWhat it means
activeMailbox is live and ready to send/receive. Credentials in this payload are current.
inactiveMailbox exists but is currently paused.
scheduledScheduled to become active at a future time.

Terminal / failure states#

StatusWhat it means
suspendedMailbox has been suspended (admin action or provider-side).
failedProvisioning or a state transition failed. Check previous_status for context.
renewal_failedThe mailbox's subscription renewal (billing) failed. Typically appears alongside renewal_status: "failed". Surface this to your billing flow so the customer can retry payment.
scheduled_for_cancellationCustomer cancelled; mailbox will be cancelled soon.
cancelledSubscription cancelled.
archivedMailbox has been archived but retained.
deletedFully removed from InboxKit. Terminal state.

Example receiver (Node.js)#

Examples#

Use the selector on the right-hand side to see different realistic transitions.

Request

Authorization
Provide your bearer token in the
Authorization
header when making requests to protected resources.
Example:
Authorization: Bearer ********************
Header Params

Body Params application/json

Examples

Responses

🟢200OK
application/json
Webhook received successfully. InboxKit will mark the delivery as complete and will not retry.
Body

🟠400Bad Request
🟠401Unauthorized
🔴500Server Error
Request Request Example
Shell
JavaScript
Java
Swift
cURL
curl --location --request POST 'https://api.inboxkit.com/webhook' \
--header 'X-InboxKit-Signature: sha256=b0344c61d8db38e0f469e85fc6e8c055e0742e8d9a9c5a9e8e4d3f7c5a8b9c0d' \
--header 'X-InboxKit-Event: domain.status_changed' \
--header 'X-InboxKit-Timestamp: 2024-01-10T15:30:45.123Z' \
--header 'User-Agent: InboxKit-Webhook/1.0' \
--header 'Authorization: Bearer <token>' \
--header 'Content-Type: application/json' \
--data-raw '{
    "event": "mailbox.status_changed",
    "timestamp": "2024-01-10T16:45:30.456Z",
    "team_id": "ABC-123-DEF-TEAM",
    "team_name": "Marketing Team",
    "data": {
        "mailbox": {
            "uid": "ABC-123-DEF-MAILBOX",
            "email": "[email protected]",
            "username": "jane.doe",
            "first_name": "Jane",
            "last_name": "Doe",
            "profile_picture": "",
            "status": "active",
            "previous_status": "configuring_auth",
            "platform": "GOOGLE",
            "renewal_date": "2025-01-10T00:00:00.000Z",
            "renewal_status": "na",
            "is_admin": false,
            "password": "Mb!xyzAB8921",
            "app_password": "app-Xy9!pq7M",
            "secret": "",
            "is_add_on": false
        },
        "metadata": {
            "updated_at": "2024-01-10T16:45:30.456Z",
            "workspace_id": "ABC-123-DEF-WORKSPACE",
            "domain_id": "ABC-123-DEF-DOMAIN-ID",
            "domain_name": "yourdomain.com"
        }
    }
}'
Response Response Example
200 - Success
A minimal 200 response body is enough. The body content is not inspected by InboxKit — any 2xx status code counts as success.
{
  "received": true,
  "message": "Webhook processed successfully"
}
Modified at 2026-04-11 14:36:35
Previous
Event: Domain Status Changed
Next
Events: OAuth Consent & Client ID Changes
Built with