Skip to main content

Security

email-connector is designed around a principle: minimize what we store, encrypt what we must, and make everything auditable.

Authentication

email-connector uses OAuth 2.0 with PKCE (S256) — the same pattern used by mobile apps and single-page applications. Your email credentials are never shared with Claude directly.
LayerImplementation
OAuth flowAuthorization Code with PKCE (RFC 7636)
Challenge methodS256 (SHA-256)
Token typeBearer, 30-day expiry
Client authclient_secret_post
CSRF protectionRequired state parameter

Credential Protection

LayerDetail
Encryption at restAES-256-GCM
Transport encryptionTLS 1.3 (HTTPS everywhere)
Memory handlingCredentials decrypted only during active IMAP sessions, cleared immediately after
LoggingCredentials are never written to application logs or error output
Storage isolationCredentials stored separately from session data

App Passwords

email-connector only uses app-specific passwords — never your main account password. App passwords:
  • Are scoped to email access only — they cannot modify account settings, change passwords, or access other services
  • Can be revoked at any time from your provider’s security settings without affecting your main password
  • Are separate from your login credentials and designed for third-party tool access
  • Vary by provider: 16 characters (Apple, Microsoft, Yahoo) or 32 characters (Fastmail)

Email Data Handling

  • Email content is never stored or cached by email-connector
  • Emails are retrieved in real-time over IMAP, processed in memory, and returned to Claude
  • No email content is persisted to disk, database, or any storage medium
  • Each IMAP request opens and closes its own isolated connection

IMAP Session Lifecycle

Request from Claude arrives (with Bearer token)
→ Token validated against credential store
→ Credentials decrypted from AES-256-GCM store (in memory only)
→ IMAP connection opened to your email provider
→ Operation performed (read / search / move / etc.)
→ Results returned to Claude
→ IMAP connection closed
→ Credentials cleared from memory

Security Headers

All responses include hardened HTTP headers:
HeaderValue
Strict-Transport-Securitymax-age=63072000; includeSubDomains
X-Frame-OptionsDENY
X-Content-Type-Optionsnosniff
Referrer-Policyno-referrer
X-Powered-ByDisabled

CORS

Requests are only accepted from:
  • https://claude.ai
  • https://claude.com
  • https://email-connector.fly.dev
  • https://connectmyemail.com
All other origins are rejected.

Revoking Access

To disconnect your email from Claude:
  1. Go to your email provider’s security settings
  2. Delete the app-specific password you created for Claude
  3. Access is revoked immediately — no action needed on the email-connector side
You can also revoke the OAuth token via POST /oauth/revoke, but deleting the app password is the most definitive way to cut access.

Open Source

The entire codebase is open source under the MIT license. Audit the code, self-host it, or contribute.

View on GitHub

github.com/zacslost/email-connector

Reporting Vulnerabilities

Report security vulnerabilities via GitHub Security Advisories or email privacy@connectmyemail.com. Do not disclose security issues publicly before they’ve been addressed. We acknowledge reports within 48 hours and aim to remediate within 7 business days.