mail.testtau.com — Disposable email
Send mail to any address at mail.testtau.com; read it in your browser or wait for it from CI.
Quick start
Pick a name. Tell your application to send mail to <name>@mail.testtau.com. Open the inbox UI to read it:
https://mail.testtau.com/i/<name>
Example address:
checkout-qa@mail.testtau.com
Wait from automation
The wait endpoint long-polls for up to 15 seconds and returns the newest matching message.
curl "https://mail.testtau.com/i/checkout-qa/api/wait?timeout=15000&subject=Verify&text=884201"
Supported filters are from, to, subject, preview, text, hasAttachments, and after (epoch milliseconds). Use timeout=0 for an immediate check.
Quota
Anonymous public inboxes currently store up to 100 messages at a time. When an inbox is full, new inbound mail is rejected until messages are deleted or the inbox is wiped.
curl "https://mail.testtau.com/i/checkout-qa/api/quota"
Public mail also has abuse guardrails: HTTP inbox API calls are rate-limited per client IP, and inbound email is rate-limited per sender domain, sender address, and recipient inbox. Paid/private teams will get higher workspace-level limits later.
Signed-in private sender mail
Free accounts can register one sender email on the account page and generate a mail API key. When TestTau receives mail from that sender, it stores the message in a private inbox instead of the anonymous public inbox.
# Sender: you@example.com
# Recipient can still be any TestTau inbox address:
login-smoke@mail.testtau.com
# Private browser viewer:
https://mail.testtau.com/private/i/login-smoke
# Private API access:
curl -H "Authorization: Bearer $TESTTAU_KEY" \
"https://mail.testtau.com/private/i/login-smoke/api/list"
The API key is sent in an HTTP header or pasted into the browser unlock prompt. It does not need to appear in the URL.
Read and clean up
curl "https://mail.testtau.com/i/checkout-qa/api/list"
curl "https://mail.testtau.com/i/checkout-qa/api/message/<messageId>"
curl -X DELETE "https://mail.testtau.com/i/checkout-qa/api/message/<messageId>"
curl -X DELETE "https://mail.testtau.com/i/checkout-qa/api/all"
Deleting a message removes its Durable Object row plus the raw .eml and attachment blobs from R2.
What's captured
- Full .eml file, downloadable.
- Plain-text body, HTML body (rendered in a sandboxed iframe by default).
- Attachments up to 2 MiB each, max 10 per message.
- Message size capped at 25 MiB (Cloudflare Email Routing limit).
Retention
Messages are deleted by the inbox Durable Object cleanup alarm 48 hours after they arrive. Manual delete and wipe remove both metadata and R2 blobs immediately. A bucket lifecycle backstop may be added later, but the worker cleanup path is the source of truth.
Address parsing
Gmail-style +tag suffixes are stripped for routing: qa+signup@mail.testtau.com and qa@mail.testtau.com land in the same inbox qa.
Security
Inbox names are public bearer secrets: anyone who knows the name can read and delete messages in that inbox. Do not use TestTau mail for production accounts, password resets, real customer data, or long-lived secrets.
HTML bodies render in a sandboxed iframe with no script execution, no same-origin access, and no top-level navigation. Attachments are served with Content-Disposition: attachment and X-Content-Type-Options: nosniff.
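Because the inbox name is the only secret, a guessable name such as checkout-qa is readable by anyone. The shell functions below are an added example, not TestTau's own code: they give each CI run an inbox name carrying 128 random bits, show why that randomness must not go in a +tag, and wipe the inbox when the check is done. It assumes the service accepts 44-character names made of lowercase letters, digits and hyphens; the trigger command passed to check_mail is hypothetical.

```shell
#!/bin/sh
BASE="https://mail.testtau.com"

# Inbox name with 128 bits from the kernel CSPRNG, hex-encoded.
# Assumption: names of this length and character set are accepted.
new_inbox() {
    rand=$(od -An -N16 -tx1 /dev/urandom | tr -d ' \n')
    printf '%s-%s\n' "$1" "$rand"
}

# Inbox an address routes to, per the "Address parsing" rule:
# drop the domain, then strip any +tag suffix.
# inbox_of "qa+<random>@mail.testtau.com" is still "qa", so a random
# +tag gives no isolation; the random part must come before any "+".
inbox_of() {
    lp=${1%%@*}
    printf '%s\n' "${lp%%+*}"
}

# Usage: check_mail <subject> <trigger command...>
# The trigger command (hypothetical) makes the application under test
# send mail; it receives the fresh address as its last argument.
check_mail() {
    subject=$1; shift
    inbox=$(new_inbox ci)
    "$@" "${inbox}@mail.testtau.com"
    rc=0
    # -G with --data-urlencode keeps subjects containing spaces or "&" intact.
    curl -sS -G "$BASE/i/$inbox/api/wait" \
        --data-urlencode "timeout=15000" \
        --data-urlencode "subject=$subject" || rc=$?
    # Wipe immediately instead of leaving the message for the 48 h retention.
    curl -sS -X DELETE "$BASE/i/$inbox/api/all" >/dev/null || true
    return "$rc"
}
```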
Limits
| Limit | Value |
| --- | --- |
| Message size | 25 MiB |
| Attachment size | 2 MiB |
| Attachments per message | 10 |
| Stored messages per inbox | 100 |
| Signed-in private senders | 1 sender email per account |
| HTTP API rate limit | 120 requests/minute per IP |
| Inbound sender limit | 100 messages/hour per sender address |
| Inbound domain limit | 500 messages/hour per sender domain |
| Retention | 48 h |