API Overview
The API follows an action-based model, exposed through the shared /ajax.php endpoint and the f parameter.
It is designed for temporary mailbox creation, inbox synchronization, full email reading, and mailbox data management.
Quick Start
- Step 1: Call
GET /ajax.php?f=get_domainsto retrieve the available domain list. - Step 2: Call
POST /ajax.php?f=get_email_addressto create a session and a temporary email address. - Step 3 (optional): Call
POST /ajax.php?f=set_email_userto customize the username and domain. - Step 3b (optional): Call
POST /ajax.php?f=open_email_addressto reopen an existing mailbox. - Step 4: Prefer the mailbox event stream for real-time updates. If polling is needed as a fallback, call
POST /ajax.php?f=get_email_listevery 15-30 seconds. - Step 5: When opening an email, call
POST /ajax.php?f=fetch_emailto retrieve the full content. - Step 6: If attachments are present, call
POST /ajax.php?f=fetch_attachmentto download the file.
Session Authentication
After a successful get_email_address call, the system returns sid_token. This token is required for mailbox-related actions.
Security: for POST actions, send sid_token in the request body. Do not pass sid_token in the URL query string.
Responses that carry session context such as get_email_address, set_email_user, open_email_address, and
get_email_list also return session metadata so the client can track session lifetime explicitly.
| Field | Required | Description |
|---|---|---|
| sid_token | Yes | A 48-character hexadecimal string representing the active session. |
| lang | No | Optional language hint. Supported values: vi or en. |
| Session Meta in JSON Response | Type | Description |
|---|---|---|
| session_started_at | number | Unix timestamp in milliseconds when the session was created. |
| session_expires_at | number | Unix timestamp in milliseconds when the current session will expire. |
| session_ttl_minutes | number | Configured session TTL in minutes. |
| mailbox_event_token | string | Token for the real-time mailbox event stream. You can ignore it if you only poll the inbox. |
Mailbox read/download actions such as get_email_list, fetch_email, del_email, and fetch_attachment
also send the latest session metadata through response headers.
| Response Header | Type | Description |
|---|---|---|
| X-Session-Started-At | number | Unix timestamp in milliseconds when the session was created. |
| X-Session-Expires-At | number | Unix timestamp in milliseconds when the latest renewed session will expire. |
| X-Session-Ttl-Minutes | number | Session TTL in minutes. |
| X-Mailbox-Event-Token | string | Latest mailbox event token. Refresh your local copy if the client uses real-time mailbox events. |
Mailbox Events
If your tool needs near real-time inbox updates, open the SSE stream instead of polling get_email_list continuously.
The event stream is the preferred integration path for OTP, confirmation emails, and inbox-change detection.
/events/mailbox?token=MAILBOX_EVENT_TOKEN
Read mailbox_event_token from the JSON response or the X-Mailbox-Event-Token header returned by mailbox actions such as get_email_address, set_email_user, open_email_address, and get_email_list.
This connection uses Server-Sent Events. Browsers and SSE clients reconnect automatically; the server currently sends retry: 2000 to suggest reconnecting after 2 seconds.
| Query Parameter | Required | Description |
|---|---|---|
| token | Yes | The mailbox_event_token for the current mailbox session. |
| Event | When it is emitted | Main payload |
|---|---|---|
state |
Right after connect, or when watcher state changes. | email, connected, count, connected_folders, watched_folders, folders, ts, and optionally error. |
changed |
When the mailbox count changes or a new message arrives. | email, reason, connected, count, total_count, connected_folders, ts, and optionally prevCount, folder, path. |
ping |
Periodic keepalive to keep the stream active. | Same shape as state, plus ping: true. |
session_lost |
When the session expires or the token no longer matches the active mailbox. | email, ts. |
const sidToken = 'SID_TOKEN';
let mailboxEventToken = 'MAILBOX_EVENT_TOKEN';
async function refreshInbox() {
const response = await fetch('/ajax.php?f=get_email_list', {
method: 'POST',
headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
body: new URLSearchParams({ sid_token: sidToken, offset: '0' }),
});
const payload = await response.json();
mailboxEventToken = payload.mailbox_event_token
|| response.headers.get('X-Mailbox-Event-Token')
|| mailboxEventToken;
return payload;
}
const source = new EventSource(`/events/mailbox?token=${encodeURIComponent(mailboxEventToken)}`);
source.addEventListener('changed', async () => {
await refreshInbox();
});
source.addEventListener('session_lost', () => {
source.close();
// Create a new session or reopen the mailbox, then read the next mailbox_event_token.
});
source.onerror = () => {
// If SSE stays unavailable, fall back to polling get_email_list every 15-30 seconds.
};
Integration recommendation: call get_email_list when the mailbox opens, when a changed event arrives, or when SSE is unavailable. Do not keep SSE open and also run tight polling in parallel.
mailbox_event_token as a temporary credential for the current mailbox. Use it only over HTTPS, do not log the full stream URL or send it to analytics systems, do not share /events/mailbox?token=... links, and when session_lost is received you should obtain a fresh token instead of reusing the old one.
401 for an invalid token or lost session, 429 for too many SSE connections from the same IP, and 503 when event capacity is temporarily full.
Retrieve Available Domains
/ajax.php?f=get_domains
Returns the list of available domains, the default domain, and the latest domain catalog update timestamp.
{
"domains": ["mailmmo.io.vn", "tempmailmmo.com"],
"defaultDomain": "tempmailmmo.com",
"domains_updated_at": 1710000000000
}
| Response Schema | Type | Description |
|---|---|---|
| domains | string[] | List of available domains. |
| defaultDomain | string | Default domain selected when no domain is explicitly provided. |
| domains_updated_at | number | Unix timestamp in milliseconds for the latest domain catalog synchronization. |
Create a Temporary Mailbox or Restore a Session
/ajax.php?f=get_email_address
Creates a new mailbox, or restores the current session if a valid sid_token is sent in the request body.
The response also includes the current domain catalog so the client can refresh its domain selector without making a separate get_domains request.
Note: sid_token only represents a temporary access session. When the session expires, the mailbox is not immediately removed from the server and can still be reopened through open_email_address as long as that email address or domain still exists.
| Body Parameter | Required | Description |
|---|---|---|
| email_domain | No | Preferred domain. If omitted, defaultDomain is used. |
| lang | No | Session language, for example vi or en. |
| sid_token | No | Send a previous token in the request body to restore the session if it is still valid. |
{
"email_addr": "demo@tempmailmmo.com",
"email_user": "demo123",
"email_domain": "tempmailmmo.com",
"sid_token": "0123456789abcdef0123456789abcdef0123456789abcdef",
"alias": 0,
"session_started_at": 1710000000000,
"session_expires_at": 1710086400000,
"session_ttl_minutes": 1440,
"mailbox_event_token": "MAILBOX_EVENT_TOKEN",
"domains": ["mailmmo.io.vn", "tempmailmmo.com"],
"defaultDomain": "tempmailmmo.com",
"domains_updated_at": 1710000000000
}
| Response Schema | Type | Description |
|---|---|---|
| email_addr | string | Full email address in local@domain format. |
| email_user | string | The local part of the email address. |
| email_domain | string | The current domain assigned to the session. |
| sid_token | string (48 hex) | Session token used for mailbox actions. |
| alias | number | Compatibility flag, currently always 0. |
| session_started_at / session_expires_at / session_ttl_minutes / mailbox_event_token | mixed | Standard session meta fields. See Session Authentication. |
| domains / defaultDomain / domains_updated_at | mixed | Latest domain catalog fields. See get_domains. |
Retrieve the Email List
/ajax.php?f=get_email_list
Returns the email list using sid_token from the request body, with optional pagination through offset.
Prefer the mailbox event stream for real-time updates. Use this endpoint as a polling fallback only, with a recommended 15-30 second interval instead of tight continuous polling.
The response also carries the latest domain catalog so active clients can stay in sync when domains are updated.
This endpoint also renews the session and returns session metadata in both the JSON response and the response headers.
| Body Parameter | Required | Description |
|---|---|---|
| sid_token | Yes | Active session token, sent in the request body. |
| offset | No | Starting offset for retrieval. Default is 0. |
{
"list": [],
"count": 0,
"session_started_at": 1710000000000,
"session_expires_at": 1710086400000,
"session_ttl_minutes": 1440,
"mailbox_event_token": "MAILBOX_EVENT_TOKEN",
"domains": ["mailmmo.io.vn", "tempmailmmo.com"],
"defaultDomain": "tempmailmmo.com",
"domains_updated_at": 1710000000000
}
| Response Schema | Type | Description |
|---|---|---|
| list | object[] | Paginated list of emails. |
| count | number | Number of items currently returned in list. |
| session_started_at | number | Unix timestamp in milliseconds when the session was created. |
| session_expires_at | number | Unix timestamp in milliseconds when the renewed session will expire. |
| session_ttl_minutes | number | Configured session TTL in minutes. |
| mailbox_event_token | string | Latest mailbox event token after the session renewal. |
| domains | string[] | Current list of available domains. |
| defaultDomain | string | Current default domain used by the service. |
| domains_updated_at | number | Unix timestamp in milliseconds for the latest domain catalog synchronization. |
| Schema for list[] Item | Type | Description |
|---|---|---|
| mail_id | string | Email ID, for example 123 or Junk:123. |
| mail_from | string | Sender information. |
| mail_subject | string | Email subject. |
| mail_excerpt | string | Short preview of the email content. |
| mail_timestamp | string | Unix timestamp in seconds, returned as a string. |
| mail_read | number | 1 = read, 0 = unread. |
| attached | number | 1 = has attachment, 0 = no attachment. |
Set a Custom Username and Domain
/ajax.php?f=set_email_user
Updates the email address for the current session using the provided username and domain.
If force_takeover is enabled and the target email is currently held by another active session, the API returns the session that already owns that mailbox.
| Body Parameter | Required | Description |
|---|---|---|
| sid_token | Yes | Active session token. |
| email_user | Yes | Username of 3-32 characters using only a-z, 0-9, dot, underscore, or hyphen. |
| email_domain | No | Target domain. If invalid, the default domain is used. |
| force_takeover | No | Send 1 or true to take over the target email if it is currently held by another active session. |
| lang | No | Session language. Supported values: vi or en. |
{
"email_addr": "custom_name@tempmailmmo.com",
"email_user": "custom_name",
"email_domain": "tempmailmmo.com",
"sid_token": "0123456789abcdef0123456789abcdef0123456789abcdef",
"alias": 0,
"session_started_at": 1710000000000,
"session_expires_at": 1710086400000,
"session_ttl_minutes": 1440,
"mailbox_event_token": "MAILBOX_EVENT_TOKEN",
"domains": ["mailmmo.io.vn", "tempmailmmo.com"],
"defaultDomain": "tempmailmmo.com",
"domains_updated_at": 1710000000000
}
| Response Schema | Type | Description |
|---|---|---|
| email_addr | string | Updated email address after the change. |
| email_user | string | Current username. |
| email_domain | string | Current domain. |
| sid_token | string (48 hex) | Session token, unchanged. |
| alias | number | Compatibility flag, currently always 0. |
| session_started_at / session_expires_at / session_ttl_minutes / mailbox_event_token | mixed | Standard session meta fields. See Session Authentication. |
| domains / defaultDomain / domains_updated_at | mixed | Latest domain catalog fields. See get_domains. |
Reopen an Existing Mailbox
/ajax.php?f=open_email_address
Reopens an existing mailbox by its full local@domain address so you can access emails already stored in that mailbox.
Important: This endpoint does not create a new mailbox. If the mailbox has already been deleted from the server or its domain no longer exists on the server, the API returns 404 MAILBOX_NOT_FOUND.
The response includes the reopened session data together with the latest domain catalog.
| Body Parameter | Required | Description |
|---|---|---|
| email_addr | Yes | Mailbox address to reopen, for example test@tempmailmmo.com. |
| force_takeover | No | Send 1 or true to take over the mailbox if it is currently held by another session. |
| sid_token | No | Current session token, used to prioritize resume or takeover in the current context. |
| lang | No | Session language. Supported values: vi or en. |
{
"email_addr": "old_mailbox@tempmailmmo.com",
"email_user": "old_mailbox",
"email_domain": "tempmailmmo.com",
"sid_token": "0123456789abcdef0123456789abcdef0123456789abcdef",
"alias": 0,
"session_started_at": 1710000000000,
"session_expires_at": 1710086400000,
"session_ttl_minutes": 1440,
"mailbox_event_token": "MAILBOX_EVENT_TOKEN",
"domains": ["mailmmo.io.vn", "tempmailmmo.com"],
"defaultDomain": "tempmailmmo.com",
"domains_updated_at": 1710000000000
}
| Response Schema | Type | Description |
|---|---|---|
| email_addr | string | Reopened mailbox address. |
| email_user | string | Local part of the reopened mailbox. |
| email_domain | string | Domain of the reopened mailbox. |
| sid_token | string (48 hex) | Session token used for mailbox actions. |
| alias | number | Compatibility flag, currently always 0. |
| session_started_at / session_expires_at / session_ttl_minutes / mailbox_event_token | mixed | Standard session meta fields. See Session Authentication. |
| domains / defaultDomain / domains_updated_at | mixed | Latest domain catalog fields. See get_domains. |
| Common Error | HTTP | Description |
|---|---|---|
| Mailbox not found on server | 404 | The mailbox has been deleted or no longer exists on the server. |
| Email address is already in use by another session | 409 | The mailbox is currently in use by another session and takeover is not enabled. |
Retrieve Email Details
/ajax.php?f=fetch_email
Returns the full email content by email_id, including the HTML body and the attachment list.
The response headers also include the latest session metadata. See Session Authentication for the X-Session-* and X-Mailbox-Event-Token headers.
| Body Parameter | Required | Description |
|---|---|---|
| sid_token | Yes | Active session token, sent in the request body. |
| email_id | Yes | Email ID taken from list[].mail_id. |
{
"mail_id": "123",
"mail_from": "Example Sender <sender@tempmailmmo.com>",
"mail_subject": "Your OTP",
"mail_body": "<html>...</html>",
"mail_timestamp": "1710000000",
"mail_attachments": [
{
"name": "otp.pdf",
"size": 20480,
"type": "application/pdf"
}
]
}
| Response Schema | Type | Description |
|---|---|---|
| mail_id | string | Email ID. |
| mail_from | string | Sender information. |
| mail_subject | string | Email subject. |
| mail_body | string (HTML) | Processed email body in HTML format. |
| mail_timestamp | string | Unix timestamp in seconds, returned as a string. |
| mail_attachments | object[] | List of attachments. |
| Schema for mail_attachments[] Item | Type | Description |
|---|---|---|
| name | string | File name. |
| size | number | File size in bytes. |
| type | string | MIME type of the file. |
Download an Attachment
/ajax.php?f=fetch_attachment
Downloads a binary attachment from a specific email. The API returns the file content directly.
Because the response body is binary, the latest session metadata is delivered through response headers. See Session Authentication.
| Body Parameter | Required | Description |
|---|---|---|
| sid_token | Yes | Active session token. |
| email_id | Yes | Email ID taken from the email list or from fetch_email. |
| file_name | Yes | Name of the file to download, matching the name field in mail_attachments. |
curl -X POST "https://your-domain.com/ajax.php?f=fetch_attachment" \ -H "Content-Type: application/x-www-form-urlencoded" \ --data "sid_token=YOUR_SID_TOKEN&email_id=123&file_name=otp.pdf" \ --output otp.pdf
| Response Result | Value | Description |
|---|---|---|
| Body | binary | Attachment file content. |
| Content-Type | application/octet-stream | Download content type. |
| Content-Disposition | attachment | Forces the browser to download the file. |
Delete Emails
/ajax.php?f=del_email
Deletes a single email or multiple emails by ID list.
This endpoint also renews the session and sends the latest session metadata through response headers. See Session Authentication.
| Body Parameter | Required | Description |
|---|---|---|
| sid_token | Yes | Active session token, sent in the request body. |
| email_id or email_ids[] | No | Email IDs to delete. If omitted, the API returns deleted: 0. |
{
"deleted": 1
}
| Response Schema | Type | Description |
|---|---|---|
| deleted | number | Number of emails deleted successfully. |
Limits and Integration Notes
| Item | Value | Notes |
|---|---|---|
| HTTP method for mailbox actions | POST | Mailbox actions called with GET are rejected with 405. |
| sid_token format | 48 hex characters | Example: 012345...abcdef. |
| offset | 0 to 1,000,000 | Values outside the range are clamped by the server. |
| Email list page size | Maximum 500 (default 50) | Depends on server configuration. |
| Number of email_id values for del_email | Maximum 100 IDs/request | Server-side protection against abuse. |
| Attachment download size | Maximum 5MB | Returns 413 when exceeded. |
| Global rate limit | Subject to server configured | Exceeding the limit returns 429 with Retry-After. |
| Session creation rate limit | Subject to server configured | Applies to new mailbox and session creation flows. |
| Active mailbox sessions | Subject to server configured | Older sessions may be evicted to make room for new ones when the threshold is reached. |
| Session lifetime | Server-configured | Use session_expires_at in the response to track the effective expiry time. |
Common Error Codes
sid_token or an expired session.Retry-After.
Recommendation: Wrap all requests with a 10-15 second timeout, use retry backoff for network errors,
and recreate the session whenever you receive 401.
Some business-level errors may include a more specific code, for example:
{"error":"Mailbox not found on server","code":"MAILBOX_NOT_FOUND"}.
Sample Errors by Endpoint
All errors are returned as JSON: {"error":"..."}. This section keeps only endpoint-specific cases with extra integration meaning.
# get_email_list - missing sid_token
POST /ajax.php?f=get_email_list
=> HTTP 401
{"error":"Missing or invalid sid_token"}
# set_email_user - email already used by another session
POST /ajax.php?f=set_email_user
=> HTTP 409
{"error":"Email address is already in use by another session"}
# open_email_address - mailbox deleted on the server
POST /ajax.php?f=open_email_address
=> HTTP 404
{"error":"Mailbox not found on server","code":"MAILBOX_NOT_FOUND"}
cURL Examples by Flow
# 1) Create a session curl -X POST "https://your-domain.com/ajax.php?f=get_email_address" \ -H "Content-Type: application/x-www-form-urlencoded" \ --data "email_domain=mailmmo.io.vn&lang=en" # 2) Retrieve the email list curl -X POST "https://your-domain.com/ajax.php?f=get_email_list" \ -H "Content-Type: application/x-www-form-urlencoded" \ --data "sid_token=YOUR_SID_TOKEN&offset=0" # 2b) Reopen an existing mailbox to read emails curl -X POST "https://your-domain.com/ajax.php?f=open_email_address" \ -H "Content-Type: application/x-www-form-urlencoded" \ --data "email_addr=oldbox@mailmmo.io.vn&force_takeover=1&lang=en" # 3) Retrieve the details of one email curl -X POST "https://your-domain.com/ajax.php?f=fetch_email" \ -H "Content-Type: application/x-www-form-urlencoded" \ --data "sid_token=YOUR_SID_TOKEN&email_id=123" # 4) Delete one email curl -X POST "https://your-domain.com/ajax.php?f=del_email" \ -H "Content-Type: application/x-www-form-urlencoded" \ --data "sid_token=YOUR_SID_TOKEN&email_ids[]=123"