How Inboxed works

A plain-English explanation of what happens when you use Inboxed — technically accurate, no jargon.

01

You connect Gmail with read-only access

When you click "Scan my inbox", you're redirected to Google's own login screen. You grant Inboxed read-only access using the official gmail.readonly OAuth scope. This is the same permission Gmail uses for its own unsubscribe button. We never see your password. Google handles authentication entirely.

Technical note: OAuth 2.0 with gmail.readonly scope. Token stored in an encrypted session cookie, revoked after use.

02

We read email headers — never content

The Gmail API returns email metadata when requested in "metadata" format. This includes the From header (who sent it) and the List-Unsubscribe header (how to opt out). The body, subject line, attachments, and all other content are technically excluded from the API response. We never see them.

Technical note: messages.get with format=metadata and metadataHeaders=['List-Unsubscribe','From']. No message content is requested or received.

03

We build a deduplicated list of senders

From up to 300 recent inbox emails, we extract every unique sender domain that publishes a List-Unsubscribe header. If you received 20 emails from the same newsletter, it appears once. You see the full list before paying anything.

Technical note: Map deduplication by sender domain. Sorted by unsubscribe method — one-click HTTP first, mailto second.

04

You pay once — we send opt-out requests to all

After payment, Inboxed sends opt-out requests to every sender using the URL or email address they published in the List-Unsubscribe header. For senders using RFC 8058 one-click unsubscribe, a single HTTP POST is all it takes. For mailto-only senders, a pre-written unsubscribe email is sent.

Technical note: HTTP POST with body "List-Unsubscribe=One-Click" per RFC 8058. Legal basis: GDPR Article 21, CAN-SPAM Section 5.
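Steps 02 to 04 as an added example (not Inboxed's own code): it takes metadata-format messages, keeps one entry per sender domain, and sorts HTTP targets ahead of mailto. The function names and sample messages are hypothetical. Two assumptions are labelled in the comments: header URLs are treated as untrusted input, so only https URLs with a non-IP host are accepted, and any such URL counts as an HTTP candidate because the List-Unsubscribe-Post header that RFC 8058 uses to signal one-click is not in the header list given above.

```javascript
// Helper that builds a constructed message in Gmail's payload.headers shape.
function msg(from, unsub) {
  const headers = [{ name: 'From', value: from }];
  if (unsub) headers.push({ name: 'List-Unsubscribe', value: unsub });
  return { payload: { headers } };
}
// Constructed sample data, not real mail.
const SAMPLE = [
  msg('Shop News <news@shop.example>', '<mailto:unsub@shop.example>, <https://shop.example/u/1>'),
  msg('Shop News <news@shop.example>', '<https://shop.example/u/2>'),
  msg('digest@list.example', '<mailto:leave@list.example?subject=unsubscribe>'),
  msg('Promo <promo@odd.example>', '<https://127.0.0.1/admin>, <mailto:off@odd.example>'),
  msg('bob@person.example', null), // no List-Unsubscribe header: skipped
];
function header(m, name) {
  const hit = m.payload.headers.find(x => x.name.toLowerCase() === name.toLowerCase());
  return hit ? hit.value : null;
}
function senderDomain(from) {
  const addr = (from.match(/<([^>]+)>/) || [null, from])[1];
  return addr.slice(addr.lastIndexOf('@') + 1).trim().toLowerCase();
}
// Assumption: a minimal allow-check. It does not resolve DNS, so a hostname
// that points at an internal address still needs a check at connect time.
function isSafeHttps(uri) {
  try {
    const u = new URL(uri);
    const ipLiteral = /^[\d.]+$/.test(u.hostname) || u.hostname.startsWith('[');
    return u.protocol === 'https:' && !ipLiteral && u.hostname !== 'localhost';
  } catch { return false; }
}
// The header value is a comma-separated list of <URI> entries.
function pickMethod(value) {
  const uris = [...value.matchAll(/<([^>]+)>/g)].map(m => m[1].trim());
  const http = uris.find(isSafeHttps);
  if (http) return { method: 'http', target: http };
  const mail = uris.find(u => u.toLowerCase().startsWith('mailto:'));
  return mail ? { method: 'mailto', target: mail } : null;
}
function buildSenderList(messages) {
  const byDomain = new Map();
  for (const m of messages) {
    const from = header(m, 'From'), unsub = header(m, 'List-Unsubscribe');
    if (!from || !unsub) continue;
    const choice = pickMethod(unsub), domain = senderDomain(from), seen = byDomain.get(domain);
    // First entry per domain wins, unless a later message upgrades mailto to http.
    if (choice && (!seen || (seen.method === 'mailto' && choice.method === 'http')))
      byDomain.set(domain, { domain, ...choice });
  }
  const rank = { http: 0, mailto: 1 };
  return [...byDomain.values()].sort((a, b) =>
    rank[a.method] - rank[b.method] || a.domain.localeCompare(b.domain));
}
```

Calling buildSenderList(SAMPLE) returns three senders: shop.example over HTTP, then list.example and odd.example over mailto, the last one because its https entry points at an IP literal and is rejected.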

05

Your session ends — everything is deleted

When you close the tab or after one hour, your Gmail OAuth token is revoked via Google's token revocation API. All session data in server memory is cleared. We have no database. There is no record of your email address, your senders, or anything else.

Technical note: POST to https://oauth2.googleapis.com/revoke. Session stored in-memory only — no database, no logs.


Frequently asked questions about how it works

Can Inboxed see my email subjects or message content?

No. We request the metadata format from the Gmail API, which explicitly excludes message content, subject lines, and attachments. The API response contains only the headers we specify.

Does Inboxed store my email address?

No. We don't know your email address unless you provide it for the Apple Mail waitlist. Your Gmail account is accessed via an anonymous OAuth token that is revoked after use.

How is this different from clicking Unsubscribe in Gmail?

Functionally identical — both use the List-Unsubscribe header. The difference is that Gmail does it one email at a time. Inboxed does it for your entire inbox at once.

What if a sender doesn't have a List-Unsubscribe header?

We generate a pre-written unsubscribe email to the sender's From address as a fallback. Senders without any unsubscribe mechanism are rare among legitimate mailers.

Is the opt-out legally binding?

Yes. Under GDPR Article 21 and CAN-SPAM, opt-out requests sent via the List-Unsubscribe mechanism carry full legal force. Senders must process them within 10 business days.

See it for yourself

The scan is free. No payment until you decide to unsubscribe.
