Security

How OneShotMail handles your email data -- encryption, retention, deletion, and API key security.

Data handling principles

OneShotMail is designed to hold your data for the minimum time necessary and delete it automatically. By design, every piece of email data has a guaranteed deletion date set at creation time.

Encryption

In transit

All traffic is encrypted with TLS 1.2+. The API is only accessible over HTTPS at https://api.oneshotemail.com. Plain HTTP requests are rejected, not redirected.

At rest

All email data, address metadata, and credentials are encrypted at rest using industry-standard encryption. There is no unencrypted data at rest anywhere in the system.

Email data retention

Email data is retained only until the address TTL expires. There is no long-term storage.

PlanMax TTLMaximum retention
Free1 hour1 hour
Solo12 hours12 hours
Team24 hours24 hours
EnterpriseCustomCustom (max 7 days)
Max24 hours24 hours

Deletion

  1. Automatic — Address records and email data are automatically deleted after the TTL expires.
  2. Explicit — You can delete an address and all its data immediately via DELETE /addresses/{id} or DELETE /addresses?label=....

When data is deleted (by TTL or explicit request), it is permanently removed. There is no backup, no soft-delete, no recovery mechanism.

What we log

We DO log

  • Request metadata: timestamp, HTTP method, path, status code, latency.
  • Address metadata: address ID, status transitions, TTL, label, mode.
  • Error details: error codes and stack traces for server errors.
  • Usage metrics: address creation counts, email delivery latency.

We NEVER log

  • Email content (subject, body, headers).
  • Email attachments.
  • API key values (only the prefix for debugging).
  • Personal email addresses (the from/to of emails passing through the system).

API key security

  • Hashed storage — Your API key is stored as a bcrypt hash. We cannot retrieve or display your key after initial creation.
  • Prefix indexing — The first 8 characters of your key are stored separately as a lookup index. This allows us to find your account without storing the full key.
  • One-time display — Your key is shown exactly once at registration or regeneration. There is no “show key” button.
  • Immediate revocation — Regenerating your key invalidates the previous key immediately. There is no grace period.

API key best practices

  1. Store your key in environment variables or a secrets manager, not in code.
  2. Use separate accounts for CI, staging, and production testing.
  3. Regenerate your key immediately if it is exposed.
  4. Use CI/CD secret stores (GitHub Actions secrets, GitLab CI variables, etc.).
  5. Set up secret scanning in your repository to catch accidental commits.

Network security

  • HTTPS only — All API endpoints require TLS.
  • CORS — Restricted to the OneShotMail web UI origin. Cross-origin requests from other domains are rejected.
  • Rate limiting — Per-API-key rate limits prevent abuse and denial-of-service.
  • No public storage — Emails are only accessible through the authenticated API. There is no public access to stored data.

Address security

  • Cryptographically random — Address IDs are 20-character base62 strings generated with a cryptographically secure random source. The address space is large enough to prevent enumeration.
  • Silent discard — Emails sent to non-existent or expired addresses are silently dropped. The sender receives no bounce or error message, preventing probing for valid addresses.
  • One-shot guarantee — Each address accepts exactly one email. This prevents replay attacks and ensures test isolation.

Infrastructure security

  • Least privilege — Every component follows least-privilege access patterns. Services can only access the data they need to function.
  • No long-lived credentials — Internal credentials are managed and rotated automatically.
  • Hosted on AWS — All infrastructure runs on AWS with encryption, access controls, and monitoring enabled by default.

Abuse prevention

Receiving

  • Emails to non-existent addresses are silently discarded (no bounce).
  • Each address accepts only one email (subsequent emails are discarded).
  • Address TTL limits prevent addresses from persisting indefinitely.

Sending

  • Bounce and complaint rates are monitored per account.
  • Accounts with high bounce rates have sending automatically disabled.
  • Send operations cost more credits (2x receive) to discourage mass sending.

Free tier

  • One account per email domain.
  • Queue-based approval with rate limiting.
  • 90-day inactivity auto-suspension.

Compliance

  • Data residency — All data is stored in Australia (AWS ap-southeast-2). Enterprise customers can request dedicated deployments in other regions.
  • Audit logging — All usage events are recorded with timestamps and metadata. Enterprise accounts can export usage data via GET /account/usage/export.
  • No data sharing — We do not share, sell, or analyse your email data. We do not train models on your email content.
  • Right to deletion — Delete your account and all associated data at any time. Address data is automatically deleted by TTL.

Reporting security issues

If you discover a security vulnerability, please report it responsibly to security@oneshotemail.com. Do not open a public GitHub issue.

Edit this page on GitHub