Privacy & About
What signedinbox sees, what it doesn't, and why we built it this way.
About
signedinbox is a small tool that lets people prove a real human sent an email — not a bot, not a spoofed address, not an AI bulk sender. When you stamp an email, a cryptographic badge is embedded that anyone can verify in a browser. No app required, no account needed to verify.
The code is MIT licensed and open source.
What we never see
Your email body
The content of your email is never captured, transmitted, or stored. The Chrome extension reads the compose window only to inject the stamp badge — it does not send any body text to our servers.
Recipient email addresses
The recipient's address is sent to our servers solely to compute a SHA-256 hash. The plaintext address is immediately discarded — we store only the irreversible hash. We cannot read, reverse, or recover the original address.
Subject lines
The subject line is used client-side to compute the content fingerprint that makes your stamp specific to this email. The plaintext subject is never sent to or stored on our servers.
Attachments or metadata
We never access attachments, headers, thread history, or any other part of your Gmail account. The extension only interacts with the active compose window.
How client-side hashing works
When the Chrome extension stamps an email, it computes a SHA-256 content fingerprint of the sender, recipient, and subject — entirely inside your browser using the Web Crypto API. That fingerprint is sent to our servers. The recipient address is also sent so we can hash it server-side for verification; the plaintext is then discarded. The subject line is never sent.
These hashes let recipients verify the stamp was meant for them — without us ever knowing the subject line or being able to recover the recipient address.
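An added example, not signedinbox's own code (the project's logic lives in extension/background/background.ts), showing one way to compute and re-check such a fingerprint with the Web Crypto API. The field order, address normalisation, length-prefixed encoding and all function names are assumptions made for illustration; the naive variant is included only to show why field boundaries must be encoded.

```javascript
// Added example: layout and normalisation are assumptions, not signedinbox's format.
// Browsers and recent Node expose Web Crypto globally; older Node needs the fallback.
const subtle = globalThis.crypto?.subtle ?? require("node:crypto").webcrypto.subtle;
const enc = new TextEncoder();

async function sha256Hex(bytes) {
  const digest = await subtle.digest("SHA-256", bytes);
  return Array.from(new Uint8Array(digest), (b) => b.toString(16).padStart(2, "0")).join("");
}

// Addresses are trimmed and lower-cased so cosmetic differences do not break verification.
const normAddr = (a) => a.trim().toLowerCase();

// Prefix every field with its byte length (4 bytes, big-endian) so that
// ("b@y.io", "Hi") and ("b@y.i", "oHi") can never encode to the same bytes.
function encodeFields(fields) {
  const parts = fields.map((f) => enc.encode(f.normalize("NFC")));
  const out = new Uint8Array(parts.reduce((n, p) => n + 4 + p.length, 0));
  const view = new DataView(out.buffer);
  let off = 0;
  for (const p of parts) {
    view.setUint32(off, p.length); // DataView writes big-endian by default
    out.set(p, off + 4);
    off += 4 + p.length;
  }
  return out;
}

// Fingerprint computed in the browser; only this hex string would leave the client.
async function contentFingerprint({ sender, recipient, subject }) {
  return sha256Hex(encodeFields([normAddr(sender), normAddr(recipient), subject]));
}

// Weak variant for comparison: plain concatenation loses the field boundaries.
async function naiveFingerprint({ sender, recipient, subject }) {
  return sha256Hex(enc.encode(sender + recipient + subject));
}

// Verifier side: recompute from the email as received and compare to the stamp's hash.
async function matchesStamp(storedHex, email) {
  return (await contentFingerprint(email)) === storedHex;
}
```
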
What we do store
Your account email
Used for authentication only. Displayed publicly as a masked version (e.g. a***@gmail.com) on verification pages.
Your display name
Shown on the stamp verification page so recipients know who sent the email. You set this when you create your account.
Stamp metadata
Stamp ID, creation date, expiry date, and the content hash described above. This is the minimum needed to let recipients verify stamps.
Verification count
How many times a stamp's verification page was visited. Used to detect reuse — if a personal stamp is verified by 50 different people, that's a signal it was copied and forwarded.
Cloudflare Turnstile
Every stamp requires a human verification check powered by Cloudflare Turnstile. This runs silently in the background — no checkbox, no puzzle, just a signal that confirms you're a real person using a real browser.
Cloudflare processes this challenge entirely on their infrastructure. We receive only a short-lived pass/fail token which we verify server-side. We do not store it, log it, or use it for any other purpose. Cloudflare's own privacy policy governs what they collect during that check.
Open source
You don't have to take our word for any of this. The full source code — including the Chrome extension, the web app, and the API — is publicly available on GitHub under the MIT license. The hashing logic described above is in extension/background/background.ts.
Public signing keys for independent stamp verification are available at /api/v1/.well-known/signedinbox.
Chrome extension — local storage
The signedinbox Chrome extension stores two things locally in your browser using chrome.storage.local:
- Session token — A Supabase authentication token that keeps you signed in between browser sessions. It is never shared with third parties.
- Selected sender ID — The ID of the sender identity you have chosen to stamp emails with. This is a reference to data already stored on our servers under your account.
This data stays on your device and is cleared when you sign out of the extension or uninstall it.
Deleting your data
You can delete your account and all associated data at any time from the dashboard — scroll to the Account section and click Delete account. This permanently removes your account email, display name, sender identities, stamps, and API keys immediately.
Stamps that have already been delivered to recipients will become unverifiable once your account is deleted. If you need help, email alex@signedinbox.com.
Questions?
Open an issue on GitHub or email alex@signedinbox.com.