# ReplyLayer > Safe email for AI agents: send, receive, reply to, and security-scan > transactional and operational email via a REST API, the `rly` / `replylayer` > CLI, an MCP server, and TypeScript / Python SDKs. Not a bulk or marketing tool. > Every message is scanned, and the scan verdict is a machine-legible contract > agents branch on. All documentation links below are absolute and resolve at https://replylayer.ai. The npm, PyPI, and public CLI repository links are also absolute and live. Every documentation page is also available as raw markdown by appending `.md` to its URL. ## Start here - [Documentation home](https://replylayer.ai/docs): guides and reference for people integrating ReplyLayer. - [ReplyLayer for agents](https://replylayer.ai/agents): the machine-facing contract surface — message lifecycle, scan verdicts, send gates, typed errors, idempotency. # Human documentation (/docs) ## Getting started - [Quickstart](https://replylayer.ai/docs/quickstart): Install the rly CLI, get an API key, create a mailbox, and land your first scanned send to the email success simulator in about a minute. - [Authentication](https://replylayer.ai/docs/authentication): How ReplyLayer API keys work — the rly_live key format, admin vs agent roles, Bearer-vs-session auth, session-only surfaces, and safe create-verify-revoke rotation. ## Guides - [Email simulator](https://replylayer.ai/docs/guides/simulator): Test outbound delivery, bounce and complaint webhooks, plus inbound scanning and quarantine, without sending to a real recipient. - [Do-not-contact list (suppressions)](https://replylayer.ai/docs/guides/suppressions): How the suppression list gates every send, when to add addresses yourself, and the add / list / remove contract across API, CLI, SDKs, and MCP. - [Webhooks](https://replylayer.ai/docs/webhooks): Receive signed callbacks for inbound mail and outbound state changes — setup, signature verification, the retry and auto-disable model, PII redaction, and rotation. - [Recipient allowlist (mailbox containment)](https://replylayer.ai/docs/guides/recipient-allowlist): How per-mailbox allowlist mode contains outbound sends — opt-in restriction, admin-only mutations, wildcard domains, thread-reply bypass, and agent-send containment. - [Inbound firewall (sender allowlist + blocklist)](https://replylayer.ai/docs/guides/inbound-firewall): Gate incoming email by sender with per-mailbox allowlist mode, an account-wide blocklist, the releasable firewall_blocked state, and verified-reply bypass. - [Scheduled send (send later)](https://replylayer.ai/docs/guides/scheduled-send): Schedule an email for a future time. ReplyLayer holds the draft and re-runs the full send-time gate stack at dispatch, so policy changes are always honored. - [Sub-addressing and secure replies](https://replylayer.ai/docs/guides/sub-addressing): Route replies back to the exact agent instance that opened a thread using plus-addressing, and how ReplyLayer's tamper-evident secure-reply headers protect those threads. - [Attachments (receiving and sending)](https://replylayer.ai/docs/guides/attachments): How inbound attachment exposure tiers work — metadata, text previews, and raw downloads — and how to send files with the upload, scan, then attach flow. - [Content scanning](https://replylayer.ai/docs/guides/content-scanning): How ReplyLayer scans inbound and outbound email, when a message is quarantined versus delivered with a finding, and what releasing held mail actually does. - [Custom domains (bring your own domain)](https://replylayer.ai/docs/guides/custom-domains): Send and receive from your own subdomain by adding ReplyLayer's DNS records at your provider — the create flow, the records table, verification states, and health. - [Self-hosted transport (bring your own email service)](https://replylayer.ai/docs/guides/self-hosted-transport): Run your own SMTP and IMAP servers behind a delegated domain — the v1 transport contract, the setup and verification flow, delivery-visibility limits, and the egress IPs to allowlist. - [LangChain tools](https://replylayer.ai/docs/guides/langchain): Add ReplyLayer's governed email tools to a LangChain agent — install langchain-replylayer, build the six-tool toolkit, branch on each tool's status contract, and treat message content as untrusted input. ## Clients - [CLI (rly)](https://replylayer.ai/docs/cli): Install and run the rly command-line client — npm/pipx setup, credential storage, a tour of the everyday commands, config, and verifying signed release artifacts. - [SDKs (TypeScript & Python)](https://replylayer.ai/docs/sdks): Install and use the official TypeScript and Python SDKs — client setup, your first send, safe idempotent retries, webhook signature verification, and typed errors. - [MCP server](https://replylayer.ai/docs/mcp): Connect an MCP client to ReplyLayer two ways — the hosted /v1/mcp streamable-HTTP endpoint or the local stdio server — with copy-paste client config. ## Platform - [Tiers, quotas, and sandbox limits](https://replylayer.ai/docs/limits): Per-tier daily send caps, the sandbox trial restrictions, the GET /v1/accounts/quota preflight, and the RATE_LIMITED 429 contract when you hit your cap. ## API reference - [Messages API](https://replylayer.ai/docs/api/messages): Per-operation reference for the Messages resource — send, reply, read, list, long-poll, search, lifecycle (release/block/report/delete), human review, and read/star markers. - [Drafts API](https://replylayer.ai/docs/api/drafts): Draft CRUD, the scan-then-review-then-send flow, scheduled and asynchronous dispatch, and release-and-send for drafts held by a send-time scan. - [Mailboxes API reference](https://replylayer.ai/docs/api/mailboxes): CRUD and per-mailbox policy operations — scanner policy, PII delivery mode, attachment exposure, sender/firewall mode, agent-send containment, and instruction-trust tightening. - [Attachments API](https://replylayer.ai/docs/api/attachments): REST reference for reading inbound attachments (text previews, raw byte download) and staging outbound attachments through single-use upload handles. - [Webhooks API reference](https://replylayer.ai/docs/api/webhooks): HTTP reference for managing webhook endpoints — create, list, update, delete, rotate the signing secret, send a test event, and list or retry deliveries. - [Suppressions API reference](https://replylayer.ai/docs/api/suppressions): Per-operation contract for the do-not-contact list — list, add, bulk-add, and remove, with actor metadata, domain patterns, idempotency, and complaint-lock (409) semantics. - [Recipient allowlist API](https://replylayer.ai/docs/api/allowlist): Recipient allowlist CRUD, blocked-send-attempt logs, and sandbox verified-recipient endpoints — methods, auth, request and response shapes, and a per-operation classification. - [Threads API](https://replylayer.ai/docs/api/threads): List and read email threads, and continue a conversation with a thread-scoped send — request fields, response shapes, error codes, and per-operation classification. - [Account API reference](https://replylayer.ai/docs/api/account): Per-operation reference for the account resource — programmatic signup, send-budget quota, usage & trust, malicious-link-scanning opt-in, data export, and account deletion. - [Inbound sender policy (firewall) API](https://replylayer.ai/docs/api/inbound-policy): Per-resource reference for the inbound firewall — sender-policy mode, per-mailbox allowlist, account-wide blocklist, blocked-attempt log, and message release. # Agent documentation (/agents) ## Core - [Message states & scan verdicts](https://replylayer.ai/agents/messages): The inbound and outbound message lifecycle, every state transition, and why the scanner verdict is a separate channel from delivery state — the contract agents branch on. - [Authentication and API keys](https://replylayer.ai/agents/auth): The machine auth contract — key format, admin vs mailbox-scoped agent keys, Bearer-over-session precedence, create-verify-revoke rotation, self-revoke, and the read-only instruction-trust capability. - [Security model — trust contract](https://replylayer.ai/agents/security-model): What an agent may and may not trust per field: bodies, subjects, senders, scan verdicts, and safety context. Scanning is a filter, not a guarantee. ## Sending - [Send outcomes (the Governed Email Effect)](https://replylayer.ai/agents/send-outcomes): The four send outcomes on one read — the email_effect field, Prefer outcome=strict HTTP mapping, the never-retry-a-block rule, idempotent replay, and async 202 dispatch. - [Why a send was refused (send gates)](https://replylayer.ai/agents/send-gates): The decision tree every outbound send passes through — do-not-contact, agent-send containment, recipient allowlist, strict-recipient, MX validation, sandbox gates, and quota — with the exact code, denial envelope, and who can lift each. ## Integrations - [Trusted instruction sources](https://replylayer.ai/agents/trusted-instructions): How an agent consumes a trusted-instruction relaxation — the instruction_trust basis, branch-on-presence integration, the fail-closed matrix, and why an agent can tighten trust but never grant it. - [CLI machine interface](https://replylayer.ai/agents/cli): The rly CLI machine contract — the --json shapes, the canonical exit-code table (0/1/2/3 plus --strict 4/5/6), the block-is-exit-0 asymmetry, CONFIRM_REQUIRED, and inbox wait long-poll semantics. - [MCP server](https://replylayer.ai/agents/mcp): The ReplyLayer MCP server contract — hosted and stdio transports, the full 44-tool registry with annotations, the isError + hint envelope, structured output, and the server-instructions divergence. - [SDK contract — typed errors, retries, and webhook verification](https://replylayer.ai/agents/sdk): How the TypeScript and Python SDKs surface error codes, the denial envelope, EmailEffect strict outcomes, automatic retries, idempotency, and webhook signature checks. - [Attachments (inbound previews and outbound staging)](https://replylayer.ai/agents/attachments): The attachment contract for agents — inbound exposure tiers and the preview machine, plus the outbound stage-then-send lifecycle with consume-once handles and its full code-to-action tables. - [Webhooks (agent consumption contract)](https://replylayer.ai/agents/webhooks): The webhook event catalog for agents — verify, dedupe, branch on signed delivery events; every event type, payload field, PII-redaction rule, retry and auto-disable contract. ## Reference - [Error reference](https://replylayer.ai/agents/errors): The curated catalog of ReplyLayer API error codes an agent hits — HTTP status, cause, denial-envelope axis, who can fix it, and whether it is retryable. - [Changelog (agent-facing)](https://replylayer.ai/agents/changelog): Agent-visible behavior changes to the ReplyLayer API, SDKs, CLI, and MCP — newest first, dated, with upgrade notes. Contracts live on their own pages; this indexes what changed. ## Examples - [Inbound triage (runnable example)](https://replylayer.ai/agents/examples/inbound-triage): A runnable inbound-triage loop — poll for new mail, branch on the scan verdict, release or report quarantined mail, read untrusted bodies safely, then reply or escalate. - [From sandbox to production](https://replylayer.ai/agents/examples/sandbox-to-production): A runnable walkthrough — sign up, send to the simulator, verify a real recipient, set a production safety posture (allowlist, human review, webhook), then make a governed first production send. - [Example — webhook-driven governed reply loop](https://replylayer.ai/agents/examples/webhook-reply): End-to-end recipe for an agent that replies to inbound mail from a webhook — verify the signature, dedupe, fetch by id, send an idempotent reply, and branch on the governed outcome. # Machine-readable contract - [OpenAPI specification](https://replylayer.ai/docs/openapi.json): the generated OpenAPI 3.0 document for the customer REST API. # Surfaces - [CLI on npm](https://www.npmjs.com/package/rly): `npm install -g rly`. - [CLI on PyPI](https://pypi.org/project/rly/): `pipx install rly`. - [Public CLI repository (install & package trust)](https://github.com/replylayer/rly): signed `SHA256SUMS`, GPG key, build provenance.