Skip to main content

Resend email integration

Agentbot integrates with Resend for both inbound email handling and outbound email event tracking. Inbound emails from approved senders are forwarded to your agent, while outbound email events (delivery, opens, clicks, bounces) are logged for analytics and compliance.

How it works

Inbound emails

  1. A user sends an email to your Resend inbox address
  2. Resend forwards the email to POST /api/webhooks/resend
  3. Agentbot verifies the webhook signature, checks the sender against an allowlist, and applies rate limiting
  4. Approved emails are processed and made available to your agent

Outbound email event tracking

  1. Agentbot sends a transactional email through Resend
  2. Resend delivers the email and tracks lifecycle events (sent, delivered, opened, clicked, bounced, complained)
  3. Resend forwards each event to POST /api/webhooks/resend
  4. Agentbot logs the event and takes action for bounces and complaints

Setup

1

Create a Resend webhook

In the Resend dashboard, create a webhook pointing to:
https://agentbot.raveculture.xyz/api/webhooks/resend
Subscribe to the event types you need. For full coverage, enable all of the following:
  • email.sent
  • email.delivered
  • email.delivery_delayed
  • email.bounced
  • email.complained
  • email.opened
  • email.clicked
  • email.received (for inbound email processing)
2

Configure environment variables

Add the following environment variables to your deployment:
VariableRequiredDescription
RESEND_API_KEYYesYour Resend API key
RESEND_WEBHOOK_SECRETYesWebhook signing secret from the Resend dashboard
ALLOWED_SENDERSNoComma-separated list of approved sender email addresses. Defaults to the platform owner’s addresses.
OWNER_EMAILNoEmail address for security notifications
3

Test the integration

Send an email from one of the allowed sender addresses to your Resend inbox. Check the agent logs to confirm it was received and processed. For outbound tracking, send a test email through Resend and verify that delivery events appear in your logs.

Webhook endpoint

POST /api/webhooks/resend
Receives email events from Resend. This endpoint handles both inbound email delivery and outbound email lifecycle tracking. For inbound emails, it verifies the webhook signature using Svix headers and enforces a sender allowlist. For outbound events, it logs event data and handles bounce/complaint cases.
This endpoint is intended to be called by Resend only. You must configure the RESEND_WEBHOOK_SECRET environment variable for signature verification on inbound emails. When the secret is not configured, inbound email processing returns 500.

Headers

HeaderRequiredDescription
svix-idYesUnique message identifier
svix-timestampYesMessage timestamp
svix-signatureYesWebhook signature for verification

Request body

The request body is a JSON object with the following fields:
FieldTypeDescription
typestringThe event type (e.g., email.sent, email.delivered, email.bounced)
dataobjectEvent-specific payload
data.email_idstringUnique identifier of the email
data.tostringRecipient email address
data.subjectstringEmail subject line
data.created_atstringISO 8601 timestamp of the event
For bounce events, the data object also includes:
FieldTypeDescription
data.bounce.messagestringBounce reason from the receiving mail server

Signature verification

The endpoint verifies the webhook payload using the Resend SDK’s built-in signature verification. Requests with invalid or missing signatures are acknowledged with 200 to prevent Resend from retrying.

Handled event types

EventBehavior
email.receivedValidates sender against the allowlist, applies rate limiting, fetches full email content, and forwards to the agent for processing.
email.sentLogged for analytics.
email.deliveredLogged for delivery tracking and analytics.
email.delivery_delayedLogged for analytics.
email.bouncedLogged with a warning. The recipient address is flagged for review.
email.complainedLogged with a warning. The recipient address is flagged for removal from mailing lists.
email.openedLogged for engagement tracking.
email.clickedLogged for engagement tracking.
Other eventsAcknowledged and logged. No further processing.

Response

The endpoint always returns 200 to prevent Resend from retrying delivery. Inbound email response: 
{
  "received": true,
  "action": "processed"
}
action valueMeaning
processedEmail passed all checks and was forwarded to the agent
rejectedSender is not on the allowlist
rate_limitedSender exceeded the rate limit
fetch_errorEmail content could not be retrieved from Resend
Outbound event response: 
{
  "received": true
}

Security

Sender allowlist

Only emails from addresses listed in the ALLOWED_SENDERS environment variable are processed. All other emails are rejected and logged for audit. This is a strict allowlist — there is no wildcard or domain-level matching.

Rate limiting

Each allowed sender is limited to 10 emails per hour. Emails that exceed this limit are acknowledged but not processed.

Content sanitization

Email bodies are sanitized before processing:
  • Script tags and HTML markup are stripped
  • Body text is truncated to 5,000 characters

Troubleshooting

Verify that the RESEND_WEBHOOK_SECRET environment variable is set. The endpoint cannot verify signatures without it.
Check that the sender’s email address is included in ALLOWED_SENDERS. Addresses are matched in a case-insensitive manner.
The limit is 10 emails per sender per hour. Wait for the rate limit window to reset or adjust the sending frequency.