Give Claude your inbox — without giving up control.
A signed, notarized, Touch-ID-gated bridge between Proton Mail and Claude, running entirely on your Mac. Claude reads, searches, organizes, drafts, and sends your mail — and reads your calendar — through 34 MCP tools. Every send needs your fingerprint. Nothing leaves your laptop except the mail itself.
What it feels like
You talk to Claude. Claude talks to your mailbox. You stay in the loop on anything that matters.
“What did I miss from the climbing group this week?”
→ Claude searches the local mirror, reads the thread, summarizes it. No prompt — reading is safe.
“File all the newsletters under Reading and mark them read.”
→ Claude moves and marks them. Organizing is gated, but quiet.
“Reply to Alice that I’m in for Saturday, and send it.”
→ A Touch ID prompt appears: To: alice@example.com · Subject: Re: gear list. You tap. It sends. You didn’t.
Every read is served from a local SQLite mirror, so it’s fast and works offline. Every write is governed by a per-tool policy. Every send re-prompts, every time, showing the literal recipients — that fingerprint tap is the line between “Claude drafted it” and “Claude sent it.”
34 tools, grouped by what they touch
Reads run free; everything that changes state is deny-by-default and Touch-ID gated.
📖 Read & search read
List, full-text search, read messages, reconstruct threads, list attachments, list labels/folders, sync.
🗂️ Organize gated
Mark read/unread, move, label, trash.
🏷️ Labels & folders gated
Full CRUD with colour-palette validation.
✍️ Drafts gated
Create, update, delete, list.
📤 Send Touch ID
Send, reply, reply-all, forward, send-draft — each one re-prompts, every time.
📎 Attachments gated
Decrypt and download, save to disk.
📅 Calendar read
List calendars, browse/search events by date range, read full event detail. Read-only.
Full list with descriptions: docs/cli-reference.md →
How it works
One background daemon holds your Touch-ID-unlocked session and serves every tool over a local socket. Claude Desktop and Claude Code each attach through a tiny forwarder, so they share one session: unlock once, use everywhere; lock once, everything locks.
Reads are served straight from the local mirror. Writes pass through a per-tool policy. The full design — every binary, package, and the local mirror — is in docs/architecture.md.
Why it’s safe
proto-mcp is built so that an LLM driving your mailbox is a convenience, never a liability.
🔐 Your fingerprint on every send
Each write fires a native prompt showing the literal recipients and subject. mail_send has a TTL of zero, so it re-prompts every single time. No blanket approvals for sends.
🛡️ Default-deny by construction
Unknown tools don’t run. A tool with no policy entry fails to register — you can’t accidentally ship an unguarded write.
🍎 Signed, notarized, self-checking
Hardened-runtime, Developer-ID-signed, Apple-notarized binaries, plus a SHA-256 integrity check at startup that refuses to run a swapped daemon.
🔒 Locks when you walk away
Screen lock, sleep, or an idle timer zero the in-memory session; resuming takes Touch ID.
🧾 Honest, redacted audit log
Every call is logged — secrets scrubbed, bodies reduced to {sha256, bytes}, recipients kept literal so the verification chain stays truthful.
🏠 Local-only
The daemon listens on a 0600 Unix socket, never a network port. Mail content goes to Proton over TLS; nothing else leaves.
What a prompt actually looks like:
CC: charlie@example.com
Subject: Re: gear list
The full threat model — including the risks proto-mcp doesn’t defend against — is on the security page. Read it before you point this at a live mailbox.
Install
Requires macOS 13+. The binaries are Developer-ID-signed and Apple-notarized — no Gatekeeper warning, no network listener.
# 1. Install via Homebrew brew tap just-an-oldsalt/proto-mcp brew install --cask proto-mcp # 2. Log in and set up protonmcp login # Proton SRP password + 2FA + key unlock protonmcp backfill # one-time: pull message envelopes into the local mirror protonmcp daemon install # register + start the background daemon protonmcp install # connect it to Claude Desktop + Claude Code
Restart Claude, and the tools show up under protonmcp in /mcp. That’s it.
Prefer to build it yourself? See Build from source (macOS 13+, Go 1.26.4+, Xcode CLT).
Configurable, if you want it
Tune per-tool policy, rate limits, allowed recipients, the idle-lock timer, and the cached-body TTL with a single YAML file. For example, to cap LLM-driven sends and restrict them to one domain:
tools: mail_send: decision: prompt rate_limit: 5/hour allowed_recipients: ["@mydomain.com"] idle_lock_minutes: 30
Full reference, plus locking and the audit/observability commands: docs/configuration.md →
Common questions
Does Anthropic — or anyone else — see my mail?
No. The daemon runs entirely on your Mac and listens on a 0600 Unix socket, never a network port. Reads are served from a local SQLite mirror. The only thing that leaves your laptop is the mail itself, sent to Proton over TLS — exactly as any Proton client would.
What stops Claude from sending mail on its own?
Every send fires a native macOS Touch ID prompt showing the literal recipients and subject. mail_send has a TTL of zero, so it re-prompts every single time — there are no blanket approvals for sends. Without your fingerprint on that specific prompt, nothing goes out.
Is it safe to point at a live mailbox?
It’s built to be, but read the threat model first. Writes are deny-by-default, sends are Touch-ID-gated, and the audit log is honest. The main caveat: decrypted message bodies are cached in local SQLite (TTL-bounded, secure_delete on), so on a stolen, imaged disk they’re recoverable cleartext until purged. protonmcp purge --older-than 7d --vacuum shrinks that window; envelope encryption (SQLCipher) is a post-1.0 item.
Which Claude clients does it work with?
Claude Desktop and Claude Code. Both attach to one background daemon through a tiny forwarder, so they share a single Touch-ID-unlocked session — unlock once, use everywhere; lock once, everything locks. Run protonmcp install to wire both up.
Why macOS only?
The keystore and biometric helpers use Security.framework, LAContext, and AppKit. Linux builds compile for testing, but the auth flow won’t work. proto-mcp is built for one person and their mailbox on their Mac.
Is this an official Proton product?
No. proto-mcp is an independent, open-source project. It depends transitively on Proton’s go-proton-api and proton-bridge (both GPLv3) for the crypto and transport layer. Be a good Proton citizen: don’t rate-abuse, scrape, or run multi-account automation through it — anything that violates Proton’s Terms is no less a violation here.
Get proto-mcp
proto-mcp is free and open source under GPLv3. Grab it from Homebrew, or read the source on GitHub.