Skip to content

docs: document mailbox attachment download URLs#15

Merged
roshanjonah merged 13 commits into
mainfrom
agent/attachments-first-class
Jul 3, 2026
Merged

docs: document mailbox attachment download URLs#15
roshanjonah merged 13 commits into
mainfrom
agent/attachments-first-class

Conversation

@roshanjonah

Copy link
Copy Markdown
Member

Update the attachment guide, product changelog, OpenAPI app snapshot, and generated mailbox Postman collection for short-lived mailbox attachment download URLs.

Update the attachment guide, product changelog, OpenAPI app snapshot, and generated mailbox Postman collection for short-lived mailbox attachment download URLs.

@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: ab89d5ccc0

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

Comment thread guides/attachments.mdx Outdated

The `download_url` is short-lived and grants access only to that attachment. Fetch it promptly with any HTTP client; no `Authorization` header is needed for the URL itself.

If the URL expires, call the message or attachment metadata endpoint again to get a fresh `download_url`. The authenticated attachment download endpoint continues to work for clients that send bearer credentials.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Document a real endpoint for refreshing URLs

When a short-lived URL expires, this tells users to call an “attachment metadata endpoint”, but the OpenAPI paths in this repo only expose /mailbox/attachments:upload and the binary GET /mailbox/messages/{message_id}/attachments/{attachment_id} for attachments, not a metadata endpoint. In that expiration scenario, clients following the guide have no actionable HTTP endpoint to call except re-reading message metadata, so the wording should either name the actual message metadata endpoint or add/document the missing attachment metadata endpoint.

Useful? React with 👍 / 👎.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@chatgpt-codex-connector[bot] Fixed in 320c7dc. The guide now names concrete renewal paths: GET /mailbox/messages/{message_id}, list/search messages again, or MCP mailbox_get_attachment.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Comment thread openapi-app.json Outdated
Comment on lines +11035 to +11041
"in": "query",
"name": "download_token",
"required": false,
"schema": {
"description": "Short-lived token embedded in attachment metadata `download_url` values. Clients normally fetch the full URL rather than constructing this parameter manually.",
"type": "string"
}

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 Badge Allow token-only downloads in the OpenAPI security

Adding download_token here advertises the same no-Authorization download URL described in the guide, but the operation still declares only bearerAuth while the root spec also requires bearer auth. Generated docs/clients will therefore continue to mark this request as requiring an Authorization header even when the caller supplies the short-lived token, which breaks the documented clients that cannot add that header; model the token path as an alternate/anonymous security option or separate scheme.

Useful? React with 👍 / 👎.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@chatgpt-codex-connector[bot] Fixed in 320c7dc. The OpenAPI operation now allows bearer auth or presigned URL fetch via optional operation security, while keeping download_token as the documented query parameter.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@mintlify

mintlify Bot commented Jul 2, 2026

Copy link
Copy Markdown

Preview deployment for your docs. Learn more about Mintlify Previews.

Project Status Preview Updated (UTC)
sendmux 🟢 Ready View Preview Jul 2, 2026, 9:10 AM

💡 Tip: Enable Workflows to automatically generate PRs for you.

@roshanjonah roshanjonah merged commit 827a3a1 into main Jul 3, 2026
4 of 5 checks passed
@roshanjonah roshanjonah deleted the agent/attachments-first-class branch July 3, 2026 01:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant