Labsco
Sealjay logo

mcp-hey

β˜… 4

from Sealjay

Local MCP server for Hey.com email - read, search, send, reply, and manage the screener via stored session cookies.

πŸ”₯πŸ”₯πŸ”₯βœ“ VerifiedFreeQuick setup

mcp-hey

Sealjay/mcp-hey MCP server Bun TypeScript Python MCP License: MIT GitHub issues GitHub stars

A local Model Context Protocol (MCP) server that gives Claude read/write access to your Hey.com inbox via reverse-engineered web APIs.

mcp-hey has two moving parts: a Bun/TypeScript MCP server that exposes Hey tools over stdio, and a small Python helper that uses the system webview to capture session cookies at login. Everything runs locally β€” no cloud relay, no credentials stored, just session cookies on disk.

Warning β€” unofficial API. Hey.com does not publish a public API; mcp-hey reverse-engineers its web endpoints and pairs them with browser-identical HTTP requests. Things can break without notice. The current documented surface lives in docs/API.md.

Features

  • Read emails from Imbox, Feed, Paper Trail, Set Aside, Reply Later, Drafts, Trash, and Spam
  • Download attachments and parse calendar invites from emails
  • Send and reply to email threads
  • Search emails across boxes
  • Organise mail (set aside, reply later, screen in/out, bubble up)
  • Local SQLite cache for faster repeated reads and full-text search
  • Lightweight β€” around 30 MB idle memory
  • Browser-identical headers and TLS posture to avoid detection
  • Runs entirely on your machine; stdio transport with no network exposure

Architecture

ComponentDescription
MCP serverBun/TypeScript, stdio transport, ~30 MB idle memory
Auth helperPython/pywebview, spawns on-demand for login via system webview
CacheLocal SQLite store for messages, threads, and search index
CommunicationFile-based session sharing via data/hey-cookies.json

Data flow

  1. MCP client (Claude Code, Claude Desktop, Cursor, etc.) launches bun run src/index.ts over stdio.
  2. On startup the server validates data/hey-cookies.json. If missing or expired it spawns auth/hey-auth.py, which opens Hey in a system webview and writes fresh cookies.
  3. Tool calls hit Hey.com directly with browser-realistic headers; responses are parsed (HTML via node-html-parser) and cached in SQLite.
  4. Write operations fetch a fresh CSRF token before submitting.

Project structure

mcp-hey/
  src/
    index.ts           # MCP server entry point
    hey-client.ts      # HTTP client with cookie injection
    session.ts         # Session management and validation
    errors.ts          # Error classes and sanitisation
    cache/             # SQLite cache (db, schema, messages, search)
    tools/             # MCP tool implementations
      read.ts          # Reading and listing
      send.ts          # Send, reply, forward
      organise.ts      # Triage, labels, bubble up, etc.
      http-helpers.ts  # Shared CSRF retry and endpoint fallback
      attachments.ts   # Download attachments, parse calendar invites
    __tests__/         # Test suites
  auth/
    hey-auth.py        # Python auth helper (pywebview)
    requirements.txt
  data/
    hey-cookies.json   # Session storage (gitignored, chmod 600)
  docs/
    API.md             # Hey.com API surface documentation
    TOOLS.md           # MCP tool reference (34 tools)
    hey-features-doc.md  # Hey.com feature mapping

Available tools

34 tools grouped by function. See docs/TOOLS.md for parameters, return shapes, and error behaviour.

CategoryTools
Readhey_list_emails (imbox, feed, paper_trail, trash, spam, drafts), hey_imbox_summary, hey_list_set_aside, hey_list_reply_later, hey_list_screener, hey_read_email, hey_download_attachment, hey_get_calendar_invite
Labels & Collectionshey_list_labels, hey_list_label_emails, hey_label, hey_list_collections, hey_list_collection_emails, hey_collection
Sendhey_send_email, hey_reply, hey_forward
Triagehey_set_aside, hey_unset_aside, hey_reply_later, hey_remove_reply_later, hey_move_to, hey_set_status, hey_mark_unseen, hey_mark_seen, hey_read_status, hey_thread_mute
Bubble uphey_bubble_up, hey_bubble_up_if_no_reply, hey_pop_bubble
Screenerhey_screen, hey_screen_by_id
Searchhey_search
Cachehey_cache_status

Privacy and security

  • No credentials are ever stored β€” only session cookies, written with 600 permissions.
  • Authentication happens entirely inside Hey's own login page (system webview).
  • All data stays on your machine. No telemetry is emitted by this project.
  • MCP uses stdio transport β€” the server never opens a network listener.
  • Session validity is checked on startup and before sensitive operations.

See SECURITY.md for how to report vulnerabilities.

Contributing

Contributions welcome via pull request. Please:

  • Use conventional commits (feat, fix, docs, refactor, test, perf, cicd, revert, WIP).
  • Run bun run format and bun run lint before pushing (powered by Biome).
  • Ensure bun test passes.
  • Update docs/API.md if you discover or change any Hey.com API behaviour.

See CLAUDE.md for the full development workflow.

Licence

MIT Licence β€” see LICENCE.