Felixx Mail is a static UI paired with Vercel serverless functions that handle Lark OAuth and mailbox proxy calls. The frontend never stores refresh tokens; those stay in encrypted, HttpOnly cookies managed by the backend.
Browser → /api/auth/lark → Lark OAuth → /api/auth/callback
Browser → /api/mail/messages → Lark Mail API
Session: HttpOnly cookie (AES-GCM, SESSION_SECRET)
Use Lark Open Platform OAuth (Authorization Code flow). After the user authorizes, your backend exchanges the code for a user access token and refresh token, then stores them securely. The refresh token lets you keep users signed in without IMAP credentials.
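The session line above names AES-GCM and SESSION_SECRET. As an added example (not the project's own code), this is one way a serverless function could seal the Lark tokens into that cookie and reject tampered, foreign or expired values. The HKDF key derivation, the iv || tag || ciphertext layout, the `expiresAt` field, the cookie name and the attributes other than HttpOnly are assumptions.

```javascript
// Added example, not the project's code. Key derivation, token layout and
// cookie name are assumptions; sample tokens are constructed placeholders.
const crypto = require('node:crypto');

// Derive a 32-byte AES-256 key from SESSION_SECRET (HKDF-SHA256, assumed).
function deriveKey(secret) {
  return Buffer.from(
    crypto.hkdfSync('sha256', secret, Buffer.alloc(0), 'session-cookie-v1', 32));
}

// Encrypt a session object; output is base64url(iv || tag || ciphertext).
function sealSession(session, secret) {
  const iv = crypto.randomBytes(12); // fresh 96-bit nonce for every cookie
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(secret), iv);
  const body = Buffer.concat([
    cipher.update(JSON.stringify(session), 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]).toString('base64url');
}

// Decrypt and authenticate; null for tampered, foreign or expired cookies.
function openSession(value, secret, now = Date.now()) {
  const raw = Buffer.from(String(value), 'base64url');
  if (raw.length < 12 + 16 + 1) return null; // cannot hold iv + tag + data
  try {
    const decipher = crypto.createDecipheriv(
      'aes-256-gcm', deriveKey(secret), raw.subarray(0, 12), { authTagLength: 16 });
    decipher.setAuthTag(raw.subarray(12, 28));
    const plain = Buffer.concat([
      decipher.update(raw.subarray(28)), decipher.final()]); // throws on bad tag
    const session = JSON.parse(plain.toString('utf8'));
    return session.expiresAt > now ? session : null;
  } catch {
    return null; // authentication or parsing failed: treat as signed out
  }
}

// Set-Cookie value; HttpOnly keeps the tokens away from frontend JavaScript.
function sessionCookie(session, secret) {
  return `session=${sealSession(session, secret)}; HttpOnly; Secure; SameSite=Lax; Path=/`;
}

// Constructed demo values.
const demo = { email: 'felix@felixx.dev', accessToken: 'ACCESS_PLACEHOLDER',
  refreshToken: 'REFRESH_PLACEHOLDER', expiresAt: Date.now() + 3600_000 };
const sealed = sealSession(demo, 'long_random_secret');
console.log(openSession(sealed, 'long_random_secret').email);
console.log(openSession(sealed, 'another_secret'));
```

Because the key comes from SESSION_SECRET, rotating that value invalidates every existing cookie and forces a fresh OAuth login.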
https://YOUR_DOMAIN/api/auth/callback.
/api/auth/lark to start login.
LARK_APP_ID=your_app_id
LARK_APP_SECRET=your_app_secret
LARK_REDIRECT_URI=https://your-domain/api/auth/callback
SESSION_SECRET=long_random_secret
ALLOWED_EMAILS=felix@felixx.dev
LARK_USER_INFO_URL=<from Lark console>
LARK_BASE_URL=<from Lark console>
LARK_AUTHORIZE_URL=<from Lark console>
LARK_ACCESS_TOKEN_URL=<from Lark console>
LARK_REFRESH_TOKEN_URL=<from Lark console>
LARK_APP_ACCESS_TOKEN_URL=<from Lark console>
LARK_MAIL_LIST_URL=<from Lark console>
LARK_MAIL_MESSAGE_URL=<from Lark console; use :id>
/api/mail/messages → { messages: [ ... ] }
/api/mail/messages/:id → { message }
/api/mail/messages/:id → { success: true }
Only approved emails can complete OAuth login. Set ALLOWED_EMAILS to a comma-separated list (default is felix@felixx.dev).
/access.html?denied=1.
Alias handling is configured in aliases.js. The inbox UI lets you switch aliases, and the selected alias is sent as ?alias= to the backend.
Landing stats update once per day for the felixx.dev domain, driven by landing.js. Other domains show static demo values.
Access is limited to the felixx.dev domain. Use the template on the access page to request credentials.