Recipient surface
The recipient-facing surface that powers the Keepable inbox apps. Covers the account profile, email capture and verification, the assurance-level model, and delivery notifications including held-pending releases.
The recipient surface is the API behind the Keepable inbox apps (web and mobile). It is a first-party BFF (backend-for-frontend), not a partner integration target: senders push content over the Sender API, while recipients read and manage that content through this surface. It is documented here so the people building and maintaining the inbox apps have one accurate contract to work from.
If you are integrating as a sender (a bank, employer, or agency pushing mail to recipients), you want the Sender API. This section is for the recipient-facing inbox, not for partner integrations, and it is not exposed as a partner reference.
Every request carries the Keepable-Version date header, and every mutation carries an Idempotency-Key, exactly as on the Sender API.
What the recipient surface covers
Account profile
Read the recipient's profile: legal name, masked NIN, email, verification flags, and the assurance level they were onboarded at.
Email verification
Capture an email and prove control of it with a one-time code, so it can route notifications and recover access.
Assurance levels
What "email" versus "id_verified" means for a recipient, and why it gates what they can receive.
Delivery notifications
How a recipient learns mail arrived, including the held-pending to delivered release when they finally sign up.
Identity posture
Keepable never stores raw national identifiers or raw emails. The identity
registry keeps only salted hashes, so a recipient's raw NIN cannot be
reconstructed server-side. The profile the inbox shows is therefore a careful
blend: a masked NIN (already masked by the backend, for example
*******8901), the recipient's legal name and assurance level from the
consent-scoped profile store, and an email_verified flag derived strictly from
a recorded verification timestamp (never assumed true). See
Account profile for the exact shape.
Verify signatures
Every webhook delivery is HMAC-SHA256 signed with your endpoint's secret. Verify the signature, enforce a timestamp window, and de-duplicate on the event id before you trust a payload.
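The three checks named above, in the order a receiver would apply them, as an added example that is not Keepable's own code. The signing input layout (timestamp, a dot, then the raw body), the hex encoding, the 300-second window and the "id" field name are assumptions, since this page does not specify them.

```python
import hashlib
import hmac
import json
import time


class WebhookRejected(Exception):
    """Raised when a delivery must not be processed."""


def sign(secret: bytes, timestamp: str, body: bytes) -> str:
    # Assumed signing input: "<timestamp>.<raw body>". Covering the timestamp
    # with the MAC means a captured delivery cannot be given a fresh timestamp.
    msg = timestamp.encode() + b"." + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class WebhookVerifier:
    def __init__(self, secret: bytes, tolerance_seconds: int = 300):  # assumed window
        self._secret = secret
        self._tolerance = tolerance_seconds
        self._seen_ids = set()  # in-memory for the example; use a shared store in production

    def verify(self, body: bytes, timestamp: str, signature: str, now=None) -> dict:
        # 1. Signature over the raw bytes as received, compared in constant time.
        expected = sign(self._secret, timestamp, body)
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            raise WebhookRejected("bad signature")
        # 2. Timestamp window. The timestamp is already authenticated by step 1.
        now = time.time() if now is None else now
        if not (timestamp.isascii() and timestamp.isdigit()):
            raise WebhookRejected("malformed timestamp")
        if abs(now - int(timestamp)) > self._tolerance:
            raise WebhookRejected("timestamp outside window")
        # 3. De-duplicate on the event id. JSON is parsed only after the MAC checks out.
        event = json.loads(body)
        event_id = event.get("id") if isinstance(event, dict) else None  # assumed field name
        if not isinstance(event_id, str) or not event_id:
            raise WebhookRejected("missing event id")
        if event_id in self._seen_ids:
            raise WebhookRejected("duplicate event id")
        self._seen_ids.add(event_id)
        return event
```

Pass the body exactly as it arrived on the wire; re-serialising the parsed JSON before checking the MAC will change the bytes and fail verification.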
Account profile
GET /recipient/account returns the recipient's profile: the masked NIN, legal name, email, verification flags, and the assurance level they were onboarded at.