What is a temporary email address?

A temporary email address is a real, working inbox that receives emails like any normal address. It does not require an account or registration. The inbox automatically deletes itself after one hour.

Is TempEmail free to use?

Yes. TempEmail is completely free. There are no plans, no usage limits, and no credit card required.

How long does a temporary email inbox last?

The inbox stays active for one hour from when it was created. After that, the address and all emails in it are permanently deleted. You can bookmark the page URL to return to the same inbox within that window.

Can I choose my own temporary email address?

Not at the moment. Addresses are randomly generated each time you visit. Custom addresses are planned for a future update.

Can I send emails from a temporary email address?

No. TempEmail is a receive-only inbox. You can read emails sent to your temporary address but you cannot send emails from it.

What are legitimate uses for a temporary email address?

Common legitimate uses include testing your own application's email flows, signing up as a new user to test your product's onboarding experience, protecting your inbox while researching vendors or services, short-term project registrations, and maintaining privacy on public or shared computers.

Why didn't I receive the email I was expecting?

Some services actively block disposable or temporary email domains. If you did not receive an expected email, the sender may have rejected the address. This is the sender's decision and cannot be overridden.

Is my temporary email inbox private?

The inbox has no password, but the address is randomly generated and long enough that it cannot realistically be guessed. Do not use it for anything sensitive like banking or private communications.

Can I use TempEmail on my phone?

Yes. TempEmail works on any device with a browser, including mobile phones and tablets. Copy the address and emails will appear in real time just like on desktop.

How to Test Password Reset Flows as a Developer

Why password reset testing gets neglected

Password reset is one of the most attacked flows in any application — and paradoxically, one of the most under-tested. The reason is simple: developers use their own email address during development. After the third or fourth test run, your inbox is buried in "Reset your password" messages that all look identical. Subject lines thread together, you lose track of which link belongs to which run, and eventually testing becomes too annoying to do thoroughly. You start relying on the assumption that it works because it worked last time. That is the exact kind of complacency that lets serious bugs slip into production.

The stakes are high. Password reset is the primary mechanism by which users recover accounts — and by which attackers try to take them over. A flawed token that does not expire, a link that can be reused, or a reset endpoint without rate limiting can turn a minor credential leak into a full account compromise. According to data indexed by Have I Been Pwned, billions of credentials from old breaches are actively circulating, and attackers routinely attempt password resets against accounts they discover. If your reset flow has weaknesses, they will find them.

What you actually need to test in a password reset flow

A basic "does it send an email" smoke test is not sufficient. The OWASP Authentication Cheat Sheet outlines a comprehensive set of requirements for secure password reset, and each one deserves dedicated testing. Here is the full list of what you should actually be verifying:

Email delivery — does the reset email arrive, and does it arrive promptly? A reset email that takes 10 minutes will confuse users and drive support tickets.
Link correctness — does the link in the email go to the right page with the correct token in the URL or body?
Token expiry — if you wait 25 hours and then click the link, does the application correctly reject the expired token? Test this explicitly, not theoretically.
Single-use enforcement — can you click the same reset link twice? After a successful password change, the token must be invalidated. This is a mandatory requirement per OWASP, and it is frequently skipped.
Invalidation on re-request — if a user requests a reset, then requests another reset two minutes later, is the first token invalidated? Both tokens being valid simultaneously is a security flaw.
SSO account handling — what happens when a user who registered via Google, GitHub, or another OAuth provider requests a password reset? This flow is frequently broken because the account has no local password to reset.
HTTPS enforcement — is the reset link using HTTPS? A reset link over plain HTTP exposes the token to network interception.
Error message quality — when a link is expired, does the application show a clear, helpful message, or a generic 500 error? The user experience here matters.
Rate limiting — what happens if someone sends 10 reset requests for the same address in one minute? There should be a sensible limit that prevents enumeration and abuse.
Email enumeration prevention — does the response differ based on whether the email address exists in the system? A different response is an information leak that lets attackers enumerate valid accounts.

The temp email approach — a step-by-step walkthrough

The cleanest solution to all of these testing challenges is a fresh temporary email address for every test run. Here is exactly how it works in practice.

Open a temporary inbox, copy the address shown at the top, and go to your application. Register a new test account using that address. Navigate to the login page and click "Forgot Password". Enter the address and submit the request. Switch back to the temporary inbox — the reset email arrives in real time, typically within a few seconds. You can see the full email, inspect the subject line and sender details, click the link, verify it goes to the correct page, set a new password, and confirm the login works. Total time from start to finish: under two minutes. When you need to test a second scenario, open a new browser tab — you get a completely independent inbox with a different address. No cleanup, no threading confusion, no risk of accidentally clicking the wrong link from a previous run.

A real example walkthrough: testing before a release

I was preparing a SaaS application for a minor release that included an update to the authentication library. The password reset flow had not been explicitly changed, but auth library updates have a habit of silently breaking email token generation. Here is the full sequence I ran through.

I opened five browser tabs, each with an independent temporary inbox. Tab one: happy path — register, request reset, use the link within two minutes, confirm login. Tab two: expired token — register, request reset, wait for the email to arrive, set it aside for 25 hours (I came back to it the next day), then tried the link. The application correctly rejected it. Tab three: double-reset — register, request reset, immediately request reset again, then tried both links. The first link should have been invalidated; it was. Tab four: used-link reuse — register, request reset, use the link to change password successfully, then tried the same link a second time. Correctly rejected. Tab five: rate limiting — triggered reset requests rapidly to verify the rate limiter was functioning.

Every scenario used a clean, independent inbox. There was no ambiguity about which email belonged to which test. The auth library update had not broken anything, and I had documented proof. The whole test run took about 30 minutes including the overnight expired-token check.

Testing edge cases with multiple temp inboxes simultaneously

Each browser tab on a temporary email service is an independent inbox with its own unique address. This makes parallel testing straightforward. Open three tabs and you have three unique addresses. Register three test accounts, trigger password resets for all three simultaneously, and verify that each account only receives its own token — not someone else's. This cross-contamination test catches a particularly nasty bug where a poorly implemented reset system sends all tokens to the address that was registered first, or to a hardcoded address in a misconfigured environment.

You can also test what happens when a user requests a reset while already logged in, or what happens when a reset is requested for an email address that does not exist in the system. Each of these edge cases gets its own clean inbox, its own clean state, and produces unambiguous results.

Never hardcode a test email address in your codebase. Use a fresh temp mail inbox each time — it ensures you are testing real delivery through your actual email infrastructure, not a stub, and you always start with a completely clean state.

The token security checklist

Password reset tokens are one of the most common attack surfaces in web applications. OWASP is explicit about what a secure implementation requires, and the bar is higher than many teams realise. Every item on this list should be verifiable through your tests:

Minimum 32 characters, cryptographically random — short or predictable tokens can be brute-forced. Use your platform's cryptographically secure random number generator, not Math.random() or its equivalents.
Expires within 24 hours, ideally 1 hour — a token that never expires is a persistent attack surface. One hour is the recommended maximum for most applications.
Single-use only — the token must be invalidated the moment it is redeemed. A reusable reset token is a critical vulnerability.
Invalidated when a new reset is requested — if the user requests reset again, all previous outstanding tokens for that account must be voided.
Rate-limited per email address — prevent automated enumeration and abuse by limiting how many reset requests can be made per address per time window.
Never logged in plaintext — if your logging infrastructure captures request parameters, ensure reset tokens are excluded or hashed before logging.

What the reset email itself should look like

The content and presentation of the reset email matters more than most teams appreciate. A well-crafted reset email is plain and functional: a clear subject line ("Reset your password"), a single prominent button or link, a clear expiry statement ("This link expires in 1 hour"), and a note that if the user did not request this, they can safely ignore the email. No marketing copy, no social media icons, no newsletter footer. A transactional email should look transactional.

The sender details also matter. The from name should match your brand clearly, and the from address should be properly authenticated. An email that arrives with a mismatched sender name or that lands in the spam folder because of poor authentication configuration will cause real user confusion and support burden. Check your domain's SPF, DKIM, and DMARC configuration using a tool like MXToolbox, and read through the email authentication guide if any of those terms are unfamiliar.

The technical email specification — what is and is not a valid email, how delivery works end to end — is documented in RFC 5321. It is dense reading, but the overview sections are useful context for understanding what your email infrastructure is actually doing when it dispatches a reset email.

Why your real inbox is the wrong tool for this

Using your personal or work email address for test accounts creates a set of problems beyond inconvenience. Your address ends up in your own application's database as a test record. It may appear in application logs, in your mail server's sent history, in staging environment exports, and occasionally in database dumps shared with contractors or external QA teams. Staging environments often have looser access controls than production. The Electronic Frontier Foundation advocates for data minimisation as a foundational privacy principle — keeping your real address out of development and test systems is a direct application of that principle. A temporary inbox expires naturally, is never tied to your identity, and leaves no trail.

Include password reset in your regression suite

Password reset is the kind of flow that silently breaks when authentication libraries are updated, when email providers are rotated, or when API keys are refreshed. It rarely has dedicated automated tests because most teams treat it as a UI-only integration test that is hard to automate. That reasoning is understandable but dangerous.

At minimum, consider adding a basic end-to-end test in your staging or CI environment: programmatically create a test account with a generated address, trigger a reset request, intercept or inspect the outgoing email directly from your mail service's API, extract the token, attempt redemption, and verify the resulting state. This does not need to be elaborate. Even a single automated check that confirms the reset flow is functional after each deployment will catch the most common regression class: auth dependency changes that break token generation silently.

Additional resources for secure authentication

For a broader perspective on why secure password handling matters in practice, Troy Hunt covers real-world breach analysis in accessible and well-evidenced detail. His writing on credential stuffing and account takeover is directly relevant to why the reset flow deserves serious attention. The OWASP Authentication Cheat Sheet remains the most comprehensive single reference for everything your authentication system should be doing. Between those two resources and a disciplined testing practice using fresh inboxes for each run, you have the foundation for an authentication system that will hold up under real-world scrutiny.

Blog

How to Test Password Reset Flows Without Using Your Real Inbox