Appearance
Cypress Guide
If you haven't already, see Getting Started. The following examples will assume you have already received your API key and created a namespace.
cypress-mailisk
Mailisk provides an official library with a custom set of commands for testing email in Cypress. These commands wrap the API Reference endpoints.
Install cypress-mailisk
cypress-mailisk requires Node.js >=20 and Cypress >=15.10.0.
sh
npm install --save-dev cypress-mailiskAfter installing the package add the following in your project's cypress/support/e2e.js:
js
import "cypress-mailisk";Setup API Key
To be able to use the API you will need to add your API key to cypress.config.js:
js
module.exports = defineConfig({
env: {
MAILISK_API_KEY: "YOUR_API_KEY",
},
});Usage
The cypress-mailisk plugin provides additional commands which can be accessed on the cypress object, for example cy.mailiskSearchInbox(). These commands extend the Chainable object which allows you to use the then() method to chain commands.
cy.mailiskSearchInbox
This is the main command to interact with Mailisk, it wraps the Search Inbox endpoint.
js
cy.mailiskSearchInbox("yournamespace", { to_addr_prefix: "test.user@" }).then((response) => {
const emails = response.data;
// ...
});This Cypress command does a few extra things out of the box compared to calling the raw API directly:
- By default it polls until at least one matching email is received. Passing
wait: falsemakes a single request that can return an empty response immediately. - The request timeout is adjustable by passing
timeoutin the request options. By default it uses a timeout of 5 minutes. - By default it returns emails in the last 15 minutes. This ensures that only new emails are returned. This can be overridden by passing the
from_timestampparameter (from_timestamp: 0will disable filtering by email age).
js
// timeout of 5 minute
cy.mailiskSearchInbox(namespace);
// timeout of 1 minute
cy.mailiskSearchInbox(namespace, {}, { timeout: 1000 * 60 });
// returns immediately, even if the result would be empty
cy.mailiskSearchInbox(namespace, { wait: false });For the full list of filters and their description see the Search Inbox endpoint reference.
Filter by TO address
The to_addr_prefix option allows filtering by the email's TO address. Specifically the TO address has to start with this.
For example, if someone sends an email to my-user-1@yournamespace.mailisk.net, you can filter it by using my-user-1@:
js
cy.mailiskSearchInbox(namespace, {
to_addr_prefix: "my-user-1@",
});Filter by FROM address
The from_addr_includes option allows filtering by the email's FROM address. Specifically the FROM address has to include this. Note that this is different from the to address as it is includes not prefix.
For example, if someone sends an email from the example.com domain we could filter like so:
js
cy.mailiskSearchInbox(namespace, {
from_addr_includes: "@example.com",
});If we know a specific email address we want to listen to we can do this:
js
cy.mailiskSearchInbox(namespace, {
from_addr_includes: "no-reply@example.com",
});Filter by Subject
The subject_includes option allows filtering by the email's Subject. Specifically the Subject has to include this (case-insensitive).
If we're testing password reset that sends an email with the subject Password reset request. We could filter by something like this:
js
cy.mailiskSearchInbox(namespace, {
subject_includes: "password reset request",
});SMS Testing
If your plan includes SMS, request and activate a phone number in the dashboard (see SMS Testing). Once a number is active you can poll it directly from Cypress using cy.mailiskSearchSms.
cy.mailiskSearchSms
js
cy.env(["MAILISK_SMS_NUMBER"]).then(({ MAILISK_SMS_NUMBER: smsNumber }) => {
cy.mailiskSearchSms(
smsNumber,
{
body: "Your login code",
},
{
timeout: 1000 * 120,
}
).then(({ data }) => {
expect(data).to.not.be.empty;
const sms = data[0];
const otp = sms.body.match(/(\d{6})/)[1];
// use OTP in your flow
});
});This command mirrors cy.mailiskSearchInbox:
- By default it polls until at least one SMS matches the filters. Use
wait: falseto make a single request. - Pass a third
optionsargument to override the default 5 minute timeout for particularly long MFA flows. - The second argument accepts the same filters that the Search SMS API exposes, making it easy to target a specific OTP or sender.
Filter by body or sender
Use the body filter for substring matches inside the SMS payload (case-insensitive) and from_number to restrict the sender. from_number behaves as a prefix search, so +1555 would match all senders that start with that code.
js
cy.mailiskSearchSms(smsNumber, {
body: "verification code",
from_number: "+1555123",
});To avoid stale data between runs, prefer unique state in your application (e.g. unique account IDs) rather than relying on offset/limit pagination.
List SMS numbers
When you need to confirm which phone numbers are available to your API key (for example, before setting MAILISK_SMS_NUMBER in CI), call cy.mailiskListSmsNumbers().
js
cy.mailiskListSmsNumbers().then(({ data }) => {
expect(data).to.not.be.empty;
const [{ phone_number, status }] = data;
expect(status).to.equal("active");
cy.wrap(phone_number).as("smsNumber");
});Pairing this with cy.mailiskSearchSms ensures your specs always target an active, approved number.
Authenticator TOTP
cypress-mailisk can manage saved Mailisk authenticator devices and generate authenticator app OTP codes through the Mailisk API. The library does not generate TOTP codes locally.
TOTP commands require an organisation API key, prefixed with sk_org_. Configure it the same way as the other Cypress commands:
js
module.exports = defineConfig({
env: {
MAILISK_API_KEY: "sk_org_...",
},
});Each command returns a Cypress chainable value and accepts optional Cypress request options as the last argument.
| Use case | Command |
|---|---|
| List saved devices | cy.mailiskDeviceList(params?, options?) |
| Save a reusable device from a Base32 shared secret with default settings | cy.mailiskDeviceCreate(input, options?) |
| Save a reusable device with custom TOTP settings | cy.mailiskDeviceCreateCustom(input, options?) |
| Save a device from a Base32 secret-key field | cy.mailiskDeviceCreateFromBase32SecretKey(input, options?) |
Save a device from an otpauth://totp/... setup URL | cy.mailiskDeviceCreateFromOtpAuthUrl(input, options?) |
| Generate an OTP from a known Base32 secret without saving anything | cy.mailiskDeviceOtpBySharedSecret(sharedSecret, options?) |
| Generate an OTP for a saved device | cy.mailiskDeviceOtpByDeviceId(deviceId, options?) |
| Delete a saved device | cy.mailiskDeviceDelete(deviceId, options?) |
Generate a code without saving a device
Use this when your test already has a shared secret and does not need saved-device management.
js
cy.mailiskDeviceOtpBySharedSecret("JBSWY3DPEHPK3PXP").then((otp) => {
cy.get('[data-testid="mfa-code"]').type(otp.code);
});This one-off shared-secret flow uses the default TOTP settings: 6 digits, a 30 second period, and SHA1.
Save a device and reuse it later
Use cy.mailiskDeviceCreate for a saved device with the default TOTP settings.
js
cy.mailiskDeviceCreate({
name: "GitHub staging",
shared_secret: "JBSWY3DPEHPK3PXP",
expires_at: "2026-06-01T12:00:00.000Z",
}).then((device) => {
cy.mailiskDeviceOtpByDeviceId(device.id).then((otp) => {
cy.get('input[name="otp"]').type(otp.code);
});
});Use cy.mailiskDeviceCreateCustom when the application under test uses non-default settings or when you want issuer and username metadata on the saved device.
js
cy.mailiskDeviceCreateCustom({
name: "GitHub staging",
secret: "JBSWY3DPEHPK3PXP",
username: "qa@example.com",
issuer: "GitHub",
digits: 6,
period: 30,
algorithm: "SHA1",
}).then((device) => {
expect(device.source).to.equal("custom");
});Create a device from a Base32 secret key
Some setup flows expose the shared secret as a Base32 secret key. Use cy.mailiskDeviceCreateFromBase32SecretKey when that field name matches your integration.
js
cy.mailiskDeviceCreateFromBase32SecretKey({
base32_secret_key: "JBSWY3DPEHPK3PXP",
username: "qa@example.com",
issuer: "GitHub",
}).then((device) => {
expect(device.source).to.equal("base32_secret_key");
});Create a device from an otpauth URL
Use cy.mailiskDeviceCreateFromOtpAuthUrl when your application exposes the authenticator setup URL directly or through a QR-code payload.
js
cy.mailiskDeviceCreateFromOtpAuthUrl({
name: "GitHub staging",
otp_auth_url: "otpauth://totp/GitHub:qa@example.com?secret=JBSWY3DPEHPK3PXP&issuer=GitHub",
}).then((device) => {
cy.mailiskDeviceOtpByDeviceId(device.id).then((otp) => {
cy.get('input[name="otp"]').type(otp.code);
});
});The URL must include a secret query parameter. Values inside the URL are used for fields such as issuer, username, digits, period, and algorithm when present.
List and delete saved devices
cy.mailiskDeviceList returns active, non-expired devices for the organisation. issuer and username filters are case-insensitive partial matches. String filters are trimmed before sending, and empty string filters are omitted.
js
cy.mailiskDeviceList({
limit: 20,
offset: 0,
issuer: "GitHub",
username: "qa@example.com",
}).then((response) => {
expect(response.total_count).to.be.greaterThan(0);
expect(response.items[0].issuer).to.equal("GitHub");
});Delete saved devices when they are no longer needed.
js
cy.mailiskDeviceDelete("9b1f6ec0-b90d-4bd8-8dd0-f6b2d5138273");The delete command resolves without a response body.
Supported TOTP settings
Default settings:
| Setting | Default |
|---|---|
digits | 6 |
period | 30 seconds |
algorithm | SHA1 |
Supported custom values:
| Field | Accepted values |
|---|---|
digits | 6 or 8 |
period | Integer from 10 to 300 seconds |
algorithm | SHA1, SHA256, or SHA512 |
Secrets are write-only. The API accepts shared secrets when creating devices or generating codes, but saved device responses do not include the secret.
Response shapes
Saved device responses use this shape:
ts
type TotpDevice = {
id: string;
organisation_id: string;
name: string;
username?: string | null;
issuer?: string | null;
digits: number;
period: number;
algorithm: "SHA1" | "SHA256" | "SHA512";
source: "shared_secret" | "custom" | "base32_secret_key" | "otpauth_url" | string;
expires_at?: string | null;
created_at: string;
updated_at: string;
};OTP responses include the current code and an ISO timestamp for when that code expires:
ts
type TotpOtpResponse = {
code: string;
expires: string;
};For REST request examples and endpoint-level errors, see the Authenticator TOTP API reference.
Common test cases
Password reset page
This example demonstrates going to a password reset page, requesting a new password, receiving reset code link via email and finally setting the new password.
js
describe("Test password reset", () => {
let resetLink;
const namespace = "yournamespace";
const testEmailAddr = `test.test@${namespace}.mailisk.net`;
it("Starts a password reset", () => {
cy.visit("https://example.com/password_reset");
cy.get("#email_field").type(testEmailAddr);
cy.get("form").submit();
});
it("Gets a password reset email", () => {
cy.mailiskSearchInbox(namespace, {
to_addr_prefix: testEmailAddr,
subject_includes: "password",
}).then((response) => {
expect(response.data).to.not.be.empty;
const email = response.data[0];
expect(email.subject).to.equal("Please reset your password");
resetLink = email.text.match(/.(https:\/\/example.com\/password_reset\/.*)>\n*/)[1];
expect(resetLink).to.not.be.undefined;
});
});
it("Goes to password reset link", () => {
cy.visit(resetLink);
cy.title().should("contain", "Change your password");
cy.get("#password").type("MyNewPassword");
cy.get("#password_confirmation").type("MyNewPassword");
cy.get("form").submit();
});
});SMS-based MFA
This spec triggers an SMS one-time passcode and asserts it directly inside Cypress:
js
describe("SMS MFA", () => {
it("receives and uses OTP", () => {
cy.env(["MAILISK_SMS_NUMBER"]).then(({ MAILISK_SMS_NUMBER: smsNumber }) => {
cy.visit("https://example.com/login");
cy.contains("Use SMS instead").click();
cy.get("#phone").type(smsNumber);
cy.contains("Send code").click();
cy.mailiskSearchSms(smsNumber, {
body: "Your login code",
}).then(({ data }) => {
expect(data).to.not.be.empty;
const sms = data[0];
const otp = sms.body.match(/(\d{6})/)[1];
cy.get("#otp").type(otp);
cy.contains("Verify").click();
});
});
});
});For longer-lived OTP flows combine body with from_number or from_date so the command only resolves once the relevant verification SMS has landed.
Breaking changes
- With version v2.0.0 the default
from_timestamphas been changed from the past 5 seconds to the past 15 minutes. Since this can break existing tests a new major version has been released.