Implement Brevo inbound parse, secure webhooks, and a shared ingest core in Next.js + PayloadCMS to normalize email…
In-depth Next.js guides covering App Router, RSC, ISR, and deployment. Get code examples, optimization checklists, and prompts to accelerate development.
No spam. Unsubscribe anytime.
I was building a document-processing app where users could upload files from the UI, and everything worked well through a clean ingest pipeline. Then the practical request came in: users wanted to send invoices and documents directly by email, and have those attachments processed exactly like normal uploads. This guide shows the full implementation path for that flow in a Next.js + PayloadCMS app, using Brevo inbound parsing as the email entry point.
By the end, you will have a working architecture where:
Let’s define the exact use case first.
Your app already has a UI uploader in src/components/upload/FileUploadZone.tsx. That component sends files to POST /api/ingest. The ingest route creates:
ingestion-job,document,document-file,pipeline-run,This is already solid. The issue is that email does not naturally arrive as multipart/form-data to your existing UI route. It comes from an external SMTP world, through mail infrastructure, with different trust and parsing requirements.
So the real problem is not “how do I parse an email?” The real problem is:
That third point is critical. If you build a second ingestion path with different behavior, you will create drift and hard-to-debug production inconsistencies.
To receive email attachments in a web app, you need an inbound email provider. In this implementation we use Brevo Inbound Parse:
reply.yourdomain.com.DownloadTokens.The important architectural decision is this:
You do not call your current POST /api/ingest directly from Brevo.
Your current ingest route relies on an authenticated browser session. Brevo won’t have that session cookie. Instead, create a new webhook route and extract common ingest logic into a shared service used by both:
POST /api/ingest (UI path)POST /api/webhooks/email-ingest (email path)Here is the target shape:
User Email Client
-> SMTP
-> Brevo Inbound Parse
-> POST /api/webhooks/email-ingest
-> validate auth and tenant
-> fetch attachment bytes via DownloadToken
-> call shared ingest service
-> create ingestion-job, document, document-file, pipeline-run
-> upload to B2
-> queue publishOcr
And your UI flow remains:
FileUploadZone.tsx -> POST /api/ingest -> shared ingest service -> same pipeline
This means both channels converge into one ingest core.
Start in Brevo and your DNS provider.
Set a dedicated receiving subdomain, for example reply.yourdomain.com, then configure MX records:
reply.yourdomain.com priority 10 -> inbound1.sendinblue.com.reply.yourdomain.com priority 20 -> inbound2.sendinblue.com.Create a Brevo inbound webhook:
type: inboundevents: ["inboundEmailProcessed"]url: https://api.yourapp.com/api/webhooks/email-ingestdomain: reply.yourdomain.comEnable secure webhook calls with a bearer token, and make your backend validate it. This is your first security gate.
/api/ingestCreate a reusable service that accepts normalized files and context.
// File: src/lib/ingest/ingest-core.ts
import crypto from "crypto";
import { v4 as uuidv4 } from "uuid";
import { getPayloadClient } from "@/payload/db";
import { uploadToB2 } from "@/lib/backblaze";
type IngestSource = "pwa" | "api" | "desktop" | "email";
export interface NormalizedIngestFile {
fileName: string;
mimeType: string;
bytes: Buffer;
}
export interface IngestCoreInput {
tenantId: number;
source: IngestSource;
files: NormalizedIngestFile[];
note?: string;
emailMeta?: {
provider: "brevo";
messageId: string;
from?: string;
to?: string[];
subject?: string;
};
}
const B2_BUCKET_ID = process.env.B2_BUCKET_ID || "";
export async function ingestFilesCore(input: IngestCoreInput) {
const payload = await getPayloadClient();
const ingestionJob = await payload.create({
collection: "ingestion-jobs",
overrideAccess: true,
data: {
source: input.source,
note: input.note,
status: "processing",
fileCount: input.files.length,
tenant: input.tenantId,
},
});
const processed: Array<{
documentId: number;
pipelineRunId: number;
originalFilename: string;
}> = [];
const errors: Array<{ filename: string; error: string }> = [];
for (const f of input.files) {
try {
const date = new Date().toISOString().split("T")[0];
const fileId = uuidv4();
const sanitized = f.fileName.replace(/[^a-zA-Z0-9.-]/g, "_");
const objectKey = `uploads/${date}/${fileId}/${sanitized}`;
const sha256 = crypto.createHash("sha256").update(f.bytes).digest("hex");
await uploadToB2(f.bytes, objectKey, f.mimeType);
const doc = await payload.create({
collection: "documents",
overrideAccess: true,
data: {
title: f.fileName,
ingestionJob: ingestionJob.id,
status: "ingested",
tenant: input.tenantId,
},
});
await payload.create({
collection: "document-files",
overrideAccess: true,
data: {
document: doc.id,
storageProvider: "backblaze",
bucket: B2_BUCKET_ID,
objectKey,
originalFilename: f.fileName,
mimeType: f.mimeType,
fileSize: f.bytes.length,
sha256,
state: "intake",
tenant: input.tenantId,
},
});
const run = await payload.create({
collection: "pipeline-runs",
overrideAccess: true,
data: {
document: doc.id,
status: "queued",
currentStep: "ocr",
startedAt: new Date().toISOString(),
tenant: input.tenantId,
},
});
await payload.update({
collection: "documents",
id: doc.id,
overrideAccess: true,
data: { status: "ocr_pending" },
});
await payload.jobs.queue({
task: "publishOcr",
input: {
documentId: doc.id,
pipelineRunId: run.id,
objectKey,
mimeType: f.mimeType,
},
});
processed.push({
documentId: doc.id,
pipelineRunId: run.id,
originalFilename: f.fileName,
});
} catch (e) {
errors.push({ filename: f.fileName, error: String(e) });
}
}
const finalStatus =
errors.length === input.files.length
? "failed"
: errors.length > 0
? "needs_review"
: "complete";
await payload.update({
collection: "ingestion-jobs",
id: ingestionJob.id,
overrideAccess: true,
data: { status: finalStatus },
});
return { ingestionJobId: ingestionJob.id, processed, errors };
}
This service is the foundation. It gives you one place where all ingest side effects happen. From here on, every channel should call this function instead of duplicating logic.
/api/ingest route a thin wrapperNow wire your UI route to the shared core.
// File: src/app/api/ingest/route.ts
import { NextRequest, NextResponse } from "next/server";
import { headers } from "next/headers";
import type { User } from "@payload-types";
import { getPayloadClient } from "@/payload/db";
import { resolveActiveTenantId } from "@/payload/utilities/tenant-selection";
import { getTenantFromCookie } from "@/payload/utilities/getTenantFromCookie";
import { ingestFilesCore } from "@/lib/ingest/ingest-core";
export async function POST(req: NextRequest) {
const payload = await getPayloadClient();
const headersList = await headers();
const { user } = await payload.auth({ headers: headersList });
if (!user) return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
const authenticatedUser = user as User;
const requestedTenantId = getTenantFromCookie(headersList, "number");
const tenantId = resolveActiveTenantId(authenticatedUser, requestedTenantId);
if (!tenantId) return NextResponse.json({ error: "No tenant" }, { status: 403 });
const formData = await req.formData();
const files = (formData.getAll("files") as File[]) || [];
if (!files.length) return NextResponse.json({ error: "No files provided" }, { status: 400 });
const normalized = await Promise.all(
files.map(async (f) => ({
fileName: f.name,
mimeType: f.type,
bytes: Buffer.from(await f.arrayBuffer()),
})),
);
const result = await ingestFilesCore({
tenantId,
source: "pwa",
files: normalized,
});
return NextResponse.json({ success: true, ...result });
}
This preserves your current UX while removing logic duplication.
This route receives Brevo inbound payload, validates the request, normalizes attachments, and calls the same ingest core.
// File: src/app/api/webhooks/email-ingest/route.ts
import { NextRequest, NextResponse } from "next/server";
import { ingestFilesCore, type NormalizedIngestFile } from "@/lib/ingest/ingest-core";
import { getPayloadClient } from "@/payload/db";
type BrevoAttachment = {
Name: string;
ContentType: string;
ContentLength: number;
DownloadToken: string;
};
type BrevoItem = {
MessageId: string;
Subject?: string;
From?: { Address?: string };
To?: Array<{ Address?: string }>;
Recipients?: string[];
Attachments?: BrevoAttachment[];
};
type BrevoPayload = { items?: BrevoItem[] };
function unauthorized() {
return NextResponse.json({ error: "Unauthorized" }, { status: 401 });
}
function resolveTenantTokenFromRecipient(recipients: string[]): string | null {
// Example: t-abc123@reply.yourdomain.com -> token "abc123"
for (const r of recipients) {
const local = r.split("@")[0] || "";
if (local.startsWith("t-")) return local.slice(2);
}
return null;
}
async function downloadBrevoAttachment(downloadToken: string): Promise<Buffer> {
const apiKey = process.env.BREVO_API_KEY;
if (!apiKey) throw new Error("BREVO_API_KEY missing");
const response = await fetch(
`https://api.brevo.com/v3/inbound/attachments/${encodeURIComponent(downloadToken)}`,
{
method: "GET",
headers: { "api-key": apiKey },
},
);
if (!response.ok) {
throw new Error(`Brevo attachment download failed: ${response.status}`);
}
const bytes = Buffer.from(await response.arrayBuffer());
return bytes;
}
export async function POST(req: NextRequest) {
if (process.env.EMAIL_INGEST_ENABLED !== "true") {
return NextResponse.json({ error: "Disabled" }, { status: 404 });
}
const expectedBearer = process.env.BREVO_WEBHOOK_BEARER_TOKEN;
const authHeader = req.headers.get("authorization");
if (!expectedBearer || authHeader !== `Bearer ${expectedBearer}`) {
return unauthorized();
}
const payload = (await req.json()) as BrevoPayload;
const item = payload.items?.[0];
if (!item) return NextResponse.json({ error: "No inbound item" }, { status: 400 });
const recipients = [
...(item.Recipients || []),
...((item.To || []).map((m) => m.Address || "").filter(Boolean)),
];
const tenantToken = resolveTenantTokenFromRecipient(recipients);
if (!tenantToken) return NextResponse.json({ error: "Cannot resolve tenant" }, { status: 422 });
const cms = await getPayloadClient();
const tenantLookup = await cms.find({
collection: "tenants",
where: { inboundEmailToken: { equals: tenantToken } },
limit: 1,
});
const tenant = tenantLookup.docs[0];
if (!tenant) return NextResponse.json({ error: "Unknown tenant token" }, { status: 422 });
// Idempotency check by (tenant, MessageId)
const dupe = await cms.find({
collection: "ingestion-jobs",
where: {
and: [
{ tenant: { equals: tenant.id } },
{ externalMessageId: { equals: item.MessageId || "" } },
],
},
limit: 1,
});
if (dupe.totalDocs > 0) return NextResponse.json({ success: true, duplicated: true });
const maxAttachments = Number(process.env.EMAIL_INGEST_MAX_ATTACHMENTS || "20");
const maxTotalBytes = Number(process.env.EMAIL_INGEST_MAX_TOTAL_BYTES || `${35 * 1024 * 1024}`);
const allowedTypes = new Set(
(process.env.EMAIL_INGEST_ALLOWED_MIME_TYPES ||
"application/pdf,image/png,image/jpeg,image/jpg")
.split(",")
.map((s) => s.trim())
.filter(Boolean),
);
const attachments = item.Attachments || [];
if (attachments.length === 0) {
return NextResponse.json({ error: "No attachments" }, { status: 422 });
}
if (attachments.length > maxAttachments) {
return NextResponse.json({ error: "Too many attachments" }, { status: 422 });
}
const estimatedTotal = attachments.reduce((sum, a) => sum + (a.ContentLength || 0), 0);
if (estimatedTotal > maxTotalBytes) {
return NextResponse.json({ error: "Attachments too large" }, { status: 422 });
}
const normalized: NormalizedIngestFile[] = [];
for (const a of attachments) {
if (!allowedTypes.has(a.ContentType)) continue;
const bytes = await downloadBrevoAttachment(a.DownloadToken);
normalized.push({
fileName: a.Name,
mimeType: a.ContentType,
bytes,
});
}
if (!normalized.length) {
return NextResponse.json({ error: "No allowed attachments found" }, { status: 422 });
}
const result = await ingestFilesCore({
tenantId: tenant.id,
source: "email",
files: normalized,
emailMeta: {
provider: "brevo",
messageId: item.MessageId || "",
from: item.From?.Address,
to: recipients,
subject: item.Subject,
},
});
return NextResponse.json({ success: true, ...result });
}
This route is doing three jobs: trust boundary enforcement, payload normalization, and orchestration into shared ingest core.
You need a stable mapping between inbound recipient address and tenant.
Add a token field on tenant records and issue addresses like t-<token>@reply.yourdomain.com.
// File: src/payload/collections/tenants.ts
import type { CollectionConfig } from "payload";
export const Tenants: CollectionConfig = {
slug: "tenants",
fields: [
// ...existing fields
{
name: "inboundEmailToken",
type: "text",
unique: true,
index: true,
admin: {
description:
"Token used in inbound email address. Example: t-<token>@reply.yourdomain.com",
},
},
],
};
This keeps tenant identity out of obvious addresses and gives you rotation control if a token leaks.
To deduplicate by email message and make troubleshooting easy, store external message metadata on ingestion jobs.
// File: src/payload/collections/ingestion-jobs.ts
import type { CollectionConfig } from "payload";
export const IngestionJobs: CollectionConfig = {
slug: "ingestion-jobs",
fields: [
// ...existing fields
{
name: "externalProvider",
type: "select",
options: ["brevo", "postmark", "sendgrid", "mailgun"],
required: false,
},
{
name: "externalMessageId",
type: "text",
index: true,
required: false,
},
{
name: "emailFrom",
type: "text",
required: false,
},
{
name: "emailTo",
type: "array",
fields: [{ name: "address", type: "text" }],
required: false,
},
],
};
Then in your ingest core, when emailMeta exists, persist these values in the created ingestion job. That gives you deterministic dedupe and operational visibility.
Define runtime configuration in your environment.
# File: .env.local
EMAIL_INGEST_ENABLED=true
BREVO_WEBHOOK_BEARER_TOKEN=replace_with_long_random_secret
BREVO_API_KEY=replace_with_brevo_api_key
EMAIL_INGEST_MAX_ATTACHMENTS=20
EMAIL_INGEST_MAX_TOTAL_BYTES=36700160
EMAIL_INGEST_ALLOWED_MIME_TYPES=application/pdf,image/png,image/jpeg,image/jpg
Keep these separate from UI-upload limits. Email input is an external channel and needs explicit boundaries.
Once backend code is deployed:
https://api.yourapp.com/api/webhooks/email-ingest.t-abc123@reply.yourdomain.com.ingestion-jobsdocumentsdocument-filespipeline-runsocr_pending and OCR queue is populated.At this point, you have true channel parity: email and UI both flow through one ingestion behavior.
This design works because it treats inbound email as an external integration boundary, not as another version of UI upload.
The webhook route is intentionally narrow:
Everything else remains in your existing pipeline engine.
That separation lets you evolve providers later without rewriting ingestion. If you move from Brevo to another provider, you mostly rewrite one adapter route, not your document pipeline.
We solved a practical product problem: users can now send documents by email and still get the same processing flow as standard uploads. The key to this implementation is not email parsing by itself, but architectural convergence through a shared ingest core used by both UI and webhook channels.
You now have a concrete path to implement inbound email attachments safely with tenant mapping, deduplication, and consistent pipeline behavior in a Next.js + Payload stack.
Let me know in the comments if you have questions, and subscribe for more practical development guides.
Thanks, Matija