Version: 0.16

Account Manager

The Account Manager is the end-user surface of the Stalwart WebUI. It is mounted at /account on any HTTP listener that serves the WebUI bundle, and it is what a regular mailbox user sees after signing in. The Account Manager limits each user to the objects that belong to their own account and to the fields they are permitted to edit, so it can be exposed publicly without granting administrator reach.

Signing in uses the same authentication stack as every other client, including two-factor authentication when it has been enabled on the account. When an account without administrator permissions signs in at /admin, the browser is redirected to the Account Manager.

The rest of this page describes what an end user can do from the Account Manager. Each feature is backed by the same JMAP objects that administrators and the CLI operate on, so the Account Manager is effectively a curated front-end onto that object model.

Password

End users change their own password from the Account Manager. The form authenticates the current session by requiring the existing password, then accepts a new value that is stored on the account through the AccountPassword singleton (found in the WebUI under Account › Credentials › Password). Minimum length, maximum length, required strength, default expiry, and the hashing algorithm applied on save are governed by the Authentication singleton; see the password reference for the full list of settings and recognised hash schemes.

Self-service password change is available only for accounts stored in the internal directory. Installations backed by an external directory (LDAP or SQL) rely on the directory's own password-change workflow, and the Account Manager hides the password form in that case.
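The flow just described, as an added illustration that is not Stalwart's own code: the current password authenticates the request, the new value is checked against a length and character-class policy, and only a salted scrypt hash is stored, together with a timestamp that drives the expiry check. The policy values, the `$scrypt$<salt>$<digest>` storage format and the `account` dictionary are constructed for this example and do not correspond to the Authentication singleton's actual keys or to the hash schemes in the password reference.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re

# Constructed policy values; not Stalwart's Authentication singleton keys or defaults.
POLICY = {
    "min_length": 12,
    "max_length": 128,
    "min_classes": 3,                 # lower / upper / digit / other classes that must appear
    "expiry_seconds": 90 * 86400,
}

SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def check_policy(candidate: str, policy: dict = POLICY) -> list[str]:
    """Return the policy violations for a proposed password (empty list means acceptable)."""
    problems = []
    if len(candidate) < policy["min_length"]:
        problems.append(f"shorter than {policy['min_length']} characters")
    if len(candidate) > policy["max_length"]:
        problems.append(f"longer than {policy['max_length']} characters")
    classes = sum(bool(re.search(p, candidate)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"))
    if classes < policy["min_classes"]:
        problems.append(f"uses {classes} character classes, at least {policy['min_classes']} required")
    return problems


def hash_password(password: str, salt: bytes | None = None) -> str:
    """scrypt (RFC 7914) hash in a constructed "$scrypt$<salt>$<digest>" storage format."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"$scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare it in constant time."""
    try:
        _, scheme, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex), **SCRYPT_PARAMS)
    return hmac.compare_digest(digest.hex(), digest_hex)


def change_password(account: dict, current: str, new: str, now: float) -> tuple[bool, str]:
    """Self-service change: the current password authenticates the request, the new one must pass policy."""
    if not verify_password(current, account["password_hash"]):
        return False, "current password is incorrect"
    problems = check_policy(new)
    if problems:
        return False, "new password rejected: " + "; ".join(problems)
    if verify_password(new, account["password_hash"]):
        return False, "new password must differ from the current one"
    account["password_hash"] = hash_password(new)   # hashed on save; the plaintext is never stored
    account["password_set_at"] = now
    return True, "password changed"


def password_expired(account: dict, now: float, policy: dict = POLICY) -> bool:
    """True once the default expiry has elapsed since the password was last set."""
    return now - account["password_set_at"] >= policy["expiry_seconds"]
```

Rejecting the request when the current password fails to verify, before any policy feedback is given, keeps the form from acting as an oracle for an attacker who holds a session but not the password.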

Application passwords

Legacy mail clients and automated tools that cannot perform an OAuth flow, and therefore cannot be prompted for a TOTP code, authenticate with application passwords instead of the account's primary password. The Account Manager lists the account's existing application passwords and allows new ones to be issued or individual entries revoked.

Each application password is represented by an AppPassword object (found in the WebUI under Account › Credentials › App Passwords). At creation time the end user supplies a short description, optionally restricts the credential to a set of client IP addresses, and optionally sets an expiry. The secret itself is generated by the server and shown once, at creation, so it can be pasted into the client being configured. Revocation takes effect immediately and does not affect any other application password or the main account password.

Like password change, self-service management of application passwords is available only for accounts in the internal directory; with an external directory the credentials are stored alongside the account entry in the directory itself, and an administrator must maintain them there.
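The lifecycle described above, as an added example rather than Stalwart's AppPassword implementation: the server generates the secret, returns it exactly once, and afterwards keeps only a hash together with the description, optional client-network restriction and optional expiry; verification checks all three, and revocation removes a single entry. The `AppPasswordStore` class, its method names and the sample values in the usage are constructed for this illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import ipaddress
import secrets
import time
from dataclasses import dataclass


@dataclass
class AppPassword:
    """Server-side record; the secret itself is never retained, only its hash."""
    id: str
    description: str
    secret_hash: str
    allowed_networks: list          # ip_network objects; empty means any client address
    expires_at: float | None        # Unix time, or None for no expiry
    created_at: float


class AppPasswordStore:
    """One account's application passwords, keyed by their id (constructed helper)."""

    def __init__(self) -> None:
        self.entries: dict[str, AppPassword] = {}

    def issue(self, description: str, allowed_from=(), expires_in: float | None = None,
              now: float | None = None) -> tuple[str, str]:
        """Create an entry and return (id, secret). This is the only time the secret is visible."""
        now = time.time() if now is None else now
        # 32 random bytes: the credential is high-entropy, so a fast hash suffices below
        secret = secrets.token_urlsafe(32)
        entry = AppPassword(
            id=secrets.token_hex(8),
            description=description,
            secret_hash=hashlib.sha256(secret.encode()).hexdigest(),
            allowed_networks=[ipaddress.ip_network(n, strict=False) for n in allowed_from],
            expires_at=None if expires_in is None else now + expires_in,
            created_at=now,
        )
        self.entries[entry.id] = entry
        return entry.id, secret

    def verify(self, presented: str, client_ip: str, now: float | None = None) -> str | None:
        """Return the id of the entry that accepts this secret from this client, or None."""
        now = time.time() if now is None else now
        presented_hash = hashlib.sha256(presented.encode()).hexdigest()
        addr = ipaddress.ip_address(client_ip)
        for entry in self.entries.values():
            if not hmac.compare_digest(entry.secret_hash, presented_hash):
                continue
            if entry.expires_at is not None and now >= entry.expires_at:
                return None          # matched, but expired
            if entry.allowed_networks and not any(addr in net for net in entry.allowed_networks):
                return None          # matched, but presented from a disallowed address
            return entry.id
        return None

    def revoke(self, entry_id: str) -> bool:
        """Delete one entry; other entries and the primary password are untouched."""
        return self.entries.pop(entry_id, None) is not None

    def listing(self) -> list[dict]:
        """What an account portal would show: metadata only, never the secret."""
        return [{"id": e.id, "description": e.description, "expires_at": e.expires_at,
                 "allowed_from": [str(n) for n in e.allowed_networks]} for e in self.entries.values()]


if __name__ == "__main__":
    store = AppPasswordStore()
    entry_id, secret = store.issue("Mail client on laptop", allowed_from=["192.0.2.0/24"], expires_in=86400)
    print("show once:", secret)
    print("accepted from 192.0.2.10:", store.verify(secret, "192.0.2.10") == entry_id)
    print("accepted from 198.51.100.5:", store.verify(secret, "198.51.100.5") == entry_id)
```

A plain SHA-256 is used here deliberately: unlike a user-chosen password, a 256-bit server-generated secret cannot be guessed, so a slow KDF would only add latency to clients that re-authenticate on every IMAP or SMTP connection. The address and expiry checks run after the hash match so that a mismatch and a restriction failure are not distinguishable by which check ran.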

Two-factor authentication

End users enable two-factor authentication from the Account Manager. The portal presents a TOTP QR code that the user scans with an authenticator application; the scan stores the shared secret on the account, after which sign-in requires the current TOTP code in addition to the password.

The OTP Auth URL backing the secret is stored as a credential on the account via AccountPassword. Once 2FA is enabled, clients that support the OAUTHBEARER or XOAUTH2 SASL mechanisms prompt for the TOTP code only during the initial OAuth exchange and then refresh the token automatically. Legacy clients that cannot run an OAuth flow either authenticate with an application password or use the concatenated password$code form described in the 2FA reference.

Self-service 2FA management is available only for accounts in the internal directory. When the server is configured with an external directory, the OTP Auth URL is provisioned by an administrator as one of the account secrets in that directory.
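The mechanics behind the QR code and the legacy `password$code` form, as an added example that is not Stalwart's own code: the otpauth URL that a QR code would encode, the RFC 6238 TOTP computation an authenticator app performs from that secret, and a verifier that accepts `password$code` when 2FA is enabled and rejects a bare password. The splitting rule (code is the six digits after the last `$`), the one-step clock-drift window and the plaintext `stored_password` parameter standing in for a hash lookup are assumptions made for this illustration.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import quote, urlencode

PERIOD = 30      # seconds per TOTP step (RFC 6238 default)
DIGITS = 6


def otpauth_url(secret_b32: str, account: str, issuer: str = "Stalwart") -> str:
    """Key URI that a QR code would encode; an authenticator app stores the secret from it."""
    label = quote(f"{issuer}:{account}", safe=":@")
    query = urlencode({"secret": secret_b32, "issuer": issuer, "algorithm": "SHA1",
                       "digits": DIGITS, "period": PERIOD})
    return f"otpauth://totp/{label}?{query}"


def totp(secret_b32: str, at: float) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 for the time step containing `at` (Unix seconds)."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int(at) // PERIOD
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                    # dynamic truncation (RFC 4226)
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** DIGITS)
    return f"{code:0{DIGITS}d}"


def split_credential(presented: str):
    """Split the legacy 'password$code' form; the code is what follows the last '$'.
    Splitting on the last '$' lets the password itself contain that character (assumed rule)."""
    password, sep, code = presented.rpartition("$")
    if sep and len(code) == DIGITS and code.isdigit():
        return password, code
    return presented, None


def authenticate(presented: str, stored_password: str, secret_b32, at: float, skew: int = 1) -> bool:
    """Password check, plus a TOTP check when 2FA is enabled (secret_b32 is not None).
    stored_password is plaintext only to keep the example short; a real store holds a hash."""
    if secret_b32 is None:                       # 2FA off: the whole string is the password
        return hmac.compare_digest(presented.encode(), stored_password.encode())
    password, code = split_credential(presented)
    if code is None or not hmac.compare_digest(password.encode(), stored_password.encode()):
        return False                             # 2FA on: a bare password is rejected
    # accept the current step and `skew` steps either side to absorb clock drift
    return any(hmac.compare_digest(code, totp(secret_b32, at + step * PERIOD))
               for step in range(-skew, skew + 1))


if __name__ == "__main__":
    import time
    secret = base64.b32encode(hashlib.sha256(b"constructed demo seed").digest()[:20]).decode()
    print(otpauth_url(secret, "alice@example.org"))
    print("code now:", totp(secret, time.time()))
```

The test vectors asserted below are the RFC 6238 SHA-1 examples (secret `12345678901234567890`, base32 `GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ`) truncated to six digits. Note that a one-step window means a code stays valid for up to 90 seconds; a real verifier should additionally remember the last accepted counter so that a captured code cannot be replayed within that window.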

Masked email

On the Enterprise Edition, end users can create disposable addresses from the Account Manager instead of handing out their real mailbox address. Each mask is a MaskedEmail object (found in the WebUI under Account › Masked Addresses) tied to the signed-in account; incoming mail for the mask delivers into the mailbox, and the mask can be disabled or destroyed without affecting any of the others. See masked email for the address-generation rules, lifecycle, and quota settings.

Enterprise feature

Masked email is available exclusively in the Enterprise Edition of Stalwart and is not included in the Community Edition.