AppPassword
App password credential for programmatic access.
This object can be configured from the WebUI under Account › Credentials › App Passwords
Fields
description
Type:
String· requiredDescription of the credential
secret
Type:
String· read-only · server-set · secretSecret value of the credential
createdAt
Type:
UTCDateTime· read-only · server-setCreation date of the credential
expiresAt
Type:
UTCDateTime?Expiration date of the credential
permissions
Type:
CredentialPermissions· requiredList of permissions assigned to this credential
allowedIps
Type:
IpMask[]List of allowed IP addresses or CIDR ranges for this credential
JMAP API
The AppPassword object is available via the urn:stalwart:jmap capability.
x:AppPassword/get
This is a standard Foo/get method as defined in RFC 8620, Section 5.1.
This method requires the sysAppPasswordGet permission.
curl -X POST https://mail.example.com/api \
-H 'Authorization: Bearer $TOKEN' \
-H 'Content-Type: application/json' \
-d '{
"methodCalls": [
[
"x:AppPassword/get",
{
"ids": [
"id1"
]
},
"c1"
]
],
"using": [
"urn:ietf:params:jmap:core",
"urn:stalwart:jmap"
]
}'
x:AppPassword/set
This is a standard Foo/set method as defined in RFC 8620, Section 5.3.
Supports create, update, and destroy operations in a single call.
Create
This operation requires the sysAppPasswordCreate permission.
curl -X POST https://mail.example.com/api \
-H 'Authorization: Bearer $TOKEN' \
-H 'Content-Type: application/json' \
-d '{
"methodCalls": [
[
"x:AppPassword/set",
{
"create": {
"new1": {
"allowedIps": [],
"description": "Example",
"expiresAt": "2026-01-01T00:00:00Z",
"permissions": {
"@type": "Inherit"
}
}
}
},
"c1"
]
],
"using": [
"urn:ietf:params:jmap:core",
"urn:stalwart:jmap"
]
}'
Update
This operation requires the sysAppPasswordUpdate permission.
curl -X POST https://mail.example.com/api \
-H 'Authorization: Bearer $TOKEN' \
-H 'Content-Type: application/json' \
-d '{
"methodCalls": [
[
"x:AppPassword/set",
{
"update": {
"id1": {
"description": "updated value"
}
}
},
"c1"
]
],
"using": [
"urn:ietf:params:jmap:core",
"urn:stalwart:jmap"
]
}'
Destroy
This operation requires the sysAppPasswordDestroy permission.
curl -X POST https://mail.example.com/api \
-H 'Authorization: Bearer $TOKEN' \
-H 'Content-Type: application/json' \
-d '{
"methodCalls": [
[
"x:AppPassword/set",
{
"destroy": [
"id1"
]
},
"c1"
]
],
"using": [
"urn:ietf:params:jmap:core",
"urn:stalwart:jmap"
]
}'
x:AppPassword/query
This is a standard Foo/query method as defined in RFC 8620, Section 5.5.
This method requires the sysAppPasswordQuery permission.
curl -X POST https://mail.example.com/api \
-H 'Authorization: Bearer $TOKEN' \
-H 'Content-Type: application/json' \
-d '{
"methodCalls": [
[
"x:AppPassword/query",
{
"filter": {
"expiresAt": "2026-01-01T00:00:00Z"
}
},
"c1"
]
],
"using": [
"urn:ietf:params:jmap:core",
"urn:stalwart:jmap"
]
}'
The x:AppPassword/query filter argument accepts the following conditions (combinable with AnyOf / AllOf / Not per RFC 8620):
| Condition | Kind |
|---|---|
expiresAt | date |
CLI
stalwart-cli wraps the same JMAP calls. See the CLI reference for installation, authentication, and general usage.
Fetch
stalwart-cli get app-password id1
Create
stalwart-cli create app-password \
--field description=Example \
--field expiresAt=2026-01-01T00:00:00Z \
--field 'permissions={"@type":"Inherit"}' \
--field 'allowedIps=[]'
Query
stalwart-cli query app-password
stalwart-cli query app-password --where expiresAt=2026-01-01T00:00:00Z
Update
stalwart-cli update app-password id1 --field description='Updated'
Delete
stalwart-cli delete app-password --ids id1
Nested types
CredentialPermissions
Permission assignment mode for a credential.
Inherit: Same permissions as account. No additional fields.Disable: Disable some permissions. Carries the fields ofCredentialPermissionsList.Replace: Replace all permissions. Carries the fields ofCredentialPermissionsList.
CredentialPermissionsList
List of permissions to assign to a credential.
permissions
Type:
Permission[]List of permissions to assign.