AppPassword

AppPassword

App password credential for programmatic access.

This object can be configured from the WebUI under Account › Credentials › App Passwords

Fields

description

Type: String · required

Description of the credential

secret

Type: String · read-only · server-set · secret

Secret value of the credential

createdAt

Type: UTCDateTime · read-only · server-set

Creation date of the credential

expiresAt

Type: UTCDateTime?

Expiration date of the credential

permissions

Type: CredentialPermissions · required

List of permissions assigned to this credential

allowedIps

Type: IpMask[]

List of allowed IP addresses or CIDR ranges for this credential

JMAP API

The AppPassword object is available via the urn:stalwart:jmap capability.

x:AppPassword/get

This is a standard Foo/get method as defined in RFC 8620, Section 5.1.

This method requires the sysAppPasswordGet permission.

curl -X POST https://mail.example.com/api \
  -H 'Authorization: Bearer $TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{
      "methodCalls": [
        [
          "x:AppPassword/get",
          {
            "ids": [
              "id1"
            ]
          },
          "c1"
        ]
      ],
      "using": [
        "urn:ietf:params:jmap:core",
        "urn:stalwart:jmap"
      ]
    }'

x:AppPassword/set

This is a standard Foo/set method as defined in RFC 8620, Section 5.3.

Supports create, update, and destroy operations in a single call.

Create

This operation requires the sysAppPasswordCreate permission.

curl -X POST https://mail.example.com/api \
  -H 'Authorization: Bearer $TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{
      "methodCalls": [
        [
          "x:AppPassword/set",
          {
            "create": {
              "new1": {
                "allowedIps": {},
                "description": "Example",
                "permissions": {
                  "@type": "Inherit"
                }
              }
            }
          },
          "c1"
        ]
      ],
      "using": [
        "urn:ietf:params:jmap:core",
        "urn:stalwart:jmap"
      ]
    }'

Update

This operation requires the sysAppPasswordUpdate permission.

curl -X POST https://mail.example.com/api \
  -H 'Authorization: Bearer $TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{
      "methodCalls": [
        [
          "x:AppPassword/set",
          {
            "update": {
              "id1": {
                "description": "updated value"
              }
            }
          },
          "c1"
        ]
      ],
      "using": [
        "urn:ietf:params:jmap:core",
        "urn:stalwart:jmap"
      ]
    }'

Destroy

This operation requires the sysAppPasswordDestroy permission.

curl -X POST https://mail.example.com/api \
  -H 'Authorization: Bearer $TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{
      "methodCalls": [
        [
          "x:AppPassword/set",
          {
            "destroy": [
              "id1"
            ]
          },
          "c1"
        ]
      ],
      "using": [
        "urn:ietf:params:jmap:core",
        "urn:stalwart:jmap"
      ]
    }'

x:AppPassword/query

This is a standard Foo/query method as defined in RFC 8620, Section 5.5.

This method requires the sysAppPasswordQuery permission.

curl -X POST https://mail.example.com/api \
  -H 'Authorization: Bearer $TOKEN' \
  -H 'Content-Type: application/json' \
  -d '{
      "methodCalls": [
        [
          "x:AppPassword/query",
          {
            "filter": {
              "expiresAt": "2026-01-01T00:00:00Z"
            }
          },
          "c1"
        ]
      ],
      "using": [
        "urn:ietf:params:jmap:core",
        "urn:stalwart:jmap"
      ]
    }'

The x:AppPassword/query filter argument accepts the following conditions (combinable with AnyOf / AllOf / Not per RFC 8620):

Condition	Kind
expiresAt	date

CLI

stalwart-cli wraps the same JMAP calls. See the CLI reference for installation, authentication, and general usage.

Fetch

stalwart-cli get AppPassword id1

Create

stalwart-cli create AppPassword \
  --field description=Example \
  --field 'permissions={"@type":"Inherit"}' \
  --field 'allowedIps={}'

Query

stalwart-cli query AppPassword
stalwart-cli query AppPassword --where expiresAt=2026-01-01T00:00:00Z

Update

stalwart-cli update AppPassword id1 --field description='updated value'

Delete

stalwart-cli delete AppPassword --ids id1

Nested types

CredentialPermissions

Permission assignment mode for a credential.

• Inherit: Same permissions as account. No additional fields.
• Disable: Disable some permissions. Carries the fields of CredentialPermissionsList.
• Replace: Replace all permissions. Carries the fields of CredentialPermissionsList.

CredentialPermissionsList

List of permissions to assign to a credential.

permissions

Type: Permission[]

List of permissions to assign.