mailacc

Password management API for Dovecot mail accounts

Endpoints

MethodPathAuthDescription
GET/noneAPI reference (this page)
GET/healthnoneLiveness probe. Returns {"status":"ok"}
GET/readyznoneReadiness probe. Returns {"status":"ok"} or 503 if DB is unreachable
GET/api/user?username=<email>bearerGet user details. Returns {"status":"ok","user":{...}}
PUT/api/user/namebearerSet first/last name. Body: {"username","first","last"}
PUT/api/user/passwordbearerSet or generate password. Body: {"username","password"}. Empty password generates a random one.
POST/api/user/authbearerVerify password. Returns {"valid":bool}
PUT/api/user/statusbearerLock or unlock account. Body: {"username","locked":bool}
PUT/api/user/emailbearerSet backup email. Body: {"username","email"}
GET/api/user/data?username=<email>bearerGet user data JSON. Returns {"status":"ok","data":{...}}
PUT/api/user/databearerSet user data JSON. Body: {"username","data":{...}}
GET/api/accounts?filter=<str>bearerList accounts. Optional filter for partial username match. Returns {"status":"ok","accounts":[...]}
GET/api/domainsbearerList mail domains from the sites table. Returns {"status":"ok","domains":[...]}
GET/api/aliases?target=<email>bearerList aliases. Optional target filter. Returns {"status":"ok","aliases":[...]}
POST/api/aliasesbearerAdd one or more aliases. Body: {"aliases":[],"target"}. Returns {"status":"ok","count":N}
DEL/api/aliasesbearerRemove an alias. Body: {"alias"}

Authentication

All API endpoints (except /, /health, and /readyz) require an Authorization: Bearer <token> header. Tokens are 64-character hex strings. Generate one with musr gen-key admin@example.com. Each token corresponds to a .key file in the config directory. Deleting the file immediately revokes the token — no restart needed.

Rate Limiting

30 requests per 60-second sliding window per IP. Respects X-Forwarded-For. Returns 429 with {"error":"too many requests"} when exceeded.