Overview
Stalwart authenticates users against several backends, allowing integration with existing identity systems. Supported backends include LDAP directories, SQL databases such as PostgreSQL, MySQL, and SQLite, and an internal directory managed directly by the server.
Passwords
Account passwords can be stored in the internal directory or in an external directory such as LDAP or SQL. The server supports multiple password hashing schemes, and accounts may hold more than one password hash simultaneously. Storing passwords in plain text is possible but strongly discouraged.
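To make the multi-hash behaviour described above concrete, here is an added Python example (not Stalwart's own code) that verifies a password against an account holding several stored hashes in different schemes; the scheme prefixes it recognises (LDAP-style `{SSHA}`, a PHC-style `$pbkdf2-sha256$` string, and a bare plaintext value) are assumptions about common formats, not Stalwart's documented list.

```python
import base64
import hashlib
import hmac
import os

# Constructed scheme prefixes (assumption): LDAP-style {SSHA} and a PHC-style
# $pbkdf2-sha256$ string. Stalwart's actual scheme list is not given on this page.
SSHA_PREFIX = "{SSHA}"
PBKDF2_PREFIX = "$pbkdf2-sha256$"

def make_ssha(password: str, salt: bytes) -> str:
    # {SSHA}base64(sha1(password || salt) || salt): a legacy LDAP scheme kept for compatibility
    digest = hashlib.sha1(password.encode() + salt).digest()
    return SSHA_PREFIX + base64.b64encode(digest + salt).decode()

def make_pbkdf2(password: str, iterations: int = 600_000, salt: bytes = None) -> str:
    # $pbkdf2-sha256$<iterations>$<b64 salt>$<b64 derived key>
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, 32)
    return "%s%d$%s$%s" % (PBKDF2_PREFIX, iterations, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())

def _check_ssha(stored: str, password: str) -> bool:
    raw = base64.b64decode(stored[len(SSHA_PREFIX):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes; the remainder is the salt
    return hmac.compare_digest(hashlib.sha1(password.encode() + salt).digest(), digest)

def _check_pbkdf2(stored: str, password: str) -> bool:
    _, _, iters, salt_b64, dk_b64 = stored.split("$")
    expected = base64.b64decode(dk_b64)
    got = hashlib.pbkdf2_hmac("sha256", password.encode(), base64.b64decode(salt_b64), int(iters), len(expected))
    return hmac.compare_digest(got, expected)

def verify_password(stored_hashes, password: str):
    """Return (ok, scheme) for the first stored value the password matches.
    An account may hold several hashes at once, so every entry is tried."""
    for stored in stored_hashes:
        if stored.startswith(SSHA_PREFIX):
            scheme, ok = "ssha", _check_ssha(stored, password)
        elif stored.startswith(PBKDF2_PREFIX):
            scheme, ok = "pbkdf2-sha256", _check_pbkdf2(stored, password)
        else:
            # No recognised prefix: compared as plain text, which the page strongly discourages
            scheme, ok = "plaintext", hmac.compare_digest(stored.encode(), password.encode())
        if ok:
            return True, scheme
    return False, None
```

Every comparison goes through `hmac.compare_digest` so that a wrong guess takes the same time whichever stored hash it is checked against.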
Two-Factor Authentication
Two-Factor Authentication (2FA) is an additional layer of security used to ensure that individuals trying to access an account are who they claim to be. It typically combines two of three credential categories: something known (an additional password, a PIN, or the answer to a security question), something possessed (a phone, security token, or smart card), and something inherent (a fingerprint, retina scan, or voice recognition).
App Passwords
Application Passwords are unique passwords that allow users to access their email accounts from devices or applications that do not support Two-Factor Authentication. They provide a way to use legacy mail clients or tools that do not support the OAUTHBEARER or XOAUTH2 SASL mechanisms while preserving the benefits of 2FA on the primary account password.
API Keys
An API key is a long-lived credential used to authenticate against the Stalwart management JMAP API. API keys are intended for automation, scripts, and external tools that need to drive administrative operations such as provisioning accounts, managing domains, or updating configuration objects. They do not grant access to mail protocols: an API key cannot be used to log in over IMAP, POP3, JMAP mail, SMTP submission, or any CalDAV, CardDAV, or WebDAV service. Mail and collaboration protocols continue to authenticate through the account password, an application password, or OAuth.