Overview
Stalwart includes an HTTP service that is enabled by default. It supports JMAP access, WebDAV access, API management, ACME certificate issuance, autoconfig/autodiscover protocols, well-known resources, metrics collection, and OAuth authentication.
Multiple HTTP services can be defined, each with custom access control rules expressed on the Http singleton (found in the WebUI under Settings › Network › HTTP › General, Settings › Network › HTTP › Security). Rules can filter requests by IP address, resource, method name, or listener identity.
HTTP Endpoints
The following endpoints are available through the HTTP service:
/jmap: The JMAP endpoint provides access to the JMAP API, allowing clients to interact with mailboxes, messages, and other resources./dav/*: The WebDAV endpoint provides access to WebDAV resources, allowing clients to manage calendar, contact and file resources./calendar/rsvp: The Calendar Scheduling RSVP endpoint allows participants to respond to calendar invitations using a simple web interface./.well-known/*: The well-known endpoint provides access to resources that are commonly used by clients to discover service information./api/*: Provides access to the HTTP API, a small set of endpoints for authentication, account introspection, configuration schema retrieval, and live telemetry. Server configuration and mailbox data are accessed through JMAP, not through this endpoint./auth/device: The device authorization endpoint is used for OAuth device authorization./auth/token: The token endpoint is used for OAuth token exchange./auth/introspect: The token introspection endpoint is used for OAuth token introspection./auth/userinfo: The user information endpoint is used for OpenID user information./auth/jwks.json: The JSON Web Key Set (JWKS) endpoint provides public keys for JWT verification./mail/config-v1.1.xml: The autodiscover endpoint provides email client configuration information./autodiscover/autodiscover.xml: The autodiscover endpoint provides email client configuration information./metrics/prometheus: The Prometheus metrics endpoint provides metrics for monitoring the server's performance./form: The form endpoint is used for Form submissions./healthz/ready: The health check endpoint indicates whether the server is ready to accept requests./healthz/live: The health check endpoint indicates whether the server is live and operational./robots.txt: The robots.txt file provides instructions to web crawlers and other user agents about the server's content./*: The default endpoint serves static files from the WebUI bundle.
Well-known Resources
The following well-known resources are available through the HTTP service:
/.well-known/jmap: The JMAP well-known resource provides information about the JMAP endpoint./.well-known/caldav: The CalDAV well-known resource provides information about the CalDAV endpoint./.well-known/carddav: The CardDAV well-known resource provides information about the CardDAV endpoint./.well-known/oauth-authorization-server: The OAuth authorization server well-known resource provides information about the OAuth authorization server./.well-known/openid-configuration: The OIDC discovery well-known resource provides information about the OIDC discovery endpoint./.well-known/acme-challenge: The ACME challenge well-known resource provides the HTTP-01 challenge for ACME certificate issuance./.well-known/mta-sts.txt: The MTA-STS well-known resource provides information about the MTA-STS policy./.well-known/mail-v1.xml: The mail configuration well-known resource provides information about the configuration endpoint./.well-known/autoconfig/mail/config-v1.1.xml: The autoconfig mail configuration well-known resource provides information about the autconfig mail configuration endpoint.