Your question
Hi, if I want to set the PGP key for a user via the JMAP API from a custom app, what is the best approach? Can I use an "admin" account and set it for any user, or do I need to prompt the user for a password and OAuth with that correct user? This is in order to enforce encryption and make the necessary steps fewer and automated.
I understand that topics in this category are triaged by a bot first but a human reply will follow up. If I’d prefer a human-only reply, I’ll add the no-ai tag to my topic.
Here is a clear answer to both of your questions:
Yes, an admin account can set a PGP key for any user without knowing the user’s password. The relevant JMAP methods are x:PublicKey/set (to register the key) and x:AccountSettings/set (to enable encryption at rest). Both are callable by any account that holds the appropriate admin permissions – specifically sysPublicKeyCreate and sysAccountSettingsUpdate – so you can do this entirely from a service/admin token without prompting the end user for credentials.
The two-step process via JMAP API is:
- Create a PublicKey object for the target account using x:PublicKey/set with create. The accountId field is read-only/server-set and will be tied to the authenticated account context. To create it for a specific user, query by accountId first to target the right account, or use the admin token in the context of that user's account.
- Enable encryption at rest by updating the AccountSettings singleton with encryptionAtRest set to Aes256 (or Aes128), referencing the newly created key's ID:

```json
{
  "encryptionAtRest": {
    "@type": "Aes256",
    "publicKey": "<key-id>",
    "encryptOnAppend": false,
    "allowSpamTraining": false
  }
}
```
One important note: x:PublicKey/query accepts an accountId filter, so you can look up and manage keys per-user from an admin context. The sysPublicKeyCreate, sysPublicKeyUpdate, and sysPublicKeyDestroy permissions need to be granted to whichever admin account or API key your app uses.
This is an automated reply from the Stalwart Help Bot. Other community members may follow up if this answer is incomplete or wrong.
Yes, an admin can set it for any user through the management API without the user’s password. The PGP (or S/MIME) public key is a registry object scoped to the account, the same surface the admin WebUI uses, so you target the account and set its public key; PGP and S/MIME can’t be mixed on one account.
The key just has to be a valid public key. One thing to keep separate: setting the key doesn’t by itself turn on encryption at rest; that’s the per-account encryption setting. See the encryption-at-rest docs for the enforcement side.
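As an added example (not the bot's, the replier's, or Stalwart's own code) that ties the bot's two-step procedure to the point above that the uploaded key must be a public key, this Python builds the two JMAP calls in the standard RFC 8620 request envelope and refuses to ship a private key block. The capability URN, the "key" property name, the "singleton" object id and the use of a "#k1" creation-id reference in the second call are assumptions to confirm against the server's session object and docs.

```python
from typing import Optional

# Constructed sample armor block (not real key material): only the header line matters here.
SAMPLE_PUBLIC = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
                 "mQENBF...constructed...\n"
                 "-----END PGP PUBLIC KEY BLOCK-----")

def key_kind(armored: str) -> str:
    """Classify an ASCII-armored block by its header: 'pgp-public', 'pgp-private' or 'unknown'."""
    lines = armored.strip().splitlines()
    head = lines[0].strip() if lines else ""
    if head == "-----BEGIN PGP PUBLIC KEY BLOCK-----":
        return "pgp-public"
    if head == "-----BEGIN PGP PRIVATE KEY BLOCK-----":
        return "pgp-private"
    return "unknown"

def build_enrol_request(account_id: str, armored_key: str, cipher: str = "Aes256") -> dict:
    """One JMAP request that registers the key with x:PublicKey/set and then enables
    encryption at rest with x:AccountSettings/set. The second call names the key by its
    creation id "#k1" (RFC 8620 section 5.3); the server is assumed to accept that form."""
    if key_kind(armored_key) != "pgp-public":
        raise ValueError("only a PGP public key block may be uploaded; private keys stay with the user")
    if cipher not in ("Aes256", "Aes128"):
        raise ValueError(f"unsupported cipher {cipher!r}")
    return {
        # Placeholder capability URN for the x: extension; read the real one from the session object.
        "using": ["urn:ietf:params:jmap:core", "urn:PLACEHOLDER:x-capability"],
        "methodCalls": [
            ["x:PublicKey/set", {
                "accountId": account_id,
                "create": {"k1": {"key": armored_key}},   # "key" is an assumed property name
            }, "c1"],
            ["x:AccountSettings/set", {
                "accountId": account_id,
                "update": {"singleton": {                  # "singleton" is the assumed object id
                    "encryptionAtRest": {
                        "@type": cipher,
                        "publicKey": "#k1",
                        "encryptOnAppend": False,
                        "allowSpamTraining": False,
                    }
                }},
            }, "c2"],
        ],
    }

def created_key_id(response: dict) -> Optional[str]:
    """Extract the server-assigned id for creation id k1 from an x:PublicKey/set response,
    for the two-request variant where the settings update is sent only after the key exists."""
    for name, args, call_id in response.get("methodResponses", []):
        if call_id == "c1" and name == "x:PublicKey/set":
            return args.get("created", {}).get("k1", {}).get("id")
    return None
```

Whichever variant you use, send the request with the admin token that holds sysPublicKeyCreate and sysAccountSettingsUpdate, and check `notCreated` / `notUpdated` in the responses before treating the account as enforced.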