Kuju Email API Reference
Complete REST API documentation for integrating with Kuju Email. All endpoints return JSON and accept JSON request bodies.
Overview
Base URL
Public API (JWT):
http(s)://<host>:8080Internal API:
http(s)://<host>:2525Authentication
Public endpoints require a JWT in the Authorization header:
Authorization: Bearer <token>Admin endpoints require is_admin=true in the JWT claims. Domain admin endpoints require is_domain_admin=true or site admin privileges.
Public API
Auth
POST
/api/auth/loginPOST
/api/auth/logoutPOST
/api/auth/refreshPOST
/api/invite— accept invite and set password (public, token-based)POST
/api/forgot-password— request password reset emailPOST
/api/reset-password— reset password with tokenTwo-Factor Authentication (TOTP)
GET
/api/auth/totp/status— check if TOTP is enabledJWTPOST
/api/auth/totp/setup— generate secret + QR codeJWTPOST
/api/auth/totp/confirm?session_id=...— verify code, enable TOTP, return backup codesJWTPOST
/api/auth/totp/verify— verify TOTP code during login, issue JWTDELETE
/api/auth/totp— disable TOTP (requires current code)JWTFolders
GET
/api/foldersPOST
/api/foldersPUT
/api/folders/:idDELETE
/api/folders/:idGET
/api/folders/:id/messagesMessages
POST
/api/messages— compose / sendGET
/api/messages/:idGET
/api/messages/:id/raw— raw RFC 822 sourceGET
/api/messages/:id/body— rendered bodyGET
/api/messages/:id/attachments/:aid— download attachmentPATCH
/api/messages/:id/flags— update flags (read, starred, etc.)PATCH
/api/messages/:id/movePATCH
/api/messages/:id/copyDELETE
/api/messages/:idPOST
/api/messages/search— advanced searchGET
/api/messages/search?q=...— quick searchMessage Analysis
GET
/api/messages/:id/analysis— cached results + feature availabilityGET
/api/messages/:id/analysis/instant— header analysis (auth, sender, hops, URLs)POST
/api/messages/:id/analysis/ai— AI threat assessment (?force=true to re-analyze)POST
/api/messages/:id/analysis/av-rescan— ClamAV attachment scanPOST
/api/messages/:id/analysis/url-safety— Google Safe Browsing URL checkAttachment Knowledge
GET
/api/messages/:id/attachments/:aid/knowledge— cached extraction resultPOST
/api/messages/:id/attachments/:aid/knowledge— extract text + AI summarizeDrafts
GET
/api/draftsPOST
/api/draftsGET
/api/drafts/:idPUT
/api/drafts/:idDELETE
/api/drafts/:idPOST
/api/drafts/:id/send— send a saved draftCalendars & Events
Calendars
GET
/api/calendars— list calendarsPOST
/api/calendars— create calendarPUT
/api/calendars/:id— update calendarDELETE
/api/calendars/:id— delete calendarEvents
GET
/api/calendars/:calId/events?start=...&end=...— list events (optional RFC 3339 range filter)GET
/api/calendars/:calId/events/:id— get eventPOST
/api/calendars/:calId/events— create eventPUT
/api/calendars/:calId/events/:id— update eventDELETE
/api/calendars/:calId/events/:id— delete eventAddress Books & Contacts
Address Books
GET
/api/address-books— list address booksPOST
/api/address-books— create address bookPUT
/api/address-books/:id— update address bookDELETE
/api/address-books/:id— delete address bookContacts
GET
/api/address-books/:abId/contacts?q=...— list contacts (optional search)GET
/api/address-books/:abId/contacts/:id— get contactPOST
/api/address-books/:abId/contacts— create contactPUT
/api/address-books/:abId/contacts/:id— update contactDELETE
/api/address-books/:abId/contacts/:id— delete contactCalDAV / CardDAV
Standard CalDAV and CardDAV endpoints are available for syncing calendars and contacts with third-party clients. Authentication uses HTTP Basic Auth with your email and password.
GET
/.well-known/caldav— redirects to /caldav/GET
/.well-known/carddav— redirects to /carddav/GET
/caldav/{accountId}/{calendarName}/— CalDAV endpointBasicGET
/carddav/{accountId}/{addressBookName}/— CardDAV endpointBasicBranding
GET
/api/branding— branding config for the authenticated user's domainGET
/api/branding/assets/:filename— branding asset file (logo, favicon, CSS)Account API
All account API endpoints require a valid JWT.
Preferences
PUT
/api/account/preferences— update account preferences (spam_folder, plus_tag_filing, etc.)AI & Intelligence
GET
/api/messages/:id/thread-ai-state— get AI triage state for a threadPOST
/api/messages/:id/ai-reply— generate AI reply draftPOST
/api/messages/:id/rewrite-draft— rewrite compose draft with tone controlPOST
/api/messages/:id/thread-document— generate document-centric thread analysisPOST
/api/analysis/natural-search— interpret natural language search queryPOST
/api/analysis/backfill-body-search— backfill body search indexThread Graph
GET
/api/messages/:id/thread-graph— get conversation graph (nodes + edges)Vacation
GET
/api/vacation— get vacation responder settingsPUT
/api/vacation— update vacation responder (enabled, subject, body, start/end dates)Waiting On Reply
GET
/api/waiting— list sent messages awaiting replyPUT
/api/waiting/:id— update waiting status (resolved, snoozed)POST
/api/waiting/:id/nudge— send follow-up nudgeTasks
GET
/api/tasks— list tasksPOST
/api/tasks— create taskPUT
/api/tasks/:id— update taskDELETE
/api/tasks/:id— delete taskPOST
/api/tasks/:id/to-calendar— convert task to calendar eventActivity Feed
GET
/api/feed?limit=...— merged chronological feed (messages, events, tasks)Contact Intelligence
GET
/api/contacts/intelligence/top— top contacts by email frequencyGET
/api/contacts/intelligence/dormant— contacts with no recent communicationGET
/api/contacts/intelligence/:email— per-email communication statsPOST
/api/contacts/quick-add— quick-add sender to address bookInbox Summary
GET
/api/inbox-summary— dashboard stats (volume, security, productivity, classifications)Workspaces
GET
/api/workspaces— list workspaces with message countsPOST
/api/workspaces— create workspacePUT
/api/workspaces/:id— update workspace (name, color, rules, etc.)DELETE
/api/workspaces/:id— delete workspace (messages preserved)GET
/api/workspaces/:id/messages?page=1&per_page=50— paginated messagesPOST
/api/workspaces/:id/messages— assign messageDELETE
/api/workspaces/:id/messages/:messageId— remove message from workspaceGET
/api/messages/:id/workspaces— get workspaces a message belongs toNL Commands
POST
/api/commands/interpret— AI interprets natural language commandPOST
/api/commands/execute— execute a command plan (move, archive, delete, flag)Domain Admin API
Requires a JWT with is_domain_admin or is_admin claims.
Accounts & Stats
GET
/api/domain-admin/statsGET
/api/domain-admin/accountsPOST
/api/domain-admin/accounts— create account (see Account Creation below)PUT
/api/domain-admin/accounts/:idDELETE
/api/domain-admin/accounts/:idPOST
/api/domain-admin/accounts/:id/resend-invite— resend invite email (pending accounts only)POST
/api/domain-admin/accounts/:id/recover— send password reset to recovery emailGET
/api/domain-admin/delivery-logGET
/api/domain-admin/dns/check-records— verify DNS records for the admin's domainRetention Policies
GET
/api/domain-admin/retention— get effective retention (domain + account policies)PUT
/api/domain-admin/retention/domain— upsert retention for own domainGET
/api/domain-admin/accounts/:id/retention— get account retention overridePUT
/api/domain-admin/accounts/:id/retention— upsert account retention overrideDELETE
/api/domain-admin/accounts/:id/retention— remove account retention overrideAccount Creation
POST /api/domain-admin/accounts accepts a mode field:
- "password" (default): Admin sets the password. Account is immediately active.
- "invite": Requires
invite_email(external address). Account starts aspending_invite. An invite email is sent; the recipient sets their own password.
// Invite mode example
POST /api/domain-admin/accounts
{
"local_part": "alice",
"mode": "invite",
"invite_email": "alice@gmail.com",
"display_name": "Alice",
"quota_bytes": 1073741824
}Site Admin API
Requires a JWT with is_admin=true.
Domains
GET
/api/admin/domainsPOST
/api/admin/domainsPUT
/api/admin/domains/:idDELETE
/api/admin/domains/:idAccounts
GET
/api/admin/accountsPOST
/api/admin/accountsPUT
/api/admin/accounts/:id— update account; set is_admin to promote/demoteDELETE
/api/admin/accounts/:idBranding (Admin)
GET
/api/admin/branding/:domain— branding configGET
/api/admin/branding/:domain/files— list branding filesPOST
/api/admin/branding/:domain/archive— upload tar.gz/zip archiveGET
/api/admin/branding/:domain/:filename— download/preview assetPOST
/api/admin/branding/:domain/:filename— upload single assetDELETE
/api/admin/branding/:domain/:filename— delete assetSystem & Licensing
GET
/api/admin/statsGET
/api/admin/delivery-logGET
/api/admin/licensePUT
/api/admin/licenseGET
/api/admin/system-infoGET
/api/admin/settings— system settings (key-value)PUT
/api/admin/settings/corporate-domain— update corporate domainPUT
/api/admin/settings/safe-browsing-key— save Google Safe Browsing API keyGET
/api/admin/dns/check-records?domain=...— verify DNS records (MX, SPF, DKIM, DMARC)GET
/api/admin/openapi.yamlDelivery Thresholds
GET
/api/admin/domains/:domainId/thresholds— get spam score thresholdsPUT
/api/admin/domains/:domainId/thresholds— update junk/drop thresholds and quarantine expiryGET
/api/admin/delivery/drops— hard drop statisticsRetention Policies
GET
/api/admin/domains/:domainId/retention— get domain retention policyPUT
/api/admin/domains/:domainId/retention— upsert domain retention policyDELETE
/api/admin/domains/:domainId/retention— remove domain retention policyKumoMTA Proxy
Proxy endpoints for managing the embedded KumoMTA instance.
GET
/api/admin/kumomta/metrics— raw KumoMTA metrics (includes uptime, version)GET
/api/admin/kumomta/{endpoint}— proxy GET (bounces, suspensions, ready-q-suspensions)POST
/api/admin/kumomta/{endpoint}— create bounce/suspend rulesDELETE
/api/admin/kumomta/{endpoint}— delete bounce/suspend rulesPlugins
POST
/api/admin/plugins/{id}/enable-all— enable a plugin for all domainsConcepts
Account Status
| Status | Meaning |
|---|---|
active | Normal account — can login and receive mail |
pending_invite | Awaiting invite acceptance — can receive mail but cannot login |
inactive | Disabled — cannot login or receive mail |
Pending accounts that are not activated within 14 days are automatically deleted by the cleanup worker.
Domain Fields
Domains support a catch_all_account_id field. When set, mail to unknown addresses at the domain is delivered to the designated account.
PUT /api/admin/domains/:id
{"catch_all_account_id": 5} // enable catch-all → account 5
{"catch_all_account_id": null} // disable catch-allPlus Addressing
Mail sent to user+tag@domain delivers to user@domain. The tag is stored in messages.plus_tag for filtering. No configuration needed — always active.
Auto-filing: Users can enable plus_tag_filing in their preferences. When enabled, emails to user+tag@domain are automatically placed in a folder named after the tag (created if needed). Spam routing takes priority.
Branding Files
Per-domain branding lets you customize the webmail UI for each domain: logo, favicon, colors, app name, and custom CSS.
Allowed files:
branding.jsonlogo.svglogo.pngfavicon.icofavicon.svgcustom.cssSize limits:
- Images: 512 KB
- CSS / JSON: 64 KB
- Archives: 2 MB
branding.json format:
{
"app_name": "My Mail",
"primary_color": "#667eea",
"accent_color": "#764ba2"
}Examples
Login:
curl -s -X POST http://localhost:8080/api/auth/login \
-H "Content-Type: application/json" \
-d '{"email":"admin@example.com","password":"secret"}'List folders:
curl -s http://localhost:8080/api/folders \
-H "Authorization: Bearer $TOKEN"Compose and send:
curl -s -X POST http://localhost:8080/api/messages \
-H "Authorization: Bearer $TOKEN" \
-H "Content-Type: application/json" \
-d '{"from":"admin@example.com","to":["user@example.com"],"subject":"Hello","text":"Hi"}'List admin domains:
curl -s http://localhost:8080/api/admin/domains \
-H "Authorization: Bearer $ADMIN_TOKEN"