OPenAPI and AUTH (user_key)

Good morning,

I am trying to use API on MiaB. The documentation states that, if 2FA is present, “Authentication via a user:user_key pair is possible without the header being present.”.

Can anyone point me out on where the user_key is? I have tried the one in /var/lib/mailinabox but with no success.

Additionally, the examples in the API docs, in the login example, are providing CURL GET instead of CURL POST when accessing the /login endpoint.

Thanks and have a great Sunday


I believe the user_key is the api_key returned from a LOGIN operation as described here


that is correct.

What I am looking for is different. As I have MFA enables, it seems that the docs specifies that you can still login without TOTP using they user_key…

The /var/lib/mailinabox/api.key is basically a blank check to do whatever you want; that is, every operation you do with that key is treated as an unspecified administrator.

However, this key isn’t exactly permanent, every time the management daemon restarts (the machine reboots or you run the setup), this key is re-generated. Thus, it’s only viable to use this key on applications that are already inside the box and that can read this file.

To use this key on curl (this is an example):

curl -s -d $POSTDATA --user $(</var/lib/mailinabox/api.key):

Basically the user of the authentication header is the key. The password part is to be left empty.

Thanks Davness, that clears out all the questions.



Good afternoon,

I am coming back to this topic as I have been unable to login to the box, despite all the tried. Even with Postman i keep getting “Invalid password”.

Are you sure the above is correct? Does it work for you when you try to call the /admin/login end point?