Fastmail API Operations
Setup
On first use, read setup.md for account integration preferences, activation rules, and credential handling.
When to Use
User needs to automate Fastmail through API calls: mailbox management, message search, draft/send flows, identity settings, contact operations, or calendar events. Agent handles capability discovery, safe request construction, and high-impact confirmation.
Architecture
Memory lives in ~/fastmail-api/. See memory-template.md for structure.
~/fastmail-api/
├── memory.md # Account context, IDs, and operating preferences
├── request-log.md # High-impact API actions and outcomes
└── snapshots/ # Optional payload backups before bulk writes
Quick Reference
Use these files when you need details beyond core operating rules.
| Topic | File |
|---|---|
| Setup flow | setup.md |
| Memory template | memory-template.md |
| Session and method call patterns | jmap-patterns.md |
| Mailbox and message workflows | mail-workflows.md |
| Contacts and calendar operations | calendar-contacts.md |
| Error handling and recovery | troubleshooting.md |
Requirements
curljqFASTMAIL_API_TOKEN- Optional:
FASTMAIL_API_BASE(defaults tohttps://api.fastmail.com/jmap/api)
Never commit bearer tokens to repository files, shell history, or shared logs.
Data Storage
~/fastmail-api/memory.mdfor account ID, preferred defaults, and workflow context~/fastmail-api/request-log.mdfor high-impact action history~/fastmail-api/snapshots/for payload backups before bulk updates
Core Rules
1. Discover Session Capabilities Before First Write
- Call the Fastmail JMAP session endpoint first to confirm
apiUrl,primaryAccounts, and capability support. - Cache discovered account IDs in memory to avoid writing to the wrong account.
curl -sS https://api.fastmail.com/jmap/session \
-H "Authorization: Bearer $FASTMAIL_API_TOKEN" | jq
2. Build Method Calls with Explicit Account Scope
- Include
usingcapabilities and account-specific IDs in each method call set. - Use deterministic
clientCallIdvalues so retries can be traced safely.
curl -sS "${FASTMAIL_API_BASE:-https://api.fastmail.com/jmap/api}" \
-H "Authorization: Bearer $FASTMAIL_API_TOKEN" \
-H "Content-Type: application/json" \
-d '{
"using": ["urn:ietf:params:jmap:mail", "urn:ietf:params:jmap:core"],
"methodCalls": [
["Mailbox/get", {"accountId": "u123", "ids": null}, "c1"]
]
}' | jq
3. Use Safe Pagination and Narrow Filters
- Do not run unbounded queries on large inboxes; always set limits and filters.
- Prefer
Email/queryplusEmail/getwindows over full mailbox dumps.
4. Confirm Destructive and Broad-Impact Actions
- Confirm before mailbox deletes, message moves affecting many threads, identity updates, or bulk calendar edits.
- For high-impact writes, record pre-change payloads in
~/fastmail-api/snapshots/.
5. Treat Partial Failures as First-Class Results
- Inspect
notCreated,notUpdated, and method-level errors after every write. - Report partial success explicitly and propose rollback or retry paths.
6. Redact Sensitive Data in Outputs
- Never print raw authorization headers or full token strings in normal responses.
- Redact addresses and subject lines when logs are shared outside trusted contexts.
7. Verify Post-Write State with Follow-Up Reads
- After writes, run targeted read calls (
Mailbox/get,Email/get,Contact/get,CalendarEvent/get) to confirm final state. - Only close tasks after state verification succeeds.
Safety Checklist
Before bulk updates, deletes, send flows, or identity changes:
- Confirm target account ID and environment.
- Capture a request snapshot for rollback context.
- Confirm user intent for irreversible actions.
- Execute smallest safe batch first.
- Verify resulting state with read calls.
Fastmail API Traps
- Skipping session discovery can send writes to an incorrect account ID.
- Missing capabilities in
usingcauses method failures that look like auth issues. - Bulk message moves without filters can reorganize entire mailboxes accidentally.
- Assuming all writes succeeded without checking
notUpdatedhides partial failure. - Logging bearer tokens in debugging output creates credential exposure risk.
External Endpoints
Only the official Fastmail JMAP endpoints below are used by this skill.
| Endpoint | Data Sent | Purpose |
|---|---|---|
https://api.fastmail.com/jmap/session | Bearer token in Authorization header | Discover API URLs, capabilities, and account IDs |
https://api.fastmail.com/jmap/api | JMAP method payloads for mail, mailbox, identity, contacts, and calendar operations | Execute read and write workflows |
No other data is sent externally.
Security & Privacy
Data that leaves your machine:
- Authenticated JMAP payloads for mailbox, message, contact, and calendar operations
- Message metadata required for requested queries and write actions
Data that stays local:
- Operational context in
~/fastmail-api/memory.md - High-impact action history in
~/fastmail-api/request-log.md - Optional payload snapshots in
~/fastmail-api/snapshots/
This skill does NOT:
- Send undeclared API traffic
- Store bearer tokens in repository files
- Execute destructive writes without explicit confirmation
Trust
By using this skill, mailbox and calendar operation data is sent to Fastmail infrastructure. Only install if you trust Fastmail with this operational data.
Related Skills
Install with clawhub install <slug> if user confirms:
api- Build robust HTTP request and response workflows for complex APIsoauth- Handle token lifecycle and secure delegated authorization flowsmail- Plan high-quality email workflows, tone, and delivery structurewebhook- Orchestrate event-driven integrations that react to API-side changes
Feedback
- If useful:
clawhub star fastmail-api - Stay updated:
clawhub sync