Hacker News
by robn_fastmail 3963 days ago
Yes, via the Authorization: header with a negotiated access token.

The spec includes a discovery and authentication mechanism that a client can use to get an access token and can work fine with passwords, OAuth, etc. We don't actually have a lot of experience with this part of the protocol though. We expect that vendors may want to provide an alternate method to obtain access tokens (maybe using OAuth tokens directly). We're expecting to learn more about these use cases as more implementations appear.

1 comments

I hope it works with 2 factor auth (like TOTP) for applications too. Perhaps it's a bit outside of the protocol scope, but a "best practice" suggestion would be great.
I don't believe there's anything in it that would prevent that. If you squint, the auth exchange looks a lot like SASL, and that supports pretty much anything.

This is something we'll gain more experience with at FastMail over the coming year. We'll be sure to share that experience.