OAuth2 can handle this; you authenticate the mail client with an offline token that's valid for a long time. The mail client can refresh their tokens regularly and use a short-live token to authenticate their JMAP requests.
OAuth2 doesn't particularly care how the token is obtained, so it can handle any arbitrary authentication flow, including WebAuthn.
And it's a widely supported protocol; there are libs for C++, Java, Go, JS and others, so it should be easy to integrate.
OAuth2 doesn't particularly care how the token is obtained, so it can handle any arbitrary authentication flow, including WebAuthn.
And it's a widely supported protocol; there are libs for C++, Java, Go, JS and others, so it should be easy to integrate.