Settings

Manage your account and API keys

Account Information

No API Keys

Create an API key to use with CLI tools or ShareX.

Create API Key

Save this key! It won't be shown again.

API keys are upload-only. Delete and view operations are restricted to cookie/JWT auth from your browser session (the relevant routes don't accept the X-API-Key header). The delete / view flags in the underlying model are reserved for future use.

Change Password

Changing your password will re-encrypt your master key. Your images will remain accessible.

Two-factor authentication

Adds a TOTP code (e.g. Google Authenticator, 1Password, Authy) on top of your password at sign-in. Strongly recommended.

Enabled Disabled

Click below to enroll. You'll scan a QR code (or paste a secret) into your authenticator app, then confirm a code to activate MFA.

MFA is active on this account. To disable, you'll need both your password and a current TOTP/backup code.

Scan the QR code with your authenticator app (or paste the manual entry key below if your app can't scan), then enter the 6-digit code it shows to activate MFA. The secret is shown ONCE — back it up now or you'll need to start enrollment over.

Manual entry key
Show otpauth URI (for QR-import tools or troubleshooting)
otpauth URI

Save these backup codes NOW. Each works once if you lose access to your authenticator. They are shown only this one time and can't be retrieved later — store them somewhere safe (password manager or paper).
Disabling MFA removes your second factor. Anyone with your password alone will be able to sign in. Re-enroll any time below.

Recovery Phrase

A 24-word phrase that lets you recover access to your encrypted images if you forget your password. Without it, a forgotten password means losing all your images.

Enrolled Not enrolled

Click below to generate your recovery phrase. You'll need your account password to unlock the encryption key first — the phrase is computed in your browser and the server never sees it.

Encryption isn't set up on this account yet. Enrolling a recovery phrase will also initialize your encryption key from your password — no separate setup step required.

You already have a recovery phrase enrolled. You can rotate it (generate a fresh phrase) below — your old phrase will stop working immediately.

Enter your account password so your browser can unlock the master encryption key (the key the new phrase will wrap).

Write these 24 words down NOW. They will only be shown once. Anyone with this phrase can unlock your account — store it somewhere only you can reach (paper in a safe; password manager).
Not enrolled yet. Click "I've written it down" below and complete the next confirmation step to activate this phrase. If you close this tab now, the phrase is discarded and you'll need to start over.

Quick check: type the words at these positions to confirm you wrote the phrase down. (We can't help if you typed it wrong — please double-check before continuing.)

Recovery phrase saved. If you forget your password, use this phrase at the "Forgot password?" link on the login page to recover access without losing any encrypted images.

Active Sessions

Manage your active login sessions across devices

Loading sessions...
No active sessions found

Danger Zone

Permanently delete your account and all associated data:

  • All your encrypted images and thumbnails
  • All your albums (your sharing links will 404)
  • All your API keys (any ShareX/CLI integrations will stop working)
  • Your master-key wrap and recovery wrap

Audit log entries are preserved for operator forensics but become anonymized (no longer attributed to your account by FK).

This cannot be undone. By E2EE design, even the operator cannot recover deleted images — the per-image keys live only in your browser.

Final confirmation. Enter your password and check the acknowledgement to proceed. If you change your mind, click Cancel — nothing has been deleted yet.