
Security

Practical guidance for hardening a Memos deployment.

Memos is self-hosted by design. You control the infrastructure, storage, and access policies, and you are also the one responsible for securing them.

Token security model

Three token types handle authentication:

Token type              Lifetime       Storage               Notes
Access token (JWT)      15 minutes     Client memory         Stateless; no DB query needed to verify
Refresh token (JWT)     30 days        HTTP-only cookie      Stored in DB, revocable; SameSite=Lax, Secure=true in production
Personal access token   User-defined   SHA-256 hash in DB    Prefix memos_pat_; plain token shown only once at creation

The JWT secret is generated as a UUID on first run and stored in the database. Anyone who can read that database, or a backup of it, can mint valid access tokens, so protect both accordingly. In demo mode the fixed secret usememos is used instead, which lets anyone forge tokens: never deploy demo mode as production.
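The personal-access-token row of the table is the one most deployments get wrong, because it is the only token the user handles by hand. The following is an added example, not Memos' own code, showing the model the table describes: the plain token is returned exactly once, only its SHA-256 hash is persisted, verification is a hash lookup plus an expiry check, and revocation is a delete. Token length (32 random bytes), base64url encoding and the hex-encoded hash are assumptions; Memos' own encoding may differ.

```go
package main

// Added example, not Memos code. Assumed: 32 random bytes per token,
// base64url encoding, hex-encoded SHA-256 in storage.

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strings"
	"time"
)

const patPrefix = "memos_pat_"

// patRecord is the only thing persisted: the hash and the user-defined expiry.
// A zero ExpiresAt means the token never expires, which is exactly the case
// the "avoid leaving old PATs active indefinitely" advice warns about.
type patRecord struct {
	Hash      string
	ExpiresAt time.Time
}

// patStore stands in for the database table, keyed by hash so that a lookup
// never needs the plain token.
type patStore map[string]patRecord

func hashPAT(plain string) string {
	sum := sha256.Sum256([]byte(plain))
	return hex.EncodeToString(sum[:])
}

// issuePAT mints a token, stores only its hash and returns the plain value once.
// The caller must show it to the user now; it cannot be recovered from the store.
func issuePAT(store patStore, ttl time.Duration, now time.Time) (string, error) {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	plain := patPrefix + base64.RawURLEncoding.EncodeToString(raw)
	rec := patRecord{Hash: hashPAT(plain)}
	if ttl > 0 {
		rec.ExpiresAt = now.Add(ttl)
	}
	store[rec.Hash] = rec
	return plain, nil
}

// verifyPAT checks a presented token: prefix, hash lookup, then expiry.
func verifyPAT(store patStore, presented string, now time.Time) bool {
	if !strings.HasPrefix(presented, patPrefix) {
		return false
	}
	rec, ok := store[hashPAT(presented)]
	if !ok {
		return false
	}
	if !rec.ExpiresAt.IsZero() && !now.Before(rec.ExpiresAt) {
		return false
	}
	return true
}

// revokePAT deletes the hash; a leaked plain token is useless afterwards.
func revokePAT(store patStore, hash string) { delete(store, hash) }

// staleTokens lists non-expiring tokens for the periodic review the guidance asks for.
func staleTokens(store patStore) []string {
	var out []string
	for h, rec := range store {
		if rec.ExpiresAt.IsZero() {
			out = append(out, h)
		}
	}
	return out
}

func main() {
	store := patStore{}
	now := time.Now()
	plain, err := issuePAT(store, 24*time.Hour, now)
	if err != nil {
		panic(err)
	}
	fmt.Println("show once:", plain)
	fmt.Println("valid now:", verifyPAT(store, plain, now))
	fmt.Println("valid in 2 days:", verifyPAT(store, plain, now.Add(48*time.Hour)))
	forever, _ := issuePAT(store, 0, now)
	fmt.Println("non-expiring tokens to review:", len(staleTokens(store)))
	revokePAT(store, hashPAT(forever))
	fmt.Println("after revoke:", verifyPAT(store, forever, now))
}
```

Because the store holds only hashes, a database leak does not hand out usable PATs; the same cannot be said of the JWT secret, which is stored in clear and is enough to mint access tokens.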

Core recommendations

  • set a public instance URL with MEMOS_INSTANCE_URL when running behind a reverse proxy
  • disable user registration if your instance is private
  • disable public memo visibility if you do not want any public content
  • use HTTPS in front of the instance (the refresh-token cookie is marked Secure in production, so browsers will not send it over plain HTTP)
  • review who can create personal access tokens and who can publish public memos

Session and auth hygiene

  • protect the host account (the instance administrator) with a strong, unique password
  • prefer SSO for team deployments when available
  • rotate credentials and tokens that are exposed or no longer needed
  • avoid leaving old PATs active indefinitely
  • never enable demo mode on a production instance (it uses a hardcoded JWT secret)

Reverse proxy requirements

Your proxy should:

  • terminate TLS
  • pass the original Host header through and set the X-Forwarded-* headers (X-Forwarded-For, X-Forwarded-Proto, X-Forwarded-Host), overwriting any values a client sent
  • expose the same public URL configured in MEMOS_INSTANCE_URL
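Why the proxy headers and MEMOS_INSTANCE_URL have to agree: behind a proxy the application only sees the proxy's connection, so without X-Forwarded-Proto and a preserved Host it believes it is serving plain HTTP on an internal address. The following added example (not Memos' own code; it stands in for the core recommendation to set MEMOS_INSTANCE_URL and the proxy requirements above) reconstructs the origin a request was made to and compares it with the configured instance URL. The internal listener address 127.0.0.1:5230 and the request headers are constructed; that Memos derives its origin this way is an assumption, the mechanism is generic.

```go
package main

// Added example, not Memos code. Assumed: the application reconstructs its
// externally visible origin from Host and X-Forwarded-* in the generic way shown.

import (
	"fmt"
	"net/http"
	"net/url"
	"strings"
)

// publicOrigin returns the scheme and host the client actually used. It prefers the
// X-Forwarded-* headers a trusted proxy sets and falls back to what the connection shows.
// Only trust these headers when the request really came from your proxy: any client can
// send them, which is why the proxy must overwrite rather than append to them.
func publicOrigin(r *http.Request) string {
	scheme := "http"
	if r.TLS != nil {
		scheme = "https"
	}
	if p := r.Header.Get("X-Forwarded-Proto"); p != "" {
		scheme = strings.ToLower(strings.TrimSpace(strings.Split(p, ",")[0]))
	}
	host := r.Host
	if h := r.Header.Get("X-Forwarded-Host"); h != "" {
		host = strings.TrimSpace(strings.Split(h, ",")[0])
	}
	return scheme + "://" + host
}

// checkInstanceURL fails when the origin seen on a request differs from MEMOS_INSTANCE_URL,
// the symptom of a proxy that terminates TLS but drops the forwarded headers.
func checkInstanceURL(instanceURL string, r *http.Request) error {
	u, err := url.Parse(instanceURL)
	if err != nil || u.Scheme == "" || u.Host == "" {
		return fmt.Errorf("MEMOS_INSTANCE_URL %q is not an absolute URL", instanceURL)
	}
	want := strings.ToLower(u.Scheme + "://" + u.Host)
	got := strings.ToLower(publicOrigin(r))
	if want != got {
		return fmt.Errorf("instance URL is %s but requests arrive as %s: check TLS termination and X-Forwarded-* headers", want, got)
	}
	return nil
}

// newProxiedRequest builds a constructed request as the backend sees it after the proxy.
func newProxiedRequest(internalHost string, headers map[string]string) *http.Request {
	r, _ := http.NewRequest(http.MethodGet, "http://"+internalHost+"/", nil)
	for k, v := range headers {
		r.Header.Set(k, v)
	}
	return r
}

func main() {
	const instance = "https://memos.example.com"
	good := newProxiedRequest("127.0.0.1:5230", map[string]string{
		"X-Forwarded-Proto": "https",
		"X-Forwarded-Host":  "memos.example.com",
		"X-Forwarded-For":   "203.0.113.7",
	})
	stripped := newProxiedRequest("127.0.0.1:5230", nil) // proxy dropped the headers
	fmt.Println("with headers:", checkInstanceURL(instance, good))
	fmt.Println("headers stripped:", checkInstanceURL(instance, stripped))
}
```

The second call reports that requests arrive as http://127.0.0.1:5230 while the instance URL is https://memos.example.com, which is the state a mis-configured proxy leaves the application in.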

Attachment and sharing considerations

Security is not only about login. Public memos may expose:

  • memo body content
  • attached files
  • links and references embedded in the memo

Treat visibility and attachment review as part of your security model.

Backup and recovery

Security is also about recoverability. Keep regular backups of:

  • the database (it also holds the JWT secret and the token hashes, so store backups with the same care as the live instance)
  • attachment storage when attachments are not stored in the database
  • the deployment configuration needed to recreate the instance
