Swush Documentation

Runtime Settings Storage Uploads Streaming & Previews Email Limits & Quotas Security Cloudflare Jobs & Cron

Configuration

Security

Auth, API keys, and passwords.

Auth

Session-based web auth
Device flow for extension access
Optional two-factor support

API keys

API keys are required for external automation
Keys can be scoped and revoked
Admins can disable API tokens globally
Admins can disable API tokens per user
Rotate keys if shared or leaked

Passwords

Item passwords are hashed with Argon2. The app also supports legacy bcrypt hashes.

Sharing & anonymity

Anonymous sharing hides owner identity and stays enforced once enabled
Sharing pages use /v/{slug} for a viewer layer and /x/{slug} for raw access
Spoiler tags are respected in previews

Recommendations

Use HTTPS in production
Restrict CORS_ORIGIN to trusted domains
Keep database and storage private
Disable API tokens for untrusted users or public instances

Limits & Quotas

Storage, upload, and per-module limits.

Cloudflare

Cache rules and tunnels.

On this page

Auth API keys Passwords Sharing & anonymity Recommendations