jot — encrypted notes, zero friction

// notes without the noise.

ENCRYPTED·ANONYMOUS·ONE BINARY

→ one command. one binary. zero setup.

CLIjot add · list · share · login
TUIjot tui
APIREST + WebSocket · OAuth 2.1 + PKCE
SPAlocalhost:3000
MCP/mcp HTTP + jot-mcp stdio
AndroidFlutter + FFI beta

ver v0.1.0
license MIT
released 2026-05-20
deps 0
platforms 10

§01 what it does

universal encrypted notes. think digital post-its for hackers.

01 end-to-end encrypted

AES-256-GCM per-note DEKs, X25519 key wrapping, HKDF-SHA-256. The server stores ciphertext only — your private key never leaves the device.

02 no email, no password

Identity is a local UUID + Ed25519 keypair generated on first run. Pair new devices with a QR code, a 4-digit code, or jot link <token>.

03 CLI · TUI · SPA · mobile

One binary serves the REST API and embeds the Preact web app. Drive it from the shell, the terminal UI, the browser, or the Android client.

04 blocks & backlinks

Notes are block trees with [[note]], ((block)) and #tag references. Journal view groups by day; todo view aggregates checkboxes; graph view renders backlinks.

05 mcp-native

Built-in MCP server at POST /mcp plus the jot-mcp stdio bridge. Claude Desktop, Claude Code and Cursor read & write your notes via OAuth.

06 oauth 2.1 + pkce

Authorization Code + PKCE + Dynamic Client Registration. Same tokens.json shared between CLI, SPA, mobile and the MCP bridge — auto-refresh built in.

07 share what you want

Per-note, per-board or per-block sharing with read / write / delete permissions. Recent contacts as quick-pick chips. Invites are one-shot tokens — no email required.

08 runs anywhere, owns nothing

SQLite + local blobs by default, S3-compatible (R2/MinIO/AWS) optional. Static musl binaries for Linux, native for macOS, Windows. Zero runtime deps.

stack — Rust · Axum · SQLite · RustCrypto · Preact · Flutter

§02 self-host the server

one binary. sqlite + local blobs. zero deps. own your notes.

01 install jot-server
```
$ curl -fsSL jot.mindlog.today/install.sh | sh -s -- --component server
```
Windows : $env:JOT_COMPONENT='server'; irm jot.mindlog.today/install.ps1 | iex
02 start it
```
$ jot-server serve --bind 0.0.0.0:3000
```
Generates an X25519 identity + Ed25519 keypair in ~/.local/share/jot/, applies migrations, prints the local device token. Add --open-registration for a public instance.

03 open the SPA & log a client in

$ open http://localhost:3000        # register via QR or invite
$ jot login --server http://localhost:3000   # OAuth + PKCE

The CLI, TUI and jot-mcp share ~/.config/jot/tokens.json with auto-refresh.

04 wire Claude Desktop / Code (optional)
```
# ~/.config/Claude/claude_desktop_config.json
{
  "mcpServers": {
    "jot": { "command": "jot-mcp" }
  }
}
```
The bridge proxies stdio ↔ POST /mcp and reuses your OAuth tokens. Tools exposed : list_boards, read_note, add_note, list_journal, list_todo, …
05 add another device
```
$ jot link-init                  # prints token + 4-digit code + QR URL
$ jot link <token>               # on the new device
```
Or scan the QR from the SPA / Android app. The new device fetches the private key over the authenticated channel so end-to-end encryption stays seamless.

advanced — environment & storage

JOT_STORAGE=local (default) — blobs under ~/.local/share/jot/blobs/
JOT_STORAGE=s3 + standard AWS_* env — Cloudflare R2, MinIO, AWS S3
--legacy-device-tokens — keep the pre-OAuth device JWT path alive during migration
jot migrate — apply pending migrations without starting the server
jot-server openapi > openapi.json — dump the OpenAPI 3 spec

§03 downloads

pre-built static binaries. pick a target.

or build from source — cargo build --release

§01 what it does

§02 self-host the server

§03 downloads

jot — CLI / TUI

jot-server — API + SPA + MCP

jot-mcp — stdio MCP bridge