A friendly, private, end-to-end encrypted notes app you run yourself — with every feature included, no paid tier, and nothing gatekept.
Standard Red Notes is an open, AGPL-3.0 licensed, self-hosted fork of
Standard Notes. It keeps the things that make
Standard Notes great — strong end-to-end encryption, a clean cross-platform
client, and a sync server you can host yourself — and removes the part that
gets in the way: the subscription. Where the upstream project puts a number of
features behind a paid plan, this fork ships the full feature set on by
default. The server runs with STANDARD_RED_FEATURES_MODE=included, so
feature and subscription checks return full access without any subscription
provisioning. You host it, you own the data, and nothing is held back.
This is an independent project and is not affiliated with, sponsored by, or endorsed by Standard Notes. Upstream copyright and attribution are preserved.
New here and want to use the app? Read the onboarding guide — accounts, editors, organizing notes, the AI assistant, and what stays private. Want to run a server? Jump to the Docker quickstart or the full self-hosting guide.
- Why this fork
- What's different / improved
- Feature comparison
- Repository layout
- Docker quickstart
- Building from source
- Command-line tools
- API
- License
Standard Notes is genuinely great software — strong end-to-end encryption, a clean cross-platform client, and a self-hostable sync server. But upstream development has largely stalled, and a project this good shouldn't be allowed to quietly slide into abandonware. This fork is, first and foremost, about modernization: keeping great software alive, current, and moving forward instead of letting a vacuum form around it. Concretely, that means an updated dependency stack and toolchain, refreshed builds and Docker/reverse-proxy setup, ongoing bug fixes, and a steady stream of new capabilities — so you're running a living, maintained codebase rather than a frozen snapshot of an app that deserves to keep going.
The second thing it changes is the business model. Standard Notes gates some of the nicer features behind a subscription; if you are happy to run your own server, you do not need that gate. Standard Red Notes takes the AGPL-3.0 source and makes the self-hosted product the first-class target:
- No paid tier, nothing gatekept. Every included feature is on for every account on your instance. There is no "upgrade to unlock" and no subscription to provision — full access is the baseline product mode, not a perk.
- Self-hosted first. The defaults target your own server, not a hosted
service. One setup script generates a complete
.envwith secure secrets and brings the Docker Compose stack up. - You own your data. Notes are end-to-end encrypted on your device before they sync; the server only ever stores ciphertext it cannot read.
- Genuinely open. AGPL-3.0 means you can inspect, modify, and run it yourself — and anyone you offer it to over a network is entitled to the source.
On top of the upstream client and server, this fork adds and unlocks a broad set of features — and brings the whole project up to date: the frontend and backend dependencies and toolchain have been modernized (libraries updated, builds and Docker/reverse-proxy setup refreshed) so you're running a current, maintained stack rather than a frozen snapshot. The highlights below are all present in this repository:
| Area | What you get |
|---|---|
| All features included | The server runs in included features mode, so no feature or note type is gated behind a subscription. |
| Modernized stack | Frontend and backend dependencies and build toolchain updated, reverse-proxy-friendly Docker setup, a top-level Makefile, and documented HTTP API. |
| AI assistant | An optional assistant (Preferences → Assistant) you point at any OpenAI-compatible endpoint — local (LM Studio, Ollama) or hosted. You pick the context scope (current note, whole notebook, a tag/folder/selection) so it only sees what you choose. AI features are opt-in and off by default. |
| Assistant actions | Suggest tags, auto-organize notes, conflict-merge assistance, AI auto-resolve conflicts, note narration / text-to-speech, speech-to-text / dictation, contextual AI search (re-rank results), and a bounded deep-research mode over your own notes. |
| Many note types | Plain text, Super rich blocks, Canvas (freeform drawing), Bases, Calendar, Kanban, Timeline, Flashcards (with study mode), a Map type (mind maps / family trees), and code sandboxes — a JS Sandbox (jsfiddle-style) and a Web App Sandbox (codepen-style live preview). |
| Super editor blocks | Checklists, tables, code, math, footnotes, web embeds, kanban, timeline, QR codes, TradingView & stock charts, an in-browser SQL block, gantt / timing / music-staff charts, and a live clock / world-clock — from the / block picker. |
| Super editing power | Collapsible / foldable sections, multi-cursor editing, a customizable Word-style toolbar with contextual widget groups, and block zoom. |
| Reminders & journaling | Per-note reminders (one-off and recurring), browser notifications, optional server-sent email reminders, and a diary mode that prompts a daily entry. |
| Dashboards & views | A Dashboard with account stats, Achievements, and aggregate views for Reminders, Calendar, Todos, and a Zotero-like Research library — plus a fully customizable Home page. |
| Sync & real-time | Websocket-first delta sync (HTTP fallback), an optional manual-sync mode, live co-editing + presence in shared vaults, and a Sync control pane showing what's local-only. |
| Search | Full-text search with a local index and relevance ranking, advanced operators (tag:, type:, is:, dates…), find-in-PDF, and optional AI re-ranking — all in your browser. |
| Files | Bulk file & folder uploads, large local-only files, automatic EXIF/metadata stripping on image upload, in-app audio playback, and download-all-images-as-zip. |
| Account & security | Passkey sign-in and passkey app-lock, multiple workspaces per email (server-configurable), trusted devices, burn-note one-view shares, bannable users, app passwords / MCP tokens, and scheduled encrypted email backups. |
| Import / export | Import from Evernote, Google Keep, OneNote, Zoho Notebook, CSV; export to .ics, Excel/Word (spreadsheets), print/PDF, and encrypted backups. |
| Linking & navigation | Bidirectional links and backlinks, the constellation graph, and an extended keyboard-driven command palette. |
| Collaboration | Vaults, contacts, and invites, surfaced in a Sharing settings pane. |
| Privacy controls | Protected notes, selective sync, trusted devices, and configurable trash auto-cleanup. |
| Appearance & personalization | Auto light/dark theme, custom themes with custom accent colors, font ligatures, per-note colors, a per-note hero cover image, and a profile picture. |
| Localization | An i18n framework with 16 locales, switchable in settings. |
| Spellcheck | Multi-language spellcheck configuration. |
| CLI tools | srn-client (real end-to-end-encrypted note CRUD from the terminal) and srn-server (operator helpers: health, status, logs, config validation). |
| MCP bridge | An MCP stdio bridge (mcp/) so MCP-capable clients can talk to your server. |
| Self-hosting | One-command setup scripts (scripts/setup.sh / scripts/setup.ps1) and a documented, reverse-proxy-ready Docker Compose stack. |
A note on accuracy: features like the AI assistant and narration decrypt notes locally but send the content you point them at to the AI provider you configure. See the onboarding guide for an honest breakdown of what crosses the end-to-end boundary.
How the upstream hosted Standard Notes offering compares with Standard Red Notes (this fork). Standard Notes is excellent software with a sustainable business; it offers a capable free tier and reserves a number of "Productivity" features for its paid subscription. Standard Red Notes targets self-hosting instead: every included feature is on for every account, with no paid tier — the trade-off is that you run and maintain the server yourself. This table is cross-checked against the "What's different / improved" features this repository actually ships.
| Capability | Standard Notes (free) | Standard Notes (paid / Productivity) | Standard Red Notes (this fork) |
|---|---|---|---|
| End-to-end encryption | Yes | Yes | Yes |
| Unlimited notes, tags, nested folders | Yes | Yes | Yes |
| Multi-device sync | Yes | Yes | Yes |
| Plain text / basic editing | Yes | Yes | Yes |
| Rich / Super block editor, Markdown, code, advanced note types | Limited | Subscription-gated | Included (Super blocks, Canvas, Bases, Calendar, Kanban, Timeline, code sandboxes) |
| Themes / appearance | Default theme | Extra themes via subscription | Included (auto light/dark + extra themes) |
| Encrypted file attachments / storage | Not on free tier | Subscription-gated (storage quota) | Included (limits are your server's storage) |
| Note history / revisions | Short retention | Extended retention via subscription | Included (retention is your server's config) |
| Two-factor authentication | Yes | Yes | Yes (TOTP, magic link, WebAuthn) |
| Encrypted backups & email backups | Local export | Email/cloud backups via subscription | Included (export, and email/automatic where configured) |
| Collaboration / shared vaults | No | Yes (on supported plans) | Included (vaults, contacts, invites, realtime relay) |
| AI assistant / actions | Not offered | Not offered | Included (bring-your-own OpenAI-compatible endpoint or server proxy) |
| Public share links, dead-man's switch, email reminders | No | No | Included (fork-specific) |
| App passwords / scoped MCP tokens / MCP bridge | No | No | Included (fork-specific) |
| Hosting | Managed by Standard Notes | Managed by Standard Notes | Self-hosted by you |
| Cost | Free | Paid subscription | Free (you provide the server) |
"Subscription-gated" reflects upstream's hosted product at a high level and may shift over time; check standardnotes.com for their current plans. The right-most column reflects what this repository ships today. Self-hosting means you are responsible for running, securing, and backing up the server.
This repository preserves the upstream package boundaries:
app/— web, desktop, mobile, and shared client packages.server/— auth, sync, files, revisions, websockets, home server, and supporting packages.mcp/— Standard Red Notes MCP bridge bootstrap.cli/— standalone command-line tools (srn-client,srn-server).scripts/— self-hosting setup scripts.docs/— onboarding, self-hosting, and project planning docs.
The app and server still use their upstream Yarn projects internally. The root package is a coordinator for monorepo scripts and new packages while the larger workspace migration is phased in.
Run your own instance in three commands. Prerequisite: Docker with the Compose plugin, installed and running.
git clone https://github.com/supermarsx/standard-red-notes.git
cd standard-red-notes
./scripts/setup.sh --up # Windows (PowerShell): ./scripts/setup.ps1 -Upsetup generates a complete .env with secure secrets; --up then brings the
stack up (web app, server, MySQL, Redis, LocalStack). When it finishes, open
http://localhost:3001 and choose Register — every feature is included,
nothing to purchase.
Manual setup & everyday commands
./scripts/setup.sh # write .env only (add --yes to accept all defaults)
docker compose up -d # start the stack
docker compose ps # what's running
docker compose logs -f # follow logs (append a service name to narrow)
docker compose down # stop
docker compose pull && docker compose up -d # update and restart
docker compose --profile mcp run --rm mcp # optional MCP stdio bridgeOther endpoints: API gateway http://localhost:3000, files http://localhost:3125.
For production — every environment variable, reverse proxy (nginx / Traefik), data locations, upgrades, and backup/restore — see the self-hosting guide.
Root-level coordinator scripts:
yarn install
yarn build:mcp
yarn start:mcp
yarn deps:auditThe full app and server builds still run through their existing project-level scripts:
yarn --cwd app build:all
yarn --cwd server buildYou can also drive the Docker stack via the coordinator scripts:
yarn docker:config
yarn docker:upTwo standalone CLI tools live in cli/ (each is independent and does not touch
the app/server lockfiles):
srn-client— manage a Standard Red Notes account from the terminal with real, end-to-end-encrypted note CRUD. It runs the actual protocol (SRP sign-in, argon2 root-key derivation, items-key decryption) via an embedded headless@standardnotes/snjsclient, so changes sync back encrypted exactly like the web/desktop app. Seecli/srn-client/README.md.srn-server— operator helpers for the Docker stack: health checks, stack status, logs, config validation, and thindocker composewrappers. Zero runtime dependencies. Seecli/srn-server/README.md.
A third tool, srn-admin, ships inside the server image (it drives the
auth service's own database and use-cases, so it is not a downloadable binary) —
see In-container admin below.
Each CLI tool is released independently as native, single-file executables via GitHub Actions — no manual tagging required. Releases roll automatically:
- Triggers. Pushing to
mainruns the per-tool workflow when that tool's directory changes —srn-client.ymloncli/srn-client/**,srn-server.ymloncli/srn-server/**. Both can also be run on demand from the Actions tab (workflow_dispatch). - Pipeline. Each workflow is gated: check → build → package → release
(a stage only runs if the previous one passed). Packaging cross-compiles with
@yao-pkg/pkgon a single Linux runner. - Versioning. Rolling, per tool,
YY.Nresetting each year (e.g. the first 2025 client release is25.1, the next25.2, …). The server tool counts independently. The workflow computesNat release time from existing releases and creates a namespaced tag (srn-client-v25.1,srn-server-v25.1). - Artifacts. Every release attaches 6 executables — Windows, macOS, and
Linux, each in
x64andarm64(Windows ones end in.exe) — plus aSHA256SUMS.txt. Download the one matching your platform, verify the checksum, and run it directly. The two tools release as separate GitHub Releases.
Grab the prebuilt executable for your platform from the
Releases page.
The two tools publish independently, so pick the newest release tagged
srn-client-v* (client) or srn-server-v* (server). Node is baked in — there's
nothing to install; download, verify, make it executable, and run.
srn-client — terminal note CRUD (end-to-end encrypted):
| Platform | x64 | arm64 |
|---|---|---|
| Windows | srn-client-windows-x64.exe |
srn-client-windows-arm64.exe |
| macOS | srn-client-macos-x64 |
srn-client-macos-arm64 |
| Linux | srn-client-linux-x64 |
srn-client-linux-arm64 |
srn-server — operator helpers for the Docker stack:
| Platform | x64 | arm64 |
|---|---|---|
| Windows | srn-server-windows-x64.exe |
srn-server-windows-arm64.exe |
| macOS | srn-server-macos-x64 |
srn-server-macos-arm64 |
| Linux | srn-server-linux-x64 |
srn-server-linux-arm64 |
Direct download follows the tagged-release URL pattern (replace the tag with the current one from the Releases page, and the asset with your platform's row):
# Example: srn-client for Linux x64 from release srn-client-v25.1
base=https://github.com/supermarsx/standard-red-notes/releases/download/srn-client-v25.1
curl -LO "$base/srn-client-linux-x64"
curl -LO "$base/SHA256SUMS.txt"
sha256sum -c SHA256SUMS.txt --ignore-missing # verify integrity
chmod +x srn-client-linux-x64 # Linux/macOS only
./srn-client-linux-x64 --helpOn Windows, download the matching .exe and run it from PowerShell or
double-click; verify with Get-FileHash srn-client-windows-x64.exe -Algorithm SHA256
against SHA256SUMS.txt. On macOS you may need to clear the quarantine flag with
xattr -d com.apple.quarantine ./srn-client-macos-arm64 before first run.
The desktop app (built with electron-builder) publishes as its own rolling
release, tagged with a semver vYY.M.<build> (e.g. v25.6.123) — distinct from
the CLI tools' srn-*-v* tags. Grab the installer for your platform from the
Releases page:
| Platform | Formats (x64 + arm64) |
|---|---|
| Windows | .exe NSIS installer |
| macOS | .dmg and .zip (Intel + Apple Silicon) |
| Linux | .AppImage, .deb, plus .snap (x64) |
Auto-update is built in via electron-updater (it reads the GitHub release); it defaults to off and is opt-in under Preferences. The public builds are unsigned, so on first launch macOS may need right-click → Open and Windows SmartScreen may warn (More info → Run anyway).
srn-admin is baked into the server image and runs admin operations
directly against the auth database — it reuses the auth service's own
use-cases and repositories (no HTTP, no admin session, no separate container).
Use it to bootstrap the first admin, manage RBAC groups, reset 2FA, or fix a
storage quota. Run it inside the running stack:
docker compose exec server srn-admin help
docker compose exec server srn-admin whois user@example.com # uuid, email, roles
docker compose exec server srn-admin grant-admin user@example.com # → INTERNAL_TEAM_USER
docker compose exec server srn-admin revoke-admin user@example.com
docker compose exec server srn-admin list-roles user@example.com # direct + effective
docker compose exec server srn-admin reset-mfa user@example.com # clear 2FA + recovery codes
docker compose exec server srn-admin fix-quota user@example.com # recalculate storage usageA <user> may be an email or a user uuid. RBAC groups are managed via
the group subcommands:
docker compose exec server srn-admin group list
docker compose exec server srn-admin group create "Editors" CORE_USER,INTERNAL_TEAM_USER
docker compose exec server srn-admin group set-roles <groupUuid> CORE_USER
docker compose exec server srn-admin group members <groupUuid>
docker compose exec server srn-admin group add-user <groupUuid> user@example.com
docker compose exec server srn-admin group remove-user <groupUuid> user@example.com
docker compose exec server srn-admin group delete <groupUuid>Granting INTERNAL_TEAM_USER is the same role the server reads from the
ADMIN_EMAILS env var at boot — srn-admin grant-admin is the ad-hoc
equivalent for an already-registered user.
Your self-hosted server exposes the full Standard Notes HTTP API through the API
gateway — sign-in (PKCE), sync (POST /v1/items), items/files, settings,
sessions, two-factor, collaboration, plus this fork's additions (app passwords,
MCP tokens, public share links, the AI assistant proxy, and more).
See docs/API.md for the full reference: base URL and
versioning, the authentication model (PKCE + bcrypt-derived server password,
Authorization: Bearer access tokens, refresh), a curl walkthrough, and every
endpoint grouped by area. Because notes are end-to-end encrypted, item payloads
are ciphertext — the easiest faithful client is the bundled
srn-client, which runs the real protocol. The API
docs are also linked in-app under Preferences → Documentation → Automation
(MCP) → The HTTP API.
Standard Red Notes is licensed under the GNU Affero General Public License v3.0 (AGPL-3.0). See the LICENSE.md file for the full text. Because the AGPL covers network use, anyone you offer this software to over a network is entitled to its corresponding source.
This project is a self-hosted fork of Standard Notes, which is also distributed under the AGPL-3.0. Upstream copyright and attribution notices are preserved. Standard Red Notes is an independent project and is not affiliated with, sponsored by, or endorsed by Standard Notes.