diff --git a/CHANGELOG.markdown b/CHANGELOG.markdown
index dcbfc91..540c01c 100644
--- a/CHANGELOG.markdown
+++ b/CHANGELOG.markdown
@@ -1,5 +1,7 @@
 ## vNEXT
 
+* add: instance hidelist
+  <https://github.com/codl/forget/pull/590>
 * removed: migration path for known instances list from cookie to localstorage
   <https://github.com/codl/forget/pull/545>
 
diff --git a/config.example.py b/config.example.py
index 9cb3ef7..b22c663 100644
--- a/config.example.py
+++ b/config.example.py
@@ -47,7 +47,23 @@ SENTRY
 
 If you want to send exceptions to sentry, enter your sentry DSN here
 """
-# SENTRY_DSN=
+# SENTRY_DSN=''
+
+"""
+HIDDEN INSTANCES
+
+The front page shows one-click login buttons for the mastodon and
+misskey instances that see the most heavy use. Instances configured in this
+list will be prevented from appearing in these buttons.
+
+They will still appear if a user has previously logged into them and their
+browser remembers it. A user will still be able to log into them by manually
+typing the address into the log in form.
+
+This is a space-delimited list. Example syntax:
+HIDDEN_INSTANCES='social.example.com pleroma.example.net mk.example.org'
+"""
+# HIDDEN_INSTANCES=''
 
 """
 ADVANCED FLASK CONFIG
diff --git a/routes/__init__.py b/routes/__init__.py
index f665fe6..187ba61 100644
--- a/routes/__init__.py
+++ b/routes/__init__.py
@@ -37,8 +37,9 @@ def index():
 
 @app.route('/about/')
 def about():
-    mastodon_instances = libforget.mastodon.suggested_instances()
-    misskey_instances = libforget.misskey.suggested_instances()
+    blocklist = app.config.get('HIDDEN_INSTANCES', '').split()
+    mastodon_instances = libforget.mastodon.suggested_instances(blocklist=blocklist)
+    misskey_instances = libforget.misskey.suggested_instances(blocklist=blocklist)
     return render_template(
             'about.html',
             mastodon_instances=mastodon_instances,
@@ -186,9 +187,11 @@ def mastodon_login_step1(instance=None):
                     or request.form.get('instance_url', None))
 
     if not instance_url:
+        blocklist = app.config.get('HIDDEN_INSTANCES', '').split()
         instances = libforget.mastodon.suggested_instances(
                 limit=30,
-                min_popularity=1
+                min_popularity=1,
+                blocklist=blocklist,
         )
         return render_template(
                 'mastodon_login.html', instances=instances,
@@ -202,15 +205,15 @@ def mastodon_login_step1(instance=None):
                        instance_url=instance_url, _external=True)
 
     try:
-        app = libforget.mastodon.get_or_create_app(
+        mastoapp = libforget.mastodon.get_or_create_app(
                 instance_url,
                 callback,
                 url_for('index', _external=True))
-        db.session.merge(app)
+        db.session.merge(mastoapp)
 
         db.session.commit()
 
-        return redirect(libforget.mastodon.login_url(app, callback))
+        return redirect(libforget.mastodon.login_url(mastoapp, callback))
 
     except Exception:
         if sentry:
@@ -221,14 +224,14 @@ def mastodon_login_step1(instance=None):
 @app.route('/login/mastodon/callback/<instance_url>')
 def mastodon_login_step2(instance_url):
     code = request.args.get('code', None)
-    app = MastodonApp.query.get(instance_url)
-    if not code or not app:
+    mastoapp = MastodonApp.query.get(instance_url)
+    if not code or not mastoapp:
         return redirect(url_for('mastodon_login_step1', error=True))
 
     callback = url_for('mastodon_login_step2',
                        instance_url=instance_url, _external=True)
 
-    token = libforget.mastodon.receive_code(code, app, callback)
+    token = libforget.mastodon.receive_code(code, mastoapp, callback)
     account = token.account
 
     session = login(account.id)
@@ -245,11 +248,13 @@ def mastodon_login_step2(instance_url):
 def misskey_login(instance=None):
     instance_url = (request.args.get('instance_url', None)
                     or request.form.get('instance_url', None))
-    
+
     if not instance_url:
+        blocklist = app.config.get('HIDDEN_INSTANCES', '').split()
         instances = libforget.misskey.suggested_instances(
             limit = 30,
-            min_popularity = 1
+            min_popularity = 1,
+            blocklist=blocklist,
         )
         return render_template(
                 'misskey_login.html', instances=instances,
@@ -258,22 +263,22 @@ def misskey_login(instance=None):
                 )
 
     instance_url = domain_from_url(instance_url)
-    
+
     callback = url_for('misskey_callback',
                        instance_url=instance_url, _external=True)
 
     try:
         session = make_session()
-        app = libforget.misskey.get_or_create_app(
+        mkapp = libforget.misskey.get_or_create_app(
                 instance_url,
                 callback,
                 url_for('index', _external=True),
                 session)
-        db.session.merge(app)
+        db.session.merge(mkapp)
 
         db.session.commit()
 
-        return redirect(libforget.misskey.login_url(app, callback, session))
+        return redirect(libforget.misskey.login_url(mkapp, callback, session))
 
     except Exception:
         if sentry:
@@ -285,11 +290,11 @@ def misskey_login(instance=None):
 def misskey_callback(instance_url):
     # legacy auth and miauth use different parameter names
     token = request.args.get('token', None) or request.args.get('session', None)
-    app = MisskeyApp.query.get(instance_url)
-    if not token or not app:
+    mkapp = MisskeyApp.query.get(instance_url)
+    if not token or not mkapp:
         return redirect(url_for('misskey_login', error=True))
 
-    token = libforget.misskey.receive_token(token, app)
+    token = libforget.misskey.receive_token(token, mkapp)
     account = token.account
 
     session = login(account.id)