chore: add stale issue action

chore: add search bar in archived page
chore: create memo visibility when creating
2025-06-05 22:09:59 +02:00 · 2024-01-18 16:18:18 +08:00 · 2024-01-18 15:28:37 +08:00 · 2024-01-18 15:20:22 +08:00 · 2024-01-18 14:52:57 +08:00 · 2024-01-18 14:30:20 +08:00
762 changed files with 78525 additions and 25330 deletions
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@@ -1,11 +1,11 @@
 name: Bug Report
-description: Create a report to help us improve
+description: If something isn't working as expected
 labels: [bug]
 body:
  - type: markdown
    attributes:
      value: |
-        If you are reporting a new issue, make sure that we do not have any duplicates already open. You can ensure this by searching the issue list for this repository. If there is a duplicate, please close your issue and add a comment to the existing issue instead.
+        Before submitting a bug report, please check if the issue is already present in the issues. If it is, please add a reaction to the issue. If it isn't, please fill out the form below.
  - type: textarea
    attributes:
      label: Describe the bug
@@ -24,8 +24,15 @@ body:
        3. See error
    validations:
      required: true
+  - type: input
+    attributes:
+      label: The version of Memos you're using
+      description: |
+        Provide the version of Memos you're using.
+    validations:
+      required: true
  - type: textarea
    attributes:
      label: Screenshots or additional context
      description: |
-        Add screenshots or any other context about the problem.
+        If applicable, add screenshots to help explain your problem. And add any other context about the problem here. Such as the device you're using, etc.
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@@ -0,0 +1 @@
+blank_issues_enabled: false
--- a/.github/ISSUE_TEMPLATE/feature_request.yml
+++ b/.github/ISSUE_TEMPLATE/feature_request.yml
@@ -1,28 +1,36 @@
 name: Feature Request
-description: Suggest an idea for this project
+description: If you have a suggestion for a new feature
 labels: [enhancement]
 body:
  - type: markdown
    attributes:
      value: |
-        Thanks for taking the time to suggest an idea for Memos!
-  - type: textarea
-    attributes:
-      label: Is your feature request related to a problem?
-      description: |
-        A clear and concise description of what the problem is.
-      placeholder: |
-        I'm always frustrated when [...]
-    validations:
-      required: true
+        Before submitting a feature request, please check if the issue is already present in the issues. If it is, please add a reaction to the issue. If it isn't, please fill out the form below.
  - type: textarea
    attributes:
      label: Describe the solution you'd like
      description: |
        A clear and concise description of what you want to happen.
+      placeholder: |
+        It would be great if [...]
+    validations:
+      required: true
+  - type: dropdown
+    attributes:
+      label: Type of feature
+      description: What type of feature is this?
+      options:
+        - User Interface (UI)
+        - User Experience (UX)
+        - API
+        - Documentation
+        - Integrations
+        - Other
+      default: 0
    validations:
      required: true
  - type: textarea
    attributes:
      label: Additional context
-      description: Add any other context or screenshots about the feature request.
+      description: |
+        What are you trying to do? Why is this important to you?
--- a/.github/workflows/backend-tests.yml
+++ b/.github/workflows/backend-tests.yml
@@ -1,38 +1,45 @@
 name: Backend Test

 on:
+  push:
+    branches: [main]
  pull_request:
    branches:
      - main
      - "release/*.*.*"
+    paths:
+      - "go.mod"
+      - "go.sum"
+      - "**.go"

 jobs:
  go-static-checks:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v3
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
        with:
-          go-version: 1.19
+          go-version: 1.21
          check-latest: true
          cache: true
      - name: Verify go.mod is tidy
        run: |
-          go mod tidy -go=1.19
+          go mod tidy -go=1.21
          git diff --exit-code
      - name: golangci-lint
        uses: golangci/golangci-lint-action@v3
        with:
-          args: -v
+          version: v1.54.1
+          args: --verbose --timeout=3m
          skip-cache: true

  go-tests:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-go@v3
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
        with:
-          go-version: 1.19
+          go-version: 1.21
          check-latest: true
          cache: true
      - name: Run all tests
--- a/.github/workflows/build-and-push-release-image.yml
+++ b/.github/workflows/build-and-push-release-image.yml
@@ -9,11 +9,14 @@ on:
 jobs:
  build-and-push-release-image:
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4

      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3

      - name: Extract build args
        # Extract version from branch name
@@ -22,24 +25,44 @@ jobs:
          echo "VERSION=${GITHUB_REF_NAME#release/}" >> $GITHUB_ENV

      - name: Login to Docker Hub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
        with:
          username: neosmemo
          password: ${{ secrets.DOCKER_NEOSMEMO_TOKEN }}

+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ github.token }}
+
      - name: Set up Docker Buildx
        id: buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
        with:
          install: true
          version: v0.9.1

+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            neosmemo/memos
+            ghcr.io/usememos/memos
+          tags: |
+            type=raw,value=latest
+            type=semver,pattern={{version}},value=${{ env.VERSION }}
+            type=semver,pattern={{major}}.{{minor}},value=${{ env.VERSION }}
+
      - name: Build and Push
        id: docker_build
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v5
        with:
          context: ./
          file: ./Dockerfile
          platforms: linux/amd64,linux/arm64
          push: true
-          tags: neosmemo/memos:latest, neosmemo/memos:${{ env.VERSION }}
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
--- a/.github/workflows/build-and-push-test-image.yml
+++ b/.github/workflows/build-and-push-test-image.yml
@@ -7,31 +7,54 @@ on:
 jobs:
  build-and-push-test-image:
    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      packages: write
    steps:
-      - uses: actions/checkout@v3
+      - uses: actions/checkout@v4

      - name: Set up QEMU
-        uses: docker/setup-qemu-action@v2
+        uses: docker/setup-qemu-action@v3

      - name: Login to Docker Hub
-        uses: docker/login-action@v2
+        uses: docker/login-action@v3
        with:
          username: neosmemo
          password: ${{ secrets.DOCKER_NEOSMEMO_TOKEN }}

+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ github.token }}
+
      - name: Set up Docker Buildx
        id: buildx
-        uses: docker/setup-buildx-action@v2
+        uses: docker/setup-buildx-action@v3
        with:
          install: true
          version: v0.9.1

+      - name: Docker meta
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: |
+            neosmemo/memos
+            ghcr.io/usememos/memos
+          flavor: |
+            latest=false
+          tags: |
+            type=raw,value=test
+
      - name: Build and Push
        id: docker_build
-        uses: docker/build-push-action@v3
+        uses: docker/build-push-action@v5
        with:
          context: ./
          file: ./Dockerfile
          platforms: linux/amd64
          push: true
-          tags: neosmemo/memos:test
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
--- a/.github/workflows/codeql.yml
+++ b/.github/workflows/codeql.yml
@@ -17,6 +17,12 @@ on:
  pull_request:
    # The branches below must be a subset of the branches above
    branches: [main]
+    paths:
+      - "go.mod"
+      - "go.sum"
+      - "**.go"
+      - "proto/**"
+      - "web/**"

 jobs:
  analyze:
@@ -36,11 +42,11 @@ jobs:

    steps:
      - name: Checkout repository
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4

      # Initializes the CodeQL tools for scanning.
      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v1
+        uses: github/codeql-action/init@v2
        with:
          languages: ${{ matrix.language }}
          # If you wish to specify custom queries, you can do so here or in a config file.
@@ -51,7 +57,7 @@ jobs:
      # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
      # If this step fails, then you should remove it and run the build manually (see below)
      - name: Autobuild
-        uses: github/codeql-action/autobuild@v1
+        uses: github/codeql-action/autobuild@v2

      # ℹ️ Command-line programs to run using the OS shell.
      # 📚 https://git.io/JvXDl
@@ -65,4 +71,4 @@ jobs:
      #   make release

      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v1
+        uses: github/codeql-action/analyze@v2
--- a/.github/workflows/frontend-tests.yml
+++ b/.github/workflows/frontend-tests.yml
@@ -1,38 +1,52 @@
 name: Frontend Test

 on:
+  push:
+    branches: [main]
  pull_request:
    branches:
      - main
      - "release/*.*.*"
+    paths:
+      - "web/**"

 jobs:
  eslint-checks:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3
+      - uses: actions/checkout@v4
+      - uses: pnpm/action-setup@v2.4.0
        with:
-          node-version: "18"
-          cache: yarn
-          cache-dependency-path: "web/yarn.lock"
-      - run: yarn
+          version: 8
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+          cache: pnpm
+          cache-dependency-path: "web/pnpm-lock.yaml"
+      - run: pnpm install
+        working-directory: web
+      - run: pnpm type-gen
        working-directory: web
      - name: Run eslint check
-        run: yarn lint
+        run: pnpm lint
        working-directory: web

  frontend-build:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/checkout@v3
-      - uses: actions/setup-node@v3
+      - uses: actions/checkout@v4
+      - uses: pnpm/action-setup@v2.4.0
        with:
-          node-version: "18"
-          cache: yarn
-          cache-dependency-path: "web/yarn.lock"
-      - run: yarn
+          version: 8
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+          cache: pnpm
+          cache-dependency-path: "web/pnpm-lock.yaml"
+      - run: pnpm install
+        working-directory: web
+      - run: pnpm type-gen
        working-directory: web
      - name: Run frontend build
-        run: yarn build
+        run: pnpm build
        working-directory: web
--- a/.github/workflows/proto-linter.yml
+++ b/.github/workflows/proto-linter.yml
@@ -0,0 +1,34 @@
+name: Proto linter
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches:
+      - main
+      - "release/*.*.*"
+    paths:
+      - "proto/**"
+
+jobs:
+  lint-protos:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: Setup buf
+        uses: bufbuild/buf-setup-action@v1
+        with:
+          github_token: ${{ github.token }}
+      - name: buf lint
+        uses: bufbuild/buf-lint-action@v1
+        with:
+          input: "proto"
+      - name: buf format
+        run: |
+          if [[ $(buf format -d) ]]; then
+            echo "Run 'buf format -w'"
+            exit 1
+          fi
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@@ -0,0 +1,19 @@
+name: Close Stale Issues
+
+on:
+  schedule:
+    - cron: "0 0 * * *"
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    permissions:
+      issues: write
+
+    steps:
+      - uses: actions/stale@v9.0.0
+        with:
+          stale-issue-message: "This issue is stale because it has been open 14 days with no activity."
+          close-issue-message: "This issue was closed because it has been stalled for 28 days with no activity."
+          days-before-issue-stale: 14
+          days-before-issue-close: 14
--- a/.github/workflows/uffizzi-build.yml
+++ b/.github/workflows/uffizzi-build.yml
@@ -1,97 +0,0 @@
-name: Build PR Image
-on:
-  pull_request:
-    types: [opened, synchronize, reopened, closed]
-
-jobs:
-  build-memos:
-    name: Build and push `Memos`
-    runs-on: ubuntu-latest
-    outputs:
-      tags: ${{ steps.meta.outputs.tags }}
-    if: ${{ github.event.action != 'closed' }}
-    steps:
-      - name: Checkout git repo
-        uses: actions/checkout@v3
-
-      - name: Set up Docker Buildx
-        uses: docker/setup-buildx-action@v2
-
-      - name: Generate UUID image name
-        id: uuid
-        run: echo "UUID_WORKER=$(uuidgen)" >> $GITHUB_ENV
-
-      - name: Docker metadata
-        id: meta
-        uses: docker/metadata-action@v4
-        with:
-          images: registry.uffizzi.com/${{ env.UUID_WORKER }}
-          tags: |
-            type=raw,value=60d
-
-      - name: Build and Push Image to registry.uffizzi.com - Uffizzi's ephemeral Registry
-        uses: docker/build-push-action@v3
-        with:
-          context: ./
-          file: Dockerfile
-          tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
-          push: true
-          cache-from: type=gha
-          cache-to: type=gha, mode=max
-
-  render-compose-file:
-    name: Render Docker Compose File
-    # Pass output of this workflow to another triggered by `workflow_run` event.
-    runs-on: ubuntu-latest
-    needs:
-      - build-memos
-    outputs:
-      compose-file-cache-key: ${{ steps.hash.outputs.hash }}
-    steps:
-      - name: Checkout git repo
-        uses: actions/checkout@v3
-      - name: Render Compose File
-        run: |
-          MEMOS_IMAGE=${{ needs.build-memos.outputs.tags }}
-          export MEMOS_IMAGE
-          # Render simple template from environment variables.
-          envsubst < docker-compose.uffizzi.yml > docker-compose.rendered.yml
-          cat docker-compose.rendered.yml
-      - name: Upload Rendered Compose File as Artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: preview-spec
-          path: docker-compose.rendered.yml
-          retention-days: 2
-      - name: Serialize PR Event to File
-        run: |
-          cat << EOF > event.json
-          ${{ toJSON(github.event) }}
-
-          EOF
-      - name: Upload PR Event as Artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: preview-spec
-          path: event.json
-          retention-days: 2
-
-  delete-preview:
-    name: Call for Preview Deletion
-    runs-on: ubuntu-latest
-    if: ${{ github.event.action == 'closed' }}
-    steps:
-      # If this PR is closing, we will not render a compose file nor pass it to the next workflow.
-      - name: Serialize PR Event to File
-        run: |
-          cat << EOF > event.json
-          ${{ toJSON(github.event) }}
-
-          EOF
-      - name: Upload PR Event as Artifact
-        uses: actions/upload-artifact@v3
-        with:
-          name: preview-spec
-          path: event.json
-          retention-days: 2
--- a/.github/workflows/uffizzi-preview.yml
+++ b/.github/workflows/uffizzi-preview.yml
@@ -1,88 +0,0 @@
-name: Deploy Uffizzi Preview
-
-on:
-  workflow_run:
-    workflows:
-      - "Build PR Image"
-    types:
-      - completed
-
-
-jobs:
-  cache-compose-file:
-    name: Cache Compose File
-    if: ${{ github.event.workflow_run.conclusion == 'success' }}
-    runs-on: ubuntu-latest
-    outputs:
-      compose-file-cache-key: ${{ env.HASH }}
-      pr-number: ${{ env.PR_NUMBER }}
-    steps:
-      - name: 'Download artifacts'
-        # Fetch output (zip archive) from the workflow run that triggered this workflow.
-        uses: actions/github-script@v6
-        with:
-          script: |
-            let allArtifacts = await github.rest.actions.listWorkflowRunArtifacts({
-               owner: context.repo.owner,
-               repo: context.repo.repo,
-               run_id: context.payload.workflow_run.id,
-            });
-            let matchArtifact = allArtifacts.data.artifacts.filter((artifact) => {
-              return artifact.name == "preview-spec"
-            })[0];
-            let download = await github.rest.actions.downloadArtifact({
-               owner: context.repo.owner,
-               repo: context.repo.repo,
-               artifact_id: matchArtifact.id,
-               archive_format: 'zip',
-            });
-            let fs = require('fs');
-            fs.writeFileSync(`${process.env.GITHUB_WORKSPACE}/preview-spec.zip`, Buffer.from(download.data));
-
-      - name: 'Unzip artifact'
-        run: unzip preview-spec.zip
-      - name: Read Event into ENV
-        run: |
-          echo 'EVENT_JSON<<EOF' >> $GITHUB_ENV
-          cat event.json >> $GITHUB_ENV
-          echo 'EOF' >> $GITHUB_ENV
-
-      - name: Hash Rendered Compose File
-        id: hash
-        # If the previous workflow was triggered by a PR close event, we will not have a compose file artifact.
-        if: ${{ fromJSON(env.EVENT_JSON).action != 'closed' }}
-        run: echo "HASH=$(md5sum docker-compose.rendered.yml | awk '{ print $1 }')" >> $GITHUB_ENV
-      - name: Cache Rendered Compose File
-        if: ${{ fromJSON(env.EVENT_JSON).action != 'closed' }}
-        uses: actions/cache@v3
-        with:
-          path: docker-compose.rendered.yml
-          key: ${{ env.HASH }}
-
-      - name: Read PR Number From Event Object
-        id: pr
-        run: echo "PR_NUMBER=${{ fromJSON(env.EVENT_JSON).number }}" >> $GITHUB_ENV
-      - name: DEBUG - Print Job Outputs
-        if: ${{ runner.debug }}
-        run: |
-          echo "PR number: ${{ env.PR_NUMBER }}"
-          echo "Compose file hash: ${{ env.HASH }}"
-          cat event.json
-
-  deploy-uffizzi-preview:
-    name: Use Remote Workflow to Preview on Uffizzi
-    if: ${{ github.event.workflow_run.conclusion == 'success' }}
-    needs:
-      - cache-compose-file
-    uses: UffizziCloud/preview-action/.github/workflows/reusable.yaml@v2
-    with:
-      # If this workflow was triggered by a PR close event, cache-key will be an empty string
-      # and this reusable workflow will delete the preview deployment.
-      compose-file-cache-key: ${{ needs.cache-compose-file.outputs.compose-file-cache-key }}
-      compose-file-cache-path: docker-compose.rendered.yml
-      server: https://app.uffizzi.com
-      pr-number: ${{ needs.cache-compose-file.outputs.pr-number }}
-    permissions:
-      contents: read
-      pull-requests: write
-      id-token: write
--- a/.gitignore
+++ b/.gitignore
@@ -6,6 +6,7 @@ tmp

 # Frontend asset
 web/dist
+server/frontend/dist

 # build folder
 build
@@ -15,4 +16,9 @@ build
 # Jetbrains
 .idea

+# Docker Compose Environment File
+.env
+
 bin/air
+
+dev-dist
--- a/.golangci.yaml
+++ b/.golangci.yaml
@@ -1,5 +1,8 @@
+run:
+  timeout: 10m
 linters:
  enable:
+    - errcheck
    - goimports
    - revive
    - govet
@@ -10,17 +13,30 @@ linters:
    - rowserrcheck
    - nilerr
    - godot
+    - forbidigo
+    - mirror
+    - bodyclose

 issues:
+  include:
+    # https://golangci-lint.run/usage/configuration/#command-line-options
  exclude:
    - Rollback
+    - logger.Sync
+    - pgInstance.Stop
    - fmt.Printf
-    - fmt.Print
+    - Enter(.*)_(.*)
+    - Exit(.*)_(.*)

 linters-settings:
+  goimports:
+    # Put imports beginning with prefix after 3rd-party packages.
+    local-prefixes: github.com/usememos/memos
  revive:
+    # Default to run all linters so that new rules in the future could automatically be added to the static check.
    enable-all-rules: true
    rules:
+      # The following rules are too strict and make coding harder. We do not enable them for now.
      - name: file-header
        disabled: true
      - name: line-length-limit
@@ -51,14 +67,25 @@ linters-settings:
        disabled: true
      - name: early-return
        disabled: true
+      - name: use-any
+        disabled: true
+      - name: exported
+        disabled: true
+      - name: unhandled-error
+        disabled: true
  gocritic:
    disabled-checks:
      - ifElseChain
  govet:
    settings:
-      printf:
-        funcs:
+      printf: # The name of the analyzer, run `go tool vet help` to see the list of all analyzers
+        funcs: # Run `go tool vet help printf` to see the full configuration of `printf`.
          - common.Errorf
+    enable-all: true
+    disable:
+      - fieldalignment
+      - shadow
  forbidigo:
    forbid:
      - 'fmt\.Errorf(# Please use errors\.Wrap\|Wrapf\|Errorf instead)?'
+      - 'ioutil\.ReadDir(# Please use os\.ReadDir)?'
--- a/.vscode/extensions.json
+++ b/.vscode/extensions.json
@@ -1,3 +0,0 @@
-{
-  "recommendations": ["golang.go"]
-}
--- a/.vscode/project.code-workspace
+++ b/.vscode/project.code-workspace
@@ -1,12 +0,0 @@
-{
-  "folders": [
-    {
-      "name": "server",
-      "path": "../"
-    },
-    {
-      "name": "web",
-      "path": "../web"
-    }
-  ]
-}
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,5 +0,0 @@
-{
-  "go.lintOnSave": "workspace",
-  "go.lintTool": "golangci-lint",
-  "go.inferGopath": false
-}
--- a/31
+++ b/31
@@ -1,29 +1,40 @@
 # Build frontend dist.
-FROM node:18.12.1-alpine3.16 AS frontend
+FROM node:20-alpine AS frontend
 WORKDIR /frontend-build

-COPY ./web/ .
+COPY . .

-RUN yarn && yarn build
+WORKDIR /frontend-build/web
+
+RUN corepack enable && pnpm i --frozen-lockfile && pnpm type-gen
+
+RUN pnpm build

 # Build backend exec file.
-FROM golang:1.19.3-alpine3.16 AS backend
+FROM golang:1.21-alpine AS backend
 WORKDIR /backend-build

-RUN apk update && apk add --no-cache gcc musl-dev
-
 COPY . .
-COPY --from=frontend /frontend-build/dist ./server/dist

-RUN go build -o memos ./main.go
+RUN CGO_ENABLED=0 go build -o memos ./bin/memos/main.go

 # Make workspace with above generated files.
-FROM alpine:3.16 AS monolithic
+FROM alpine:latest AS monolithic
 WORKDIR /usr/local/memos

+RUN apk add --no-cache tzdata
+ENV TZ="UTC"
+
+COPY --from=frontend /frontend-build/web/dist /usr/local/memos/dist
 COPY --from=backend /backend-build/memos /usr/local/memos/

+EXPOSE 5230
+
 # Directory to store the data, which can be referenced as the mounting point.
 RUN mkdir -p /var/opt/memos
+VOLUME /var/opt/memos

-ENTRYPOINT ["./memos", "--mode", "prod", "--port", "5230"]
+ENV MEMOS_MODE="prod"
+ENV MEMOS_PORT="5230"
+
+ENTRYPOINT ["./memos"]
--- a/README.md
+++ b/README.md
@@ -1,91 +1,61 @@
-<p align="center"><a href="https://usememos.com"><img height="64px" src="https://raw.githubusercontent.com/usememos/memos/main/resources/logo-full.webp" alt="✍️ memos" /></a></p>
+<img height="56px" src="https://www.usememos.com/full-logo-landscape.png" alt="Memos" />

-<p align="center">
-  <a href="https://github.com/usememos/memos/stargazers"><img alt="GitHub stars" src="https://img.shields.io/github/stars/usememos/memos" /></a>
-  <a href="https://hub.docker.com/r/neosmemo/memos"><img alt="Docker pull" src="https://img.shields.io/docker/pulls/neosmemo/memos.svg" /></a>
-  <a href="https://hosted.weblate.org/engage/memos/"><img src="https://hosted.weblate.org/widgets/memos/-/svg-badge.svg" alt="Translation status" /></a>
+A privacy-first, lightweight note-taking service. Easily capture and share your great thoughts.
+
+<a href="https://www.usememos.com">Home Page</a> •
+<a href="https://www.usememos.com/blog">Blogs</a> •
+<a href="https://www.usememos.com/docs">Docs</a> •
+<a href="https://demo.usememos.com/">Live Demo</a>
+
+<p>
+  <a href="https://github.com/usememos/memos/stargazers"><img alt="GitHub stars" src="https://img.shields.io/github/stars/usememos/memos?logo=github" /></a>
+  <a href="https://hub.docker.com/r/neosmemo/memos"><img alt="Docker pull" src="https://img.shields.io/docker/pulls/neosmemo/memos.svg"/></a>
+  <a href="https://hosted.weblate.org/engage/memos-i18n/"><img src="https://hosted.weblate.org/widget/memos-i18n/english/svg-badge.svg" alt="Translation status" /></a>
  <a href="https://discord.gg/tfPJa4UmAv"><img alt="Discord" src="https://img.shields.io/badge/discord-chat-5865f2?logo=discord&logoColor=f5f5f5" /></a>
 </p>

-<p align="center">
-  <a href="https://demo.usememos.com/">Live Demo</a> •
-  Discuss in <a href="https://t.me/+-_tNF1k70UU4ZTc9">Telegram</a> / <a href="https://discord.gg/tfPJa4UmAv">Discord</a>
-</p>
+![demo](https://www.usememos.com/demo.webp)

-![demo](./resources/demo.webp)
+## Key points

-## Features
-
- 🦄 Open source and free forever
- 🚀 Support for self-hosting with `Docker` in seconds
- 📜 Plain textarea first and support some useful Markdown syntax
- 👥 Set memo private or public to others
- 🧑‍💻 RESTful API for self-service
- 📋 Embed memos on other sites using iframe
- #️⃣ Hashtags for organizing memos
- 📆 Interactive calendar view
- 💾 Easy data migration and backups
+- **Open source and free forever**. Embrace a future where creativity knows no boundaries with our open-source solution – free today, tomorrow, and always.
+- **Self-hosting with Docker in just seconds**. Enjoy the flexibility, scalability, and ease of setup that Docker provides, allowing you to have full control over your data and privacy.
+- **Pure text with added Markdown support.** Say goodbye to the overwhelming mental burden of rich formatting and embrace a minimalist approach.
+- **Customize and share your notes effortlessly**. With our intuitive sharing features, you can easily collaborate and distribute your notes with others.
+- **RESTful API for third-party services.** Embrace the power of integration and unleash new possibilities with our RESTful API support.

 ## Deploy with Docker in seconds

-### Docker Run
-
-```docker
-docker run -d --name memos -p 5230:5230 -v ~/.memos/:/var/opt/memos neosmemo/memos:latest
+```bash
+docker run -d --name memos -p 5230:5230 -v ~/.memos/:/var/opt/memos ghcr.io/usememos/memos:latest
 ```

-> `~/.memos/` will be used as the data directory in your machine and `/var/opt/memos` is the directory of the volume in Docker and should not be modified.
+> The `~/.memos/` directory will be used as the data directory on your local machine, while `/var/opt/memos` is the directory of the volume in Docker and should not be modified.

-### Docker Compose
+Learn more about [other installation methods](https://www.usememos.com/docs/install).

- Provided docker compose YAML file: [`docker-compose.yaml`](./docker-compose.yaml).
+## Contribution

- You can upgrade to the latest version memos with:
+Contributions are what make the open-source community such an amazing place to learn, inspire, and create. We greatly appreciate any contributions you make. Thank you for being a part of our community! 🥰

-```sh
-docker-compose down && docker image rm neosmemo/memos:latest && docker-compose up -d
-```
+<a href="https://github.com/usememos/memos/graphs/contributors">
+  <img src="https://contri-graphy.yourselfhosted.com/graph?repo=usememos/memos&format=svg" />
+</a>

-### Other installation methods
-
- [Deploy on render.com](./docs/deploy-with-render.md)
- [Deploy on fly.io](https://github.com/hu3rror/memos-on-fly)
-
-## Contribute
-
-Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated. 🥰
-
-Learn more about contributing in [development guide](./docs/development.md).
-
-### Products made by our Community
+---

 - [Moe Memos](https://memos.moe/) - Third party client for iOS and Android
 - [lmm214/memos-bber](https://github.com/lmm214/memos-bber) - Chrome extension
 - [Rabithua/memos_wmp](https://github.com/Rabithua/memos_wmp) - WeChat MiniProgram
 - [qazxcdswe123/telegramMemoBot](https://github.com/qazxcdswe123/telegramMemoBot) - Telegram bot
- [eallion/memos.top](https://github.com/eallion/memos.top) - A static page rendered with the Memos API
- [eindex/logseq-memos-sync](https://github.com/EINDEX/logseq-memos-sync) - A Logseq plugin
- [JakeLaoyu/memos-import-from-flomo](https://github.com/JakeLaoyu/memos-import-from-flomo) - Import data. Support from flomo, wechat reading.
- [Send to memos](https://sharecuts.cn/shortcut/12640) - A shortcut for iOS.
- [Memos Raycast Extension](https://www.raycast.com/JakeYu/memos) - Raycast extension, [source code](https://github.com/JakeLaoyu/memos-raycast).
-
-### User stories
-
- [Memos - A Twitter Like Notes App You can Self Host](https://noted.lol/memos/)
-
-### Join the community to build memos together!
-
-<a href="https://github.com/usememos/memos/graphs/contributors">
-  <img src="https://contrib.rocks/image?repo=usememos/memos" />
-</a>
-
-## Acknowledgements
-
- Thanks [Uffizzi](https://www.uffizzi.com/) for sponsoring preview environments for PRs.
-
-## License
-
-[MIT License](https://github.com/usememos/memos/blob/main/LICENSE)
+- [eallion/memos.top](https://github.com/eallion/memos.top) - Static page rendered with the Memos API
+- [eindex/logseq-memos-sync](https://github.com/EINDEX/logseq-memos-sync) - Logseq plugin
+- [quanru/obsidian-periodic-para](https://github.com/quanru/obsidian-periodic-para#daily-record) - Obsidian plugin
+- [JakeLaoyu/memos-import-from-flomo](https://github.com/JakeLaoyu/memos-import-from-flomo) - Import data. Support from flomo, wechat reading
+- [Quick Memo](https://www.icloud.com/shortcuts/1eaef307112843ed9f91d256f5ee7ad9) - Shortcuts (iOS, iPadOS or macOS)
+- [Memos Raycast Extension](https://www.raycast.com/JakeYu/memos) - Raycast extension
+- [Memos Desktop](https://github.com/xudaolong/memos-desktop) - Third party client for MacOS and Windows
+- [MemosGallery](https://github.com/BarryYangi/MemosGallery) - A static Gallery rendered with the Memos API

 ## Star history

--- a/SECURITY.md
+++ b/SECURITY.md
@@ -4,4 +4,4 @@

 Report security bugs via GitHub [issues](https://github.com/usememos/memos/issues).

-For more information, please contact [stevenlgtm@gmail.com](stevenlgtm@gmail.com).
+For more information, please contact [usememos@gmail.com](usememos@gmail.com).
--- a/api/activity.go
+++ b/api/activity.go
@@ -1,137 +0,0 @@
-package api
-
-import "github.com/usememos/memos/server/profile"
-
-// ActivityType is the type for an activity.
-type ActivityType string
-
-const (
-	// User related.
-
-	// ActivityUserCreate is the type for creating users.
-	ActivityUserCreate ActivityType = "user.create"
-	// ActivityUserUpdate is the type for updating users.
-	ActivityUserUpdate ActivityType = "user.update"
-	// ActivityUserDelete is the type for deleting users.
-	ActivityUserDelete ActivityType = "user.delete"
-	// ActivityUserAuthSignIn is the type for user signin.
-	ActivityUserAuthSignIn ActivityType = "user.auth.signin"
-	// ActivityUserAuthSignUp is the type for user signup.
-	ActivityUserAuthSignUp ActivityType = "user.auth.signup"
-	// ActivityUserSettingUpdate is the type for updating user settings.
-	ActivityUserSettingUpdate ActivityType = "user.setting.update"
-
-	// Memo related.
-
-	// ActivityMemoCreate is the type for creating memos.
-	ActivityMemoCreate ActivityType = "memo.create"
-	// ActivityMemoUpdate is the type for updating memos.
-	ActivityMemoUpdate ActivityType = "memo.update"
-	// ActivityMemoDelete is the type for deleting memos.
-	ActivityMemoDelete ActivityType = "memo.delete"
-
-	// Shortcut related.
-
-	// ActivityShortcutCreate is the type for creating shortcuts.
-	ActivityShortcutCreate ActivityType = "shortcut.create"
-	// ActivityShortcutUpdate is the type for updating shortcuts.
-	ActivityShortcutUpdate ActivityType = "shortcut.update"
-	// ActivityShortcutDelete is the type for deleting shortcuts.
-	ActivityShortcutDelete ActivityType = "shortcut.delete"
-
-	// Resource related.
-
-	// ActivityResourceCreate is the type for creating resources.
-	ActivityResourceCreate ActivityType = "resource.create"
-	// ActivityResourceDelete is the type for deleting resources.
-	ActivityResourceDelete ActivityType = "resource.delete"
-
-	// Tag related.
-
-	// ActivityTagCreate is the type for creating tags.
-	ActivityTagCreate ActivityType = "tag.create"
-	// ActivityTagDelete is the type for deleting tags.
-	ActivityTagDelete ActivityType = "tag.delete"
-
-	// Server related.
-
-	// ActivityServerStart is the type for starting server.
-	ActivityServerStart ActivityType = "server.start"
-)
-
-// ActivityLevel is the level of activities.
-type ActivityLevel string
-
-const (
-	// ActivityInfo is the INFO level of activities.
-	ActivityInfo ActivityLevel = "INFO"
-	// ActivityWarn is the WARN level of activities.
-	ActivityWarn ActivityLevel = "WARN"
-	// ActivityError is the ERROR level of activities.
-	ActivityError ActivityLevel = "ERROR"
-)
-
-type ActivityUserCreatePayload struct {
-	UserID   int    `json:"userId"`
-	Username string `json:"username"`
-	Role     Role   `json:"role"`
-}
-
-type ActivityUserAuthSignInPayload struct {
-	UserID int    `json:"userId"`
-	IP     string `json:"ip"`
-}
-
-type ActivityUserAuthSignUpPayload struct {
-	Username string `json:"username"`
-	IP       string `json:"ip"`
-}
-
-type ActivityMemoCreatePayload struct {
-	Content    string `json:"content"`
-	Visibility string `json:"visibility"`
-}
-
-type ActivityShortcutCreatePayload struct {
-	Title   string `json:"title"`
-	Payload string `json:"payload"`
-}
-
-type ActivityResourceCreatePayload struct {
-	Filename string `json:"filename"`
-	Type     string `json:"type"`
-	Size     int64  `json:"size"`
-}
-
-type ActivityTagCreatePayload struct {
-	TagName string `json:"tagName"`
-}
-
-type ActivityServerStartPayload struct {
-	ServerID string           `json:"serverId"`
-	Profile  *profile.Profile `json:"profile"`
-}
-
-type Activity struct {
-	ID int `json:"id"`
-
-	// Standard fields
-	CreatorID int   `json:"creatorId"`
-	CreatedTs int64 `json:"createdTs"`
-
-	// Domain specific fields
-	Type    ActivityType  `json:"type"`
-	Level   ActivityLevel `json:"level"`
-	Payload string        `json:"payload"`
-}
-
-// ActivityCreate is the API message for creating an activity.
-type ActivityCreate struct {
-	// Standard fields
-	CreatorID int
-
-	// Domain specific fields
-	Type    ActivityType `json:"type"`
-	Level   ActivityLevel
-	Payload string `json:"payload"`
-}
--- a/api/auth.go
+++ b/api/auth.go
@@ -1,17 +0,0 @@
-package api
-
-type SignIn struct {
-	Username string `json:"username"`
-	Password string `json:"password"`
-}
-
-type SSOSignIn struct {
-	IdentityProviderID int    `json:"identityProviderId"`
-	Code               string `json:"code"`
-	RedirectURI        string `json:"redirectUri"`
-}
-
-type SignUp struct {
-	Username string `json:"username"`
-	Password string `json:"password"`
-}
--- a/api/auth/auth.go
+++ b/api/auth/auth.go
@@ -0,0 +1,63 @@
+package auth
+
+import (
+	"fmt"
+	"time"
+
+	"github.com/golang-jwt/jwt/v4"
+)
+
+const (
+	// issuer is the issuer of the jwt token.
+	Issuer = "memos"
+	// Signing key section. For now, this is only used for signing, not for verifying since we only
+	// have 1 version. But it will be used to maintain backward compatibility if we change the signing mechanism.
+	KeyID = "v1"
+	// AccessTokenAudienceName is the audience name of the access token.
+	AccessTokenAudienceName = "user.access-token"
+	AccessTokenDuration     = 7 * 24 * time.Hour
+
+	// CookieExpDuration expires slightly earlier than the jwt expiration. Client would be logged out if the user
+	// cookie expires, thus the client would always logout first before attempting to make a request with the expired jwt.
+	CookieExpDuration = AccessTokenDuration - 1*time.Minute
+	// AccessTokenCookieName is the cookie name of access token.
+	AccessTokenCookieName = "memos.access-token"
+)
+
+type ClaimsMessage struct {
+	Name string `json:"name"`
+	jwt.RegisteredClaims
+}
+
+// GenerateAccessToken generates an access token.
+func GenerateAccessToken(username string, userID int32, expirationTime time.Time, secret []byte) (string, error) {
+	return generateToken(username, userID, AccessTokenAudienceName, expirationTime, secret)
+}
+
+// generateToken generates a jwt token.
+func generateToken(username string, userID int32, audience string, expirationTime time.Time, secret []byte) (string, error) {
+	registeredClaims := jwt.RegisteredClaims{
+		Issuer:   Issuer,
+		Audience: jwt.ClaimStrings{audience},
+		IssuedAt: jwt.NewNumericDate(time.Now()),
+		Subject:  fmt.Sprint(userID),
+	}
+	if !expirationTime.IsZero() {
+		registeredClaims.ExpiresAt = jwt.NewNumericDate(expirationTime)
+	}
+
+	// Declare the token with the HS256 algorithm used for signing, and the claims.
+	token := jwt.NewWithClaims(jwt.SigningMethodHS256, &ClaimsMessage{
+		Name:             username,
+		RegisteredClaims: registeredClaims,
+	})
+	token.Header["kid"] = KeyID
+
+	// Create the JWT string.
+	tokenString, err := token.SignedString(secret)
+	if err != nil {
+		return "", err
+	}
+
+	return tokenString, nil
+}
--- a/api/idp.go
+++ b/api/idp.go
@@ -1,58 +0,0 @@
-package api
-
-type IdentityProviderType string
-
-const (
-	IdentityProviderOAuth2 IdentityProviderType = "OAUTH2"
-)
-
-type IdentityProviderConfig struct {
-	OAuth2Config *IdentityProviderOAuth2Config `json:"oauth2Config"`
-}
-
-type IdentityProviderOAuth2Config struct {
-	ClientID     string        `json:"clientId"`
-	ClientSecret string        `json:"clientSecret"`
-	AuthURL      string        `json:"authUrl"`
-	TokenURL     string        `json:"tokenUrl"`
-	UserInfoURL  string        `json:"userInfoUrl"`
-	Scopes       []string      `json:"scopes"`
-	FieldMapping *FieldMapping `json:"fieldMapping"`
-}
-
-type FieldMapping struct {
-	Identifier  string `json:"identifier"`
-	DisplayName string `json:"displayName"`
-	Email       string `json:"email"`
-}
-
-type IdentityProvider struct {
-	ID               int                     `json:"id"`
-	Name             string                  `json:"name"`
-	Type             IdentityProviderType    `json:"type"`
-	IdentifierFilter string                  `json:"identifierFilter"`
-	Config           *IdentityProviderConfig `json:"config"`
-}
-
-type IdentityProviderCreate struct {
-	Name             string                  `json:"name"`
-	Type             IdentityProviderType    `json:"type"`
-	IdentifierFilter string                  `json:"identifierFilter"`
-	Config           *IdentityProviderConfig `json:"config"`
-}
-
-type IdentityProviderFind struct {
-	ID *int
-}
-
-type IdentityProviderPatch struct {
-	ID               int
-	Type             IdentityProviderType    `json:"type"`
-	Name             *string                 `json:"name"`
-	IdentifierFilter *string                 `json:"identifierFilter"`
-	Config           *IdentityProviderConfig `json:"config"`
-}
-
-type IdentityProviderDelete struct {
-	ID int
-}
--- a/api/memo.go
+++ b/api/memo.go
@@ -1,97 +0,0 @@
-package api
-
-// MaxContentLength means the max memo content bytes is 1MB.
-const MaxContentLength = 1 << 30
-
-// Visibility is the type of a visibility.
-type Visibility string
-
-const (
-	// Public is the PUBLIC visibility.
-	Public Visibility = "PUBLIC"
-	// Protected is the PROTECTED visibility.
-	Protected Visibility = "PROTECTED"
-	// Private is the PRIVATE visibility.
-	Private Visibility = "PRIVATE"
-)
-
-func (e Visibility) String() string {
-	switch e {
-	case Public:
-		return "PUBLIC"
-	case Protected:
-		return "PROTECTED"
-	case Private:
-		return "PRIVATE"
-	}
-	return "PRIVATE"
-}
-
-type Memo struct {
-	ID int `json:"id"`
-
-	// Standard fields
-	RowStatus RowStatus `json:"rowStatus"`
-	CreatorID int       `json:"creatorId"`
-	CreatedTs int64     `json:"createdTs"`
-	UpdatedTs int64     `json:"updatedTs"`
-
-	// Domain specific fields
-	Content    string     `json:"content"`
-	Visibility Visibility `json:"visibility"`
-	Pinned     bool       `json:"pinned"`
-
-	// Related fields
-	CreatorName  string      `json:"creatorName"`
-	ResourceList []*Resource `json:"resourceList"`
-}
-
-type MemoCreate struct {
-	// Standard fields
-	CreatorID int    `json:"-"`
-	CreatedTs *int64 `json:"createdTs"`
-
-	// Domain specific fields
-	Visibility Visibility `json:"visibility"`
-	Content    string     `json:"content"`
-
-	// Related fields
-	ResourceIDList []int `json:"resourceIdList"`
-}
-
-type MemoPatch struct {
-	ID int `json:"-"`
-
-	// Standard fields
-	CreatedTs *int64 `json:"createdTs"`
-	UpdatedTs *int64
-	RowStatus *RowStatus `json:"rowStatus"`
-
-	// Domain specific fields
-	Content    *string     `json:"content"`
-	Visibility *Visibility `json:"visibility"`
-
-	// Related fields
-	ResourceIDList []int `json:"resourceIdList"`
-}
-
-type MemoFind struct {
-	ID *int
-
-	// Standard fields
-	RowStatus *RowStatus
-	CreatorID *int
-
-	// Domain specific fields
-	Pinned         *bool
-	ContentSearch  *string
-	VisibilityList []Visibility
-
-	// Pagination
-	Limit  *int
-	Offset *int
-}
-
-type MemoDelete struct {
-	ID int
-}
--- a/api/memo_organizer.go
+++ b/api/memo_organizer.go
@@ -1,26 +0,0 @@
-package api
-
-type MemoOrganizer struct {
-	ID int
-
-	// Domain specific fields
-	MemoID int
-	UserID int
-	Pinned bool
-}
-
-type MemoOrganizerUpsert struct {
-	MemoID int  `json:"-"`
-	UserID int  `json:"-"`
-	Pinned bool `json:"pinned"`
-}
-
-type MemoOrganizerFind struct {
-	MemoID int
-	UserID int
-}
-
-type MemoOrganizerDelete struct {
-	MemoID *int
-	UserID *int
-}
--- a/api/memo_resource.go
+++ b/api/memo_resource.go
@@ -1,24 +0,0 @@
-package api
-
-type MemoResource struct {
-	MemoID     int
-	ResourceID int
-	CreatedTs  int64
-	UpdatedTs  int64
-}
-
-type MemoResourceUpsert struct {
-	MemoID     int `json:"-"`
-	ResourceID int
-	UpdatedTs  *int64
-}
-
-type MemoResourceFind struct {
-	MemoID     *int
-	ResourceID *int
-}
-
-type MemoResourceDelete struct {
-	MemoID     *int
-	ResourceID *int
-}
--- a/api/openai.go
+++ b/api/openai.go
@@ -1,5 +0,0 @@
-package api
-
-type OpenAICompletionRequest struct {
-	Prompt string `json:"prompt"`
-}
--- a/api/resource.go
+++ b/api/resource.go
@@ -1,61 +0,0 @@
-package api
-
-type Resource struct {
-	ID int `json:"id"`
-
-	// Standard fields
-	CreatorID int   `json:"creatorId"`
-	CreatedTs int64 `json:"createdTs"`
-	UpdatedTs int64 `json:"updatedTs"`
-
-	// Domain specific fields
-	Filename     string     `json:"filename"`
-	Blob         []byte     `json:"-"`
-	ExternalLink string     `json:"externalLink"`
-	Type         string     `json:"type"`
-	Size         int64      `json:"size"`
-	Visibility   Visibility `json:"visibility"`
-
-	// Related fields
-	LinkedMemoAmount int `json:"linkedMemoAmount"`
-}
-
-type ResourceCreate struct {
-	// Standard fields
-	CreatorID int `json:"-"`
-
-	// Domain specific fields
-	Filename     string     `json:"filename"`
-	Blob         []byte     `json:"-"`
-	ExternalLink string     `json:"externalLink"`
-	Type         string     `json:"type"`
-	Size         int64      `json:"-"`
-	Visibility   Visibility `json:"visibility"`
-}
-
-type ResourceFind struct {
-	ID *int `json:"id"`
-
-	// Standard fields
-	CreatorID *int `json:"creatorId"`
-
-	// Domain specific fields
-	Filename *string `json:"filename"`
-	MemoID   *int
-	GetBlob  bool
-}
-
-type ResourcePatch struct {
-	ID int `json:"-"`
-
-	// Standard fields
-	UpdatedTs *int64
-
-	// Domain specific fields
-	Filename   *string     `json:"filename"`
-	Visibility *Visibility `json:"visibility"`
-}
-
-type ResourceDelete struct {
-	ID int
-}
--- a/api/resource/resource.go
+++ b/api/resource/resource.go
@@ -0,0 +1,168 @@
+package resource
+
+import (
+	"bytes"
+	"fmt"
+	"io"
+	"net/http"
+	"os"
+	"path/filepath"
+	"strings"
+	"sync/atomic"
+	"time"
+
+	"github.com/disintegration/imaging"
+	"github.com/labstack/echo/v4"
+	"github.com/pkg/errors"
+	"go.uber.org/zap"
+
+	"github.com/usememos/memos/internal/log"
+	"github.com/usememos/memos/internal/util"
+	"github.com/usememos/memos/server/profile"
+	"github.com/usememos/memos/store"
+)
+
+const (
+	// The key name used to store user id in the context
+	// user id is extracted from the jwt token subject field.
+	userIDContextKey = "user-id"
+	// thumbnailImagePath is the directory to store image thumbnails.
+	thumbnailImagePath = ".thumbnail_cache"
+)
+
+type Service struct {
+	Profile *profile.Profile
+	Store   *store.Store
+}
+
+func NewService(profile *profile.Profile, store *store.Store) *Service {
+	return &Service{
+		Profile: profile,
+		Store:   store,
+	}
+}
+
+func (s *Service) RegisterResourcePublicRoutes(g *echo.Group) {
+	g.GET("/r/:resourceId", s.streamResource)
+	g.GET("/r/:resourceId/*", s.streamResource)
+}
+
+func (s *Service) streamResource(c echo.Context) error {
+	ctx := c.Request().Context()
+	resourceID, err := util.ConvertStringToInt32(c.Param("resourceId"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("resourceId"))).SetInternal(err)
+	}
+
+	resource, err := s.Store.GetResource(ctx, &store.FindResource{
+		ID:      &resourceID,
+		GetBlob: true,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to find resource by ID: %v", resourceID)).SetInternal(err)
+	}
+	if resource == nil {
+		return echo.NewHTTPError(http.StatusNotFound, fmt.Sprintf("Resource not found: %d", resourceID))
+	}
+	// Check the related memo visibility.
+	if resource.MemoID != nil {
+		memo, err := s.Store.GetMemo(ctx, &store.FindMemo{
+			ID: resource.MemoID,
+		})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to find memo by ID: %v", resource.MemoID)).SetInternal(err)
+		}
+		if memo != nil && memo.Visibility != store.Public {
+			userID, ok := c.Get(userIDContextKey).(int32)
+			if !ok || (memo.Visibility == store.Private && userID != resource.CreatorID) {
+				return echo.NewHTTPError(http.StatusUnauthorized, "Resource visibility not match")
+			}
+		}
+	}
+
+	blob := resource.Blob
+	if resource.InternalPath != "" {
+		resourcePath := filepath.FromSlash(resource.InternalPath)
+		if !filepath.IsAbs(resourcePath) {
+			resourcePath = filepath.Join(s.Profile.Data, resourcePath)
+		}
+
+		src, err := os.Open(resourcePath)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to open the local resource: %s", resourcePath)).SetInternal(err)
+		}
+		defer src.Close()
+		blob, err = io.ReadAll(src)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to read the local resource: %s", resourcePath)).SetInternal(err)
+		}
+	}
+
+	if c.QueryParam("thumbnail") == "1" && util.HasPrefixes(resource.Type, "image/png", "image/jpeg") {
+		ext := filepath.Ext(resource.Filename)
+		thumbnailPath := filepath.Join(s.Profile.Data, thumbnailImagePath, fmt.Sprintf("%d%s", resource.ID, ext))
+		thumbnailBlob, err := getOrGenerateThumbnailImage(blob, thumbnailPath)
+		if err != nil {
+			log.Warn(fmt.Sprintf("failed to get or generate local thumbnail with path %s", thumbnailPath), zap.Error(err))
+		} else {
+			blob = thumbnailBlob
+		}
+	}
+
+	c.Response().Writer.Header().Set(echo.HeaderCacheControl, "max-age=3600")
+	c.Response().Writer.Header().Set(echo.HeaderContentSecurityPolicy, "default-src 'none'; script-src 'none'; img-src 'self'; media-src 'self'; sandbox;")
+	c.Response().Writer.Header().Set("Content-Disposition", fmt.Sprintf(`filename="%s"`, resource.Filename))
+	resourceType := strings.ToLower(resource.Type)
+	if strings.HasPrefix(resourceType, "text") {
+		resourceType = echo.MIMETextPlainCharsetUTF8
+	} else if strings.HasPrefix(resourceType, "video") || strings.HasPrefix(resourceType, "audio") {
+		http.ServeContent(c.Response(), c.Request(), resource.Filename, time.Unix(resource.UpdatedTs, 0), bytes.NewReader(blob))
+		return nil
+	}
+	return c.Stream(http.StatusOK, resourceType, bytes.NewReader(blob))
+}
+
+var availableGeneratorAmount int32 = 32
+
+func getOrGenerateThumbnailImage(srcBlob []byte, dstPath string) ([]byte, error) {
+	if _, err := os.Stat(dstPath); err != nil {
+		if !errors.Is(err, os.ErrNotExist) {
+			return nil, errors.Wrap(err, "failed to check thumbnail image stat")
+		}
+
+		if atomic.LoadInt32(&availableGeneratorAmount) <= 0 {
+			return nil, errors.New("not enough available generator amount")
+		}
+		atomic.AddInt32(&availableGeneratorAmount, -1)
+		defer func() {
+			atomic.AddInt32(&availableGeneratorAmount, 1)
+		}()
+
+		reader := bytes.NewReader(srcBlob)
+		src, err := imaging.Decode(reader, imaging.AutoOrientation(true))
+		if err != nil {
+			return nil, errors.Wrap(err, "failed to decode thumbnail image")
+		}
+		thumbnailImage := imaging.Resize(src, 512, 0, imaging.Lanczos)
+
+		dstDir := filepath.Dir(dstPath)
+		if err := os.MkdirAll(dstDir, os.ModePerm); err != nil {
+			return nil, errors.Wrap(err, "failed to create thumbnail dir")
+		}
+
+		if err := imaging.Save(thumbnailImage, dstPath); err != nil {
+			return nil, errors.Wrap(err, "failed to resize thumbnail image")
+		}
+	}
+
+	dstFile, err := os.Open(dstPath)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to open the local resource")
+	}
+	defer dstFile.Close()
+	dstBlob, err := io.ReadAll(dstFile)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to read the local resource")
+	}
+	return dstBlob, nil
+}
--- a/api/shortcut.go
+++ b/api/shortcut.go
@@ -1,53 +0,0 @@
-package api
-
-type Shortcut struct {
-	ID int `json:"id"`
-
-	// Standard fields
-	RowStatus RowStatus `json:"rowStatus"`
-	CreatorID int       `json:"creatorId"`
-	CreatedTs int64     `json:"createdTs"`
-	UpdatedTs int64     `json:"updatedTs"`
-
-	// Domain specific fields
-	Title   string `json:"title"`
-	Payload string `json:"payload"`
-}
-
-type ShortcutCreate struct {
-	// Standard fields
-	CreatorID int `json:"-"`
-
-	// Domain specific fields
-	Title   string `json:"title"`
-	Payload string `json:"payload"`
-}
-
-type ShortcutPatch struct {
-	ID int `json:"-"`
-
-	// Standard fields
-	UpdatedTs *int64
-	RowStatus *RowStatus `json:"rowStatus"`
-
-	// Domain specific fields
-	Title   *string `json:"title"`
-	Payload *string `json:"payload"`
-}
-
-type ShortcutFind struct {
-	ID *int
-
-	// Standard fields
-	CreatorID *int
-
-	// Domain specific fields
-	Title *string `json:"title"`
-}
-
-type ShortcutDelete struct {
-	ID *int
-
-	// Standard fields
-	CreatorID *int
-}
--- a/api/storage.go
+++ b/api/storage.go
@@ -1,49 +0,0 @@
-package api
-
-type StorageType string
-
-const (
-	StorageS3 StorageType = "S3"
-)
-
-type StorageConfig struct {
-	S3Config *StorageS3Config `json:"s3Config"`
-}
-
-type StorageS3Config struct {
-	EndPoint  string `json:"endPoint"`
-	Path      string `json:"path"`
-	Region    string `json:"region"`
-	AccessKey string `json:"accessKey"`
-	SecretKey string `json:"secretKey"`
-	Bucket    string `json:"bucket"`
-	URLPrefix string `json:"urlPrefix"`
-}
-
-type Storage struct {
-	ID     int            `json:"id"`
-	Name   string         `json:"name"`
-	Type   StorageType    `json:"type"`
-	Config *StorageConfig `json:"config"`
-}
-
-type StorageCreate struct {
-	Name   string         `json:"name"`
-	Type   StorageType    `json:"type"`
-	Config *StorageConfig `json:"config"`
-}
-
-type StoragePatch struct {
-	ID     int            `json:"id"`
-	Type   StorageType    `json:"type"`
-	Name   *string        `json:"name"`
-	Config *StorageConfig `json:"config"`
-}
-
-type StorageFind struct {
-	ID *int `json:"id"`
-}
-
-type StorageDelete struct {
-	ID int `json:"id"`
-}
--- a/api/system.go
+++ b/api/system.go
@@ -1,22 +0,0 @@
-package api
-
-import "github.com/usememos/memos/server/profile"
-
-type SystemStatus struct {
-	Host    *User           `json:"host"`
-	Profile profile.Profile `json:"profile"`
-	DBSize  int64           `json:"dbSize"`
-
-	// System settings
-	// Allow sign up.
-	AllowSignUp bool `json:"allowSignUp"`
-	// Disable public memos.
-	DisablePublicMemos bool `json:"disablePublicMemos"`
-	// Additional style.
-	AdditionalStyle string `json:"additionalStyle"`
-	// Additional script.
-	AdditionalScript string `json:"additionalScript"`
-	// Customized server profile, including server name and external url.
-	CustomizedProfile CustomizedProfile `json:"customizedProfile"`
-	StorageServiceID  int               `json:"storageServiceId"`
-}
--- a/api/system_setting.go
+++ b/api/system_setting.go
@@ -1,183 +0,0 @@
-package api
-
-import (
-	"encoding/json"
-	"errors"
-	"fmt"
-
-	"golang.org/x/exp/slices"
-)
-
-type SystemSettingName string
-
-const (
-	// SystemSettingServerID is the key type of server id.
-	SystemSettingServerID SystemSettingName = "serverId"
-	// SystemSettingSecretSessionName is the key type of secret session name.
-	SystemSettingSecretSessionName SystemSettingName = "secretSessionName"
-	// SystemSettingAllowSignUpName is the key type of allow signup setting.
-	SystemSettingAllowSignUpName SystemSettingName = "allowSignUp"
-	// SystemSettingDisablePublicMemosName is the key type of disable public memos setting.
-	SystemSettingDisablePublicMemosName SystemSettingName = "disablePublicMemos"
-	// SystemSettingAdditionalStyleName is the key type of additional style.
-	SystemSettingAdditionalStyleName SystemSettingName = "additionalStyle"
-	// SystemSettingAdditionalScriptName is the key type of additional script.
-	SystemSettingAdditionalScriptName SystemSettingName = "additionalScript"
-	// SystemSettingCustomizedProfileName is the key type of customized server profile.
-	SystemSettingCustomizedProfileName SystemSettingName = "customizedProfile"
-	// SystemSettingStorageServiceIDName is the key type of storage service ID.
-	SystemSettingStorageServiceIDName SystemSettingName = "storageServiceId"
-	// SystemSettingOpenAIAPIKeyName is the key type of OpenAI API key.
-	SystemSettingOpenAIAPIKeyName SystemSettingName = "openAIApiKey"
-)
-
-// CustomizedProfile is the struct definition for SystemSettingCustomizedProfileName system setting item.
-type CustomizedProfile struct {
-	// Name is the server name, default is `memos`
-	Name string `json:"name"`
-	// LogoURL is the url of logo image.
-	LogoURL string `json:"logoUrl"`
-	// Description is the server description.
-	Description string `json:"description"`
-	// Locale is the server default locale.
-	Locale string `json:"locale"`
-	// Appearance is the server default appearance.
-	Appearance string `json:"appearance"`
-	// ExternalURL is the external url of server. e.g. https://usermemos.com
-	ExternalURL string `json:"externalUrl"`
-}
-
-func (key SystemSettingName) String() string {
-	switch key {
-	case SystemSettingServerID:
-		return "serverId"
-	case SystemSettingSecretSessionName:
-		return "secretSessionName"
-	case SystemSettingAllowSignUpName:
-		return "allowSignUp"
-	case SystemSettingDisablePublicMemosName:
-		return "disablePublicMemos"
-	case SystemSettingAdditionalStyleName:
-		return "additionalStyle"
-	case SystemSettingAdditionalScriptName:
-		return "additionalScript"
-	case SystemSettingCustomizedProfileName:
-		return "customizedProfile"
-	case SystemSettingStorageServiceIDName:
-		return "storageServiceId"
-	case SystemSettingOpenAIAPIKeyName:
-		return "openAIApiKey"
-	}
-	return ""
-}
-
-var (
-	SystemSettingAllowSignUpValue        = []bool{true, false}
-	SystemSettingDisablePublicMemosValue = []bool{true, false}
-)
-
-type SystemSetting struct {
-	Name SystemSettingName
-	// Value is a JSON string with basic value.
-	Value       string
-	Description string
-}
-
-type SystemSettingUpsert struct {
-	Name        SystemSettingName `json:"name"`
-	Value       string            `json:"value"`
-	Description string            `json:"description"`
-}
-
-func (upsert SystemSettingUpsert) Validate() error {
-	if upsert.Name == SystemSettingServerID {
-		return errors.New("update server id is not allowed")
-	} else if upsert.Name == SystemSettingAllowSignUpName {
-		value := false
-		err := json.Unmarshal([]byte(upsert.Value), &value)
-		if err != nil {
-			return fmt.Errorf("failed to unmarshal system setting allow signup value")
-		}
-
-		invalid := true
-		for _, v := range SystemSettingAllowSignUpValue {
-			if value == v {
-				invalid = false
-				break
-			}
-		}
-		if invalid {
-			return fmt.Errorf("invalid system setting allow signup value")
-		}
-	} else if upsert.Name == SystemSettingDisablePublicMemosName {
-		value := false
-		err := json.Unmarshal([]byte(upsert.Value), &value)
-		if err != nil {
-			return fmt.Errorf("failed to unmarshal system setting disable public memos value")
-		}
-
-		invalid := true
-		for _, v := range SystemSettingDisablePublicMemosValue {
-			if value == v {
-				invalid = false
-				break
-			}
-		}
-
-		if invalid {
-			return fmt.Errorf("invalid system setting disable public memos value")
-		}
-	} else if upsert.Name == SystemSettingAdditionalStyleName {
-		value := ""
-		err := json.Unmarshal([]byte(upsert.Value), &value)
-		if err != nil {
-			return fmt.Errorf("failed to unmarshal system setting additional style value")
-		}
-	} else if upsert.Name == SystemSettingAdditionalScriptName {
-		value := ""
-		err := json.Unmarshal([]byte(upsert.Value), &value)
-		if err != nil {
-			return fmt.Errorf("failed to unmarshal system setting additional script value")
-		}
-	} else if upsert.Name == SystemSettingCustomizedProfileName {
-		customizedProfile := CustomizedProfile{
-			Name:        "memos",
-			LogoURL:     "",
-			Description: "",
-			Locale:      "en",
-			Appearance:  "system",
-			ExternalURL: "",
-		}
-		err := json.Unmarshal([]byte(upsert.Value), &customizedProfile)
-		if err != nil {
-			return fmt.Errorf("failed to unmarshal system setting customized profile value")
-		}
-		if !slices.Contains(UserSettingLocaleValue, customizedProfile.Locale) {
-			return fmt.Errorf("invalid locale value")
-		}
-		if !slices.Contains(UserSettingAppearanceValue, customizedProfile.Appearance) {
-			return fmt.Errorf("invalid appearance value")
-		}
-	} else if upsert.Name == SystemSettingStorageServiceIDName {
-		value := 0
-		err := json.Unmarshal([]byte(upsert.Value), &value)
-		if err != nil {
-			return fmt.Errorf("failed to unmarshal system setting storage service id value")
-		}
-		return nil
-	} else if upsert.Name == SystemSettingOpenAIAPIKeyName {
-		value := ""
-		err := json.Unmarshal([]byte(upsert.Value), &value)
-		if err != nil {
-			return fmt.Errorf("failed to unmarshal system setting openai api key value")
-		}
-	} else {
-		return fmt.Errorf("invalid system setting name")
-	}
-
-	return nil
-}
-
-type SystemSettingFind struct {
-	Name SystemSettingName `json:"name"`
-}
--- a/api/tag.go
+++ b/api/tag.go
@@ -1,20 +0,0 @@
-package api
-
-type Tag struct {
-	Name      string
-	CreatorID int
-}
-
-type TagUpsert struct {
-	Name      string
-	CreatorID int `json:"-"`
-}
-
-type TagFind struct {
-	CreatorID int
-}
-
-type TagDelete struct {
-	Name      string `json:"name"`
-	CreatorID int
-}
--- a/api/user.go
+++ b/api/user.go
@@ -1,158 +0,0 @@
-package api
-
-import (
-	"fmt"
-
-	"github.com/usememos/memos/common"
-)
-
-// Role is the type of a role.
-type Role string
-
-const (
-	// Host is the HOST role.
-	Host Role = "HOST"
-	// Admin is the ADMIN role.
-	Admin Role = "ADMIN"
-	// NormalUser is the USER role.
-	NormalUser Role = "USER"
-)
-
-func (e Role) String() string {
-	switch e {
-	case Host:
-		return "HOST"
-	case Admin:
-		return "ADMIN"
-	case NormalUser:
-		return "USER"
-	}
-	return "USER"
-}
-
-type User struct {
-	ID int `json:"id"`
-
-	// Standard fields
-	RowStatus RowStatus `json:"rowStatus"`
-	CreatedTs int64     `json:"createdTs"`
-	UpdatedTs int64     `json:"updatedTs"`
-
-	// Domain specific fields
-	Username        string         `json:"username"`
-	Role            Role           `json:"role"`
-	Email           string         `json:"email"`
-	Nickname        string         `json:"nickname"`
-	PasswordHash    string         `json:"-"`
-	OpenID          string         `json:"openId"`
-	AvatarURL       string         `json:"avatarUrl"`
-	UserSettingList []*UserSetting `json:"userSettingList"`
-}
-
-type UserCreate struct {
-	// Domain specific fields
-	Username     string `json:"username"`
-	Role         Role   `json:"role"`
-	Email        string `json:"email"`
-	Nickname     string `json:"nickname"`
-	Password     string `json:"password"`
-	PasswordHash string
-	OpenID       string
-}
-
-func (create UserCreate) Validate() error {
-	if len(create.Username) < 3 {
-		return fmt.Errorf("username is too short, minimum length is 3")
-	}
-	if len(create.Username) > 32 {
-		return fmt.Errorf("username is too long, maximum length is 32")
-	}
-	if len(create.Password) < 3 {
-		return fmt.Errorf("password is too short, minimum length is 6")
-	}
-	if len(create.Password) > 512 {
-		return fmt.Errorf("password is too long, maximum length is 512")
-	}
-	if len(create.Nickname) > 64 {
-		return fmt.Errorf("nickname is too long, maximum length is 64")
-	}
-	if create.Email != "" {
-		if len(create.Email) > 256 {
-			return fmt.Errorf("email is too long, maximum length is 256")
-		}
-		if !common.ValidateEmail(create.Email) {
-			return fmt.Errorf("invalid email format")
-		}
-	}
-
-	return nil
-}
-
-type UserPatch struct {
-	ID int `json:"-"`
-
-	// Standard fields
-	UpdatedTs *int64
-	RowStatus *RowStatus `json:"rowStatus"`
-
-	// Domain specific fields
-	Username     *string `json:"username"`
-	Email        *string `json:"email"`
-	Nickname     *string `json:"nickname"`
-	Password     *string `json:"password"`
-	ResetOpenID  *bool   `json:"resetOpenId"`
-	AvatarURL    *string `json:"avatarUrl"`
-	PasswordHash *string
-	OpenID       *string
-}
-
-func (patch UserPatch) Validate() error {
-	if patch.Username != nil && len(*patch.Username) < 3 {
-		return fmt.Errorf("username is too short, minimum length is 3")
-	}
-	if patch.Username != nil && len(*patch.Username) > 32 {
-		return fmt.Errorf("username is too long, maximum length is 32")
-	}
-	if len(*patch.Password) < 3 {
-		return fmt.Errorf("password is too short, minimum length is 6")
-	}
-	if len(*patch.Password) > 512 {
-		return fmt.Errorf("password is too long, maximum length is 512")
-	}
-	if patch.Nickname != nil && len(*patch.Nickname) > 64 {
-		return fmt.Errorf("nickname is too long, maximum length is 64")
-	}
-	if patch.AvatarURL != nil {
-		if len(*patch.AvatarURL) > 2<<20 {
-			return fmt.Errorf("avatar is too large, maximum is 2MB")
-		}
-	}
-	if patch.Email != nil && *patch.Email != "" {
-		if len(*patch.Email) > 256 {
-			return fmt.Errorf("email is too long, maximum length is 256")
-		}
-		if !common.ValidateEmail(*patch.Email) {
-			return fmt.Errorf("invalid email format")
-		}
-	}
-
-	return nil
-}
-
-type UserFind struct {
-	ID *int `json:"id"`
-
-	// Standard fields
-	RowStatus *RowStatus `json:"rowStatus"`
-
-	// Domain specific fields
-	Username *string `json:"username"`
-	Role     *Role
-	Email    *string `json:"email"`
-	Nickname *string `json:"nickname"`
-	OpenID   *string
-}
-
-type UserDelete struct {
-	ID int
-}
--- a/api/user_setting.go
+++ b/api/user_setting.go
@@ -1,110 +0,0 @@
-package api
-
-import (
-	"encoding/json"
-	"fmt"
-
-	"golang.org/x/exp/slices"
-)
-
-type UserSettingKey string
-
-const (
-	// UserSettingLocaleKey is the key type for user locale.
-	UserSettingLocaleKey UserSettingKey = "locale"
-	// UserSettingAppearanceKey is the key type for user appearance.
-	UserSettingAppearanceKey UserSettingKey = "appearance"
-	// UserSettingMemoVisibilityKey is the key type for user preference memo default visibility.
-	UserSettingMemoVisibilityKey UserSettingKey = "memoVisibility"
-	// UserSettingResourceVisibilityKey is the key type for user preference resource default visibility.
-	UserSettingResourceVisibilityKey UserSettingKey = "resourceVisibility"
-)
-
-// String returns the string format of UserSettingKey type.
-func (key UserSettingKey) String() string {
-	switch key {
-	case UserSettingLocaleKey:
-		return "locale"
-	case UserSettingAppearanceKey:
-		return "appearance"
-	case UserSettingMemoVisibilityKey:
-		return "memoVisibility"
-	case UserSettingResourceVisibilityKey:
-		return "resourceVisibility"
-	}
-	return ""
-}
-
-var (
-	UserSettingLocaleValue             = []string{"en", "zh", "vi", "fr", "nl", "sv", "de", "es", "uk", "ru", "it", "hant", "tr", "ko"}
-	UserSettingAppearanceValue         = []string{"system", "light", "dark"}
-	UserSettingMemoVisibilityValue     = []Visibility{Private, Protected, Public}
-	UserSettingResourceVisibilityValue = []Visibility{Private, Protected, Public}
-)
-
-type UserSetting struct {
-	UserID int
-	Key    UserSettingKey `json:"key"`
-	// Value is a JSON string with basic value
-	Value string `json:"value"`
-}
-
-type UserSettingUpsert struct {
-	UserID int            `json:"-"`
-	Key    UserSettingKey `json:"key"`
-	Value  string         `json:"value"`
-}
-
-func (upsert UserSettingUpsert) Validate() error {
-	if upsert.Key == UserSettingLocaleKey {
-		localeValue := "en"
-		err := json.Unmarshal([]byte(upsert.Value), &localeValue)
-		if err != nil {
-			return fmt.Errorf("failed to unmarshal user setting locale value")
-		}
-		if !slices.Contains(UserSettingLocaleValue, localeValue) {
-			return fmt.Errorf("invalid user setting locale value")
-		}
-	} else if upsert.Key == UserSettingAppearanceKey {
-		appearanceValue := "system"
-		err := json.Unmarshal([]byte(upsert.Value), &appearanceValue)
-		if err != nil {
-			return fmt.Errorf("failed to unmarshal user setting appearance value")
-		}
-		if !slices.Contains(UserSettingAppearanceValue, appearanceValue) {
-			return fmt.Errorf("invalid user setting appearance value")
-		}
-	} else if upsert.Key == UserSettingMemoVisibilityKey {
-		memoVisibilityValue := Private
-		err := json.Unmarshal([]byte(upsert.Value), &memoVisibilityValue)
-		if err != nil {
-			return fmt.Errorf("failed to unmarshal user setting memo visibility value")
-		}
-		if !slices.Contains(UserSettingMemoVisibilityValue, memoVisibilityValue) {
-			return fmt.Errorf("invalid user setting memo visibility value")
-		}
-	} else if upsert.Key == UserSettingResourceVisibilityKey {
-		resourceVisibilityValue := Private
-		err := json.Unmarshal([]byte(upsert.Value), &resourceVisibilityValue)
-		if err != nil {
-			return fmt.Errorf("failed to unmarshal user setting resource visibility value")
-		}
-		if !slices.Contains(UserSettingResourceVisibilityValue, resourceVisibilityValue) {
-			return fmt.Errorf("invalid user setting resource visibility value")
-		}
-	} else {
-		return fmt.Errorf("invalid user setting key")
-	}
-
-	return nil
-}
-
-type UserSettingFind struct {
-	UserID int
-
-	Key UserSettingKey `json:"key"`
-}
-
-type UserSettingDelete struct {
-	UserID int
-}
--- a/api/v1/auth.go
+++ b/api/v1/auth.go
@@ -0,0 +1,416 @@
+package v1
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"regexp"
+	"strings"
+	"time"
+
+	"github.com/labstack/echo/v4"
+	"github.com/pkg/errors"
+	"golang.org/x/crypto/bcrypt"
+
+	"github.com/usememos/memos/api/auth"
+	"github.com/usememos/memos/internal/util"
+	"github.com/usememos/memos/plugin/idp"
+	"github.com/usememos/memos/plugin/idp/oauth2"
+	storepb "github.com/usememos/memos/proto/gen/store"
+	"github.com/usememos/memos/store"
+)
+
+var (
+	usernameMatcher = regexp.MustCompile("^[a-z0-9]([a-z0-9-]{1,30}[a-z0-9])$")
+)
+
+type SignIn struct {
+	Username string `json:"username"`
+	Password string `json:"password"`
+	Remember bool   `json:"remember"`
+}
+
+type SSOSignIn struct {
+	IdentityProviderID int32  `json:"identityProviderId"`
+	Code               string `json:"code"`
+	RedirectURI        string `json:"redirectUri"`
+}
+
+type SignUp struct {
+	Username string `json:"username"`
+	Password string `json:"password"`
+}
+
+func (s *APIV1Service) registerAuthRoutes(g *echo.Group) {
+	g.POST("/auth/signin", s.SignIn)
+	g.POST("/auth/signin/sso", s.SignInSSO)
+	g.POST("/auth/signout", s.SignOut)
+	g.POST("/auth/signup", s.SignUp)
+}
+
+// SignIn godoc
+//
+//	@Summary	Sign-in to memos.
+//	@Tags		auth
+//	@Accept		json
+//	@Produce	json
+//	@Param		body	body		SignIn		true	"Sign-in object"
+//	@Success	200		{object}	store.User	"User information"
+//	@Failure	400		{object}	nil			"Malformatted signin request"
+//	@Failure	401		{object}	nil			"Password login is deactivated | Incorrect login credentials, please try again"
+//	@Failure	403		{object}	nil			"User has been archived with username %s"
+//	@Failure	500		{object}	nil			"Failed to find system setting | Failed to unmarshal system setting | Incorrect login credentials, please try again | Failed to generate tokens | Failed to create activity"
+//	@Router		/api/v1/auth/signin [POST]
+func (s *APIV1Service) SignIn(c echo.Context) error {
+	ctx := c.Request().Context()
+	signin := &SignIn{}
+
+	disablePasswordLoginSystemSetting, err := s.Store.GetSystemSetting(ctx, &store.FindSystemSetting{
+		Name: SystemSettingDisablePasswordLoginName.String(),
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find system setting").SetInternal(err)
+	}
+	if disablePasswordLoginSystemSetting != nil {
+		disablePasswordLogin := false
+		err = json.Unmarshal([]byte(disablePasswordLoginSystemSetting.Value), &disablePasswordLogin)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to unmarshal system setting").SetInternal(err)
+		}
+		if disablePasswordLogin {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Password login is deactivated")
+		}
+	}
+
+	if err := json.NewDecoder(c.Request().Body).Decode(signin); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Malformatted signin request").SetInternal(err)
+	}
+
+	user, err := s.Store.GetUser(ctx, &store.FindUser{
+		Username: &signin.Username,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Incorrect login credentials, please try again")
+	}
+	if user == nil {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Incorrect login credentials, please try again")
+	} else if user.RowStatus == store.Archived {
+		return echo.NewHTTPError(http.StatusForbidden, fmt.Sprintf("User has been archived with username %s", signin.Username))
+	}
+
+	// Compare the stored hashed password, with the hashed version of the password that was received.
+	if err := bcrypt.CompareHashAndPassword([]byte(user.PasswordHash), []byte(signin.Password)); err != nil {
+		// If the two passwords don't match, return a 401 status.
+		return echo.NewHTTPError(http.StatusUnauthorized, "Incorrect login credentials, please try again")
+	}
+
+	var expireAt time.Time
+	// Set cookie expiration to 100 years to make it persistent.
+	cookieExp := time.Now().AddDate(100, 0, 0)
+	if !signin.Remember {
+		expireAt = time.Now().Add(auth.AccessTokenDuration)
+		cookieExp = time.Now().Add(auth.CookieExpDuration)
+	}
+
+	accessToken, err := auth.GenerateAccessToken(user.Username, user.ID, expireAt, []byte(s.Secret))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("failed to generate tokens, err: %s", err)).SetInternal(err)
+	}
+	if err := s.UpsertAccessTokenToStore(ctx, user, accessToken); err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("failed to upsert access token, err: %s", err)).SetInternal(err)
+	}
+	setTokenCookie(c, auth.AccessTokenCookieName, accessToken, cookieExp)
+	userMessage := convertUserFromStore(user)
+	return c.JSON(http.StatusOK, userMessage)
+}
+
+// SignInSSO godoc
+//
+//	@Summary	Sign-in to memos using SSO.
+//	@Tags		auth
+//	@Accept		json
+//	@Produce	json
+//	@Param		body	body		SSOSignIn	true	"SSO sign-in object"
+//	@Success	200		{object}	store.User	"User information"
+//	@Failure	400		{object}	nil			"Malformatted signin request"
+//	@Failure	401		{object}	nil			"Access denied, identifier does not match the filter."
+//	@Failure	403		{object}	nil			"User has been archived with username {username}"
+//	@Failure	404		{object}	nil			"Identity provider not found"
+//	@Failure	500		{object}	nil			"Failed to find identity provider | Failed to create identity provider instance | Failed to exchange token | Failed to get user info | Failed to compile identifier filter | Incorrect login credentials, please try again | Failed to generate random password | Failed to generate password hash | Failed to create user | Failed to generate tokens | Failed to create activity"
+//	@Router		/api/v1/auth/signin/sso [POST]
+func (s *APIV1Service) SignInSSO(c echo.Context) error {
+	ctx := c.Request().Context()
+	signin := &SSOSignIn{}
+	if err := json.NewDecoder(c.Request().Body).Decode(signin); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Malformatted signin request").SetInternal(err)
+	}
+
+	identityProvider, err := s.Store.GetIdentityProvider(ctx, &store.FindIdentityProvider{
+		ID: &signin.IdentityProviderID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find identity provider").SetInternal(err)
+	}
+	if identityProvider == nil {
+		return echo.NewHTTPError(http.StatusNotFound, "Identity provider not found")
+	}
+
+	var userInfo *idp.IdentityProviderUserInfo
+	if identityProvider.Type == store.IdentityProviderOAuth2Type {
+		oauth2IdentityProvider, err := oauth2.NewIdentityProvider(identityProvider.Config.OAuth2Config)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to create identity provider instance").SetInternal(err)
+		}
+		token, err := oauth2IdentityProvider.ExchangeToken(ctx, signin.RedirectURI, signin.Code)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to exchange token").SetInternal(err)
+		}
+		userInfo, err = oauth2IdentityProvider.UserInfo(token)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to get user info").SetInternal(err)
+		}
+	}
+
+	identifierFilter := identityProvider.IdentifierFilter
+	if identifierFilter != "" {
+		identifierFilterRegex, err := regexp.Compile(identifierFilter)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to compile identifier filter").SetInternal(err)
+		}
+		if !identifierFilterRegex.MatchString(userInfo.Identifier) {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Access denied, identifier does not match the filter.").SetInternal(err)
+		}
+	}
+
+	user, err := s.Store.GetUser(ctx, &store.FindUser{
+		Username: &userInfo.Identifier,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Incorrect login credentials, please try again")
+	}
+	if user == nil {
+		allowSignUpSetting, err := s.Store.GetSystemSetting(ctx, &store.FindSystemSetting{
+			Name: SystemSettingAllowSignUpName.String(),
+		})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find system setting").SetInternal(err)
+		}
+
+		allowSignUpSettingValue := true
+		if allowSignUpSetting != nil {
+			err = json.Unmarshal([]byte(allowSignUpSetting.Value), &allowSignUpSettingValue)
+			if err != nil {
+				return echo.NewHTTPError(http.StatusInternalServerError, "Failed to unmarshal system setting allow signup").SetInternal(err)
+			}
+		}
+		if !allowSignUpSettingValue {
+			return echo.NewHTTPError(http.StatusUnauthorized, "signup is disabled").SetInternal(err)
+		}
+
+		userCreate := &store.User{
+			Username: userInfo.Identifier,
+			// The new signup user should be normal user by default.
+			Role:     store.RoleUser,
+			Nickname: userInfo.DisplayName,
+			Email:    userInfo.Email,
+		}
+		password, err := util.RandomString(20)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to generate random password").SetInternal(err)
+		}
+		passwordHash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to generate password hash").SetInternal(err)
+		}
+		userCreate.PasswordHash = string(passwordHash)
+		user, err = s.Store.CreateUser(ctx, userCreate)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to create user").SetInternal(err)
+		}
+	}
+	if user.RowStatus == store.Archived {
+		return echo.NewHTTPError(http.StatusForbidden, fmt.Sprintf("User has been archived with username %s", userInfo.Identifier))
+	}
+
+	accessToken, err := auth.GenerateAccessToken(user.Username, user.ID, time.Now().Add(auth.AccessTokenDuration), []byte(s.Secret))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("failed to generate tokens, err: %s", err)).SetInternal(err)
+	}
+	if err := s.UpsertAccessTokenToStore(ctx, user, accessToken); err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("failed to upsert access token, err: %s", err)).SetInternal(err)
+	}
+	cookieExp := time.Now().Add(auth.CookieExpDuration)
+	setTokenCookie(c, auth.AccessTokenCookieName, accessToken, cookieExp)
+	userMessage := convertUserFromStore(user)
+	return c.JSON(http.StatusOK, userMessage)
+}
+
+// SignOut godoc
+//
+//	@Summary	Sign-out from memos.
+//	@Tags		auth
+//	@Produce	json
+//	@Success	200	{boolean}	true	"Sign-out success"
+//	@Router		/api/v1/auth/signout [POST]
+func (s *APIV1Service) SignOut(c echo.Context) error {
+	accessToken := findAccessToken(c)
+	userID, _ := getUserIDFromAccessToken(accessToken, s.Secret)
+
+	err := removeAccessTokenAndCookies(c, s.Store, userID, accessToken)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("failed to remove access token, err: %s", err)).SetInternal(err)
+	}
+
+	return c.JSON(http.StatusOK, true)
+}
+
+// SignUp godoc
+//
+//	@Summary	Sign-up to memos.
+//	@Tags		auth
+//	@Accept		json
+//	@Produce	json
+//	@Param		body	body		SignUp		true	"Sign-up object"
+//	@Success	200		{object}	store.User	"User information"
+//	@Failure	400		{object}	nil			"Malformatted signup request | Failed to find users"
+//	@Failure	401		{object}	nil			"signup is disabled"
+//	@Failure	403		{object}	nil			"Forbidden"
+//	@Failure	404		{object}	nil			"Not found"
+//	@Failure	500		{object}	nil			"Failed to find system setting | Failed to unmarshal system setting allow signup | Failed to generate password hash | Failed to create user | Failed to generate tokens | Failed to create activity"
+//	@Router		/api/v1/auth/signup [POST]
+func (s *APIV1Service) SignUp(c echo.Context) error {
+	ctx := c.Request().Context()
+	signup := &SignUp{}
+	if err := json.NewDecoder(c.Request().Body).Decode(signup); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Malformatted signup request").SetInternal(err)
+	}
+
+	hostUserType := store.RoleHost
+	existedHostUsers, err := s.Store.ListUsers(ctx, &store.FindUser{
+		Role: &hostUserType,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Failed to find users").SetInternal(err)
+	}
+	if !usernameMatcher.MatchString(strings.ToLower(signup.Username)) {
+		return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("Invalid username %s", signup.Username)).SetInternal(err)
+	}
+
+	userCreate := &store.User{
+		Username: signup.Username,
+		// The new signup user should be normal user by default.
+		Role:     store.RoleUser,
+		Nickname: signup.Username,
+	}
+	if len(existedHostUsers) == 0 {
+		// Change the default role to host if there is no host user.
+		userCreate.Role = store.RoleHost
+	} else {
+		allowSignUpSetting, err := s.Store.GetSystemSetting(ctx, &store.FindSystemSetting{
+			Name: SystemSettingAllowSignUpName.String(),
+		})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find system setting").SetInternal(err)
+		}
+
+		allowSignUpSettingValue := true
+		if allowSignUpSetting != nil {
+			err = json.Unmarshal([]byte(allowSignUpSetting.Value), &allowSignUpSettingValue)
+			if err != nil {
+				return echo.NewHTTPError(http.StatusInternalServerError, "Failed to unmarshal system setting allow signup").SetInternal(err)
+			}
+		}
+		if !allowSignUpSettingValue {
+			return echo.NewHTTPError(http.StatusUnauthorized, "signup is disabled").SetInternal(err)
+		}
+
+		disablePasswordLoginSystemSetting, err := s.Store.GetSystemSetting(ctx, &store.FindSystemSetting{
+			Name: SystemSettingDisablePasswordLoginName.String(),
+		})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find system setting").SetInternal(err)
+		}
+		if disablePasswordLoginSystemSetting != nil {
+			disablePasswordLogin := false
+			err = json.Unmarshal([]byte(disablePasswordLoginSystemSetting.Value), &disablePasswordLogin)
+			if err != nil {
+				return echo.NewHTTPError(http.StatusInternalServerError, "Failed to unmarshal system setting").SetInternal(err)
+			}
+			if disablePasswordLogin {
+				return echo.NewHTTPError(http.StatusUnauthorized, "password login is deactivated")
+			}
+		}
+	}
+
+	passwordHash, err := bcrypt.GenerateFromPassword([]byte(signup.Password), bcrypt.DefaultCost)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to generate password hash").SetInternal(err)
+	}
+
+	userCreate.PasswordHash = string(passwordHash)
+	user, err := s.Store.CreateUser(ctx, userCreate)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to create user").SetInternal(err)
+	}
+	accessToken, err := auth.GenerateAccessToken(user.Username, user.ID, time.Now().Add(auth.AccessTokenDuration), []byte(s.Secret))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("failed to generate tokens, err: %s", err)).SetInternal(err)
+	}
+	if err := s.UpsertAccessTokenToStore(ctx, user, accessToken); err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("failed to upsert access token, err: %s", err)).SetInternal(err)
+	}
+	cookieExp := time.Now().Add(auth.CookieExpDuration)
+	setTokenCookie(c, auth.AccessTokenCookieName, accessToken, cookieExp)
+	userMessage := convertUserFromStore(user)
+	return c.JSON(http.StatusOK, userMessage)
+}
+
+func (s *APIV1Service) UpsertAccessTokenToStore(ctx context.Context, user *store.User, accessToken string) error {
+	userAccessTokens, err := s.Store.GetUserAccessTokens(ctx, user.ID)
+	if err != nil {
+		return errors.Wrap(err, "failed to get user access tokens")
+	}
+	userAccessToken := storepb.AccessTokensUserSetting_AccessToken{
+		AccessToken: accessToken,
+		Description: "Account sign in",
+	}
+	userAccessTokens = append(userAccessTokens, &userAccessToken)
+	if _, err := s.Store.UpsertUserSetting(ctx, &storepb.UserSetting{
+		UserId: user.ID,
+		Key:    storepb.UserSettingKey_USER_SETTING_ACCESS_TOKENS,
+		Value: &storepb.UserSetting_AccessTokens{
+			AccessTokens: &storepb.AccessTokensUserSetting{
+				AccessTokens: userAccessTokens,
+			},
+		},
+	}); err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("failed to upsert user setting, err: %s", err)).SetInternal(err)
+	}
+	return nil
+}
+
+// removeAccessTokenAndCookies removes the jwt token from the cookies.
+func removeAccessTokenAndCookies(c echo.Context, s *store.Store, userID int32, token string) error {
+	err := s.RemoveUserAccessToken(c.Request().Context(), userID, token)
+	if err != nil {
+		return err
+	}
+
+	cookieExp := time.Now().Add(-1 * time.Hour)
+	setTokenCookie(c, auth.AccessTokenCookieName, "", cookieExp)
+	return nil
+}
+
+// setTokenCookie sets the token to the cookie.
+func setTokenCookie(c echo.Context, name, token string, expiration time.Time) {
+	cookie := new(http.Cookie)
+	cookie.Name = name
+	cookie.Value = token
+	cookie.Expires = expiration
+	cookie.Path = "/"
+	// Http-only helps mitigate the risk of client side script accessing the protected cookie.
+	cookie.HttpOnly = true
+	cookie.SameSite = http.SameSiteStrictMode
+	c.SetCookie(cookie)
+}
--- a/api/v1/common.go
+++ b/api/v1/common.go
@@ -1,7 +1,4 @@
-package api
-
-// UnknownID is the ID for unknowns.
-const UnknownID = -1
+package v1

 // RowStatus is the status for a row.
 type RowStatus string
@@ -13,12 +10,6 @@ const (
 	Archived RowStatus = "ARCHIVED"
 )

-func (e RowStatus) String() string {
-	switch e {
-	case Normal:
-		return "NORMAL"
-	case Archived:
-		return "ARCHIVED"
-	}
-	return ""
+func (r RowStatus) String() string {
+	return string(r)
 }
--- a/api/v1/docs.go
+++ b/api/v1/docs.go
--- a/api/v1/http_getter.go
+++ b/api/v1/http_getter.go
@@ -0,0 +1,49 @@
+package v1
+
+import (
+	"fmt"
+	"net/http"
+	"net/url"
+
+	"github.com/labstack/echo/v4"
+
+	getter "github.com/usememos/memos/plugin/http-getter"
+)
+
+func (*APIV1Service) registerGetterPublicRoutes(g *echo.Group) {
+	// GET /get/image?url={url} - Get image.
+	g.GET("/get/image", GetImage)
+}
+
+// GetImage godoc
+//
+//	@Summary	Get GetImage from URL
+//	@Tags		image-url
+//	@Produce	GetImage/*
+//	@Param		url	query		string	true	"Image url"
+//	@Success	200	{object}	nil		"Image"
+//	@Failure	400	{object}	nil		"Missing GetImage url | Wrong url | Failed to get GetImage url: %s"
+//	@Failure	500	{object}	nil		"Failed to write GetImage blob"
+//	@Router		/o/get/GetImage [GET]
+func GetImage(c echo.Context) error {
+	urlStr := c.QueryParam("url")
+	if urlStr == "" {
+		return echo.NewHTTPError(http.StatusBadRequest, "Missing image url")
+	}
+	if _, err := url.Parse(urlStr); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Wrong url").SetInternal(err)
+	}
+
+	image, err := getter.GetImage(urlStr)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("Failed to get image url: %s", urlStr)).SetInternal(err)
+	}
+
+	c.Response().Writer.WriteHeader(http.StatusOK)
+	c.Response().Writer.Header().Set("Content-Type", image.Mediatype)
+	c.Response().Writer.Header().Set(echo.HeaderCacheControl, "max-age=31536000, immutable")
+	if _, err := c.Response().Writer.Write(image.Blob); err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to write image blob").SetInternal(err)
+	}
+	return nil
+}
--- a/api/v1/idp.go
+++ b/api/v1/idp.go
@@ -0,0 +1,349 @@
+package v1
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+
+	"github.com/labstack/echo/v4"
+
+	"github.com/usememos/memos/internal/util"
+	"github.com/usememos/memos/store"
+)
+
+type IdentityProviderType string
+
+const (
+	IdentityProviderOAuth2Type IdentityProviderType = "OAUTH2"
+)
+
+func (t IdentityProviderType) String() string {
+	return string(t)
+}
+
+type IdentityProviderConfig struct {
+	OAuth2Config *IdentityProviderOAuth2Config `json:"oauth2Config"`
+}
+
+type IdentityProviderOAuth2Config struct {
+	ClientID     string        `json:"clientId"`
+	ClientSecret string        `json:"clientSecret"`
+	AuthURL      string        `json:"authUrl"`
+	TokenURL     string        `json:"tokenUrl"`
+	UserInfoURL  string        `json:"userInfoUrl"`
+	Scopes       []string      `json:"scopes"`
+	FieldMapping *FieldMapping `json:"fieldMapping"`
+}
+
+type FieldMapping struct {
+	Identifier  string `json:"identifier"`
+	DisplayName string `json:"displayName"`
+	Email       string `json:"email"`
+}
+
+type IdentityProvider struct {
+	ID               int32                   `json:"id"`
+	Name             string                  `json:"name"`
+	Type             IdentityProviderType    `json:"type"`
+	IdentifierFilter string                  `json:"identifierFilter"`
+	Config           *IdentityProviderConfig `json:"config"`
+}
+
+type CreateIdentityProviderRequest struct {
+	Name             string                  `json:"name"`
+	Type             IdentityProviderType    `json:"type"`
+	IdentifierFilter string                  `json:"identifierFilter"`
+	Config           *IdentityProviderConfig `json:"config"`
+}
+
+type UpdateIdentityProviderRequest struct {
+	ID               int32                   `json:"-"`
+	Type             IdentityProviderType    `json:"type"`
+	Name             *string                 `json:"name"`
+	IdentifierFilter *string                 `json:"identifierFilter"`
+	Config           *IdentityProviderConfig `json:"config"`
+}
+
+func (s *APIV1Service) registerIdentityProviderRoutes(g *echo.Group) {
+	g.GET("/idp", s.GetIdentityProviderList)
+	g.POST("/idp", s.CreateIdentityProvider)
+	g.GET("/idp/:idpId", s.GetIdentityProvider)
+	g.PATCH("/idp/:idpId", s.UpdateIdentityProvider)
+	g.DELETE("/idp/:idpId", s.DeleteIdentityProvider)
+}
+
+// GetIdentityProviderList godoc
+//
+//	@Summary		Get a list of identity providers
+//	@Description	*clientSecret is only available for host user
+//	@Tags			idp
+//	@Produce		json
+//	@Success		200	{object}	[]IdentityProvider	"List of available identity providers"
+//	@Failure		500	{object}	nil					"Failed to find identity provider list | Failed to find user"
+//	@Router			/api/v1/idp [GET]
+func (s *APIV1Service) GetIdentityProviderList(c echo.Context) error {
+	ctx := c.Request().Context()
+	list, err := s.Store.ListIdentityProviders(ctx, &store.FindIdentityProvider{})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find identity provider list").SetInternal(err)
+	}
+
+	userID, ok := c.Get(userIDContextKey).(int32)
+	isHostUser := false
+	if ok {
+		user, err := s.Store.GetUser(ctx, &store.FindUser{
+			ID: &userID,
+		})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+		}
+		if user == nil || user.Role == store.RoleHost {
+			isHostUser = true
+		}
+	}
+
+	identityProviderList := []*IdentityProvider{}
+	for _, item := range list {
+		identityProvider := convertIdentityProviderFromStore(item)
+		// data desensitize
+		if !isHostUser {
+			identityProvider.Config.OAuth2Config.ClientSecret = ""
+		}
+		identityProviderList = append(identityProviderList, identityProvider)
+	}
+	return c.JSON(http.StatusOK, identityProviderList)
+}
+
+// CreateIdentityProvider godoc
+//
+//	@Summary	Create Identity Provider
+//	@Tags		idp
+//	@Accept		json
+//	@Produce	json
+//	@Param		body	body		CreateIdentityProviderRequest	true	"Identity provider information"
+//	@Success	200		{object}	store.IdentityProvider			"Identity provider information"
+//	@Failure	401		{object}	nil								"Missing user in session | Unauthorized"
+//	@Failure	400		{object}	nil								"Malformatted post identity provider request"
+//	@Failure	500		{object}	nil								"Failed to find user | Failed to create identity provider"
+//	@Router		/api/v1/idp [POST]
+func (s *APIV1Service) CreateIdentityProvider(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+	}
+
+	user, err := s.Store.GetUser(ctx, &store.FindUser{
+		ID: &userID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+	}
+	if user == nil || user.Role != store.RoleHost {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+	}
+
+	identityProviderCreate := &CreateIdentityProviderRequest{}
+	if err := json.NewDecoder(c.Request().Body).Decode(identityProviderCreate); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Malformatted post identity provider request").SetInternal(err)
+	}
+
+	identityProvider, err := s.Store.CreateIdentityProvider(ctx, &store.IdentityProvider{
+		Name:             identityProviderCreate.Name,
+		Type:             store.IdentityProviderType(identityProviderCreate.Type),
+		IdentifierFilter: identityProviderCreate.IdentifierFilter,
+		Config:           convertIdentityProviderConfigToStore(identityProviderCreate.Config),
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to create identity provider").SetInternal(err)
+	}
+	return c.JSON(http.StatusOK, convertIdentityProviderFromStore(identityProvider))
+}
+
+// GetIdentityProvider godoc
+//
+//	@Summary	Get an identity provider by ID
+//	@Tags		idp
+//	@Accept		json
+//	@Produce	json
+//	@Param		idpId	path		int						true	"Identity provider ID"
+//	@Success	200		{object}	store.IdentityProvider	"Requested identity provider"
+//	@Failure	400		{object}	nil						"ID is not a number: %s"
+//	@Failure	401		{object}	nil						"Missing user in session | Unauthorized"
+//	@Failure	404		{object}	nil						"Identity provider not found"
+//	@Failure	500		{object}	nil						"Failed to find identity provider list | Failed to find user"
+//	@Router		/api/v1/idp/{idpId} [GET]
+func (s *APIV1Service) GetIdentityProvider(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+	}
+
+	user, err := s.Store.GetUser(ctx, &store.FindUser{
+		ID: &userID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+	}
+	if user == nil || user.Role != store.RoleHost {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+	}
+
+	identityProviderID, err := util.ConvertStringToInt32(c.Param("idpId"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("idpId"))).SetInternal(err)
+	}
+	identityProvider, err := s.Store.GetIdentityProvider(ctx, &store.FindIdentityProvider{
+		ID: &identityProviderID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to get identity provider").SetInternal(err)
+	}
+	if identityProvider == nil {
+		return echo.NewHTTPError(http.StatusNotFound, "Identity provider not found")
+	}
+
+	return c.JSON(http.StatusOK, convertIdentityProviderFromStore(identityProvider))
+}
+
+// DeleteIdentityProvider godoc
+//
+//	@Summary	Delete an identity provider by ID
+//	@Tags		idp
+//	@Accept		json
+//	@Produce	json
+//	@Param		idpId	path		int		true	"Identity Provider ID"
+//	@Success	200		{boolean}	true	"Identity Provider deleted"
+//	@Failure	400		{object}	nil		"ID is not a number: %s | Malformatted patch identity provider request"
+//	@Failure	401		{object}	nil		"Missing user in session | Unauthorized"
+//	@Failure	500		{object}	nil		"Failed to find user | Failed to patch identity provider"
+//	@Router		/api/v1/idp/{idpId} [DELETE]
+func (s *APIV1Service) DeleteIdentityProvider(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+	}
+
+	user, err := s.Store.GetUser(ctx, &store.FindUser{
+		ID: &userID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+	}
+	if user == nil || user.Role != store.RoleHost {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+	}
+
+	identityProviderID, err := util.ConvertStringToInt32(c.Param("idpId"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("idpId"))).SetInternal(err)
+	}
+
+	if err = s.Store.DeleteIdentityProvider(ctx, &store.DeleteIdentityProvider{ID: identityProviderID}); err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to delete identity provider").SetInternal(err)
+	}
+	return c.JSON(http.StatusOK, true)
+}
+
+// UpdateIdentityProvider godoc
+//
+//	@Summary	Update an identity provider by ID
+//	@Tags		idp
+//	@Accept		json
+//	@Produce	json
+//	@Param		idpId	path		int								true	"Identity Provider ID"
+//	@Param		body	body		UpdateIdentityProviderRequest	true	"Patched identity provider information"
+//	@Success	200		{object}	store.IdentityProvider			"Patched identity provider"
+//	@Failure	400		{object}	nil								"ID is not a number: %s | Malformatted patch identity provider request"
+//	@Failure	401		{object}	nil								"Missing user in session | Unauthorized
+//	@Failure	500		{object}	nil								"Failed to find user | Failed to patch identity provider"
+//	@Router		/api/v1/idp/{idpId} [PATCH]
+func (s *APIV1Service) UpdateIdentityProvider(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+	}
+
+	user, err := s.Store.GetUser(ctx, &store.FindUser{
+		ID: &userID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+	}
+	if user == nil || user.Role != store.RoleHost {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+	}
+
+	identityProviderID, err := util.ConvertStringToInt32(c.Param("idpId"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("idpId"))).SetInternal(err)
+	}
+
+	identityProviderPatch := &UpdateIdentityProviderRequest{
+		ID: identityProviderID,
+	}
+	if err := json.NewDecoder(c.Request().Body).Decode(identityProviderPatch); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Malformatted patch identity provider request").SetInternal(err)
+	}
+
+	identityProvider, err := s.Store.UpdateIdentityProvider(ctx, &store.UpdateIdentityProvider{
+		ID:               identityProviderPatch.ID,
+		Type:             store.IdentityProviderType(identityProviderPatch.Type),
+		Name:             identityProviderPatch.Name,
+		IdentifierFilter: identityProviderPatch.IdentifierFilter,
+		Config:           convertIdentityProviderConfigToStore(identityProviderPatch.Config),
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to patch identity provider").SetInternal(err)
+	}
+	return c.JSON(http.StatusOK, convertIdentityProviderFromStore(identityProvider))
+}
+
+func convertIdentityProviderFromStore(identityProvider *store.IdentityProvider) *IdentityProvider {
+	return &IdentityProvider{
+		ID:               identityProvider.ID,
+		Name:             identityProvider.Name,
+		Type:             IdentityProviderType(identityProvider.Type),
+		IdentifierFilter: identityProvider.IdentifierFilter,
+		Config:           convertIdentityProviderConfigFromStore(identityProvider.Config),
+	}
+}
+
+func convertIdentityProviderConfigFromStore(config *store.IdentityProviderConfig) *IdentityProviderConfig {
+	return &IdentityProviderConfig{
+		OAuth2Config: &IdentityProviderOAuth2Config{
+			ClientID:     config.OAuth2Config.ClientID,
+			ClientSecret: config.OAuth2Config.ClientSecret,
+			AuthURL:      config.OAuth2Config.AuthURL,
+			TokenURL:     config.OAuth2Config.TokenURL,
+			UserInfoURL:  config.OAuth2Config.UserInfoURL,
+			Scopes:       config.OAuth2Config.Scopes,
+			FieldMapping: &FieldMapping{
+				Identifier:  config.OAuth2Config.FieldMapping.Identifier,
+				DisplayName: config.OAuth2Config.FieldMapping.DisplayName,
+				Email:       config.OAuth2Config.FieldMapping.Email,
+			},
+		},
+	}
+}
+
+func convertIdentityProviderConfigToStore(config *IdentityProviderConfig) *store.IdentityProviderConfig {
+	return &store.IdentityProviderConfig{
+		OAuth2Config: &store.IdentityProviderOAuth2Config{
+			ClientID:     config.OAuth2Config.ClientID,
+			ClientSecret: config.OAuth2Config.ClientSecret,
+			AuthURL:      config.OAuth2Config.AuthURL,
+			TokenURL:     config.OAuth2Config.TokenURL,
+			UserInfoURL:  config.OAuth2Config.UserInfoURL,
+			Scopes:       config.OAuth2Config.Scopes,
+			FieldMapping: &store.FieldMapping{
+				Identifier:  config.OAuth2Config.FieldMapping.Identifier,
+				DisplayName: config.OAuth2Config.FieldMapping.DisplayName,
+				Email:       config.OAuth2Config.FieldMapping.Email,
+			},
+		},
+	}
+}
--- a/api/v1/jwt.go
+++ b/api/v1/jwt.go
@@ -0,0 +1,156 @@
+package v1
+
+import (
+	"fmt"
+	"net/http"
+	"strings"
+
+	"github.com/golang-jwt/jwt/v4"
+	"github.com/labstack/echo/v4"
+	"github.com/pkg/errors"
+	"go.uber.org/zap"
+
+	"github.com/usememos/memos/api/auth"
+	"github.com/usememos/memos/internal/log"
+	"github.com/usememos/memos/internal/util"
+	storepb "github.com/usememos/memos/proto/gen/store"
+	"github.com/usememos/memos/store"
+)
+
+const (
+	// The key name used to store user id in the context
+	// user id is extracted from the jwt token subject field.
+	userIDContextKey = "user-id"
+)
+
+func extractTokenFromHeader(c echo.Context) (string, error) {
+	authHeader := c.Request().Header.Get("Authorization")
+	if authHeader == "" {
+		return "", nil
+	}
+
+	authHeaderParts := strings.Fields(authHeader)
+	if len(authHeaderParts) != 2 || strings.ToLower(authHeaderParts[0]) != "bearer" {
+		return "", errors.New("Authorization header format must be Bearer {token}")
+	}
+
+	return authHeaderParts[1], nil
+}
+
+func findAccessToken(c echo.Context) string {
+	// Check the HTTP request header first.
+	accessToken, _ := extractTokenFromHeader(c)
+	if accessToken == "" {
+		// Check the cookie.
+		cookie, _ := c.Cookie(auth.AccessTokenCookieName)
+		if cookie != nil {
+			accessToken = cookie.Value
+		}
+	}
+	return accessToken
+}
+
+// JWTMiddleware validates the access token.
+func JWTMiddleware(server *APIV1Service, next echo.HandlerFunc, secret string) echo.HandlerFunc {
+	return func(c echo.Context) error {
+		ctx := c.Request().Context()
+		path := c.Request().URL.Path
+		method := c.Request().Method
+
+		if server.defaultAuthSkipper(c) {
+			return next(c)
+		}
+
+		// Skip validation for server status endpoints.
+		if util.HasPrefixes(path, "/api/v1/ping", "/api/v1/status") && method == http.MethodGet {
+			return next(c)
+		}
+
+		accessToken := findAccessToken(c)
+		if accessToken == "" {
+			// Allow the user to access the public endpoints.
+			if util.HasPrefixes(path, "/o") {
+				return next(c)
+			}
+			// When the request is not authenticated, we allow the user to access the memo endpoints for those public memos.
+			if util.HasPrefixes(path, "/api/v1/idp", "/api/v1/memo", "/api/v1/user") && path != "/api/v1/user" && method == http.MethodGet {
+				return next(c)
+			}
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing access token")
+		}
+
+		userID, err := getUserIDFromAccessToken(accessToken, secret)
+		if err != nil {
+			err = removeAccessTokenAndCookies(c, server.Store, userID, accessToken)
+			if err != nil {
+				log.Error("fail to remove AccessToken and Cookies", zap.Error(err))
+			}
+			return echo.NewHTTPError(http.StatusUnauthorized, "Invalid or expired access token")
+		}
+
+		accessTokens, err := server.Store.GetUserAccessTokens(ctx, userID)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to get user access tokens.").WithInternal(err)
+		}
+		if !validateAccessToken(accessToken, accessTokens) {
+			err = removeAccessTokenAndCookies(c, server.Store, userID, accessToken)
+			if err != nil {
+				log.Error("fail to remove AccessToken and Cookies", zap.Error(err))
+			}
+			return echo.NewHTTPError(http.StatusUnauthorized, "Invalid access token.")
+		}
+
+		// Even if there is no error, we still need to make sure the user still exists.
+		user, err := server.Store.GetUser(ctx, &store.FindUser{
+			ID: &userID,
+		})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Server error to find user ID: %d", userID)).SetInternal(err)
+		}
+		if user == nil {
+			return echo.NewHTTPError(http.StatusUnauthorized, fmt.Sprintf("Failed to find user ID: %d", userID))
+		}
+
+		// Stores userID into context.
+		c.Set(userIDContextKey, userID)
+		return next(c)
+	}
+}
+
+func getUserIDFromAccessToken(accessToken, secret string) (int32, error) {
+	claims := &auth.ClaimsMessage{}
+	_, err := jwt.ParseWithClaims(accessToken, claims, func(t *jwt.Token) (any, error) {
+		if t.Method.Alg() != jwt.SigningMethodHS256.Name {
+			return nil, errors.Errorf("unexpected access token signing method=%v, expect %v", t.Header["alg"], jwt.SigningMethodHS256)
+		}
+		if kid, ok := t.Header["kid"].(string); ok {
+			if kid == "v1" {
+				return []byte(secret), nil
+			}
+		}
+		return nil, errors.Errorf("unexpected access token kid=%v", t.Header["kid"])
+	})
+	if err != nil {
+		return 0, errors.Wrap(err, "Invalid or expired access token")
+	}
+	// We either have a valid access token or we will attempt to generate new access token.
+	userID, err := util.ConvertStringToInt32(claims.Subject)
+	if err != nil {
+		return 0, errors.Wrap(err, "Malformed ID in the token")
+	}
+	return userID, nil
+}
+
+func (*APIV1Service) defaultAuthSkipper(c echo.Context) bool {
+	path := c.Path()
+	return util.HasPrefixes(path, "/api/v1/auth")
+}
+
+func validateAccessToken(accessTokenString string, userAccessTokens []*storepb.AccessTokensUserSetting_AccessToken) bool {
+	for _, userAccessToken := range userAccessTokens {
+		if accessTokenString == userAccessToken.AccessToken {
+			return true
+		}
+	}
+	return false
+}
--- a/api/v1/memo.go
+++ b/api/v1/memo.go
--- a/api/v1/memo_organizer.go
+++ b/api/v1/memo_organizer.go
@@ -0,0 +1,97 @@
+package v1
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+
+	"github.com/labstack/echo/v4"
+
+	"github.com/usememos/memos/internal/util"
+	"github.com/usememos/memos/store"
+)
+
+type MemoOrganizer struct {
+	MemoID int32 `json:"memoId"`
+	UserID int32 `json:"userId"`
+	Pinned bool  `json:"pinned"`
+}
+
+type UpsertMemoOrganizerRequest struct {
+	Pinned bool `json:"pinned"`
+}
+
+func (s *APIV1Service) registerMemoOrganizerRoutes(g *echo.Group) {
+	g.POST("/memo/:memoId/organizer", s.CreateMemoOrganizer)
+}
+
+// CreateMemoOrganizer godoc
+//
+//	@Summary	Organize memo (pin/unpin)
+//	@Tags		memo-organizer
+//	@Accept		json
+//	@Produce	json
+//	@Param		memoId	path		int							true	"ID of memo to organize"
+//	@Param		body	body		UpsertMemoOrganizerRequest	true	"Memo organizer object"
+//	@Success	200		{object}	store.Memo					"Memo information"
+//	@Failure	400		{object}	nil							"ID is not a number: %s | Malformatted post memo organizer request"
+//	@Failure	401		{object}	nil							"Missing user in session | Unauthorized"
+//	@Failure	404		{object}	nil							"Memo not found: %v"
+//	@Failure	500		{object}	nil							"Failed to find memo | Failed to upsert memo organizer | Failed to find memo by ID: %v | Failed to compose memo response"
+//	@Router		/api/v1/memo/{memoId}/organizer [POST]
+func (s *APIV1Service) CreateMemoOrganizer(c echo.Context) error {
+	ctx := c.Request().Context()
+	memoID, err := util.ConvertStringToInt32(c.Param("memoId"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("memoId"))).SetInternal(err)
+	}
+
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+	}
+
+	memo, err := s.Store.GetMemo(ctx, &store.FindMemo{
+		ID: &memoID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find memo").SetInternal(err)
+	}
+	if memo == nil {
+		return echo.NewHTTPError(http.StatusNotFound, fmt.Sprintf("Memo not found: %v", memoID))
+	}
+	if memo.CreatorID != userID {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+	}
+
+	request := &UpsertMemoOrganizerRequest{}
+	if err := json.NewDecoder(c.Request().Body).Decode(request); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Malformatted post memo organizer request").SetInternal(err)
+	}
+
+	upsert := &store.MemoOrganizer{
+		MemoID: memoID,
+		UserID: userID,
+		Pinned: request.Pinned,
+	}
+	_, err = s.Store.UpsertMemoOrganizer(ctx, upsert)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to upsert memo organizer").SetInternal(err)
+	}
+
+	memo, err = s.Store.GetMemo(ctx, &store.FindMemo{
+		ID: &memoID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to find memo by ID: %v", memoID)).SetInternal(err)
+	}
+	if memo == nil {
+		return echo.NewHTTPError(http.StatusNotFound, fmt.Sprintf("Memo not found: %v", memoID))
+	}
+
+	memoResponse, err := s.convertMemoFromStore(ctx, memo)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to compose memo response").SetInternal(err)
+	}
+	return c.JSON(http.StatusOK, memoResponse)
+}
--- a/api/v1/memo_relation.go
+++ b/api/v1/memo_relation.go
@@ -0,0 +1,156 @@
+package v1
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+
+	"github.com/labstack/echo/v4"
+
+	"github.com/usememos/memos/internal/util"
+	"github.com/usememos/memos/store"
+)
+
+type MemoRelationType string
+
+const (
+	MemoRelationReference MemoRelationType = "REFERENCE"
+	MemoRelationComment   MemoRelationType = "COMMENT"
+)
+
+func (t MemoRelationType) String() string {
+	return string(t)
+}
+
+type MemoRelation struct {
+	MemoID        int32            `json:"memoId"`
+	RelatedMemoID int32            `json:"relatedMemoId"`
+	Type          MemoRelationType `json:"type"`
+}
+
+type UpsertMemoRelationRequest struct {
+	RelatedMemoID int32            `json:"relatedMemoId"`
+	Type          MemoRelationType `json:"type"`
+}
+
+func (s *APIV1Service) registerMemoRelationRoutes(g *echo.Group) {
+	g.GET("/memo/:memoId/relation", s.GetMemoRelationList)
+	g.POST("/memo/:memoId/relation", s.CreateMemoRelation)
+	g.DELETE("/memo/:memoId/relation/:relatedMemoId/type/:relationType", s.DeleteMemoRelation)
+}
+
+// GetMemoRelationList godoc
+//
+//	@Summary	Get a list of Memo Relations
+//	@Tags		memo-relation
+//	@Accept		json
+//	@Produce	json
+//	@Param		memoId	path		int						true	"ID of memo to find relations"
+//	@Success	200		{object}	[]store.MemoRelation	"Memo relation information list"
+//	@Failure	400		{object}	nil						"ID is not a number: %s"
+//	@Failure	500		{object}	nil						"Failed to list memo relations"
+//	@Router		/api/v1/memo/{memoId}/relation [GET]
+func (s *APIV1Service) GetMemoRelationList(c echo.Context) error {
+	ctx := c.Request().Context()
+	memoID, err := util.ConvertStringToInt32(c.Param("memoId"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("memoId"))).SetInternal(err)
+	}
+
+	memoRelationList, err := s.Store.ListMemoRelations(ctx, &store.FindMemoRelation{
+		MemoID: &memoID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to list memo relations").SetInternal(err)
+	}
+	return c.JSON(http.StatusOK, memoRelationList)
+}
+
+// CreateMemoRelation godoc
+//
+//	@Summary		Create Memo Relation
+//	@Description	Create a relation between two memos
+//	@Tags			memo-relation
+//	@Accept			json
+//	@Produce		json
+//	@Param			memoId	path		int							true	"ID of memo to relate"
+//	@Param			body	body		UpsertMemoRelationRequest	true	"Memo relation object"
+//	@Success		200		{object}	store.MemoRelation			"Memo relation information"
+//	@Failure		400		{object}	nil							"ID is not a number: %s | Malformatted post memo relation request"
+//	@Failure		500		{object}	nil							"Failed to upsert memo relation"
+//	@Router			/api/v1/memo/{memoId}/relation [POST]
+//
+// NOTES:
+// - Currently not secured
+// - It's possible to create relations to memos that doesn't exist, which will trigger 404 errors when the frontend tries to load them.
+// - It's possible to create multiple relations, though the interface only shows first.
+func (s *APIV1Service) CreateMemoRelation(c echo.Context) error {
+	ctx := c.Request().Context()
+	memoID, err := util.ConvertStringToInt32(c.Param("memoId"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("memoId"))).SetInternal(err)
+	}
+
+	request := &UpsertMemoRelationRequest{}
+	if err := json.NewDecoder(c.Request().Body).Decode(request); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Malformatted post memo relation request").SetInternal(err)
+	}
+
+	memoRelation, err := s.Store.UpsertMemoRelation(ctx, &store.MemoRelation{
+		MemoID:        memoID,
+		RelatedMemoID: request.RelatedMemoID,
+		Type:          store.MemoRelationType(request.Type),
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to upsert memo relation").SetInternal(err)
+	}
+	return c.JSON(http.StatusOK, memoRelation)
+}
+
+// DeleteMemoRelation godoc
+//
+//	@Summary		Delete a Memo Relation
+//	@Description	Removes a relation between two memos
+//	@Tags			memo-relation
+//	@Accept			json
+//	@Produce		json
+//	@Param			memoId			path		int					true	"ID of memo to find relations"
+//	@Param			relatedMemoId	path		int					true	"ID of memo to remove relation to"
+//	@Param			relationType	path		MemoRelationType	true	"Type of relation to remove"
+//	@Success		200				{boolean}	true				"Memo relation deleted"
+//	@Failure		400				{object}	nil					"Memo ID is not a number: %s | Related memo ID is not a number: %s"
+//	@Failure		500				{object}	nil					"Failed to delete memo relation"
+//	@Router			/api/v1/memo/{memoId}/relation/{relatedMemoId}/type/{relationType} [DELETE]
+//
+// NOTES:
+// - Currently not secured.
+// - Will always return true, even if the relation doesn't exist.
+func (s *APIV1Service) DeleteMemoRelation(c echo.Context) error {
+	ctx := c.Request().Context()
+	memoID, err := util.ConvertStringToInt32(c.Param("memoId"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("Memo ID is not a number: %s", c.Param("memoId"))).SetInternal(err)
+	}
+	relatedMemoID, err := util.ConvertStringToInt32(c.Param("relatedMemoId"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("Related memo ID is not a number: %s", c.Param("relatedMemoId"))).SetInternal(err)
+	}
+	relationType := store.MemoRelationType(c.Param("relationType"))
+
+	if err := s.Store.DeleteMemoRelation(ctx, &store.DeleteMemoRelation{
+		MemoID:        &memoID,
+		RelatedMemoID: &relatedMemoID,
+		Type:          &relationType,
+	}); err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to delete memo relation").SetInternal(err)
+	}
+	return c.JSON(http.StatusOK, true)
+}
+
+func convertMemoRelationFromStore(memoRelation *store.MemoRelation) *MemoRelation {
+	return &MemoRelation{
+		MemoID:        memoRelation.MemoID,
+		RelatedMemoID: memoRelation.RelatedMemoID,
+		Type:          MemoRelationType(memoRelation.Type),
+	}
+}
--- a/api/v1/resource.go
+++ b/api/v1/resource.go
@@ -0,0 +1,495 @@
+package v1
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"io"
+	"net/http"
+	"net/url"
+	"os"
+	"path/filepath"
+	"regexp"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/labstack/echo/v4"
+	"github.com/pkg/errors"
+	"go.uber.org/zap"
+
+	"github.com/usememos/memos/internal/log"
+	"github.com/usememos/memos/internal/util"
+	"github.com/usememos/memos/plugin/storage/s3"
+	"github.com/usememos/memos/server/service/metric"
+	"github.com/usememos/memos/store"
+)
+
+type Resource struct {
+	ID int32 `json:"id"`
+
+	// Standard fields
+	CreatorID int32 `json:"creatorId"`
+	CreatedTs int64 `json:"createdTs"`
+	UpdatedTs int64 `json:"updatedTs"`
+
+	// Domain specific fields
+	Filename     string `json:"filename"`
+	Blob         []byte `json:"-"`
+	InternalPath string `json:"-"`
+	ExternalLink string `json:"externalLink"`
+	Type         string `json:"type"`
+	Size         int64  `json:"size"`
+}
+
+type CreateResourceRequest struct {
+	Filename     string `json:"filename"`
+	ExternalLink string `json:"externalLink"`
+	Type         string `json:"type"`
+}
+
+type FindResourceRequest struct {
+	ID        *int32  `json:"id"`
+	CreatorID *int32  `json:"creatorId"`
+	Filename  *string `json:"filename"`
+}
+
+type UpdateResourceRequest struct {
+	Filename *string `json:"filename"`
+}
+
+const (
+	// The upload memory buffer is 32 MiB.
+	// It should be kept low, so RAM usage doesn't get out of control.
+	// This is unrelated to maximum upload size limit, which is now set through system setting.
+	maxUploadBufferSizeBytes = 32 << 20
+	MebiByte                 = 1024 * 1024
+)
+
+var fileKeyPattern = regexp.MustCompile(`\{[a-z]{1,9}\}`)
+
+func (s *APIV1Service) registerResourceRoutes(g *echo.Group) {
+	g.GET("/resource", s.GetResourceList)
+	g.POST("/resource", s.CreateResource)
+	g.POST("/resource/blob", s.UploadResource)
+	g.PATCH("/resource/:resourceId", s.UpdateResource)
+	g.DELETE("/resource/:resourceId", s.DeleteResource)
+}
+
+// GetResourceList godoc
+//
+//	@Summary	Get a list of resources
+//	@Tags		resource
+//	@Produce	json
+//	@Param		limit	query		int					false	"Limit"
+//	@Param		offset	query		int					false	"Offset"
+//	@Success	200		{object}	[]store.Resource	"Resource list"
+//	@Failure	401		{object}	nil					"Missing user in session"
+//	@Failure	500		{object}	nil					"Failed to fetch resource list"
+//	@Router		/api/v1/resource [GET]
+func (s *APIV1Service) GetResourceList(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+	}
+	find := &store.FindResource{
+		CreatorID: &userID,
+	}
+	if limit, err := strconv.Atoi(c.QueryParam("limit")); err == nil {
+		find.Limit = &limit
+	}
+	if offset, err := strconv.Atoi(c.QueryParam("offset")); err == nil {
+		find.Offset = &offset
+	}
+
+	list, err := s.Store.ListResources(ctx, find)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to fetch resource list").SetInternal(err)
+	}
+	resourceMessageList := []*Resource{}
+	for _, resource := range list {
+		resourceMessageList = append(resourceMessageList, convertResourceFromStore(resource))
+	}
+	return c.JSON(http.StatusOK, resourceMessageList)
+}
+
+// CreateResource godoc
+//
+//	@Summary	Create resource
+//	@Tags		resource
+//	@Accept		json
+//	@Produce	json
+//	@Param		body	body		CreateResourceRequest	true	"Request object."
+//	@Success	200		{object}	store.Resource			"Created resource"
+//	@Failure	400		{object}	nil						"Malformatted post resource request | Invalid external link | Invalid external link scheme | Failed to request %s | Failed to read %s | Failed to read mime from %s"
+//	@Failure	401		{object}	nil						"Missing user in session"
+//	@Failure	500		{object}	nil						"Failed to save resource | Failed to create resource | Failed to create activity"
+//	@Router		/api/v1/resource [POST]
+func (s *APIV1Service) CreateResource(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+	}
+
+	request := &CreateResourceRequest{}
+	if err := json.NewDecoder(c.Request().Body).Decode(request); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Malformatted post resource request").SetInternal(err)
+	}
+
+	create := &store.Resource{
+		CreatorID:    userID,
+		Filename:     request.Filename,
+		ExternalLink: request.ExternalLink,
+		Type:         request.Type,
+	}
+	if request.ExternalLink != "" {
+		// Only allow those external links scheme with http/https
+		linkURL, err := url.Parse(request.ExternalLink)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, "Invalid external link").SetInternal(err)
+		}
+		if linkURL.Scheme != "http" && linkURL.Scheme != "https" {
+			return echo.NewHTTPError(http.StatusBadRequest, "Invalid external link scheme")
+		}
+	}
+
+	resource, err := s.Store.CreateResource(ctx, create)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to create resource").SetInternal(err)
+	}
+	metric.Enqueue("resource create")
+	return c.JSON(http.StatusOK, convertResourceFromStore(resource))
+}
+
+// UploadResource godoc
+//
+//	@Summary	Upload resource
+//	@Tags		resource
+//	@Accept		multipart/form-data
+//	@Produce	json
+//	@Param		file	formData	file			true	"File to upload"
+//	@Success	200		{object}	store.Resource	"Created resource"
+//	@Failure	400		{object}	nil				"Upload file not found | File size exceeds allowed limit of %d MiB | Failed to parse upload data"
+//	@Failure	401		{object}	nil				"Missing user in session"
+//	@Failure	500		{object}	nil				"Failed to get uploading file | Failed to open file | Failed to save resource | Failed to create resource | Failed to create activity"
+//	@Router		/api/v1/resource/blob [POST]
+func (s *APIV1Service) UploadResource(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+	}
+
+	// This is the backend default max upload size limit.
+	maxUploadSetting := s.Store.GetSystemSettingValueWithDefault(ctx, SystemSettingMaxUploadSizeMiBName.String(), "32")
+	var settingMaxUploadSizeBytes int
+	if settingMaxUploadSizeMiB, err := strconv.Atoi(maxUploadSetting); err == nil {
+		settingMaxUploadSizeBytes = settingMaxUploadSizeMiB * MebiByte
+	} else {
+		log.Warn("Failed to parse max upload size", zap.Error(err))
+		settingMaxUploadSizeBytes = 0
+	}
+
+	file, err := c.FormFile("file")
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to get uploading file").SetInternal(err)
+	}
+	if file == nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Upload file not found").SetInternal(err)
+	}
+
+	if file.Size > int64(settingMaxUploadSizeBytes) {
+		message := fmt.Sprintf("File size exceeds allowed limit of %d MiB", settingMaxUploadSizeBytes/MebiByte)
+		return echo.NewHTTPError(http.StatusBadRequest, message).SetInternal(err)
+	}
+	if err := c.Request().ParseMultipartForm(maxUploadBufferSizeBytes); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Failed to parse upload data").SetInternal(err)
+	}
+
+	sourceFile, err := file.Open()
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to open file").SetInternal(err)
+	}
+	defer sourceFile.Close()
+
+	create := &store.Resource{
+		CreatorID: userID,
+		Filename:  file.Filename,
+		Type:      file.Header.Get("Content-Type"),
+		Size:      file.Size,
+	}
+	err = SaveResourceBlob(ctx, s.Store, create, sourceFile)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to save resource").SetInternal(err)
+	}
+
+	resource, err := s.Store.CreateResource(ctx, create)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to create resource").SetInternal(err)
+	}
+	return c.JSON(http.StatusOK, convertResourceFromStore(resource))
+}
+
+// DeleteResource godoc
+//
+//	@Summary	Delete a resource
+//	@Tags		resource
+//	@Produce	json
+//	@Param		resourceId	path		int		true	"Resource ID"
+//	@Success	200			{boolean}	true	"Resource deleted"
+//	@Failure	400			{object}	nil		"ID is not a number: %s"
+//	@Failure	401			{object}	nil		"Missing user in session"
+//	@Failure	404			{object}	nil		"Resource not found: %d"
+//	@Failure	500			{object}	nil		"Failed to find resource | Failed to delete resource"
+//	@Router		/api/v1/resource/{resourceId} [DELETE]
+func (s *APIV1Service) DeleteResource(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+	}
+
+	resourceID, err := util.ConvertStringToInt32(c.Param("resourceId"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("resourceId"))).SetInternal(err)
+	}
+
+	resource, err := s.Store.GetResource(ctx, &store.FindResource{
+		ID:        &resourceID,
+		CreatorID: &userID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find resource").SetInternal(err)
+	}
+	if resource == nil {
+		return echo.NewHTTPError(http.StatusNotFound, fmt.Sprintf("Resource not found: %d", resourceID))
+	}
+
+	if err := s.Store.DeleteResource(ctx, &store.DeleteResource{
+		ID: resourceID,
+	}); err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to delete resource").SetInternal(err)
+	}
+	return c.JSON(http.StatusOK, true)
+}
+
+// UpdateResource godoc
+//
+//	@Summary	Update a resource
+//	@Tags		resource
+//	@Produce	json
+//	@Param		resourceId	path		int						true	"Resource ID"
+//	@Param		patch		body		UpdateResourceRequest	true	"Patch resource request"
+//	@Success	200			{object}	store.Resource			"Updated resource"
+//	@Failure	400			{object}	nil						"ID is not a number: %s | Malformatted patch resource request"
+//	@Failure	401			{object}	nil						"Missing user in session | Unauthorized"
+//	@Failure	404			{object}	nil						"Resource not found: %d"
+//	@Failure	500			{object}	nil						"Failed to find resource | Failed to patch resource"
+//	@Router		/api/v1/resource/{resourceId} [PATCH]
+func (s *APIV1Service) UpdateResource(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+	}
+
+	resourceID, err := util.ConvertStringToInt32(c.Param("resourceId"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("resourceId"))).SetInternal(err)
+	}
+
+	resource, err := s.Store.GetResource(ctx, &store.FindResource{
+		ID: &resourceID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find resource").SetInternal(err)
+	}
+	if resource == nil {
+		return echo.NewHTTPError(http.StatusNotFound, fmt.Sprintf("Resource not found: %d", resourceID))
+	}
+	if resource.CreatorID != userID {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+	}
+
+	request := &UpdateResourceRequest{}
+	if err := json.NewDecoder(c.Request().Body).Decode(request); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Malformatted patch resource request").SetInternal(err)
+	}
+
+	currentTs := time.Now().Unix()
+	update := &store.UpdateResource{
+		ID:        resourceID,
+		UpdatedTs: &currentTs,
+	}
+	if request.Filename != nil && *request.Filename != "" {
+		update.Filename = request.Filename
+	}
+
+	resource, err = s.Store.UpdateResource(ctx, update)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to patch resource").SetInternal(err)
+	}
+	return c.JSON(http.StatusOK, convertResourceFromStore(resource))
+}
+
+func replacePathTemplate(path, filename string) string {
+	t := time.Now()
+	path = fileKeyPattern.ReplaceAllStringFunc(path, func(s string) string {
+		switch s {
+		case "{filename}":
+			return filename
+		case "{timestamp}":
+			return fmt.Sprintf("%d", t.Unix())
+		case "{year}":
+			return fmt.Sprintf("%d", t.Year())
+		case "{month}":
+			return fmt.Sprintf("%02d", t.Month())
+		case "{day}":
+			return fmt.Sprintf("%02d", t.Day())
+		case "{hour}":
+			return fmt.Sprintf("%02d", t.Hour())
+		case "{minute}":
+			return fmt.Sprintf("%02d", t.Minute())
+		case "{second}":
+			return fmt.Sprintf("%02d", t.Second())
+		case "{uuid}":
+			return util.GenUUID()
+		}
+		return s
+	})
+	return path
+}
+
+func convertResourceFromStore(resource *store.Resource) *Resource {
+	return &Resource{
+		ID:           resource.ID,
+		CreatorID:    resource.CreatorID,
+		CreatedTs:    resource.CreatedTs,
+		UpdatedTs:    resource.UpdatedTs,
+		Filename:     resource.Filename,
+		Blob:         resource.Blob,
+		InternalPath: resource.InternalPath,
+		ExternalLink: resource.ExternalLink,
+		Type:         resource.Type,
+		Size:         resource.Size,
+	}
+}
+
+// SaveResourceBlob save the blob of resource based on the storage config
+//
+// Depend on the storage config, some fields of *store.ResourceCreate will be changed:
+// 1. *DatabaseStorage*: `create.Blob`.
+// 2. *LocalStorage*: `create.InternalPath`.
+// 3. Others( external service): `create.ExternalLink`.
+func SaveResourceBlob(ctx context.Context, s *store.Store, create *store.Resource, r io.Reader) error {
+	systemSettingStorageServiceID, err := s.GetSystemSetting(ctx, &store.FindSystemSetting{Name: SystemSettingStorageServiceIDName.String()})
+	if err != nil {
+		return errors.Wrap(err, "Failed to find SystemSettingStorageServiceIDName")
+	}
+
+	storageServiceID := DefaultStorage
+	if systemSettingStorageServiceID != nil {
+		err = json.Unmarshal([]byte(systemSettingStorageServiceID.Value), &storageServiceID)
+		if err != nil {
+			return errors.Wrap(err, "Failed to unmarshal storage service id")
+		}
+	}
+
+	// `DatabaseStorage` means store blob into database
+	if storageServiceID == DatabaseStorage {
+		fileBytes, err := io.ReadAll(r)
+		if err != nil {
+			return errors.Wrap(err, "Failed to read file")
+		}
+		create.Blob = fileBytes
+		return nil
+	} else if storageServiceID == LocalStorage {
+		// `LocalStorage` means save blob into local disk
+		systemSettingLocalStoragePath, err := s.GetSystemSetting(ctx, &store.FindSystemSetting{Name: SystemSettingLocalStoragePathName.String()})
+		if err != nil {
+			return errors.Wrap(err, "Failed to find SystemSettingLocalStoragePathName")
+		}
+		localStoragePath := "assets/{timestamp}_{filename}"
+		if systemSettingLocalStoragePath != nil && systemSettingLocalStoragePath.Value != "" {
+			err = json.Unmarshal([]byte(systemSettingLocalStoragePath.Value), &localStoragePath)
+			if err != nil {
+				return errors.Wrap(err, "Failed to unmarshal SystemSettingLocalStoragePathName")
+			}
+		}
+
+		internalPath := localStoragePath
+		if !strings.Contains(internalPath, "{filename}") {
+			internalPath = filepath.Join(internalPath, "{filename}")
+		}
+		internalPath = replacePathTemplate(internalPath, create.Filename)
+		internalPath = filepath.ToSlash(internalPath)
+		create.InternalPath = internalPath
+
+		osPath := filepath.FromSlash(internalPath)
+		if !filepath.IsAbs(osPath) {
+			osPath = filepath.Join(s.Profile.Data, osPath)
+		}
+		dir := filepath.Dir(osPath)
+		if err = os.MkdirAll(dir, os.ModePerm); err != nil {
+			return errors.Wrap(err, "Failed to create directory")
+		}
+		dst, err := os.Create(osPath)
+		if err != nil {
+			return errors.Wrap(err, "Failed to create file")
+		}
+		defer dst.Close()
+		_, err = io.Copy(dst, r)
+		if err != nil {
+			return errors.Wrap(err, "Failed to copy file")
+		}
+
+		return nil
+	}
+
+	// Others: store blob into external service, such as S3
+	storage, err := s.GetStorage(ctx, &store.FindStorage{ID: &storageServiceID})
+	if err != nil {
+		return errors.Wrap(err, "Failed to find StorageServiceID")
+	}
+	if storage == nil {
+		return errors.Errorf("Storage %d not found", storageServiceID)
+	}
+	storageMessage, err := ConvertStorageFromStore(storage)
+	if err != nil {
+		return errors.Wrap(err, "Failed to ConvertStorageFromStore")
+	}
+
+	if storageMessage.Type != StorageS3 {
+		return errors.Errorf("Unsupported storage type: %s", storageMessage.Type)
+	}
+
+	s3Config := storageMessage.Config.S3Config
+	s3Client, err := s3.NewClient(ctx, &s3.Config{
+		AccessKey: s3Config.AccessKey,
+		SecretKey: s3Config.SecretKey,
+		EndPoint:  s3Config.EndPoint,
+		Region:    s3Config.Region,
+		Bucket:    s3Config.Bucket,
+		URLPrefix: s3Config.URLPrefix,
+		URLSuffix: s3Config.URLSuffix,
+	})
+	if err != nil {
+		return errors.Wrap(err, "Failed to create s3 client")
+	}
+
+	filePath := s3Config.Path
+	if !strings.Contains(filePath, "{filename}") {
+		filePath = filepath.Join(filePath, "{filename}")
+	}
+	filePath = replacePathTemplate(filePath, create.Filename)
+
+	link, err := s3Client.UploadFile(ctx, filePath, create.Type, r)
+	if err != nil {
+		return errors.Wrap(err, "Failed to upload via s3 client")
+	}
+
+	create.ExternalLink = link
+	return nil
+}
--- a/api/v1/rss.go
+++ b/api/v1/rss.go
@@ -0,0 +1,201 @@
+package v1
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/gorilla/feeds"
+	"github.com/labstack/echo/v4"
+
+	"github.com/usememos/memos/internal/util"
+	"github.com/usememos/memos/plugin/gomark/ast"
+	"github.com/usememos/memos/plugin/gomark/parser"
+	"github.com/usememos/memos/plugin/gomark/parser/tokenizer"
+	"github.com/usememos/memos/plugin/gomark/renderer"
+	"github.com/usememos/memos/store"
+)
+
+const (
+	maxRSSItemCount       = 100
+	maxRSSItemTitleLength = 128
+)
+
+func (s *APIV1Service) registerRSSRoutes(g *echo.Group) {
+	g.GET("/explore/rss.xml", s.GetExploreRSS)
+	g.GET("/u/:id/rss.xml", s.GetUserRSS)
+}
+
+// GetExploreRSS godoc
+//
+//	@Summary	Get RSS
+//	@Tags		rss
+//	@Produce	xml
+//	@Success	200	{object}	nil	"RSS"
+//	@Failure	500	{object}	nil	"Failed to get system customized profile | Failed to find memo list | Failed to generate rss"
+//	@Router		/explore/rss.xml [GET]
+func (s *APIV1Service) GetExploreRSS(c echo.Context) error {
+	ctx := c.Request().Context()
+	systemCustomizedProfile, err := s.getSystemCustomizedProfile(ctx)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to get system customized profile").SetInternal(err)
+	}
+
+	normalStatus := store.Normal
+	memoFind := store.FindMemo{
+		RowStatus:      &normalStatus,
+		VisibilityList: []store.Visibility{store.Public},
+	}
+	memoList, err := s.Store.ListMemos(ctx, &memoFind)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find memo list").SetInternal(err)
+	}
+
+	baseURL := c.Scheme() + "://" + c.Request().Host
+	rss, err := s.generateRSSFromMemoList(ctx, memoList, baseURL, systemCustomizedProfile)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to generate rss").SetInternal(err)
+	}
+	c.Response().Header().Set(echo.HeaderContentType, echo.MIMEApplicationXMLCharsetUTF8)
+	return c.String(http.StatusOK, rss)
+}
+
+// GetUserRSS godoc
+//
+//	@Summary	Get RSS for a user
+//	@Tags		rss
+//	@Produce	xml
+//	@Param		id	path		int	true	"User ID"
+//	@Success	200	{object}	nil	"RSS"
+//	@Failure	400	{object}	nil	"User id is not a number"
+//	@Failure	500	{object}	nil	"Failed to get system customized profile | Failed to find memo list | Failed to generate rss"
+//	@Router		/u/{id}/rss.xml [GET]
+func (s *APIV1Service) GetUserRSS(c echo.Context) error {
+	ctx := c.Request().Context()
+	id, err := util.ConvertStringToInt32(c.Param("id"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "User id is not a number").SetInternal(err)
+	}
+
+	systemCustomizedProfile, err := s.getSystemCustomizedProfile(ctx)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to get system customized profile").SetInternal(err)
+	}
+
+	normalStatus := store.Normal
+	memoFind := store.FindMemo{
+		CreatorID:      &id,
+		RowStatus:      &normalStatus,
+		VisibilityList: []store.Visibility{store.Public},
+	}
+	memoList, err := s.Store.ListMemos(ctx, &memoFind)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find memo list").SetInternal(err)
+	}
+
+	baseURL := c.Scheme() + "://" + c.Request().Host
+	rss, err := s.generateRSSFromMemoList(ctx, memoList, baseURL, systemCustomizedProfile)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to generate rss").SetInternal(err)
+	}
+	c.Response().Header().Set(echo.HeaderContentType, echo.MIMEApplicationXMLCharsetUTF8)
+	return c.String(http.StatusOK, rss)
+}
+
+func (s *APIV1Service) generateRSSFromMemoList(ctx context.Context, memoList []*store.Memo, baseURL string, profile *CustomizedProfile) (string, error) {
+	feed := &feeds.Feed{
+		Title:       profile.Name,
+		Link:        &feeds.Link{Href: baseURL},
+		Description: profile.Description,
+		Created:     time.Now(),
+	}
+
+	var itemCountLimit = util.Min(len(memoList), maxRSSItemCount)
+	feed.Items = make([]*feeds.Item, itemCountLimit)
+	for i := 0; i < itemCountLimit; i++ {
+		memoMessage, err := s.convertMemoFromStore(ctx, memoList[i])
+		if err != nil {
+			return "", err
+		}
+		description, err := getRSSItemDescription(memoMessage.Content)
+		if err != nil {
+			return "", err
+		}
+		feed.Items[i] = &feeds.Item{
+			Title:       getRSSItemTitle(memoMessage.Content),
+			Link:        &feeds.Link{Href: baseURL + "/m/" + fmt.Sprintf("%d", memoMessage.ID)},
+			Description: description,
+			Created:     time.Unix(memoMessage.CreatedTs, 0),
+			Enclosure:   &feeds.Enclosure{Url: baseURL + "/m/" + fmt.Sprintf("%d", memoMessage.ID) + "/image"},
+		}
+		if len(memoMessage.ResourceList) > 0 {
+			resource := memoMessage.ResourceList[0]
+			enclosure := feeds.Enclosure{}
+			if resource.ExternalLink != "" {
+				enclosure.Url = resource.ExternalLink
+			} else {
+				enclosure.Url = baseURL + "/o/r/" + fmt.Sprintf("%d", resource.ID)
+			}
+			enclosure.Length = strconv.Itoa(int(resource.Size))
+			enclosure.Type = resource.Type
+			feed.Items[i].Enclosure = &enclosure
+		}
+	}
+
+	rss, err := feed.ToRss()
+	if err != nil {
+		return "", err
+	}
+	return rss, nil
+}
+
+func (s *APIV1Service) getSystemCustomizedProfile(ctx context.Context) (*CustomizedProfile, error) {
+	systemSetting, err := s.Store.GetSystemSetting(ctx, &store.FindSystemSetting{
+		Name: SystemSettingCustomizedProfileName.String(),
+	})
+	if err != nil {
+		return nil, err
+	}
+	customizedProfile := &CustomizedProfile{
+		Name:       "Memos",
+		Locale:     "en",
+		Appearance: "system",
+	}
+	if systemSetting != nil {
+		if err := json.Unmarshal([]byte(systemSetting.Value), customizedProfile); err != nil {
+			return nil, err
+		}
+	}
+	return customizedProfile, nil
+}
+
+func getRSSItemTitle(content string) string {
+	tokens := tokenizer.Tokenize(content)
+	nodes, _ := parser.Parse(tokens)
+	if len(nodes) > 0 {
+		firstNode := nodes[0]
+		title := renderer.NewStringRenderer().Render([]ast.Node{firstNode})
+		return title
+	}
+
+	title := strings.Split(content, "\n")[0]
+	var titleLengthLimit = util.Min(len(title), maxRSSItemTitleLength)
+	if titleLengthLimit < len(title) {
+		title = title[:titleLengthLimit] + "..."
+	}
+	return title
+}
+
+func getRSSItemDescription(content string) (string, error) {
+	tokens := tokenizer.Tokenize(content)
+	nodes, err := parser.Parse(tokens)
+	if err != nil {
+		return "", err
+	}
+	result := renderer.NewHTMLRenderer().Render(nodes)
+	return result, nil
+}
--- a/api/v1/storage.go
+++ b/api/v1/storage.go
@@ -0,0 +1,315 @@
+package v1
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+
+	"github.com/labstack/echo/v4"
+
+	"github.com/usememos/memos/internal/util"
+	"github.com/usememos/memos/store"
+)
+
+const (
+	// LocalStorage means the storage service is local file system.
+	LocalStorage int32 = -1
+	// DatabaseStorage means the storage service is database.
+	DatabaseStorage int32 = 0
+	// Default storage service is database.
+	DefaultStorage int32 = DatabaseStorage
+)
+
+type StorageType string
+
+const (
+	StorageS3 StorageType = "S3"
+)
+
+func (t StorageType) String() string {
+	return string(t)
+}
+
+type StorageConfig struct {
+	S3Config *StorageS3Config `json:"s3Config"`
+}
+
+type StorageS3Config struct {
+	EndPoint  string `json:"endPoint"`
+	Path      string `json:"path"`
+	Region    string `json:"region"`
+	AccessKey string `json:"accessKey"`
+	SecretKey string `json:"secretKey"`
+	Bucket    string `json:"bucket"`
+	URLPrefix string `json:"urlPrefix"`
+	URLSuffix string `json:"urlSuffix"`
+}
+
+type Storage struct {
+	ID     int32          `json:"id"`
+	Name   string         `json:"name"`
+	Type   StorageType    `json:"type"`
+	Config *StorageConfig `json:"config"`
+}
+
+type CreateStorageRequest struct {
+	Name   string         `json:"name"`
+	Type   StorageType    `json:"type"`
+	Config *StorageConfig `json:"config"`
+}
+
+type UpdateStorageRequest struct {
+	Type   StorageType    `json:"type"`
+	Name   *string        `json:"name"`
+	Config *StorageConfig `json:"config"`
+}
+
+func (s *APIV1Service) registerStorageRoutes(g *echo.Group) {
+	g.GET("/storage", s.GetStorageList)
+	g.POST("/storage", s.CreateStorage)
+	g.PATCH("/storage/:storageId", s.UpdateStorage)
+	g.DELETE("/storage/:storageId", s.DeleteStorage)
+}
+
+// GetStorageList godoc
+//
+//	@Summary	Get a list of storages
+//	@Tags		storage
+//	@Produce	json
+//	@Success	200	{object}	[]store.Storage	"List of storages"
+//	@Failure	401	{object}	nil				"Missing user in session | Unauthorized"
+//	@Failure	500	{object}	nil				"Failed to find user | Failed to convert storage"
+//	@Router		/api/v1/storage [GET]
+func (s *APIV1Service) GetStorageList(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+	}
+
+	user, err := s.Store.GetUser(ctx, &store.FindUser{
+		ID: &userID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+	}
+	// We should only show storage list to host user.
+	if user == nil || user.Role != store.RoleHost {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+	}
+
+	list, err := s.Store.ListStorages(ctx, &store.FindStorage{})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find storage list").SetInternal(err)
+	}
+
+	storageList := []*Storage{}
+	for _, storage := range list {
+		storageMessage, err := ConvertStorageFromStore(storage)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to convert storage").SetInternal(err)
+		}
+		storageList = append(storageList, storageMessage)
+	}
+	return c.JSON(http.StatusOK, storageList)
+}
+
+// CreateStorage godoc
+//
+//	@Summary	Create storage
+//	@Tags		storage
+//	@Accept		json
+//	@Produce	json
+//	@Param		body	body		CreateStorageRequest	true	"Request object."
+//	@Success	200		{object}	store.Storage			"Created storage"
+//	@Failure	400		{object}	nil						"Malformatted post storage request"
+//	@Failure	401		{object}	nil						"Missing user in session"
+//	@Failure	500		{object}	nil						"Failed to find user | Failed to create storage | Failed to convert storage"
+//	@Router		/api/v1/storage [POST]
+func (s *APIV1Service) CreateStorage(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+	}
+
+	user, err := s.Store.GetUser(ctx, &store.FindUser{
+		ID: &userID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+	}
+	if user == nil || user.Role != store.RoleHost {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+	}
+
+	create := &CreateStorageRequest{}
+	if err := json.NewDecoder(c.Request().Body).Decode(create); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Malformatted post storage request").SetInternal(err)
+	}
+
+	configString := ""
+	if create.Type == StorageS3 && create.Config.S3Config != nil {
+		configBytes, err := json.Marshal(create.Config.S3Config)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, "Malformatted post storage request").SetInternal(err)
+		}
+		configString = string(configBytes)
+	}
+
+	storage, err := s.Store.CreateStorage(ctx, &store.Storage{
+		Name:   create.Name,
+		Type:   create.Type.String(),
+		Config: configString,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to create storage").SetInternal(err)
+	}
+	storageMessage, err := ConvertStorageFromStore(storage)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to convert storage").SetInternal(err)
+	}
+	return c.JSON(http.StatusOK, storageMessage)
+}
+
+// DeleteStorage godoc
+//
+//	@Summary	Delete a storage
+//	@Tags		storage
+//	@Produce	json
+//	@Param		storageId	path		int		true	"Storage ID"
+//	@Success	200			{boolean}	true	"Storage deleted"
+//	@Failure	400			{object}	nil		"ID is not a number: %s | Storage service %d is using"
+//	@Failure	401			{object}	nil		"Missing user in session | Unauthorized"
+//	@Failure	500			{object}	nil		"Failed to find user | Failed to find storage | Failed to unmarshal storage service id | Failed to delete storage"
+//	@Router		/api/v1/storage/{storageId} [DELETE]
+//
+// NOTES:
+// - error message "Storage service %d is using" probably should be "Storage service %d is in use".
+func (s *APIV1Service) DeleteStorage(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+	}
+
+	user, err := s.Store.GetUser(ctx, &store.FindUser{
+		ID: &userID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+	}
+	if user == nil || user.Role != store.RoleHost {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+	}
+
+	storageID, err := util.ConvertStringToInt32(c.Param("storageId"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("storageId"))).SetInternal(err)
+	}
+
+	systemSetting, err := s.Store.GetSystemSetting(ctx, &store.FindSystemSetting{Name: SystemSettingStorageServiceIDName.String()})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find storage").SetInternal(err)
+	}
+	if systemSetting != nil {
+		storageServiceID := DefaultStorage
+		err = json.Unmarshal([]byte(systemSetting.Value), &storageServiceID)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to unmarshal storage service id").SetInternal(err)
+		}
+		if storageServiceID == storageID {
+			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("Storage service %d is using", storageID))
+		}
+	}
+
+	if err = s.Store.DeleteStorage(ctx, &store.DeleteStorage{ID: storageID}); err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to delete storage").SetInternal(err)
+	}
+	return c.JSON(http.StatusOK, true)
+}
+
+// UpdateStorage godoc
+//
+//	@Summary	Update a storage
+//	@Tags		storage
+//	@Produce	json
+//	@Param		storageId	path		int						true	"Storage ID"
+//	@Param		patch		body		UpdateStorageRequest	true	"Patch request"
+//	@Success	200			{object}	store.Storage			"Updated resource"
+//	@Failure	400			{object}	nil						"ID is not a number: %s | Malformatted patch storage request | Malformatted post storage request"
+//	@Failure	401			{object}	nil						"Missing user in session | Unauthorized"
+//	@Failure	500			{object}	nil						"Failed to find user | Failed to patch storage | Failed to convert storage"
+//	@Router		/api/v1/storage/{storageId} [PATCH]
+func (s *APIV1Service) UpdateStorage(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+	}
+
+	user, err := s.Store.GetUser(ctx, &store.FindUser{
+		ID: &userID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+	}
+	if user == nil || user.Role != store.RoleHost {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+	}
+
+	storageID, err := util.ConvertStringToInt32(c.Param("storageId"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("storageId"))).SetInternal(err)
+	}
+
+	update := &UpdateStorageRequest{}
+	if err := json.NewDecoder(c.Request().Body).Decode(update); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Malformatted patch storage request").SetInternal(err)
+	}
+	storageUpdate := &store.UpdateStorage{
+		ID: storageID,
+	}
+	if update.Name != nil {
+		storageUpdate.Name = update.Name
+	}
+	if update.Config != nil {
+		if update.Type == StorageS3 {
+			configBytes, err := json.Marshal(update.Config.S3Config)
+			if err != nil {
+				return echo.NewHTTPError(http.StatusBadRequest, "Malformatted post storage request").SetInternal(err)
+			}
+			configString := string(configBytes)
+			storageUpdate.Config = &configString
+		}
+	}
+
+	storage, err := s.Store.UpdateStorage(ctx, storageUpdate)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to patch storage").SetInternal(err)
+	}
+	storageMessage, err := ConvertStorageFromStore(storage)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to convert storage").SetInternal(err)
+	}
+	return c.JSON(http.StatusOK, storageMessage)
+}
+
+func ConvertStorageFromStore(storage *store.Storage) (*Storage, error) {
+	storageMessage := &Storage{
+		ID:     storage.ID,
+		Name:   storage.Name,
+		Type:   StorageType(storage.Type),
+		Config: &StorageConfig{},
+	}
+	if storageMessage.Type == StorageS3 {
+		s3Config := &StorageS3Config{}
+		if err := json.Unmarshal([]byte(storage.Config), s3Config); err != nil {
+			return nil, err
+		}
+		storageMessage.Config = &StorageConfig{
+			S3Config: s3Config,
+		}
+	}
+	return storageMessage, nil
+}
--- a/api/v1/swagger.yaml
+++ b/api/v1/swagger.yaml
--- a/api/v1/system.go
+++ b/api/v1/system.go
@@ -0,0 +1,179 @@
+package v1
+
+import (
+	"encoding/json"
+	"net/http"
+
+	"github.com/labstack/echo/v4"
+	"go.uber.org/zap"
+
+	"github.com/usememos/memos/internal/log"
+	"github.com/usememos/memos/server/profile"
+	"github.com/usememos/memos/store"
+)
+
+type SystemStatus struct {
+	Host    *User           `json:"host"`
+	Profile profile.Profile `json:"profile"`
+	DBSize  int64           `json:"dbSize"`
+
+	// System settings
+	// Allow sign up.
+	AllowSignUp bool `json:"allowSignUp"`
+	// Disable password login.
+	DisablePasswordLogin bool `json:"disablePasswordLogin"`
+	// Disable public memos.
+	DisablePublicMemos bool `json:"disablePublicMemos"`
+	// Max upload size.
+	MaxUploadSizeMiB int `json:"maxUploadSizeMiB"`
+	// Additional style.
+	AdditionalStyle string `json:"additionalStyle"`
+	// Additional script.
+	AdditionalScript string `json:"additionalScript"`
+	// Customized server profile, including server name and external url.
+	CustomizedProfile CustomizedProfile `json:"customizedProfile"`
+	// Storage service ID.
+	StorageServiceID int32 `json:"storageServiceId"`
+	// Local storage path.
+	LocalStoragePath string `json:"localStoragePath"`
+	// Memo display with updated timestamp.
+	MemoDisplayWithUpdatedTs bool `json:"memoDisplayWithUpdatedTs"`
+}
+
+func (s *APIV1Service) registerSystemRoutes(g *echo.Group) {
+	g.GET("/ping", s.PingSystem)
+	g.GET("/status", s.GetSystemStatus)
+	g.POST("/system/vacuum", s.ExecVacuum)
+}
+
+// PingSystem godoc
+//
+//	@Summary	Ping the system
+//	@Tags		system
+//	@Produce	json
+//	@Success	200	{boolean}	true	"If succeed to ping the system"
+//	@Router		/api/v1/ping [GET]
+func (*APIV1Service) PingSystem(c echo.Context) error {
+	return c.JSON(http.StatusOK, true)
+}
+
+// GetSystemStatus godoc
+//
+//	@Summary	Get system GetSystemStatus
+//	@Tags		system
+//	@Produce	json
+//	@Success	200	{object}	SystemStatus	"System GetSystemStatus"
+//	@Failure	401	{object}	nil				"Missing user in session | Unauthorized"
+//	@Failure	500	{object}	nil				"Failed to find host user | Failed to find system setting list | Failed to unmarshal system setting customized profile value"
+//	@Router		/api/v1/status [GET]
+func (s *APIV1Service) GetSystemStatus(c echo.Context) error {
+	ctx := c.Request().Context()
+
+	systemStatus := SystemStatus{
+		Profile: profile.Profile{
+			Mode:    s.Profile.Mode,
+			Version: s.Profile.Version,
+		},
+		// Allow sign up by default.
+		AllowSignUp:      true,
+		MaxUploadSizeMiB: 32,
+		CustomizedProfile: CustomizedProfile{
+			Name:       "Memos",
+			Locale:     "en",
+			Appearance: "system",
+		},
+		StorageServiceID: DefaultStorage,
+		LocalStoragePath: "assets/{timestamp}_{filename}",
+	}
+
+	hostUserType := store.RoleHost
+	hostUser, err := s.Store.GetUser(ctx, &store.FindUser{
+		Role: &hostUserType,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find host user").SetInternal(err)
+	}
+	if hostUser != nil {
+		systemStatus.Host = &User{ID: hostUser.ID}
+	}
+
+	systemSettingList, err := s.Store.ListSystemSettings(ctx, &store.FindSystemSetting{})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find system setting list").SetInternal(err)
+	}
+	for _, systemSetting := range systemSettingList {
+		if systemSetting.Name == SystemSettingServerIDName.String() || systemSetting.Name == SystemSettingSecretSessionName.String() || systemSetting.Name == SystemSettingTelegramBotTokenName.String() || systemSetting.Name == SystemSettingInstanceURLName.String() {
+			continue
+		}
+
+		var baseValue any
+		err := json.Unmarshal([]byte(systemSetting.Value), &baseValue)
+		if err != nil {
+			// Skip invalid value.
+			continue
+		}
+
+		switch systemSetting.Name {
+		case SystemSettingAllowSignUpName.String():
+			systemStatus.AllowSignUp = baseValue.(bool)
+		case SystemSettingDisablePasswordLoginName.String():
+			systemStatus.DisablePasswordLogin = baseValue.(bool)
+		case SystemSettingDisablePublicMemosName.String():
+			systemStatus.DisablePublicMemos = baseValue.(bool)
+		case SystemSettingMaxUploadSizeMiBName.String():
+			systemStatus.MaxUploadSizeMiB = int(baseValue.(float64))
+		case SystemSettingAdditionalStyleName.String():
+			systemStatus.AdditionalStyle = baseValue.(string)
+		case SystemSettingAdditionalScriptName.String():
+			systemStatus.AdditionalScript = baseValue.(string)
+		case SystemSettingCustomizedProfileName.String():
+			customizedProfile := CustomizedProfile{}
+			if err := json.Unmarshal([]byte(systemSetting.Value), &customizedProfile); err != nil {
+				return echo.NewHTTPError(http.StatusInternalServerError, "Failed to unmarshal system setting customized profile value").SetInternal(err)
+			}
+			systemStatus.CustomizedProfile = customizedProfile
+		case SystemSettingStorageServiceIDName.String():
+			systemStatus.StorageServiceID = int32(baseValue.(float64))
+		case SystemSettingLocalStoragePathName.String():
+			systemStatus.LocalStoragePath = baseValue.(string)
+		case SystemSettingMemoDisplayWithUpdatedTsName.String():
+			systemStatus.MemoDisplayWithUpdatedTs = baseValue.(bool)
+		default:
+			log.Warn("Unknown system setting name", zap.String("setting name", systemSetting.Name))
+		}
+	}
+
+	return c.JSON(http.StatusOK, systemStatus)
+}
+
+// ExecVacuum godoc
+//
+//	@Summary	Vacuum the database
+//	@Tags		system
+//	@Produce	json
+//	@Success	200	{boolean}	true	"Database vacuumed"
+//	@Failure	401	{object}	nil		"Missing user in session | Unauthorized"
+//	@Failure	500	{object}	nil		"Failed to find user | Failed to ExecVacuum database"
+//	@Router		/api/v1/system/vacuum [POST]
+func (s *APIV1Service) ExecVacuum(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+	}
+
+	user, err := s.Store.GetUser(ctx, &store.FindUser{
+		ID: &userID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+	}
+	if user == nil || user.Role != store.RoleHost {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+	}
+
+	if err := s.Store.Vacuum(ctx); err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to vacuum database").SetInternal(err)
+	}
+	return c.JSON(http.StatusOK, true)
+}
--- a/api/v1/system_setting.go
+++ b/api/v1/system_setting.go
@@ -0,0 +1,298 @@
+package v1
+
+import (
+	"encoding/json"
+	"net/http"
+	"path/filepath"
+	"strings"
+
+	"github.com/labstack/echo/v4"
+	"github.com/pkg/errors"
+
+	"github.com/usememos/memos/store"
+)
+
+type SystemSettingName string
+
+const (
+	// SystemSettingServerIDName is the name of server id.
+	SystemSettingServerIDName SystemSettingName = "server-id"
+	// SystemSettingSecretSessionName is the name of secret session.
+	SystemSettingSecretSessionName SystemSettingName = "secret-session"
+	// SystemSettingAllowSignUpName is the name of allow signup setting.
+	SystemSettingAllowSignUpName SystemSettingName = "allow-signup"
+	// SystemSettingDisablePasswordLoginName is the name of disable password login setting.
+	SystemSettingDisablePasswordLoginName SystemSettingName = "disable-password-login"
+	// SystemSettingDisablePublicMemosName is the name of disable public memos setting.
+	SystemSettingDisablePublicMemosName SystemSettingName = "disable-public-memos"
+	// SystemSettingMaxUploadSizeMiBName is the name of max upload size setting.
+	SystemSettingMaxUploadSizeMiBName SystemSettingName = "max-upload-size-mib"
+	// SystemSettingAdditionalStyleName is the name of additional style.
+	SystemSettingAdditionalStyleName SystemSettingName = "additional-style"
+	// SystemSettingAdditionalScriptName is the name of additional script.
+	SystemSettingAdditionalScriptName SystemSettingName = "additional-script"
+	// SystemSettingCustomizedProfileName is the name of customized server profile.
+	SystemSettingCustomizedProfileName SystemSettingName = "customized-profile"
+	// SystemSettingStorageServiceIDName is the name of storage service ID.
+	SystemSettingStorageServiceIDName SystemSettingName = "storage-service-id"
+	// SystemSettingLocalStoragePathName is the name of local storage path.
+	SystemSettingLocalStoragePathName SystemSettingName = "local-storage-path"
+	// SystemSettingTelegramBotTokenName is the name of Telegram Bot Token.
+	SystemSettingTelegramBotTokenName SystemSettingName = "telegram-bot-token"
+	// SystemSettingMemoDisplayWithUpdatedTsName is the name of memo display with updated ts.
+	SystemSettingMemoDisplayWithUpdatedTsName SystemSettingName = "memo-display-with-updated-ts"
+	// SystemSettingInstanceURLName is the name of instance url setting.
+	SystemSettingInstanceURLName SystemSettingName = "instance-url"
+)
+const systemSettingUnmarshalError = `failed to unmarshal value from system setting "%v"`
+
+// CustomizedProfile is the struct definition for SystemSettingCustomizedProfileName system setting item.
+type CustomizedProfile struct {
+	// Name is the server name, default is `memos`
+	Name string `json:"name"`
+	// LogoURL is the url of logo image.
+	LogoURL string `json:"logoUrl"`
+	// Description is the server description.
+	Description string `json:"description"`
+	// Locale is the server default locale.
+	Locale string `json:"locale"`
+	// Appearance is the server default appearance.
+	Appearance string `json:"appearance"`
+	// ExternalURL is the external url of server. e.g. https://usermemos.com
+	ExternalURL string `json:"externalUrl"`
+}
+
+func (key SystemSettingName) String() string {
+	return string(key)
+}
+
+type SystemSetting struct {
+	Name SystemSettingName `json:"name"`
+	// Value is a JSON string with basic value.
+	Value       string `json:"value"`
+	Description string `json:"description"`
+}
+
+type UpsertSystemSettingRequest struct {
+	Name        SystemSettingName `json:"name"`
+	Value       string            `json:"value"`
+	Description string            `json:"description"`
+}
+
+func (s *APIV1Service) registerSystemSettingRoutes(g *echo.Group) {
+	g.GET("/system/setting", s.GetSystemSettingList)
+	g.POST("/system/setting", s.CreateSystemSetting)
+}
+
+// GetSystemSettingList godoc
+//
+//	@Summary	Get a list of system settings
+//	@Tags		system-setting
+//	@Produce	json
+//	@Success	200	{object}	[]SystemSetting	"System setting list"
+//	@Failure	401	{object}	nil				"Missing user in session | Unauthorized"
+//	@Failure	500	{object}	nil				"Failed to find user | Failed to find system setting list"
+//	@Router		/api/v1/system/setting [GET]
+func (s *APIV1Service) GetSystemSettingList(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+	}
+
+	user, err := s.Store.GetUser(ctx, &store.FindUser{
+		ID: &userID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+	}
+	if user == nil || user.Role != store.RoleHost {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+	}
+
+	list, err := s.Store.ListSystemSettings(ctx, &store.FindSystemSetting{})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find system setting list").SetInternal(err)
+	}
+
+	systemSettingList := make([]*SystemSetting, 0, len(list))
+	for _, systemSetting := range list {
+		systemSettingList = append(systemSettingList, convertSystemSettingFromStore(systemSetting))
+	}
+	return c.JSON(http.StatusOK, systemSettingList)
+}
+
+// CreateSystemSetting godoc
+//
+//	@Summary	Create system setting
+//	@Tags		system-setting
+//	@Accept		json
+//	@Produce	json
+//	@Param		body	body		UpsertSystemSettingRequest	true	"Request object."
+//	@Success	200		{object}	store.SystemSetting			"Created system setting"
+//	@Failure	400		{object}	nil							"Malformatted post system setting request | invalid system setting"
+//	@Failure	401		{object}	nil							"Missing user in session | Unauthorized"
+//	@Failure	403		{object}	nil							"Cannot disable passwords if no SSO identity provider is configured."
+//	@Failure	500		{object}	nil							"Failed to find user | Failed to upsert system setting"
+//	@Router		/api/v1/system/setting [POST]
+func (s *APIV1Service) CreateSystemSetting(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+	}
+
+	user, err := s.Store.GetUser(ctx, &store.FindUser{
+		ID: &userID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+	}
+	if user == nil || user.Role != store.RoleHost {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized")
+	}
+
+	systemSettingUpsert := &UpsertSystemSettingRequest{}
+	if err := json.NewDecoder(c.Request().Body).Decode(systemSettingUpsert); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Malformatted post system setting request").SetInternal(err)
+	}
+	if err := systemSettingUpsert.Validate(); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "invalid system setting").SetInternal(err)
+	}
+	if systemSettingUpsert.Name == SystemSettingDisablePasswordLoginName {
+		var disablePasswordLogin bool
+		if err := json.Unmarshal([]byte(systemSettingUpsert.Value), &disablePasswordLogin); err != nil {
+			return echo.NewHTTPError(http.StatusBadRequest, "invalid system setting").SetInternal(err)
+		}
+
+		identityProviderList, err := s.Store.ListIdentityProviders(ctx, &store.FindIdentityProvider{})
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to upsert system setting").SetInternal(err)
+		}
+		if disablePasswordLogin && len(identityProviderList) == 0 {
+			return echo.NewHTTPError(http.StatusForbidden, "Cannot disable passwords if no SSO identity provider is configured.")
+		}
+	}
+
+	systemSetting, err := s.Store.UpsertSystemSetting(ctx, &store.SystemSetting{
+		Name:        systemSettingUpsert.Name.String(),
+		Value:       systemSettingUpsert.Value,
+		Description: systemSettingUpsert.Description,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to upsert system setting").SetInternal(err)
+	}
+	return c.JSON(http.StatusOK, convertSystemSettingFromStore(systemSetting))
+}
+
+func (upsert UpsertSystemSettingRequest) Validate() error {
+	switch settingName := upsert.Name; settingName {
+	case SystemSettingServerIDName:
+		return errors.Errorf("updating %v is not allowed", settingName)
+	case SystemSettingAllowSignUpName:
+		var value bool
+		if err := json.Unmarshal([]byte(upsert.Value), &value); err != nil {
+			return errors.Errorf(systemSettingUnmarshalError, settingName)
+		}
+	case SystemSettingDisablePasswordLoginName:
+		var value bool
+		if err := json.Unmarshal([]byte(upsert.Value), &value); err != nil {
+			return errors.Errorf(systemSettingUnmarshalError, settingName)
+		}
+	case SystemSettingDisablePublicMemosName:
+		var value bool
+		if err := json.Unmarshal([]byte(upsert.Value), &value); err != nil {
+			return errors.Errorf(systemSettingUnmarshalError, settingName)
+		}
+	case SystemSettingMaxUploadSizeMiBName:
+		var value int
+		if err := json.Unmarshal([]byte(upsert.Value), &value); err != nil {
+			return errors.Errorf(systemSettingUnmarshalError, settingName)
+		}
+	case SystemSettingAdditionalStyleName:
+		var value string
+		if err := json.Unmarshal([]byte(upsert.Value), &value); err != nil {
+			return errors.Errorf(systemSettingUnmarshalError, settingName)
+		}
+	case SystemSettingAdditionalScriptName:
+		var value string
+		if err := json.Unmarshal([]byte(upsert.Value), &value); err != nil {
+			return errors.Errorf(systemSettingUnmarshalError, settingName)
+		}
+	case SystemSettingCustomizedProfileName:
+		customizedProfile := CustomizedProfile{
+			Name:        "memos",
+			LogoURL:     "",
+			Description: "",
+			Locale:      "en",
+			Appearance:  "system",
+			ExternalURL: "",
+		}
+		if err := json.Unmarshal([]byte(upsert.Value), &customizedProfile); err != nil {
+			return errors.Errorf(systemSettingUnmarshalError, settingName)
+		}
+	case SystemSettingStorageServiceIDName:
+		// Note: 0 is the default value(database) for storage service ID.
+		value := 0
+		if err := json.Unmarshal([]byte(upsert.Value), &value); err != nil {
+			return errors.Errorf(systemSettingUnmarshalError, settingName)
+		}
+		return nil
+	case SystemSettingLocalStoragePathName:
+		value := ""
+		if err := json.Unmarshal([]byte(upsert.Value), &value); err != nil {
+			return errors.Errorf(systemSettingUnmarshalError, settingName)
+		}
+
+		trimmedValue := strings.TrimSpace(value)
+		switch {
+		case trimmedValue != value:
+			return errors.New("local storage path must not contain leading or trailing whitespace")
+		case trimmedValue == "":
+			return errors.New("local storage path can't be empty")
+		case strings.Contains(trimmedValue, "\\"):
+			return errors.New("local storage path must use forward slashes `/`")
+		case strings.Contains(trimmedValue, "../"):
+			return errors.New("local storage path is not allowed to contain `../`")
+		case strings.HasPrefix(trimmedValue, "./"):
+			return errors.New("local storage path is not allowed to start with `./`")
+		case filepath.IsAbs(trimmedValue) || trimmedValue[0] == '/':
+			return errors.New("local storage path must be a relative path")
+		case !strings.Contains(trimmedValue, "{filename}"):
+			return errors.New("local storage path must contain `{filename}`")
+		}
+	case SystemSettingTelegramBotTokenName:
+		if upsert.Value == "" {
+			return nil
+		}
+		// Bot Token with Reverse Proxy shoule like `http.../bot<token>`
+		if strings.HasPrefix(upsert.Value, "http") {
+			slashIndex := strings.LastIndexAny(upsert.Value, "/")
+			if strings.HasPrefix(upsert.Value[slashIndex:], "/bot") {
+				return nil
+			}
+			return errors.New("token start with `http` must end with `/bot<token>`")
+		}
+		fragments := strings.Split(upsert.Value, ":")
+		if len(fragments) != 2 {
+			return errors.Errorf(systemSettingUnmarshalError, settingName)
+		}
+	case SystemSettingMemoDisplayWithUpdatedTsName:
+		var value bool
+		if err := json.Unmarshal([]byte(upsert.Value), &value); err != nil {
+			return errors.Errorf(systemSettingUnmarshalError, settingName)
+		}
+	case SystemSettingInstanceURLName:
+	default:
+		return errors.New("invalid system setting name")
+	}
+	return nil
+}
+
+func convertSystemSettingFromStore(systemSetting *store.SystemSetting) *SystemSetting {
+	return &SystemSetting{
+		Name:        SystemSettingName(systemSetting.Name),
+		Value:       systemSetting.Value,
+		Description: systemSetting.Description,
+	}
+}
--- a/api/v1/tag.go
+++ b/api/v1/tag.go
@@ -0,0 +1,218 @@
+package v1
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"regexp"
+	"sort"
+
+	"github.com/labstack/echo/v4"
+	"golang.org/x/exp/slices"
+
+	"github.com/usememos/memos/store"
+)
+
+type Tag struct {
+	Name      string
+	CreatorID int32
+}
+
+type UpsertTagRequest struct {
+	Name string `json:"name"`
+}
+
+type DeleteTagRequest struct {
+	Name string `json:"name"`
+}
+
+func (s *APIV1Service) registerTagRoutes(g *echo.Group) {
+	g.GET("/tag", s.GetTagList)
+	g.POST("/tag", s.CreateTag)
+	g.GET("/tag/suggestion", s.GetTagSuggestion)
+	g.POST("/tag/delete", s.DeleteTag)
+}
+
+// GetTagList godoc
+//
+//	@Summary	Get a list of tags
+//	@Tags		tag
+//	@Produce	json
+//	@Success	200	{object}	[]string	"Tag list"
+//	@Failure	400	{object}	nil			"Missing user id to find tag"
+//	@Failure	500	{object}	nil			"Failed to find tag list"
+//	@Router		/api/v1/tag [GET]
+func (s *APIV1Service) GetTagList(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusBadRequest, "Missing user id to find tag")
+	}
+
+	list, err := s.Store.ListTags(ctx, &store.FindTag{
+		CreatorID: userID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find tag list").SetInternal(err)
+	}
+
+	tagNameList := []string{}
+	for _, tag := range list {
+		tagNameList = append(tagNameList, tag.Name)
+	}
+	return c.JSON(http.StatusOK, tagNameList)
+}
+
+// CreateTag godoc
+//
+//	@Summary	Create a tag
+//	@Tags		tag
+//	@Accept		json
+//	@Produce	json
+//	@Param		body	body		UpsertTagRequest	true	"Request object."
+//	@Success	200		{object}	string				"Created tag name"
+//	@Failure	400		{object}	nil					"Malformatted post tag request | Tag name shouldn't be empty"
+//	@Failure	401		{object}	nil					"Missing user in session"
+//	@Failure	500		{object}	nil					"Failed to upsert tag | Failed to create activity"
+//	@Router		/api/v1/tag [POST]
+func (s *APIV1Service) CreateTag(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+	}
+
+	tagUpsert := &UpsertTagRequest{}
+	if err := json.NewDecoder(c.Request().Body).Decode(tagUpsert); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Malformatted post tag request").SetInternal(err)
+	}
+	if tagUpsert.Name == "" {
+		return echo.NewHTTPError(http.StatusBadRequest, "Tag name shouldn't be empty")
+	}
+
+	tag, err := s.Store.UpsertTag(ctx, &store.Tag{
+		Name:      tagUpsert.Name,
+		CreatorID: userID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to upsert tag").SetInternal(err)
+	}
+	tagMessage := convertTagFromStore(tag)
+	return c.JSON(http.StatusOK, tagMessage.Name)
+}
+
+// DeleteTag godoc
+//
+//	@Summary	Delete a tag
+//	@Tags		tag
+//	@Accept		json
+//	@Produce	json
+//	@Param		body	body		DeleteTagRequest	true	"Request object."
+//	@Success	200		{boolean}	true				"Tag deleted"
+//	@Failure	400		{object}	nil					"Malformatted post tag request | Tag name shouldn't be empty"
+//	@Failure	401		{object}	nil					"Missing user in session"
+//	@Failure	500		{object}	nil					"Failed to delete tag name: %v"
+//	@Router		/api/v1/tag/delete [POST]
+func (s *APIV1Service) DeleteTag(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+	}
+
+	tagDelete := &DeleteTagRequest{}
+	if err := json.NewDecoder(c.Request().Body).Decode(tagDelete); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Malformatted post tag request").SetInternal(err)
+	}
+	if tagDelete.Name == "" {
+		return echo.NewHTTPError(http.StatusBadRequest, "Tag name shouldn't be empty")
+	}
+
+	err := s.Store.DeleteTag(ctx, &store.DeleteTag{
+		Name:      tagDelete.Name,
+		CreatorID: userID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, fmt.Sprintf("Failed to delete tag name: %v", tagDelete.Name)).SetInternal(err)
+	}
+	return c.JSON(http.StatusOK, true)
+}
+
+// GetTagSuggestion godoc
+//
+//	@Summary	Get a list of tags suggested from other memos contents
+//	@Tags		tag
+//	@Produce	json
+//	@Success	200	{object}	[]string	"Tag list"
+//	@Failure	400	{object}	nil			"Missing user session"
+//	@Failure	500	{object}	nil			"Failed to find memo list | Failed to find tag list"
+//	@Router		/api/v1/tag/suggestion [GET]
+func (s *APIV1Service) GetTagSuggestion(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusBadRequest, "Missing user session")
+	}
+	normalRowStatus := store.Normal
+	memoFind := &store.FindMemo{
+		CreatorID:     &userID,
+		ContentSearch: []string{"#"},
+		RowStatus:     &normalRowStatus,
+	}
+
+	memoMessageList, err := s.Store.ListMemos(ctx, memoFind)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find memo list").SetInternal(err)
+	}
+
+	list, err := s.Store.ListTags(ctx, &store.FindTag{
+		CreatorID: userID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find tag list").SetInternal(err)
+	}
+	tagNameList := []string{}
+	for _, tag := range list {
+		tagNameList = append(tagNameList, tag.Name)
+	}
+
+	tagMapSet := make(map[string]bool)
+	for _, memo := range memoMessageList {
+		for _, tag := range findTagListFromMemoContent(memo.Content) {
+			if !slices.Contains(tagNameList, tag) {
+				tagMapSet[tag] = true
+			}
+		}
+	}
+	tagList := []string{}
+	for tag := range tagMapSet {
+		tagList = append(tagList, tag)
+	}
+	sort.Strings(tagList)
+	return c.JSON(http.StatusOK, tagList)
+}
+
+func convertTagFromStore(tag *store.Tag) *Tag {
+	return &Tag{
+		Name:      tag.Name,
+		CreatorID: tag.CreatorID,
+	}
+}
+
+var tagRegexp = regexp.MustCompile(`#([^\s#,]+)`)
+
+func findTagListFromMemoContent(memoContent string) []string {
+	tagMapSet := make(map[string]bool)
+	matches := tagRegexp.FindAllStringSubmatch(memoContent, -1)
+	for _, v := range matches {
+		tagName := v[1]
+		tagMapSet[tagName] = true
+	}
+
+	tagList := []string{}
+	for tag := range tagMapSet {
+		tagList = append(tagList, tag)
+	}
+	sort.Strings(tagList)
+	return tagList
+}
--- a/api/v1/tag_test.go
+++ b/api/v1/tag_test.go
@@ -1,4 +1,4 @@
-package server
+package v1

 import (
 	"testing"
--- a/api/v1/user.go
+++ b/api/v1/user.go
@@ -0,0 +1,489 @@
+package v1
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http"
+	"strings"
+	"time"
+
+	"github.com/labstack/echo/v4"
+	"github.com/pkg/errors"
+	"golang.org/x/crypto/bcrypt"
+
+	"github.com/usememos/memos/internal/util"
+	"github.com/usememos/memos/server/service/metric"
+	"github.com/usememos/memos/store"
+)
+
+// Role is the type of a role.
+type Role string
+
+const (
+	// RoleHost is the HOST role.
+	RoleHost Role = "HOST"
+	// RoleAdmin is the ADMIN role.
+	RoleAdmin Role = "ADMIN"
+	// RoleUser is the USER role.
+	RoleUser Role = "USER"
+)
+
+func (role Role) String() string {
+	return string(role)
+}
+
+type User struct {
+	ID int32 `json:"id"`
+
+	// Standard fields
+	RowStatus RowStatus `json:"rowStatus"`
+	CreatedTs int64     `json:"createdTs"`
+	UpdatedTs int64     `json:"updatedTs"`
+
+	// Domain specific fields
+	Username     string `json:"username"`
+	Role         Role   `json:"role"`
+	Email        string `json:"email"`
+	Nickname     string `json:"nickname"`
+	PasswordHash string `json:"-"`
+	AvatarURL    string `json:"avatarUrl"`
+}
+
+type CreateUserRequest struct {
+	Username string `json:"username"`
+	Role     Role   `json:"role"`
+	Email    string `json:"email"`
+	Nickname string `json:"nickname"`
+	Password string `json:"password"`
+}
+
+type UpdateUserRequest struct {
+	RowStatus *RowStatus `json:"rowStatus"`
+	Username  *string    `json:"username"`
+	Email     *string    `json:"email"`
+	Nickname  *string    `json:"nickname"`
+	Password  *string    `json:"password"`
+	AvatarURL *string    `json:"avatarUrl"`
+}
+
+func (s *APIV1Service) registerUserRoutes(g *echo.Group) {
+	g.GET("/user", s.GetUserList)
+	g.POST("/user", s.CreateUser)
+	g.GET("/user/me", s.GetCurrentUser)
+	// NOTE: This should be moved to /api/v2/user/:username
+	g.GET("/user/name/:username", s.GetUserByUsername)
+	g.GET("/user/:id", s.GetUserByID)
+	g.PATCH("/user/:id", s.UpdateUser)
+	g.DELETE("/user/:id", s.DeleteUser)
+}
+
+// GetUserList godoc
+//
+//	@Summary	Get a list of users
+//	@Tags		user
+//	@Produce	json
+//	@Success	200	{object}	[]store.User	"User list"
+//	@Failure	500	{object}	nil				"Failed to fetch user list"
+//	@Router		/api/v1/user [GET]
+func (s *APIV1Service) GetUserList(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing auth session")
+	}
+	currentUser, err := s.Store.GetUser(ctx, &store.FindUser{
+		ID: &userID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user by id").SetInternal(err)
+	}
+	if currentUser == nil {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing auth session")
+	}
+	if currentUser.Role != store.RoleHost && currentUser.Role != store.RoleAdmin {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized to list users")
+	}
+
+	list, err := s.Store.ListUsers(ctx, &store.FindUser{})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to fetch user list").SetInternal(err)
+	}
+
+	userMessageList := make([]*User, 0, len(list))
+	for _, user := range list {
+		userMessage := convertUserFromStore(user)
+		// data desensitize
+		userMessage.Email = ""
+		userMessageList = append(userMessageList, userMessage)
+	}
+	return c.JSON(http.StatusOK, userMessageList)
+}
+
+// CreateUser godoc
+//
+//	@Summary	Create a user
+//	@Tags		user
+//	@Accept		json
+//	@Produce	json
+//	@Param		body	body		CreateUserRequest	true	"Request object"
+//	@Success	200		{object}	store.User			"Created user"
+//	@Failure	400		{object}	nil					"Malformatted post user request | Invalid user create format"
+//	@Failure	401		{object}	nil					"Missing auth session | Unauthorized to create user"
+//	@Failure	403		{object}	nil					"Could not create host user"
+//	@Failure	500		{object}	nil					"Failed to find user by id | Failed to generate password hash | Failed to create user | Failed to create activity"
+//	@Router		/api/v1/user [POST]
+func (s *APIV1Service) CreateUser(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing auth session")
+	}
+	currentUser, err := s.Store.GetUser(ctx, &store.FindUser{
+		ID: &userID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user by id").SetInternal(err)
+	}
+	if currentUser == nil {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing auth session")
+	}
+	if currentUser.Role != store.RoleHost {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Unauthorized to create user")
+	}
+
+	userCreate := &CreateUserRequest{}
+	if err := json.NewDecoder(c.Request().Body).Decode(userCreate); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Malformatted post user request").SetInternal(err)
+	}
+	if err := userCreate.Validate(); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Invalid user create format").SetInternal(err)
+	}
+	if !usernameMatcher.MatchString(strings.ToLower(userCreate.Username)) {
+		return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("Invalid username %s", userCreate.Username)).SetInternal(err)
+	}
+	// Disallow host user to be created.
+	if userCreate.Role == RoleHost {
+		return echo.NewHTTPError(http.StatusForbidden, "Could not create host user")
+	}
+
+	passwordHash, err := bcrypt.GenerateFromPassword([]byte(userCreate.Password), bcrypt.DefaultCost)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to generate password hash").SetInternal(err)
+	}
+
+	user, err := s.Store.CreateUser(ctx, &store.User{
+		Username:     userCreate.Username,
+		Role:         store.Role(userCreate.Role),
+		Email:        userCreate.Email,
+		Nickname:     userCreate.Nickname,
+		PasswordHash: string(passwordHash),
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to create user").SetInternal(err)
+	}
+
+	userMessage := convertUserFromStore(user)
+	metric.Enqueue("user create")
+	return c.JSON(http.StatusOK, userMessage)
+}
+
+// GetCurrentUser godoc
+//
+//	@Summary	Get current user
+//	@Tags		user
+//	@Produce	json
+//	@Success	200	{object}	store.User	"Current user"
+//	@Failure	401	{object}	nil			"Missing auth session"
+//	@Failure	500	{object}	nil			"Failed to find user | Failed to find userSettingList"
+//	@Router		/api/v1/user/me [GET]
+func (s *APIV1Service) GetCurrentUser(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing auth session")
+	}
+
+	user, err := s.Store.GetUser(ctx, &store.FindUser{ID: &userID})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+	}
+	if user == nil {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing auth session")
+	}
+
+	userMessage := convertUserFromStore(user)
+	return c.JSON(http.StatusOK, userMessage)
+}
+
+// GetUserByUsername godoc
+//
+//	@Summary	Get user by username
+//	@Tags		user
+//	@Produce	json
+//	@Param		username	path		string		true	"Username"
+//	@Success	200			{object}	store.User	"Requested user"
+//	@Failure	404			{object}	nil			"User not found"
+//	@Failure	500			{object}	nil			"Failed to find user"
+//	@Router		/api/v1/user/name/{username} [GET]
+func (s *APIV1Service) GetUserByUsername(c echo.Context) error {
+	ctx := c.Request().Context()
+	username := c.Param("username")
+	user, err := s.Store.GetUser(ctx, &store.FindUser{Username: &username})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+	}
+	if user == nil {
+		return echo.NewHTTPError(http.StatusNotFound, "User not found")
+	}
+
+	userMessage := convertUserFromStore(user)
+	// data desensitize
+	userMessage.Email = ""
+	return c.JSON(http.StatusOK, userMessage)
+}
+
+// GetUserByID godoc
+//
+//	@Summary	Get user by id
+//	@Tags		user
+//	@Produce	json
+//	@Param		id	path		int			true	"User ID"
+//	@Success	200	{object}	store.User	"Requested user"
+//	@Failure	400	{object}	nil			"Malformatted user id"
+//	@Failure	404	{object}	nil			"User not found"
+//	@Failure	500	{object}	nil			"Failed to find user"
+//	@Router		/api/v1/user/{id} [GET]
+func (s *APIV1Service) GetUserByID(c echo.Context) error {
+	ctx := c.Request().Context()
+	id, err := util.ConvertStringToInt32(c.Param("id"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Malformatted user id").SetInternal(err)
+	}
+
+	user, err := s.Store.GetUser(ctx, &store.FindUser{ID: &id})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+	}
+	if user == nil {
+		return echo.NewHTTPError(http.StatusNotFound, "User not found")
+	}
+
+	userMessage := convertUserFromStore(user)
+	userID, ok := c.Get(userIDContextKey).(int32)
+	if !ok || userID != user.ID {
+		// Data desensitize.
+		userMessage.Email = ""
+	}
+
+	return c.JSON(http.StatusOK, userMessage)
+}
+
+// DeleteUser godoc
+//
+//	@Summary	Delete a user
+//	@Tags		user
+//	@Produce	json
+//	@Param		id	path		string	true	"User ID"
+//	@Success	200	{boolean}	true	"User deleted"
+//	@Failure	400	{object}	nil		"ID is not a number: %s | Current session user not found with ID: %d"
+//	@Failure	401	{object}	nil		"Missing user in session"
+//	@Failure	403	{object}	nil		"Unauthorized to delete user"
+//	@Failure	500	{object}	nil		"Failed to find user | Failed to delete user"
+//	@Router		/api/v1/user/{id} [DELETE]
+func (s *APIV1Service) DeleteUser(c echo.Context) error {
+	ctx := c.Request().Context()
+	currentUserID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+	}
+	currentUser, err := s.Store.GetUser(ctx, &store.FindUser{
+		ID: &currentUserID,
+	})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+	}
+	if currentUser == nil {
+		return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("Current session user not found with ID: %d", currentUserID)).SetInternal(err)
+	} else if currentUser.Role != store.RoleHost {
+		return echo.NewHTTPError(http.StatusForbidden, "Unauthorized to delete user").SetInternal(err)
+	}
+
+	userID, err := util.ConvertStringToInt32(c.Param("id"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("id"))).SetInternal(err)
+	}
+	if currentUserID == userID {
+		return echo.NewHTTPError(http.StatusBadRequest, "Cannot delete current user")
+	}
+
+	if err := s.Store.DeleteUser(ctx, &store.DeleteUser{
+		ID: userID,
+	}); err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to delete user").SetInternal(err)
+	}
+	return c.JSON(http.StatusOK, true)
+}
+
+// UpdateUser godoc
+//
+//	@Summary	Update a user
+//	@Tags		user
+//	@Produce	json
+//	@Param		id		path		string				true	"User ID"
+//	@Param		patch	body		UpdateUserRequest	true	"Patch request"
+//	@Success	200		{object}	store.User			"Updated user"
+//	@Failure	400		{object}	nil					"ID is not a number: %s | Current session user not found with ID: %d | Malformatted patch user request | Invalid update user request"
+//	@Failure	401		{object}	nil					"Missing user in session"
+//	@Failure	403		{object}	nil					"Unauthorized to update user"
+//	@Failure	500		{object}	nil					"Failed to find user | Failed to generate password hash | Failed to patch user | Failed to find userSettingList"
+//	@Router		/api/v1/user/{id} [PATCH]
+func (s *APIV1Service) UpdateUser(c echo.Context) error {
+	ctx := c.Request().Context()
+	userID, err := util.ConvertStringToInt32(c.Param("id"))
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("id"))).SetInternal(err)
+	}
+
+	currentUserID, ok := c.Get(userIDContextKey).(int32)
+	if !ok {
+		return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+	}
+	currentUser, err := s.Store.GetUser(ctx, &store.FindUser{ID: &currentUserID})
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
+	}
+	if currentUser == nil {
+		return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("Current session user not found with ID: %d", currentUserID)).SetInternal(err)
+	} else if currentUser.Role != store.RoleHost && currentUserID != userID {
+		return echo.NewHTTPError(http.StatusForbidden, "Unauthorized to update user").SetInternal(err)
+	}
+
+	request := &UpdateUserRequest{}
+	if err := json.NewDecoder(c.Request().Body).Decode(request); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Malformatted patch user request").SetInternal(err)
+	}
+	if err := request.Validate(); err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "Invalid update user request").SetInternal(err)
+	}
+
+	currentTs := time.Now().Unix()
+	userUpdate := &store.UpdateUser{
+		ID:        userID,
+		UpdatedTs: &currentTs,
+	}
+	if request.RowStatus != nil {
+		rowStatus := store.RowStatus(request.RowStatus.String())
+		userUpdate.RowStatus = &rowStatus
+		if rowStatus == store.Archived && currentUserID == userID {
+			return echo.NewHTTPError(http.StatusBadRequest, "Cannot archive current user")
+		}
+	}
+	if request.Username != nil {
+		if !usernameMatcher.MatchString(strings.ToLower(*request.Username)) {
+			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("Invalid username %s", *request.Username)).SetInternal(err)
+		}
+		userUpdate.Username = request.Username
+	}
+	if request.Email != nil {
+		userUpdate.Email = request.Email
+	}
+	if request.Nickname != nil {
+		userUpdate.Nickname = request.Nickname
+	}
+	if request.Password != nil {
+		passwordHash, err := bcrypt.GenerateFromPassword([]byte(*request.Password), bcrypt.DefaultCost)
+		if err != nil {
+			return echo.NewHTTPError(http.StatusInternalServerError, "Failed to generate password hash").SetInternal(err)
+		}
+
+		passwordHashStr := string(passwordHash)
+		userUpdate.PasswordHash = &passwordHashStr
+	}
+	if request.AvatarURL != nil {
+		userUpdate.AvatarURL = request.AvatarURL
+	}
+
+	user, err := s.Store.UpdateUser(ctx, userUpdate)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "Failed to patch user").SetInternal(err)
+	}
+
+	userMessage := convertUserFromStore(user)
+	return c.JSON(http.StatusOK, userMessage)
+}
+
+func (create CreateUserRequest) Validate() error {
+	if len(create.Username) < 3 {
+		return errors.New("username is too short, minimum length is 3")
+	}
+	if len(create.Username) > 32 {
+		return errors.New("username is too long, maximum length is 32")
+	}
+	if len(create.Password) < 3 {
+		return errors.New("password is too short, minimum length is 3")
+	}
+	if len(create.Password) > 512 {
+		return errors.New("password is too long, maximum length is 512")
+	}
+	if len(create.Nickname) > 64 {
+		return errors.New("nickname is too long, maximum length is 64")
+	}
+	if create.Email != "" {
+		if len(create.Email) > 256 {
+			return errors.New("email is too long, maximum length is 256")
+		}
+		if !util.ValidateEmail(create.Email) {
+			return errors.New("invalid email format")
+		}
+	}
+
+	return nil
+}
+
+func (update UpdateUserRequest) Validate() error {
+	if update.Username != nil && len(*update.Username) < 3 {
+		return errors.New("username is too short, minimum length is 3")
+	}
+	if update.Username != nil && len(*update.Username) > 32 {
+		return errors.New("username is too long, maximum length is 32")
+	}
+	if update.Password != nil && len(*update.Password) < 3 {
+		return errors.New("password is too short, minimum length is 3")
+	}
+	if update.Password != nil && len(*update.Password) > 512 {
+		return errors.New("password is too long, maximum length is 512")
+	}
+	if update.Nickname != nil && len(*update.Nickname) > 64 {
+		return errors.New("nickname is too long, maximum length is 64")
+	}
+	if update.AvatarURL != nil {
+		if len(*update.AvatarURL) > 2<<20 {
+			return errors.New("avatar is too large, maximum is 2MB")
+		}
+	}
+	if update.Email != nil && *update.Email != "" {
+		if len(*update.Email) > 256 {
+			return errors.New("email is too long, maximum length is 256")
+		}
+		if !util.ValidateEmail(*update.Email) {
+			return errors.New("invalid email format")
+		}
+	}
+
+	return nil
+}
+
+func convertUserFromStore(user *store.User) *User {
+	return &User{
+		ID:           user.ID,
+		RowStatus:    RowStatus(user.RowStatus),
+		CreatedTs:    user.CreatedTs,
+		UpdatedTs:    user.UpdatedTs,
+		Username:     user.Username,
+		Role:         Role(user.Role),
+		Email:        user.Email,
+		Nickname:     user.Nickname,
+		PasswordHash: user.PasswordHash,
+		AvatarURL:    user.AvatarURL,
+	}
+}
--- a/api/v1/v1.go
+++ b/api/v1/v1.go
@@ -0,0 +1,94 @@
+package v1
+
+import (
+	"net/http"
+	"time"
+
+	"github.com/labstack/echo/v4"
+	"github.com/labstack/echo/v4/middleware"
+
+	"github.com/usememos/memos/api/resource"
+	"github.com/usememos/memos/plugin/telegram"
+	"github.com/usememos/memos/server/profile"
+	"github.com/usememos/memos/store"
+)
+
+type APIV1Service struct {
+	Secret      string
+	Profile     *profile.Profile
+	Store       *store.Store
+	telegramBot *telegram.Bot
+}
+
+// @title						memos API
+// @version					1.0
+// @description				A privacy-first, lightweight note-taking service.
+//
+// @contact.name				API Support
+// @contact.url				https://github.com/orgs/usememos/discussions
+//
+// @license.name				MIT License
+// @license.url				https://github.com/usememos/memos/blob/main/LICENSE
+//
+// @BasePath					/
+//
+// @externalDocs.url			https://usememos.com/
+// @externalDocs.description	Find out more about Memos.
+func NewAPIV1Service(secret string, profile *profile.Profile, store *store.Store, telegramBot *telegram.Bot) *APIV1Service {
+	return &APIV1Service{
+		Secret:      secret,
+		Profile:     profile,
+		Store:       store,
+		telegramBot: telegramBot,
+	}
+}
+
+func (s *APIV1Service) Register(rootGroup *echo.Group) {
+	// Register RSS routes.
+	s.registerRSSRoutes(rootGroup)
+
+	// Register API v1 routes.
+	apiV1Group := rootGroup.Group("/api/v1")
+	apiV1Group.Use(middleware.RateLimiterWithConfig(middleware.RateLimiterConfig{
+		Store: middleware.NewRateLimiterMemoryStoreWithConfig(
+			middleware.RateLimiterMemoryStoreConfig{Rate: 30, Burst: 100, ExpiresIn: 3 * time.Minute},
+		),
+		IdentifierExtractor: func(ctx echo.Context) (string, error) {
+			id := ctx.RealIP()
+			return id, nil
+		},
+		ErrorHandler: func(context echo.Context, err error) error {
+			return context.JSON(http.StatusForbidden, nil)
+		},
+		DenyHandler: func(context echo.Context, identifier string, err error) error {
+			return context.JSON(http.StatusTooManyRequests, nil)
+		},
+	}))
+	apiV1Group.Use(func(next echo.HandlerFunc) echo.HandlerFunc {
+		return JWTMiddleware(s, next, s.Secret)
+	})
+	s.registerSystemRoutes(apiV1Group)
+	s.registerSystemSettingRoutes(apiV1Group)
+	s.registerAuthRoutes(apiV1Group)
+	s.registerIdentityProviderRoutes(apiV1Group)
+	s.registerUserRoutes(apiV1Group)
+	s.registerTagRoutes(apiV1Group)
+	s.registerStorageRoutes(apiV1Group)
+	s.registerResourceRoutes(apiV1Group)
+	s.registerMemoRoutes(apiV1Group)
+	s.registerMemoOrganizerRoutes(apiV1Group)
+	s.registerMemoRelationRoutes(apiV1Group)
+
+	// Register public routes.
+	publicGroup := rootGroup.Group("/o")
+	publicGroup.Use(func(next echo.HandlerFunc) echo.HandlerFunc {
+		return JWTMiddleware(s, next, s.Secret)
+	})
+	s.registerGetterPublicRoutes(publicGroup)
+	// Create and register resource public routes.
+	resourceService := resource.NewService(s.Profile, s.Store)
+	resourceService.RegisterResourcePublicRoutes(publicGroup)
+
+	// programmatically set API version same as the server version
+	SwaggerInfo.Version = s.Profile.Version
+}
--- a/api/v2/acl.go
+++ b/api/v2/acl.go
@@ -0,0 +1,162 @@
+package v2
+
+import (
+	"context"
+	"net/http"
+	"strings"
+
+	"github.com/golang-jwt/jwt/v4"
+	"github.com/pkg/errors"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/metadata"
+	"google.golang.org/grpc/status"
+
+	"github.com/usememos/memos/api/auth"
+	"github.com/usememos/memos/internal/util"
+	storepb "github.com/usememos/memos/proto/gen/store"
+	"github.com/usememos/memos/store"
+)
+
+// ContextKey is the key type of context value.
+type ContextKey int
+
+const (
+	// The key name used to store username in the context
+	// user id is extracted from the jwt token subject field.
+	usernameContextKey ContextKey = iota
+)
+
+// GRPCAuthInterceptor is the auth interceptor for gRPC server.
+type GRPCAuthInterceptor struct {
+	Store  *store.Store
+	secret string
+}
+
+// NewGRPCAuthInterceptor returns a new API auth interceptor.
+func NewGRPCAuthInterceptor(store *store.Store, secret string) *GRPCAuthInterceptor {
+	return &GRPCAuthInterceptor{
+		Store:  store,
+		secret: secret,
+	}
+}
+
+// AuthenticationInterceptor is the unary interceptor for gRPC API.
+func (in *GRPCAuthInterceptor) AuthenticationInterceptor(ctx context.Context, request any, serverInfo *grpc.UnaryServerInfo, handler grpc.UnaryHandler) (any, error) {
+	md, ok := metadata.FromIncomingContext(ctx)
+	if !ok {
+		return nil, status.Errorf(codes.Unauthenticated, "failed to parse metadata from incoming context")
+	}
+	accessToken, err := getTokenFromMetadata(md)
+	if err != nil {
+		return nil, status.Errorf(codes.Unauthenticated, err.Error())
+	}
+
+	username, err := in.authenticate(ctx, accessToken)
+	if err != nil {
+		if isUnauthorizeAllowedMethod(serverInfo.FullMethod) {
+			return handler(ctx, request)
+		}
+		return nil, err
+	}
+	user, err := in.Store.GetUser(ctx, &store.FindUser{
+		Username: &username,
+	})
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to get user")
+	}
+	if user == nil {
+		return nil, errors.Errorf("user %q not exists", username)
+	}
+	if user.RowStatus == store.Archived {
+		return nil, errors.Errorf("user %q is archived", username)
+	}
+	if isOnlyForAdminAllowedMethod(serverInfo.FullMethod) && user.Role != store.RoleHost && user.Role != store.RoleAdmin {
+		return nil, errors.Errorf("user %q is not admin", username)
+	}
+
+	// Stores userID into context.
+	childCtx := context.WithValue(ctx, usernameContextKey, username)
+	return handler(childCtx, request)
+}
+
+func (in *GRPCAuthInterceptor) authenticate(ctx context.Context, accessToken string) (string, error) {
+	if accessToken == "" {
+		return "", status.Errorf(codes.Unauthenticated, "access token not found")
+	}
+	claims := &auth.ClaimsMessage{}
+	_, err := jwt.ParseWithClaims(accessToken, claims, func(t *jwt.Token) (any, error) {
+		if t.Method.Alg() != jwt.SigningMethodHS256.Name {
+			return nil, status.Errorf(codes.Unauthenticated, "unexpected access token signing method=%v, expect %v", t.Header["alg"], jwt.SigningMethodHS256)
+		}
+		if kid, ok := t.Header["kid"].(string); ok {
+			if kid == "v1" {
+				return []byte(in.secret), nil
+			}
+		}
+		return nil, status.Errorf(codes.Unauthenticated, "unexpected access token kid=%v", t.Header["kid"])
+	})
+	if err != nil {
+		return "", status.Errorf(codes.Unauthenticated, "Invalid or expired access token")
+	}
+
+	// We either have a valid access token or we will attempt to generate new access token.
+	userID, err := util.ConvertStringToInt32(claims.Subject)
+	if err != nil {
+		return "", errors.Wrap(err, "malformed ID in the token")
+	}
+	user, err := in.Store.GetUser(ctx, &store.FindUser{
+		ID: &userID,
+	})
+	if err != nil {
+		return "", errors.Wrap(err, "failed to get user")
+	}
+	if user == nil {
+		return "", errors.Errorf("user %q not exists", userID)
+	}
+	if user.RowStatus == store.Archived {
+		return "", errors.Errorf("user %q is archived", userID)
+	}
+
+	accessTokens, err := in.Store.GetUserAccessTokens(ctx, user.ID)
+	if err != nil {
+		return "", errors.Wrapf(err, "failed to get user access tokens")
+	}
+	if !validateAccessToken(accessToken, accessTokens) {
+		return "", status.Errorf(codes.Unauthenticated, "invalid access token")
+	}
+
+	return user.Username, nil
+}
+
+func getTokenFromMetadata(md metadata.MD) (string, error) {
+	// Check the HTTP request header first.
+	authorizationHeaders := md.Get("Authorization")
+	if len(md.Get("Authorization")) > 0 {
+		authHeaderParts := strings.Fields(authorizationHeaders[0])
+		if len(authHeaderParts) != 2 || strings.ToLower(authHeaderParts[0]) != "bearer" {
+			return "", errors.New("authorization header format must be Bearer {token}")
+		}
+		return authHeaderParts[1], nil
+	}
+	// Check the cookie header.
+	var accessToken string
+	for _, t := range append(md.Get("grpcgateway-cookie"), md.Get("cookie")...) {
+		header := http.Header{}
+		header.Add("Cookie", t)
+		request := http.Request{Header: header}
+		if v, _ := request.Cookie(auth.AccessTokenCookieName); v != nil {
+			accessToken = v.Value
+		}
+	}
+	return accessToken, nil
+}
+
+func validateAccessToken(accessTokenString string, userAccessTokens []*storepb.AccessTokensUserSetting_AccessToken) bool {
+	for _, userAccessToken := range userAccessTokens {
+		if accessTokenString == userAccessToken.AccessToken {
+			return true
+		}
+	}
+	return false
+}
--- a/api/v2/acl_config.go
+++ b/api/v2/acl_config.go
@@ -0,0 +1,32 @@
+package v2
+
+import "strings"
+
+var authenticationAllowlistMethods = map[string]bool{
+	"/memos.api.v2.SystemService/GetSystemInfo":   true,
+	"/memos.api.v2.AuthService/GetAuthStatus":     true,
+	"/memos.api.v2.UserService/GetUser":           true,
+	"/memos.api.v2.MemoService/ListMemos":         true,
+	"/memos.api.v2.MemoService/GetMemo":           true,
+	"/memos.api.v2.MemoService/ListMemoResources": true,
+	"/memos.api.v2.MemoService/ListMemoRelations": true,
+	"/memos.api.v2.MemoService/ListMemoComments":  true,
+	"/memos.api.v2.MarkdownService/ParseMarkdown": true,
+}
+
+// isUnauthorizeAllowedMethod returns whether the method is exempted from authentication.
+func isUnauthorizeAllowedMethod(fullMethodName string) bool {
+	if strings.HasPrefix(fullMethodName, "/grpc.reflection") {
+		return true
+	}
+	return authenticationAllowlistMethods[fullMethodName]
+}
+
+var allowedMethodsOnlyForAdmin = map[string]bool{
+	"/memos.api.v2.UserService/CreateUser": true,
+}
+
+// isOnlyForAdminAllowedMethod returns true if the method is allowed to be called only by admin.
+func isOnlyForAdminAllowedMethod(methodName string) bool {
+	return allowedMethodsOnlyForAdmin[methodName]
+}
--- a/api/v2/activity_service.go
+++ b/api/v2/activity_service.go
@@ -0,0 +1,58 @@
+package v2
+
+import (
+	"context"
+	"time"
+
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	apiv2pb "github.com/usememos/memos/proto/gen/api/v2"
+	storepb "github.com/usememos/memos/proto/gen/store"
+	"github.com/usememos/memos/store"
+)
+
+func (s *APIV2Service) GetActivity(ctx context.Context, request *apiv2pb.GetActivityRequest) (*apiv2pb.GetActivityResponse, error) {
+	activity, err := s.Store.GetActivity(ctx, &store.FindActivity{
+		ID: &request.Id,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get activity: %v", err)
+	}
+
+	activityMessage, err := s.convertActivityFromStore(ctx, activity)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to convert activity from store: %v", err)
+	}
+	return &apiv2pb.GetActivityResponse{
+		Activity: activityMessage,
+	}, nil
+}
+
+func (*APIV2Service) convertActivityFromStore(_ context.Context, activity *store.Activity) (*apiv2pb.Activity, error) {
+	return &apiv2pb.Activity{
+		Id:         activity.ID,
+		CreatorId:  activity.CreatorID,
+		Type:       activity.Type.String(),
+		Level:      activity.Level.String(),
+		CreateTime: timestamppb.New(time.Unix(activity.CreatedTs, 0)),
+		Payload:    convertActivityPayloadFromStore(activity.Payload),
+	}, nil
+}
+
+func convertActivityPayloadFromStore(payload *storepb.ActivityPayload) *apiv2pb.ActivityPayload {
+	v2Payload := &apiv2pb.ActivityPayload{}
+	if payload.MemoComment != nil {
+		v2Payload.MemoComment = &apiv2pb.ActivityMemoCommentPayload{
+			MemoId:        payload.MemoComment.MemoId,
+			RelatedMemoId: payload.MemoComment.RelatedMemoId,
+		}
+	}
+	if payload.VersionUpdate != nil {
+		v2Payload.VersionUpdate = &apiv2pb.ActivityVersionUpdatePayload{
+			Version: payload.VersionUpdate.Version,
+		}
+	}
+	return v2Payload
+}
--- a/api/v2/auth_service.go
+++ b/api/v2/auth_service.go
@@ -0,0 +1,41 @@
+package v2
+
+import (
+	"context"
+	"fmt"
+
+	"github.com/pkg/errors"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/metadata"
+	"google.golang.org/grpc/status"
+
+	"github.com/usememos/memos/api/auth"
+	apiv2pb "github.com/usememos/memos/proto/gen/api/v2"
+)
+
+func (s *APIV2Service) GetAuthStatus(ctx context.Context, _ *apiv2pb.GetAuthStatusRequest) (*apiv2pb.GetAuthStatusResponse, error) {
+	user, err := getCurrentUser(ctx, s.Store)
+	if err != nil {
+		return nil, status.Errorf(codes.Unauthenticated, "failed to get current user: %v", err)
+	}
+	if user == nil {
+		// Set the cookie header to expire access token.
+		if err := clearAccessTokenCookie(ctx); err != nil {
+			return nil, status.Errorf(codes.Internal, "failed to set grpc header")
+		}
+		return nil, status.Errorf(codes.Unauthenticated, "user not found")
+	}
+	return &apiv2pb.GetAuthStatusResponse{
+		User: convertUserFromStore(user),
+	}, nil
+}
+
+func clearAccessTokenCookie(ctx context.Context) error {
+	if err := grpc.SetHeader(ctx, metadata.New(map[string]string{
+		"Set-Cookie": fmt.Sprintf("%s=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly; SameSite=Strict", auth.AccessTokenCookieName),
+	})); err != nil {
+		return errors.Wrap(err, "failed to set grpc header")
+	}
+	return nil
+}
--- a/api/v2/common.go
+++ b/api/v2/common.go
@@ -0,0 +1,44 @@
+package v2
+
+import (
+	"context"
+
+	apiv2pb "github.com/usememos/memos/proto/gen/api/v2"
+	"github.com/usememos/memos/store"
+)
+
+func convertRowStatusFromStore(rowStatus store.RowStatus) apiv2pb.RowStatus {
+	switch rowStatus {
+	case store.Normal:
+		return apiv2pb.RowStatus_ACTIVE
+	case store.Archived:
+		return apiv2pb.RowStatus_ARCHIVED
+	default:
+		return apiv2pb.RowStatus_ROW_STATUS_UNSPECIFIED
+	}
+}
+
+func convertRowStatusToStore(rowStatus apiv2pb.RowStatus) store.RowStatus {
+	switch rowStatus {
+	case apiv2pb.RowStatus_ACTIVE:
+		return store.Normal
+	case apiv2pb.RowStatus_ARCHIVED:
+		return store.Archived
+	default:
+		return store.Normal
+	}
+}
+
+func getCurrentUser(ctx context.Context, s *store.Store) (*store.User, error) {
+	username, ok := ctx.Value(usernameContextKey).(string)
+	if !ok {
+		return nil, nil
+	}
+	user, err := s.GetUser(ctx, &store.FindUser{
+		Username: &username,
+	})
+	if err != nil {
+		return nil, err
+	}
+	return user, nil
+}
--- a/api/v2/inbox_service.go
+++ b/api/v2/inbox_service.go
@@ -0,0 +1,138 @@
+package v2
+
+import (
+	"context"
+	"fmt"
+	"time"
+
+	"github.com/pkg/errors"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	apiv2pb "github.com/usememos/memos/proto/gen/api/v2"
+	"github.com/usememos/memos/store"
+)
+
+func (s *APIV2Service) ListInboxes(ctx context.Context, _ *apiv2pb.ListInboxesRequest) (*apiv2pb.ListInboxesResponse, error) {
+	user, err := getCurrentUser(ctx, s.Store)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get user")
+	}
+
+	inboxes, err := s.Store.ListInboxes(ctx, &store.FindInbox{
+		ReceiverID: &user.ID,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to list inbox: %v", err)
+	}
+
+	response := &apiv2pb.ListInboxesResponse{
+		Inboxes: []*apiv2pb.Inbox{},
+	}
+	for _, inbox := range inboxes {
+		inboxMessage, err := s.convertInboxFromStore(ctx, inbox)
+		if err != nil {
+			return nil, status.Errorf(codes.Internal, "failed to convert inbox from store: %v", err)
+		}
+		response.Inboxes = append(response.Inboxes, inboxMessage)
+	}
+
+	return response, nil
+}
+
+func (s *APIV2Service) UpdateInbox(ctx context.Context, request *apiv2pb.UpdateInboxRequest) (*apiv2pb.UpdateInboxResponse, error) {
+	if request.UpdateMask == nil || len(request.UpdateMask.Paths) == 0 {
+		return nil, status.Errorf(codes.InvalidArgument, "update mask is required")
+	}
+
+	inboxID, err := ExtractInboxIDFromName(request.Inbox.Name)
+	if err != nil {
+		return nil, status.Errorf(codes.InvalidArgument, "invalid inbox name: %v", err)
+	}
+	update := &store.UpdateInbox{
+		ID: inboxID,
+	}
+	for _, field := range request.UpdateMask.Paths {
+		if field == "status" {
+			if request.Inbox.Status == apiv2pb.Inbox_STATUS_UNSPECIFIED {
+				return nil, status.Errorf(codes.InvalidArgument, "status is required")
+			}
+			update.Status = convertInboxStatusToStore(request.Inbox.Status)
+		}
+	}
+
+	inbox, err := s.Store.UpdateInbox(ctx, update)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to update inbox: %v", err)
+	}
+
+	inboxMessage, err := s.convertInboxFromStore(ctx, inbox)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to convert inbox from store: %v", err)
+	}
+	return &apiv2pb.UpdateInboxResponse{
+		Inbox: inboxMessage,
+	}, nil
+}
+
+func (s *APIV2Service) DeleteInbox(ctx context.Context, request *apiv2pb.DeleteInboxRequest) (*apiv2pb.DeleteInboxResponse, error) {
+	inboxID, err := ExtractInboxIDFromName(request.Name)
+	if err != nil {
+		return nil, status.Errorf(codes.InvalidArgument, "invalid inbox name: %v", err)
+	}
+
+	if err := s.Store.DeleteInbox(ctx, &store.DeleteInbox{
+		ID: inboxID,
+	}); err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to update inbox: %v", err)
+	}
+	return &apiv2pb.DeleteInboxResponse{}, nil
+}
+
+func (s *APIV2Service) convertInboxFromStore(ctx context.Context, inbox *store.Inbox) (*apiv2pb.Inbox, error) {
+	sender, err := s.Store.GetUser(ctx, &store.FindUser{
+		ID: &inbox.SenderID,
+	})
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to get sender")
+	}
+	receiver, err := s.Store.GetUser(ctx, &store.FindUser{
+		ID: &inbox.ReceiverID,
+	})
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to get receiver")
+	}
+
+	return &apiv2pb.Inbox{
+		Name:       fmt.Sprintf("inboxes/%d", inbox.ID),
+		Sender:     fmt.Sprintf("users/%s", sender.Username),
+		Receiver:   fmt.Sprintf("users/%s", receiver.Username),
+		Status:     convertInboxStatusFromStore(inbox.Status),
+		CreateTime: timestamppb.New(time.Unix(inbox.CreatedTs, 0)),
+		Type:       apiv2pb.Inbox_Type(inbox.Message.Type),
+		ActivityId: inbox.Message.ActivityId,
+	}, nil
+}
+
+func convertInboxStatusFromStore(status store.InboxStatus) apiv2pb.Inbox_Status {
+	switch status {
+	case store.UNREAD:
+		return apiv2pb.Inbox_UNREAD
+	case store.ARCHIVED:
+		return apiv2pb.Inbox_ARCHIVED
+	default:
+		return apiv2pb.Inbox_STATUS_UNSPECIFIED
+	}
+}
+
+func convertInboxStatusToStore(status apiv2pb.Inbox_Status) store.InboxStatus {
+	switch status {
+	case apiv2pb.Inbox_UNREAD:
+		return store.UNREAD
+	case apiv2pb.Inbox_ARCHIVED:
+		return store.ARCHIVED
+	default:
+		return store.UNREAD
+	}
+}
--- a/api/v2/markdown_service.go
+++ b/api/v2/markdown_service.go
@@ -0,0 +1,215 @@
+package v2
+
+import (
+	"context"
+
+	"github.com/pkg/errors"
+
+	"github.com/usememos/memos/plugin/gomark/ast"
+	"github.com/usememos/memos/plugin/gomark/parser"
+	"github.com/usememos/memos/plugin/gomark/parser/tokenizer"
+	apiv2pb "github.com/usememos/memos/proto/gen/api/v2"
+)
+
+func (*APIV2Service) ParseMarkdown(_ context.Context, request *apiv2pb.ParseMarkdownRequest) (*apiv2pb.ParseMarkdownResponse, error) {
+	rawNodes, err := parser.Parse(tokenizer.Tokenize(request.Markdown))
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to parse memo content")
+	}
+	nodes := convertFromASTNodes(rawNodes)
+	return &apiv2pb.ParseMarkdownResponse{
+		Nodes: nodes,
+	}, nil
+}
+
+func convertFromASTNodes(rawNodes []ast.Node) []*apiv2pb.Node {
+	nodes := []*apiv2pb.Node{}
+	for _, rawNode := range rawNodes {
+		node := convertFromASTNode(rawNode)
+		nodes = append(nodes, node)
+	}
+	return nodes
+}
+
+func convertFromASTNode(rawNode ast.Node) *apiv2pb.Node {
+	node := &apiv2pb.Node{
+		Type: apiv2pb.NodeType(rawNode.Type()),
+	}
+
+	switch n := rawNode.(type) {
+	case *ast.LineBreak:
+		node.Node = &apiv2pb.Node_LineBreakNode{}
+	case *ast.Paragraph:
+		children := convertFromASTNodes(n.Children)
+		node.Node = &apiv2pb.Node_ParagraphNode{ParagraphNode: &apiv2pb.ParagraphNode{Children: children}}
+	case *ast.CodeBlock:
+		node.Node = &apiv2pb.Node_CodeBlockNode{CodeBlockNode: &apiv2pb.CodeBlockNode{Language: n.Language, Content: n.Content}}
+	case *ast.Heading:
+		children := convertFromASTNodes(n.Children)
+		node.Node = &apiv2pb.Node_HeadingNode{HeadingNode: &apiv2pb.HeadingNode{Level: int32(n.Level), Children: children}}
+	case *ast.HorizontalRule:
+		node.Node = &apiv2pb.Node_HorizontalRuleNode{HorizontalRuleNode: &apiv2pb.HorizontalRuleNode{Symbol: n.Symbol}}
+	case *ast.Blockquote:
+		children := convertFromASTNodes(n.Children)
+		node.Node = &apiv2pb.Node_BlockquoteNode{BlockquoteNode: &apiv2pb.BlockquoteNode{Children: children}}
+	case *ast.OrderedList:
+		children := convertFromASTNodes(n.Children)
+		node.Node = &apiv2pb.Node_OrderedListNode{OrderedListNode: &apiv2pb.OrderedListNode{Number: n.Number, Indent: int32(n.Indent), Children: children}}
+	case *ast.UnorderedList:
+		children := convertFromASTNodes(n.Children)
+		node.Node = &apiv2pb.Node_UnorderedListNode{UnorderedListNode: &apiv2pb.UnorderedListNode{Symbol: n.Symbol, Indent: int32(n.Indent), Children: children}}
+	case *ast.TaskList:
+		children := convertFromASTNodes(n.Children)
+		node.Node = &apiv2pb.Node_TaskListNode{TaskListNode: &apiv2pb.TaskListNode{Symbol: n.Symbol, Indent: int32(n.Indent), Complete: n.Complete, Children: children}}
+	case *ast.MathBlock:
+		node.Node = &apiv2pb.Node_MathBlockNode{MathBlockNode: &apiv2pb.MathBlockNode{Content: n.Content}}
+	case *ast.Table:
+		node.Node = &apiv2pb.Node_TableNode{TableNode: convertTableFromASTNode(n)}
+	case *ast.Text:
+		node.Node = &apiv2pb.Node_TextNode{TextNode: &apiv2pb.TextNode{Content: n.Content}}
+	case *ast.Bold:
+		children := convertFromASTNodes(n.Children)
+		node.Node = &apiv2pb.Node_BoldNode{BoldNode: &apiv2pb.BoldNode{Symbol: n.Symbol, Children: children}}
+	case *ast.Italic:
+		node.Node = &apiv2pb.Node_ItalicNode{ItalicNode: &apiv2pb.ItalicNode{Symbol: n.Symbol, Content: n.Content}}
+	case *ast.BoldItalic:
+		node.Node = &apiv2pb.Node_BoldItalicNode{BoldItalicNode: &apiv2pb.BoldItalicNode{Symbol: n.Symbol, Content: n.Content}}
+	case *ast.Code:
+		node.Node = &apiv2pb.Node_CodeNode{CodeNode: &apiv2pb.CodeNode{Content: n.Content}}
+	case *ast.Image:
+		node.Node = &apiv2pb.Node_ImageNode{ImageNode: &apiv2pb.ImageNode{AltText: n.AltText, Url: n.URL}}
+	case *ast.Link:
+		node.Node = &apiv2pb.Node_LinkNode{LinkNode: &apiv2pb.LinkNode{Text: n.Text, Url: n.URL}}
+	case *ast.AutoLink:
+		node.Node = &apiv2pb.Node_AutoLinkNode{AutoLinkNode: &apiv2pb.AutoLinkNode{Url: n.URL, IsRawText: n.IsRawText}}
+	case *ast.Tag:
+		node.Node = &apiv2pb.Node_TagNode{TagNode: &apiv2pb.TagNode{Content: n.Content}}
+	case *ast.Strikethrough:
+		node.Node = &apiv2pb.Node_StrikethroughNode{StrikethroughNode: &apiv2pb.StrikethroughNode{Content: n.Content}}
+	case *ast.EscapingCharacter:
+		node.Node = &apiv2pb.Node_EscapingCharacterNode{EscapingCharacterNode: &apiv2pb.EscapingCharacterNode{Symbol: n.Symbol}}
+	case *ast.Math:
+		node.Node = &apiv2pb.Node_MathNode{MathNode: &apiv2pb.MathNode{Content: n.Content}}
+	case *ast.Highlight:
+		node.Node = &apiv2pb.Node_HighlightNode{HighlightNode: &apiv2pb.HighlightNode{Content: n.Content}}
+	default:
+		node.Node = &apiv2pb.Node_TextNode{TextNode: &apiv2pb.TextNode{}}
+	}
+
+	return node
+}
+
+func convertToASTNodes(nodes []*apiv2pb.Node) []ast.Node {
+	rawNodes := []ast.Node{}
+	for _, node := range nodes {
+		rawNode := convertToASTNode(node)
+		rawNodes = append(rawNodes, rawNode)
+	}
+	return rawNodes
+}
+
+func convertToASTNode(node *apiv2pb.Node) ast.Node {
+	switch n := node.Node.(type) {
+	case *apiv2pb.Node_LineBreakNode:
+		return &ast.LineBreak{}
+	case *apiv2pb.Node_ParagraphNode:
+		children := convertToASTNodes(n.ParagraphNode.Children)
+		return &ast.Paragraph{Children: children}
+	case *apiv2pb.Node_CodeBlockNode:
+		return &ast.CodeBlock{Language: n.CodeBlockNode.Language, Content: n.CodeBlockNode.Content}
+	case *apiv2pb.Node_HeadingNode:
+		children := convertToASTNodes(n.HeadingNode.Children)
+		return &ast.Heading{Level: int(n.HeadingNode.Level), Children: children}
+	case *apiv2pb.Node_HorizontalRuleNode:
+		return &ast.HorizontalRule{Symbol: n.HorizontalRuleNode.Symbol}
+	case *apiv2pb.Node_BlockquoteNode:
+		children := convertToASTNodes(n.BlockquoteNode.Children)
+		return &ast.Blockquote{Children: children}
+	case *apiv2pb.Node_OrderedListNode:
+		children := convertToASTNodes(n.OrderedListNode.Children)
+		return &ast.OrderedList{Number: n.OrderedListNode.Number, Indent: int(n.OrderedListNode.Indent), Children: children}
+	case *apiv2pb.Node_UnorderedListNode:
+		children := convertToASTNodes(n.UnorderedListNode.Children)
+		return &ast.UnorderedList{Symbol: n.UnorderedListNode.Symbol, Indent: int(n.UnorderedListNode.Indent), Children: children}
+	case *apiv2pb.Node_TaskListNode:
+		children := convertToASTNodes(n.TaskListNode.Children)
+		return &ast.TaskList{Symbol: n.TaskListNode.Symbol, Indent: int(n.TaskListNode.Indent), Complete: n.TaskListNode.Complete, Children: children}
+	case *apiv2pb.Node_MathBlockNode:
+		return &ast.MathBlock{Content: n.MathBlockNode.Content}
+	case *apiv2pb.Node_TableNode:
+		return convertTableToASTNode(node)
+	case *apiv2pb.Node_TextNode:
+		return &ast.Text{Content: n.TextNode.Content}
+	case *apiv2pb.Node_BoldNode:
+		children := convertToASTNodes(n.BoldNode.Children)
+		return &ast.Bold{Symbol: n.BoldNode.Symbol, Children: children}
+	case *apiv2pb.Node_ItalicNode:
+		return &ast.Italic{Symbol: n.ItalicNode.Symbol, Content: n.ItalicNode.Content}
+	case *apiv2pb.Node_BoldItalicNode:
+		return &ast.BoldItalic{Symbol: n.BoldItalicNode.Symbol, Content: n.BoldItalicNode.Content}
+	case *apiv2pb.Node_CodeNode:
+		return &ast.Code{Content: n.CodeNode.Content}
+	case *apiv2pb.Node_ImageNode:
+		return &ast.Image{AltText: n.ImageNode.AltText, URL: n.ImageNode.Url}
+	case *apiv2pb.Node_LinkNode:
+		return &ast.Link{Text: n.LinkNode.Text, URL: n.LinkNode.Url}
+	case *apiv2pb.Node_AutoLinkNode:
+		return &ast.AutoLink{URL: n.AutoLinkNode.Url, IsRawText: n.AutoLinkNode.IsRawText}
+	case *apiv2pb.Node_TagNode:
+		return &ast.Tag{Content: n.TagNode.Content}
+	case *apiv2pb.Node_StrikethroughNode:
+		return &ast.Strikethrough{Content: n.StrikethroughNode.Content}
+	case *apiv2pb.Node_EscapingCharacterNode:
+		return &ast.EscapingCharacter{Symbol: n.EscapingCharacterNode.Symbol}
+	case *apiv2pb.Node_MathNode:
+		return &ast.Math{Content: n.MathNode.Content}
+	case *apiv2pb.Node_HighlightNode:
+		return &ast.Highlight{Content: n.HighlightNode.Content}
+	default:
+		return &ast.Text{}
+	}
+}
+
+func convertTableToASTNode(node *apiv2pb.Node) *ast.Table {
+	table := &ast.Table{
+		Header:    node.GetTableNode().Header,
+		Delimiter: node.GetTableNode().Delimiter,
+	}
+	for _, row := range node.GetTableNode().Rows {
+		table.Rows = append(table.Rows, row.Cells)
+	}
+	return table
+}
+
+func convertTableFromASTNode(node *ast.Table) *apiv2pb.TableNode {
+	table := &apiv2pb.TableNode{
+		Header:    node.Header,
+		Delimiter: node.Delimiter,
+	}
+	for _, row := range node.Rows {
+		table.Rows = append(table.Rows, &apiv2pb.TableNode_Row{Cells: row})
+	}
+	return table
+}
+
+func traverseASTNodes(nodes []ast.Node, fn func(ast.Node)) {
+	for _, node := range nodes {
+		fn(node)
+		switch n := node.(type) {
+		case *ast.Paragraph:
+			traverseASTNodes(n.Children, fn)
+		case *ast.Heading:
+			traverseASTNodes(n.Children, fn)
+		case *ast.Blockquote:
+			traverseASTNodes(n.Children, fn)
+		case *ast.OrderedList:
+			traverseASTNodes(n.Children, fn)
+		case *ast.UnorderedList:
+			traverseASTNodes(n.Children, fn)
+		case *ast.TaskList:
+			traverseASTNodes(n.Children, fn)
+		case *ast.Bold:
+			traverseASTNodes(n.Children, fn)
+		}
+	}
+}
--- a/api/v2/markdown_service_test.go
+++ b/api/v2/markdown_service_test.go
@@ -0,0 +1,30 @@
+package v2
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/usememos/memos/plugin/gomark/ast"
+	apiv2pb "github.com/usememos/memos/proto/gen/api/v2"
+)
+
+func TestConvertFromASTNodes(t *testing.T) {
+	tests := []struct {
+		name     string
+		rawNodes []ast.Node
+		want     []*apiv2pb.Node
+	}{
+		{
+			name: "empty",
+			want: []*apiv2pb.Node{},
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			got := convertFromASTNodes(tt.rawNodes)
+			require.Equal(t, tt.want, got)
+		})
+	}
+}
--- a/api/v2/memo_relation_service.go
+++ b/api/v2/memo_relation_service.go
@@ -0,0 +1,100 @@
+package v2
+
+import (
+	"context"
+
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+
+	apiv2pb "github.com/usememos/memos/proto/gen/api/v2"
+	"github.com/usememos/memos/store"
+)
+
+func (s *APIV2Service) SetMemoRelations(ctx context.Context, request *apiv2pb.SetMemoRelationsRequest) (*apiv2pb.SetMemoRelationsResponse, error) {
+	referenceType := store.MemoRelationReference
+	// Delete all reference relations first.
+	if err := s.Store.DeleteMemoRelation(ctx, &store.DeleteMemoRelation{
+		MemoID: &request.Id,
+		Type:   &referenceType,
+	}); err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to delete memo relation")
+	}
+
+	for _, relation := range request.Relations {
+		// Ignore reflexive relations.
+		if request.Id == relation.RelatedMemoId {
+			continue
+		}
+		// Ignore comment relations as there's no need to update a comment's relation.
+		// Inserting/Deleting a comment is handled elsewhere.
+		if relation.Type == apiv2pb.MemoRelation_COMMENT {
+			continue
+		}
+		if _, err := s.Store.UpsertMemoRelation(ctx, &store.MemoRelation{
+			MemoID:        request.Id,
+			RelatedMemoID: relation.RelatedMemoId,
+			Type:          convertMemoRelationTypeToStore(relation.Type),
+		}); err != nil {
+			return nil, status.Errorf(codes.Internal, "failed to upsert memo relation")
+		}
+	}
+
+	return &apiv2pb.SetMemoRelationsResponse{}, nil
+}
+
+func (s *APIV2Service) ListMemoRelations(ctx context.Context, request *apiv2pb.ListMemoRelationsRequest) (*apiv2pb.ListMemoRelationsResponse, error) {
+	relationList := []*apiv2pb.MemoRelation{}
+	tempList, err := s.Store.ListMemoRelations(ctx, &store.FindMemoRelation{
+		MemoID: &request.Id,
+	})
+	if err != nil {
+		return nil, err
+	}
+	for _, relation := range tempList {
+		relationList = append(relationList, convertMemoRelationFromStore(relation))
+	}
+	tempList, err = s.Store.ListMemoRelations(ctx, &store.FindMemoRelation{
+		RelatedMemoID: &request.Id,
+	})
+	if err != nil {
+		return nil, err
+	}
+	for _, relation := range tempList {
+		relationList = append(relationList, convertMemoRelationFromStore(relation))
+	}
+
+	response := &apiv2pb.ListMemoRelationsResponse{
+		Relations: relationList,
+	}
+	return response, nil
+}
+
+func convertMemoRelationFromStore(memoRelation *store.MemoRelation) *apiv2pb.MemoRelation {
+	return &apiv2pb.MemoRelation{
+		MemoId:        memoRelation.MemoID,
+		RelatedMemoId: memoRelation.RelatedMemoID,
+		Type:          convertMemoRelationTypeFromStore(memoRelation.Type),
+	}
+}
+
+func convertMemoRelationTypeFromStore(relationType store.MemoRelationType) apiv2pb.MemoRelation_Type {
+	switch relationType {
+	case store.MemoRelationReference:
+		return apiv2pb.MemoRelation_REFERENCE
+	case store.MemoRelationComment:
+		return apiv2pb.MemoRelation_COMMENT
+	default:
+		return apiv2pb.MemoRelation_TYPE_UNSPECIFIED
+	}
+}
+
+func convertMemoRelationTypeToStore(relationType apiv2pb.MemoRelation_Type) store.MemoRelationType {
+	switch relationType {
+	case apiv2pb.MemoRelation_REFERENCE:
+		return store.MemoRelationReference
+	case apiv2pb.MemoRelation_COMMENT:
+		return store.MemoRelationComment
+	default:
+		return store.MemoRelationReference
+	}
+}
--- a/api/v2/memo_resource_service.go
+++ b/api/v2/memo_resource_service.go
@@ -0,0 +1,73 @@
+package v2
+
+import (
+	"context"
+	"slices"
+	"time"
+
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+
+	apiv2pb "github.com/usememos/memos/proto/gen/api/v2"
+	"github.com/usememos/memos/store"
+)
+
+func (s *APIV2Service) SetMemoResources(ctx context.Context, request *apiv2pb.SetMemoResourcesRequest) (*apiv2pb.SetMemoResourcesResponse, error) {
+	resources, err := s.Store.ListResources(ctx, &store.FindResource{
+		MemoID: &request.Id,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to list resources")
+	}
+
+	// Delete resources that are not in the request.
+	for _, resource := range resources {
+		found := false
+		for _, requestResource := range request.Resources {
+			if resource.ID == int32(requestResource.Id) {
+				found = true
+				break
+			}
+		}
+		if !found {
+			if err = s.Store.DeleteResource(ctx, &store.DeleteResource{
+				ID:     int32(resource.ID),
+				MemoID: &request.Id,
+			}); err != nil {
+				return nil, status.Errorf(codes.Internal, "failed to delete resource")
+			}
+		}
+	}
+
+	slices.Reverse(request.Resources)
+	// Update resources' memo_id in the request.
+	for index, resource := range request.Resources {
+		updatedTs := time.Now().Unix() + int64(index)
+		if _, err := s.Store.UpdateResource(ctx, &store.UpdateResource{
+			ID:        resource.Id,
+			MemoID:    &request.Id,
+			UpdatedTs: &updatedTs,
+		}); err != nil {
+			return nil, status.Errorf(codes.Internal, "failed to update resource: %v", err)
+		}
+	}
+
+	return &apiv2pb.SetMemoResourcesResponse{}, nil
+}
+
+func (s *APIV2Service) ListMemoResources(ctx context.Context, request *apiv2pb.ListMemoResourcesRequest) (*apiv2pb.ListMemoResourcesResponse, error) {
+	resources, err := s.Store.ListResources(ctx, &store.FindResource{
+		MemoID: &request.Id,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to list resources")
+	}
+
+	response := &apiv2pb.ListMemoResourcesResponse{
+		Resources: []*apiv2pb.Resource{},
+	}
+	for _, resource := range resources {
+		response.Resources = append(response.Resources, s.convertResourceFromStore(ctx, resource))
+	}
+	return response, nil
+}
--- a/api/v2/memo_service.go
+++ b/api/v2/memo_service.go
@@ -0,0 +1,797 @@
+package v2
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"time"
+
+	"github.com/google/cel-go/cel"
+	"github.com/pkg/errors"
+	"go.uber.org/zap"
+	expr "google.golang.org/genproto/googleapis/api/expr/v1alpha1"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	apiv1 "github.com/usememos/memos/api/v1"
+	"github.com/usememos/memos/internal/log"
+	"github.com/usememos/memos/plugin/gomark/ast"
+	"github.com/usememos/memos/plugin/gomark/parser"
+	"github.com/usememos/memos/plugin/gomark/parser/tokenizer"
+	"github.com/usememos/memos/plugin/gomark/restore"
+	"github.com/usememos/memos/plugin/webhook"
+	apiv2pb "github.com/usememos/memos/proto/gen/api/v2"
+	storepb "github.com/usememos/memos/proto/gen/store"
+	"github.com/usememos/memos/server/service/metric"
+	"github.com/usememos/memos/store"
+)
+
+const (
+	MaxContentLength = 8 * 1024
+)
+
+func (s *APIV2Service) CreateMemo(ctx context.Context, request *apiv2pb.CreateMemoRequest) (*apiv2pb.CreateMemoResponse, error) {
+	user, err := getCurrentUser(ctx, s.Store)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get user")
+	}
+	if user == nil {
+		return nil, status.Errorf(codes.PermissionDenied, "permission denied")
+	}
+	if len(request.Content) > MaxContentLength {
+		return nil, status.Errorf(codes.InvalidArgument, "content too long")
+	}
+
+	nodes, err := parser.Parse(tokenizer.Tokenize(request.Content))
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to parse memo content")
+	}
+
+	create := &store.Memo{
+		CreatorID:  user.ID,
+		Content:    request.Content,
+		Visibility: store.Visibility(request.Visibility.String()),
+	}
+	// Find disable public memos system setting.
+	disablePublicMemosSystem, err := s.getDisablePublicMemosSystemSettingValue(ctx)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get system setting")
+	}
+	if disablePublicMemosSystem && create.Visibility == store.Public {
+		return nil, status.Errorf(codes.PermissionDenied, "disable public memos system setting is enabled")
+	}
+
+	memo, err := s.Store.CreateMemo(ctx, create)
+	if err != nil {
+		return nil, err
+	}
+	metric.Enqueue("memo create")
+
+	// Dynamically upsert tags from memo content.
+	traverseASTNodes(nodes, func(node ast.Node) {
+		if tag, ok := node.(*ast.Tag); ok {
+			if _, err := s.Store.UpsertTag(ctx, &store.Tag{
+				Name:      tag.Content,
+				CreatorID: user.ID,
+			}); err != nil {
+				log.Warn("Failed to create tag", zap.Error(err))
+			}
+		}
+	})
+
+	memoMessage, err := s.convertMemoFromStore(ctx, memo)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to convert memo")
+	}
+	// Try to dispatch webhook when memo is created.
+	if err := s.DispatchMemoCreatedWebhook(ctx, memoMessage); err != nil {
+		log.Warn("Failed to dispatch memo created webhook", zap.Error(err))
+	}
+
+	response := &apiv2pb.CreateMemoResponse{
+		Memo: memoMessage,
+	}
+	return response, nil
+}
+
+func (s *APIV2Service) ListMemos(ctx context.Context, request *apiv2pb.ListMemosRequest) (*apiv2pb.ListMemosResponse, error) {
+	memoFind := &store.FindMemo{
+		// Exclude comments by default.
+		ExcludeComments: true,
+	}
+	if request.Filter != "" {
+		filter, err := parseListMemosFilter(request.Filter)
+		if err != nil {
+			return nil, status.Errorf(codes.InvalidArgument, "invalid filter: %v", err)
+		}
+		if len(filter.ContentSearch) > 0 {
+			memoFind.ContentSearch = filter.ContentSearch
+		}
+		if len(filter.Visibilities) > 0 {
+			memoFind.VisibilityList = filter.Visibilities
+		}
+		if filter.OrderByPinned {
+			memoFind.OrderByPinned = filter.OrderByPinned
+		}
+		if filter.DisplayTimeAfter != nil {
+			displayWithUpdatedTs, err := s.getMemoDisplayWithUpdatedTsSettingValue(ctx)
+			if err != nil {
+				return nil, status.Errorf(codes.Internal, "failed to get memo display with updated ts setting value")
+			}
+			if displayWithUpdatedTs {
+				memoFind.UpdatedTsAfter = filter.DisplayTimeAfter
+			} else {
+				memoFind.CreatedTsAfter = filter.DisplayTimeAfter
+			}
+		}
+		if filter.DisplayTimeBefore != nil {
+			displayWithUpdatedTs, err := s.getMemoDisplayWithUpdatedTsSettingValue(ctx)
+			if err != nil {
+				return nil, status.Errorf(codes.Internal, "failed to get memo display with updated ts setting value")
+			}
+			if displayWithUpdatedTs {
+				memoFind.UpdatedTsBefore = filter.DisplayTimeBefore
+			} else {
+				memoFind.CreatedTsBefore = filter.DisplayTimeBefore
+			}
+		}
+		if filter.Creator != nil {
+			username, err := ExtractUsernameFromName(*filter.Creator)
+			if err != nil {
+				return nil, status.Errorf(codes.InvalidArgument, "invalid creator name")
+			}
+			user, err := s.Store.GetUser(ctx, &store.FindUser{
+				Username: &username,
+			})
+			if err != nil {
+				return nil, status.Errorf(codes.Internal, "failed to get user")
+			}
+			if user == nil {
+				return nil, status.Errorf(codes.NotFound, "user not found")
+			}
+			memoFind.CreatorID = &user.ID
+		}
+		if filter.RowStatus != nil {
+			memoFind.RowStatus = filter.RowStatus
+		}
+	} else {
+		return nil, status.Errorf(codes.InvalidArgument, "filter is required")
+	}
+
+	user, _ := getCurrentUser(ctx, s.Store)
+	// If the user is not authenticated, only public memos are visible.
+	if user == nil {
+		memoFind.VisibilityList = []store.Visibility{store.Public}
+	}
+	if user != nil && memoFind.CreatorID != nil && *memoFind.CreatorID != user.ID {
+		memoFind.VisibilityList = []store.Visibility{store.Public, store.Protected}
+	}
+
+	displayWithUpdatedTs, err := s.getMemoDisplayWithUpdatedTsSettingValue(ctx)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get memo display with updated ts setting value")
+	}
+	if displayWithUpdatedTs {
+		memoFind.OrderByUpdatedTs = true
+	}
+
+	if request.Limit != 0 {
+		offset, limit := int(request.Offset), int(request.Limit)
+		memoFind.Offset = &offset
+		memoFind.Limit = &limit
+	}
+	memos, err := s.Store.ListMemos(ctx, memoFind)
+	if err != nil {
+		return nil, err
+	}
+
+	memoMessages := make([]*apiv2pb.Memo, len(memos))
+	for i, memo := range memos {
+		memoMessage, err := s.convertMemoFromStore(ctx, memo)
+		if err != nil {
+			return nil, errors.Wrap(err, "failed to convert memo")
+		}
+		memoMessages[i] = memoMessage
+	}
+
+	response := &apiv2pb.ListMemosResponse{
+		Memos: memoMessages,
+	}
+	return response, nil
+}
+
+func (s *APIV2Service) GetMemo(ctx context.Context, request *apiv2pb.GetMemoRequest) (*apiv2pb.GetMemoResponse, error) {
+	memo, err := s.Store.GetMemo(ctx, &store.FindMemo{
+		ID: &request.Id,
+	})
+	if err != nil {
+		return nil, err
+	}
+	if memo == nil {
+		return nil, status.Errorf(codes.NotFound, "memo not found")
+	}
+	if memo.Visibility != store.Public {
+		user, err := getCurrentUser(ctx, s.Store)
+		if err != nil {
+			return nil, status.Errorf(codes.Internal, "failed to get user")
+		}
+		if user == nil {
+			return nil, status.Errorf(codes.PermissionDenied, "permission denied")
+		}
+		if memo.Visibility == store.Private && memo.CreatorID != user.ID {
+			return nil, status.Errorf(codes.PermissionDenied, "permission denied")
+		}
+	}
+
+	memoMessage, err := s.convertMemoFromStore(ctx, memo)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to convert memo")
+	}
+	response := &apiv2pb.GetMemoResponse{
+		Memo: memoMessage,
+	}
+	return response, nil
+}
+
+func (s *APIV2Service) UpdateMemo(ctx context.Context, request *apiv2pb.UpdateMemoRequest) (*apiv2pb.UpdateMemoResponse, error) {
+	if request.UpdateMask == nil || len(request.UpdateMask.Paths) == 0 {
+		return nil, status.Errorf(codes.InvalidArgument, "update mask is required")
+	}
+
+	memo, err := s.Store.GetMemo(ctx, &store.FindMemo{
+		ID: &request.Id,
+	})
+	if err != nil {
+		return nil, err
+	}
+	if memo == nil {
+		return nil, status.Errorf(codes.NotFound, "memo not found")
+	}
+
+	user, _ := getCurrentUser(ctx, s.Store)
+	if memo.CreatorID != user.ID {
+		return nil, status.Errorf(codes.PermissionDenied, "permission denied")
+	}
+
+	currentTs := time.Now().Unix()
+	update := &store.UpdateMemo{
+		ID:        request.Id,
+		UpdatedTs: &currentTs,
+	}
+	for _, path := range request.UpdateMask.Paths {
+		if path == "content" {
+			update.Content = &request.Memo.Content
+			nodes, err := parser.Parse(tokenizer.Tokenize(*update.Content))
+			if err != nil {
+				return nil, errors.Wrap(err, "failed to parse memo content")
+			}
+
+			// Dynamically upsert tags from memo content.
+			traverseASTNodes(nodes, func(node ast.Node) {
+				if tag, ok := node.(*ast.Tag); ok {
+					if _, err := s.Store.UpsertTag(ctx, &store.Tag{
+						Name:      tag.Content,
+						CreatorID: user.ID,
+					}); err != nil {
+						log.Warn("Failed to create tag", zap.Error(err))
+					}
+				}
+			})
+		} else if path == "nodes" {
+			nodes := convertToASTNodes(request.Memo.Nodes)
+			content := restore.Restore(nodes)
+			update.Content = &content
+		} else if path == "visibility" {
+			visibility := convertVisibilityToStore(request.Memo.Visibility)
+			update.Visibility = &visibility
+		} else if path == "row_status" {
+			rowStatus := convertRowStatusToStore(request.Memo.RowStatus)
+			println("rowStatus", rowStatus)
+			update.RowStatus = &rowStatus
+		} else if path == "created_ts" {
+			createdTs := request.Memo.CreateTime.AsTime().Unix()
+			update.CreatedTs = &createdTs
+		} else if path == "pinned" {
+			if _, err := s.Store.UpsertMemoOrganizer(ctx, &store.MemoOrganizer{
+				MemoID: request.Id,
+				UserID: user.ID,
+				Pinned: request.Memo.Pinned,
+			}); err != nil {
+				return nil, status.Errorf(codes.Internal, "failed to upsert memo organizer")
+			}
+		}
+	}
+	if update.Content != nil && len(*update.Content) > MaxContentLength {
+		return nil, status.Errorf(codes.InvalidArgument, "content too long")
+	}
+
+	if err = s.Store.UpdateMemo(ctx, update); err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to update memo")
+	}
+
+	memo, err = s.Store.GetMemo(ctx, &store.FindMemo{
+		ID: &request.Id,
+	})
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to get memo")
+	}
+	memoMessage, err := s.convertMemoFromStore(ctx, memo)
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to convert memo")
+	}
+	// Try to dispatch webhook when memo is updated.
+	if err := s.DispatchMemoUpdatedWebhook(ctx, memoMessage); err != nil {
+		log.Warn("Failed to dispatch memo updated webhook", zap.Error(err))
+	}
+
+	return &apiv2pb.UpdateMemoResponse{
+		Memo: memoMessage,
+	}, nil
+}
+
+func (s *APIV2Service) DeleteMemo(ctx context.Context, request *apiv2pb.DeleteMemoRequest) (*apiv2pb.DeleteMemoResponse, error) {
+	memo, err := s.Store.GetMemo(ctx, &store.FindMemo{
+		ID: &request.Id,
+	})
+	if err != nil {
+		return nil, err
+	}
+	if memo == nil {
+		return nil, status.Errorf(codes.NotFound, "memo not found")
+	}
+
+	user, _ := getCurrentUser(ctx, s.Store)
+	if memo.CreatorID != user.ID {
+		return nil, status.Errorf(codes.PermissionDenied, "permission denied")
+	}
+
+	if err = s.Store.DeleteMemo(ctx, &store.DeleteMemo{
+		ID: request.Id,
+	}); err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to delete memo")
+	}
+
+	return &apiv2pb.DeleteMemoResponse{}, nil
+}
+
+func (s *APIV2Service) CreateMemoComment(ctx context.Context, request *apiv2pb.CreateMemoCommentRequest) (*apiv2pb.CreateMemoCommentResponse, error) {
+	relatedMemo, err := s.Store.GetMemo(ctx, &store.FindMemo{ID: &request.Id})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get memo")
+	}
+
+	// Create the comment memo first.
+	createMemoResponse, err := s.CreateMemo(ctx, request.Create)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to create memo")
+	}
+
+	// Build the relation between the comment memo and the original memo.
+	memo := createMemoResponse.Memo
+	_, err = s.Store.UpsertMemoRelation(ctx, &store.MemoRelation{
+		MemoID:        memo.Id,
+		RelatedMemoID: request.Id,
+		Type:          store.MemoRelationComment,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to create memo relation")
+	}
+	if memo.Visibility != apiv2pb.Visibility_PRIVATE && memo.CreatorId != relatedMemo.CreatorID {
+		activity, err := s.Store.CreateActivity(ctx, &store.Activity{
+			CreatorID: memo.CreatorId,
+			Type:      store.ActivityTypeMemoComment,
+			Level:     store.ActivityLevelInfo,
+			Payload: &storepb.ActivityPayload{
+				MemoComment: &storepb.ActivityMemoCommentPayload{
+					MemoId:        memo.Id,
+					RelatedMemoId: request.Id,
+				},
+			},
+		})
+		if err != nil {
+			return nil, status.Errorf(codes.Internal, "failed to create activity")
+		}
+		if _, err := s.Store.CreateInbox(ctx, &store.Inbox{
+			SenderID:   memo.CreatorId,
+			ReceiverID: relatedMemo.CreatorID,
+			Status:     store.UNREAD,
+			Message: &storepb.InboxMessage{
+				Type:       storepb.InboxMessage_TYPE_MEMO_COMMENT,
+				ActivityId: &activity.ID,
+			},
+		}); err != nil {
+			return nil, status.Errorf(codes.Internal, "failed to create inbox")
+		}
+	}
+	metric.Enqueue("memo comment create")
+
+	response := &apiv2pb.CreateMemoCommentResponse{
+		Memo: memo,
+	}
+	return response, nil
+}
+
+func (s *APIV2Service) ListMemoComments(ctx context.Context, request *apiv2pb.ListMemoCommentsRequest) (*apiv2pb.ListMemoCommentsResponse, error) {
+	memoRelationComment := store.MemoRelationComment
+	memoRelations, err := s.Store.ListMemoRelations(ctx, &store.FindMemoRelation{
+		RelatedMemoID: &request.Id,
+		Type:          &memoRelationComment,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to list memo relations")
+	}
+
+	var memos []*apiv2pb.Memo
+	for _, memoRelation := range memoRelations {
+		memo, err := s.Store.GetMemo(ctx, &store.FindMemo{
+			ID: &memoRelation.MemoID,
+		})
+		if err != nil {
+			return nil, status.Errorf(codes.Internal, "failed to get memo")
+		}
+		if memo != nil {
+			memoMessage, err := s.convertMemoFromStore(ctx, memo)
+			if err != nil {
+				return nil, errors.Wrap(err, "failed to convert memo")
+			}
+			memos = append(memos, memoMessage)
+		}
+	}
+
+	response := &apiv2pb.ListMemoCommentsResponse{
+		Memos: memos,
+	}
+	return response, nil
+}
+
+func (s *APIV2Service) GetUserMemosStats(ctx context.Context, request *apiv2pb.GetUserMemosStatsRequest) (*apiv2pb.GetUserMemosStatsResponse, error) {
+	username, err := ExtractUsernameFromName(request.Name)
+	if err != nil {
+		return nil, status.Errorf(codes.InvalidArgument, "invalid username")
+	}
+	user, err := s.Store.GetUser(ctx, &store.FindUser{
+		Username: &username,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get user")
+	}
+	if user == nil {
+		return nil, status.Errorf(codes.NotFound, "user not found")
+	}
+
+	normalRowStatus := store.Normal
+	memoFind := &store.FindMemo{
+		CreatorID:       &user.ID,
+		RowStatus:       &normalRowStatus,
+		ExcludeComments: true,
+		ExcludeContent:  true,
+	}
+	displayWithUpdatedTs, err := s.getMemoDisplayWithUpdatedTsSettingValue(ctx)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get memo display with updated ts setting value")
+	}
+	if displayWithUpdatedTs {
+		memoFind.OrderByUpdatedTs = true
+	}
+	if request.Filter != "" {
+		filter, err := parseListMemosFilter(request.Filter)
+		if err != nil {
+			return nil, status.Errorf(codes.InvalidArgument, "invalid filter: %v", err)
+		}
+		if len(filter.ContentSearch) > 0 {
+			memoFind.ContentSearch = filter.ContentSearch
+		}
+		if len(filter.Visibilities) > 0 {
+			memoFind.VisibilityList = filter.Visibilities
+		}
+		if filter.OrderByPinned {
+			memoFind.OrderByPinned = filter.OrderByPinned
+		}
+		if filter.DisplayTimeAfter != nil {
+			displayWithUpdatedTs, err := s.getMemoDisplayWithUpdatedTsSettingValue(ctx)
+			if err != nil {
+				return nil, status.Errorf(codes.Internal, "failed to get memo display with updated ts setting value")
+			}
+			if displayWithUpdatedTs {
+				memoFind.UpdatedTsAfter = filter.DisplayTimeAfter
+			} else {
+				memoFind.CreatedTsAfter = filter.DisplayTimeAfter
+			}
+		}
+		if filter.DisplayTimeBefore != nil {
+			displayWithUpdatedTs, err := s.getMemoDisplayWithUpdatedTsSettingValue(ctx)
+			if err != nil {
+				return nil, status.Errorf(codes.Internal, "failed to get memo display with updated ts setting value")
+			}
+			if displayWithUpdatedTs {
+				memoFind.UpdatedTsBefore = filter.DisplayTimeBefore
+			} else {
+				memoFind.CreatedTsBefore = filter.DisplayTimeBefore
+			}
+		}
+		if filter.RowStatus != nil {
+			memoFind.RowStatus = filter.RowStatus
+		}
+	}
+
+	memos, err := s.Store.ListMemos(ctx, memoFind)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to list memos")
+	}
+
+	location, err := time.LoadLocation(request.Timezone)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "invalid timezone location")
+	}
+
+	stats := make(map[string]int32)
+	for _, memo := range memos {
+		displayTs := memo.CreatedTs
+		if displayWithUpdatedTs {
+			displayTs = memo.UpdatedTs
+		}
+		stats[time.Unix(displayTs, 0).In(location).Format("2006-01-02")]++
+	}
+
+	response := &apiv2pb.GetUserMemosStatsResponse{
+		Stats: stats,
+	}
+	return response, nil
+}
+
+func (s *APIV2Service) convertMemoFromStore(ctx context.Context, memo *store.Memo) (*apiv2pb.Memo, error) {
+	rawNodes, err := parser.Parse(tokenizer.Tokenize(memo.Content))
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to parse memo content")
+	}
+	displayTs := memo.CreatedTs
+	if displayWithUpdatedTs, err := s.getMemoDisplayWithUpdatedTsSettingValue(ctx); err == nil && displayWithUpdatedTs {
+		displayTs = memo.UpdatedTs
+	}
+
+	creator, err := s.Store.GetUser(ctx, &store.FindUser{ID: &memo.CreatorID})
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to get creator")
+	}
+
+	listMemoRelationsResponse, err := s.ListMemoRelations(ctx, &apiv2pb.ListMemoRelationsRequest{Id: memo.ID})
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to list memo relations")
+	}
+
+	listMemoResourcesResponse, err := s.ListMemoResources(ctx, &apiv2pb.ListMemoResourcesRequest{Id: memo.ID})
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to list memo resources")
+	}
+
+	return &apiv2pb.Memo{
+		Id:          int32(memo.ID),
+		RowStatus:   convertRowStatusFromStore(memo.RowStatus),
+		Creator:     fmt.Sprintf("%s%s", UserNamePrefix, creator.Username),
+		CreatorId:   int32(memo.CreatorID),
+		CreateTime:  timestamppb.New(time.Unix(memo.CreatedTs, 0)),
+		UpdateTime:  timestamppb.New(time.Unix(memo.UpdatedTs, 0)),
+		DisplayTime: timestamppb.New(time.Unix(displayTs, 0)),
+		Content:     memo.Content,
+		Nodes:       convertFromASTNodes(rawNodes),
+		Visibility:  convertVisibilityFromStore(memo.Visibility),
+		Pinned:      memo.Pinned,
+		ParentId:    memo.ParentID,
+		Relations:   listMemoRelationsResponse.Relations,
+		Resources:   listMemoResourcesResponse.Resources,
+	}, nil
+}
+
+func (s *APIV2Service) getMemoDisplayWithUpdatedTsSettingValue(ctx context.Context) (bool, error) {
+	memoDisplayWithUpdatedTsSetting, err := s.Store.GetSystemSetting(ctx, &store.FindSystemSetting{
+		Name: apiv1.SystemSettingMemoDisplayWithUpdatedTsName.String(),
+	})
+	if err != nil {
+		return false, errors.Wrap(err, "failed to find system setting")
+	}
+	memoDisplayWithUpdatedTs := false
+	if memoDisplayWithUpdatedTsSetting != nil {
+		err = json.Unmarshal([]byte(memoDisplayWithUpdatedTsSetting.Value), &memoDisplayWithUpdatedTs)
+		if err != nil {
+			return false, errors.Wrap(err, "failed to unmarshal system setting value")
+		}
+	}
+	return memoDisplayWithUpdatedTs, nil
+}
+
+func (s *APIV2Service) getDisablePublicMemosSystemSettingValue(ctx context.Context) (bool, error) {
+	disablePublicMemosSystemSetting, err := s.Store.GetSystemSetting(ctx, &store.FindSystemSetting{
+		Name: apiv1.SystemSettingDisablePublicMemosName.String(),
+	})
+	if err != nil {
+		return false, errors.Wrap(err, "failed to find system setting")
+	}
+	disablePublicMemos := false
+	err = json.Unmarshal([]byte(disablePublicMemosSystemSetting.Value), &disablePublicMemos)
+	if err != nil {
+		return false, errors.Wrap(err, "failed to unmarshal system setting value")
+	}
+	return disablePublicMemos, nil
+}
+
+func convertVisibilityFromStore(visibility store.Visibility) apiv2pb.Visibility {
+	switch visibility {
+	case store.Private:
+		return apiv2pb.Visibility_PRIVATE
+	case store.Protected:
+		return apiv2pb.Visibility_PROTECTED
+	case store.Public:
+		return apiv2pb.Visibility_PUBLIC
+	default:
+		return apiv2pb.Visibility_VISIBILITY_UNSPECIFIED
+	}
+}
+
+func convertVisibilityToStore(visibility apiv2pb.Visibility) store.Visibility {
+	switch visibility {
+	case apiv2pb.Visibility_PRIVATE:
+		return store.Private
+	case apiv2pb.Visibility_PROTECTED:
+		return store.Protected
+	case apiv2pb.Visibility_PUBLIC:
+		return store.Public
+	default:
+		return store.Private
+	}
+}
+
+// ListMemosFilterCELAttributes are the CEL attributes for ListMemosFilter.
+var ListMemosFilterCELAttributes = []cel.EnvOption{
+	cel.Variable("content_search", cel.ListType(cel.StringType)),
+	cel.Variable("visibilities", cel.ListType(cel.StringType)),
+	cel.Variable("order_by_pinned", cel.BoolType),
+	cel.Variable("display_time_before", cel.IntType),
+	cel.Variable("display_time_after", cel.IntType),
+	cel.Variable("creator", cel.StringType),
+	cel.Variable("row_status", cel.StringType),
+}
+
+type ListMemosFilter struct {
+	ContentSearch     []string
+	Visibilities      []store.Visibility
+	OrderByPinned     bool
+	DisplayTimeBefore *int64
+	DisplayTimeAfter  *int64
+	Creator           *string
+	RowStatus         *store.RowStatus
+}
+
+func parseListMemosFilter(expression string) (*ListMemosFilter, error) {
+	e, err := cel.NewEnv(ListMemosFilterCELAttributes...)
+	if err != nil {
+		return nil, err
+	}
+	ast, issues := e.Compile(expression)
+	if issues != nil {
+		return nil, errors.Errorf("found issue %v", issues)
+	}
+	filter := &ListMemosFilter{}
+	expr, err := cel.AstToParsedExpr(ast)
+	if err != nil {
+		return nil, err
+	}
+	callExpr := expr.GetExpr().GetCallExpr()
+	findField(callExpr, filter)
+	return filter, nil
+}
+
+func findField(callExpr *expr.Expr_Call, filter *ListMemosFilter) {
+	if len(callExpr.Args) == 2 {
+		idExpr := callExpr.Args[0].GetIdentExpr()
+		if idExpr != nil {
+			if idExpr.Name == "content_search" {
+				contentSearch := []string{}
+				for _, expr := range callExpr.Args[1].GetListExpr().GetElements() {
+					value := expr.GetConstExpr().GetStringValue()
+					contentSearch = append(contentSearch, value)
+				}
+				filter.ContentSearch = contentSearch
+			} else if idExpr.Name == "visibilities" {
+				visibilities := []store.Visibility{}
+				for _, expr := range callExpr.Args[1].GetListExpr().GetElements() {
+					value := expr.GetConstExpr().GetStringValue()
+					visibilities = append(visibilities, store.Visibility(value))
+				}
+				filter.Visibilities = visibilities
+			} else if idExpr.Name == "order_by_pinned" {
+				value := callExpr.Args[1].GetConstExpr().GetBoolValue()
+				filter.OrderByPinned = value
+			} else if idExpr.Name == "display_time_before" {
+				displayTimeBefore := callExpr.Args[1].GetConstExpr().GetInt64Value()
+				filter.DisplayTimeBefore = &displayTimeBefore
+			} else if idExpr.Name == "display_time_after" {
+				displayTimeAfter := callExpr.Args[1].GetConstExpr().GetInt64Value()
+				filter.DisplayTimeAfter = &displayTimeAfter
+			} else if idExpr.Name == "creator" {
+				creator := callExpr.Args[1].GetConstExpr().GetStringValue()
+				filter.Creator = &creator
+			} else if idExpr.Name == "row_status" {
+				rowStatus := store.RowStatus(callExpr.Args[1].GetConstExpr().GetStringValue())
+				filter.RowStatus = &rowStatus
+			}
+			return
+		}
+	}
+	for _, arg := range callExpr.Args {
+		callExpr := arg.GetCallExpr()
+		if callExpr != nil {
+			findField(callExpr, filter)
+		}
+	}
+}
+
+// DispatchMemoCreatedWebhook dispatches webhook when memo is created.
+func (s *APIV2Service) DispatchMemoCreatedWebhook(ctx context.Context, memo *apiv2pb.Memo) error {
+	return s.dispatchMemoRelatedWebhook(ctx, memo, "memos.memo.created")
+}
+
+// DispatchMemoUpdatedWebhook dispatches webhook when memo is updated.
+func (s *APIV2Service) DispatchMemoUpdatedWebhook(ctx context.Context, memo *apiv2pb.Memo) error {
+	return s.dispatchMemoRelatedWebhook(ctx, memo, "memos.memo.updated")
+}
+
+func (s *APIV2Service) dispatchMemoRelatedWebhook(ctx context.Context, memo *apiv2pb.Memo, activityType string) error {
+	webhooks, err := s.Store.ListWebhooks(ctx, &store.FindWebhook{
+		CreatorID: &memo.CreatorId,
+	})
+	if err != nil {
+		return err
+	}
+	metric.Enqueue("webhook dispatch")
+	for _, hook := range webhooks {
+		payload := convertMemoToWebhookPayload(memo)
+		payload.ActivityType = activityType
+		payload.URL = hook.Url
+		err := webhook.Post(*payload)
+		if err != nil {
+			return errors.Wrap(err, "failed to post webhook")
+		}
+	}
+	return nil
+}
+
+func convertMemoToWebhookPayload(memo *apiv2pb.Memo) *webhook.WebhookPayload {
+	return &webhook.WebhookPayload{
+		CreatorID: memo.CreatorId,
+		CreatedTs: time.Now().Unix(),
+		Memo: &webhook.Memo{
+			ID:         memo.Id,
+			CreatorID:  memo.CreatorId,
+			CreatedTs:  memo.CreateTime.Seconds,
+			UpdatedTs:  memo.UpdateTime.Seconds,
+			Content:    memo.Content,
+			Visibility: memo.Visibility.String(),
+			Pinned:     memo.Pinned,
+			ResourceList: func() []*webhook.Resource {
+				resources := []*webhook.Resource{}
+				for _, resource := range memo.Resources {
+					resources = append(resources, &webhook.Resource{
+						ID:           resource.Id,
+						Filename:     resource.Filename,
+						ExternalLink: resource.ExternalLink,
+						Type:         resource.Type,
+						Size:         resource.Size,
+					})
+				}
+				return resources
+			}(),
+			RelationList: func() []*webhook.MemoRelation {
+				relations := []*webhook.MemoRelation{}
+				for _, relation := range memo.Relations {
+					relations = append(relations, &webhook.MemoRelation{
+						MemoID:        relation.MemoId,
+						RelatedMemoID: relation.RelatedMemoId,
+						Type:          relation.Type.String(),
+					})
+				}
+				return relations
+			}(),
+		},
+	}
+}
--- a/api/v2/resource_name.go
+++ b/api/v2/resource_name.go
@@ -0,0 +1,57 @@
+package v2
+
+import (
+	"fmt"
+	"strings"
+
+	"github.com/pkg/errors"
+
+	"github.com/usememos/memos/internal/util"
+)
+
+const (
+	UserNamePrefix  = "users/"
+	InboxNamePrefix = "inboxes/"
+)
+
+// GetNameParentTokens returns the tokens from a resource name.
+func GetNameParentTokens(name string, tokenPrefixes ...string) ([]string, error) {
+	parts := strings.Split(name, "/")
+	if len(parts) != 2*len(tokenPrefixes) {
+		return nil, errors.Errorf("invalid request %q", name)
+	}
+
+	var tokens []string
+	for i, tokenPrefix := range tokenPrefixes {
+		if fmt.Sprintf("%s/", parts[2*i]) != tokenPrefix {
+			return nil, errors.Errorf("invalid prefix %q in request %q", tokenPrefix, name)
+		}
+		if parts[2*i+1] == "" {
+			return nil, errors.Errorf("invalid request %q with empty prefix %q", name, tokenPrefix)
+		}
+		tokens = append(tokens, parts[2*i+1])
+	}
+	return tokens, nil
+}
+
+// ExtractUsernameFromName returns the username from a resource name.
+func ExtractUsernameFromName(name string) (string, error) {
+	tokens, err := GetNameParentTokens(name, UserNamePrefix)
+	if err != nil {
+		return "", err
+	}
+	return tokens[0], nil
+}
+
+// ExtractInboxIDFromName returns the inbox ID from a resource name.
+func ExtractInboxIDFromName(name string) (int32, error) {
+	tokens, err := GetNameParentTokens(name, InboxNamePrefix)
+	if err != nil {
+		return 0, err
+	}
+	id, err := util.ConvertStringToInt32(tokens[0])
+	if err != nil {
+		return 0, errors.Errorf("invalid inbox ID %q", tokens[0])
+	}
+	return id, nil
+}
--- a/api/v2/resource_service.go
+++ b/api/v2/resource_service.go
@@ -0,0 +1,140 @@
+package v2
+
+import (
+	"context"
+	"net/url"
+	"time"
+
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	apiv2pb "github.com/usememos/memos/proto/gen/api/v2"
+	"github.com/usememos/memos/store"
+)
+
+func (s *APIV2Service) CreateResource(ctx context.Context, request *apiv2pb.CreateResourceRequest) (*apiv2pb.CreateResourceResponse, error) {
+	user, err := getCurrentUser(ctx, s.Store)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
+	}
+	if request.ExternalLink != "" {
+		// Only allow those external links scheme with http/https
+		linkURL, err := url.Parse(request.ExternalLink)
+		if err != nil {
+			return nil, status.Errorf(codes.InvalidArgument, "invalid external link: %v", err)
+		}
+		if linkURL.Scheme != "http" && linkURL.Scheme != "https" {
+			return nil, status.Errorf(codes.InvalidArgument, "invalid external link scheme: %v", linkURL.Scheme)
+		}
+	}
+
+	create := &store.Resource{
+		CreatorID:    user.ID,
+		Filename:     request.Filename,
+		ExternalLink: request.ExternalLink,
+		Type:         request.Type,
+	}
+	if request.MemoId != nil {
+		create.MemoID = request.MemoId
+	}
+	resource, err := s.Store.CreateResource(ctx, create)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to create resource: %v", err)
+	}
+	return &apiv2pb.CreateResourceResponse{
+		Resource: s.convertResourceFromStore(ctx, resource),
+	}, nil
+}
+
+func (s *APIV2Service) ListResources(ctx context.Context, _ *apiv2pb.ListResourcesRequest) (*apiv2pb.ListResourcesResponse, error) {
+	user, err := getCurrentUser(ctx, s.Store)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
+	}
+	resources, err := s.Store.ListResources(ctx, &store.FindResource{
+		CreatorID: &user.ID,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to list resources: %v", err)
+	}
+
+	response := &apiv2pb.ListResourcesResponse{}
+	for _, resource := range resources {
+		response.Resources = append(response.Resources, s.convertResourceFromStore(ctx, resource))
+	}
+	return response, nil
+}
+
+func (s *APIV2Service) UpdateResource(ctx context.Context, request *apiv2pb.UpdateResourceRequest) (*apiv2pb.UpdateResourceResponse, error) {
+	if request.UpdateMask == nil || len(request.UpdateMask.Paths) == 0 {
+		return nil, status.Errorf(codes.InvalidArgument, "update mask is required")
+	}
+
+	currentTs := time.Now().Unix()
+	update := &store.UpdateResource{
+		ID:        request.Resource.Id,
+		UpdatedTs: &currentTs,
+	}
+	for _, field := range request.UpdateMask.Paths {
+		if field == "filename" {
+			update.Filename = &request.Resource.Filename
+		} else if field == "memo_id" {
+			update.MemoID = request.Resource.MemoId
+		}
+	}
+
+	resource, err := s.Store.UpdateResource(ctx, update)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to update resource: %v", err)
+	}
+	return &apiv2pb.UpdateResourceResponse{
+		Resource: s.convertResourceFromStore(ctx, resource),
+	}, nil
+}
+
+func (s *APIV2Service) DeleteResource(ctx context.Context, request *apiv2pb.DeleteResourceRequest) (*apiv2pb.DeleteResourceResponse, error) {
+	user, err := getCurrentUser(ctx, s.Store)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
+	}
+	resource, err := s.Store.GetResource(ctx, &store.FindResource{
+		ID:        &request.Id,
+		CreatorID: &user.ID,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to find resource: %v", err)
+	}
+	if resource == nil {
+		return nil, status.Errorf(codes.NotFound, "resource not found")
+	}
+	// Delete the resource from the database.
+	if err := s.Store.DeleteResource(ctx, &store.DeleteResource{
+		ID: resource.ID,
+	}); err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to delete resource: %v", err)
+	}
+	return &apiv2pb.DeleteResourceResponse{}, nil
+}
+
+func (s *APIV2Service) convertResourceFromStore(ctx context.Context, resource *store.Resource) *apiv2pb.Resource {
+	var memoID *int32
+	if resource.MemoID != nil {
+		memo, _ := s.Store.GetMemo(ctx, &store.FindMemo{
+			ID: resource.MemoID,
+		})
+		if memo != nil {
+			memoID = &memo.ID
+		}
+	}
+
+	return &apiv2pb.Resource{
+		Id:           resource.ID,
+		CreateTime:   timestamppb.New(time.Unix(resource.CreatedTs, 0)),
+		Filename:     resource.Filename,
+		ExternalLink: resource.ExternalLink,
+		Type:         resource.Type,
+		Size:         resource.Size,
+		MemoId:       memoID,
+	}
+}
--- a/api/v2/system_service.go
+++ b/api/v2/system_service.go
@@ -0,0 +1,92 @@
+package v2
+
+import (
+	"context"
+	"strconv"
+
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+
+	apiv2pb "github.com/usememos/memos/proto/gen/api/v2"
+	"github.com/usememos/memos/store"
+)
+
+func (s *APIV2Service) GetSystemInfo(ctx context.Context, _ *apiv2pb.GetSystemInfoRequest) (*apiv2pb.GetSystemInfoResponse, error) {
+	defaultSystemInfo := &apiv2pb.SystemInfo{}
+
+	// Get the database size if the user is a host.
+	currentUser, err := getCurrentUser(ctx, s.Store)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
+	}
+	if currentUser != nil && currentUser.Role == store.RoleHost {
+		size, err := s.Store.GetCurrentDBSize(ctx)
+		if err != nil {
+			return nil, status.Errorf(codes.Internal, "failed to get db size: %v", err)
+		}
+		defaultSystemInfo.DbSize = size
+	}
+
+	response := &apiv2pb.GetSystemInfoResponse{
+		SystemInfo: defaultSystemInfo,
+	}
+	return response, nil
+}
+
+func (s *APIV2Service) UpdateSystemInfo(ctx context.Context, request *apiv2pb.UpdateSystemInfoRequest) (*apiv2pb.UpdateSystemInfoResponse, error) {
+	user, err := getCurrentUser(ctx, s.Store)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
+	}
+	if user.Role != store.RoleHost {
+		return nil, status.Errorf(codes.PermissionDenied, "permission denied")
+	}
+	if request.UpdateMask == nil || len(request.UpdateMask.Paths) == 0 {
+		return nil, status.Errorf(codes.InvalidArgument, "update mask is required")
+	}
+
+	// Update system settings.
+	for _, field := range request.UpdateMask.Paths {
+		if field == "allow_registration" {
+			_, err := s.Store.UpsertSystemSetting(ctx, &store.SystemSetting{
+				Name:  "allow-signup",
+				Value: strconv.FormatBool(request.SystemInfo.AllowRegistration),
+			})
+			if err != nil {
+				return nil, status.Errorf(codes.Internal, "failed to update allow_registration system setting: %v", err)
+			}
+		} else if field == "disable_password_login" {
+			_, err := s.Store.UpsertSystemSetting(ctx, &store.SystemSetting{
+				Name:  "disable-password-login",
+				Value: strconv.FormatBool(request.SystemInfo.DisablePasswordLogin),
+			})
+			if err != nil {
+				return nil, status.Errorf(codes.Internal, "failed to update disable_password_login system setting: %v", err)
+			}
+		} else if field == "additional_script" {
+			_, err := s.Store.UpsertSystemSetting(ctx, &store.SystemSetting{
+				Name:  "additional-script",
+				Value: request.SystemInfo.AdditionalScript,
+			})
+			if err != nil {
+				return nil, status.Errorf(codes.Internal, "failed to update additional_script system setting: %v", err)
+			}
+		} else if field == "additional_style" {
+			_, err := s.Store.UpsertSystemSetting(ctx, &store.SystemSetting{
+				Name:  "additional-style",
+				Value: request.SystemInfo.AdditionalStyle,
+			})
+			if err != nil {
+				return nil, status.Errorf(codes.Internal, "failed to update additional_style system setting: %v", err)
+			}
+		}
+	}
+
+	systemInfo, err := s.GetSystemInfo(ctx, &apiv2pb.GetSystemInfoRequest{})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get system info: %v", err)
+	}
+	return &apiv2pb.UpdateSystemInfoResponse{
+		SystemInfo: systemInfo.SystemInfo,
+	}, nil
+}
--- a/api/v2/tag_service.go
+++ b/api/v2/tag_service.go
@@ -0,0 +1,181 @@
+package v2
+
+import (
+	"context"
+	"fmt"
+	"regexp"
+	"sort"
+
+	"github.com/pkg/errors"
+	"golang.org/x/exp/slices"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+
+	apiv2pb "github.com/usememos/memos/proto/gen/api/v2"
+	"github.com/usememos/memos/store"
+)
+
+func (s *APIV2Service) UpsertTag(ctx context.Context, request *apiv2pb.UpsertTagRequest) (*apiv2pb.UpsertTagResponse, error) {
+	user, err := getCurrentUser(ctx, s.Store)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get user")
+	}
+
+	tag, err := s.Store.UpsertTag(ctx, &store.Tag{
+		Name:      request.Name,
+		CreatorID: user.ID,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to upsert tag: %v", err)
+	}
+
+	t, err := s.convertTagFromStore(ctx, tag)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to convert tag: %v", err)
+	}
+	return &apiv2pb.UpsertTagResponse{
+		Tag: t,
+	}, nil
+}
+
+func (s *APIV2Service) ListTags(ctx context.Context, request *apiv2pb.ListTagsRequest) (*apiv2pb.ListTagsResponse, error) {
+	username, err := ExtractUsernameFromName(request.User)
+	if err != nil {
+		return nil, status.Errorf(codes.InvalidArgument, "invalid username: %v", err)
+	}
+	user, err := s.Store.GetUser(ctx, &store.FindUser{
+		Username: &username,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get user: %v", err)
+	}
+	if user == nil {
+		return nil, status.Errorf(codes.NotFound, "user not found")
+	}
+	tags, err := s.Store.ListTags(ctx, &store.FindTag{
+		CreatorID: user.ID,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to list tags: %v", err)
+	}
+
+	response := &apiv2pb.ListTagsResponse{}
+	for _, tag := range tags {
+		t, err := s.convertTagFromStore(ctx, tag)
+		if err != nil {
+			return nil, status.Errorf(codes.Internal, "failed to convert tag: %v", err)
+		}
+		response.Tags = append(response.Tags, t)
+	}
+	return response, nil
+}
+
+func (s *APIV2Service) DeleteTag(ctx context.Context, request *apiv2pb.DeleteTagRequest) (*apiv2pb.DeleteTagResponse, error) {
+	username, err := ExtractUsernameFromName(request.Tag.Creator)
+	if err != nil {
+		return nil, status.Errorf(codes.InvalidArgument, "invalid username: %v", err)
+	}
+	user, err := s.Store.GetUser(ctx, &store.FindUser{
+		Username: &username,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get user: %v", err)
+	}
+	if user == nil {
+		return nil, status.Errorf(codes.NotFound, "user not found")
+	}
+	if err := s.Store.DeleteTag(ctx, &store.DeleteTag{
+		Name:      request.Tag.Name,
+		CreatorID: user.ID,
+	}); err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to delete tag: %v", err)
+	}
+
+	return &apiv2pb.DeleteTagResponse{}, nil
+}
+
+func (s *APIV2Service) GetTagSuggestions(ctx context.Context, request *apiv2pb.GetTagSuggestionsRequest) (*apiv2pb.GetTagSuggestionsResponse, error) {
+	username, err := ExtractUsernameFromName(request.User)
+	if err != nil {
+		return nil, status.Errorf(codes.InvalidArgument, "invalid username: %v", err)
+	}
+	user, err := s.Store.GetUser(ctx, &store.FindUser{
+		Username: &username,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get user: %v", err)
+	}
+	if user == nil {
+		return nil, status.Errorf(codes.NotFound, "user not found")
+	}
+	normalRowStatus := store.Normal
+	memoFind := &store.FindMemo{
+		CreatorID:     &user.ID,
+		ContentSearch: []string{"#"},
+		RowStatus:     &normalRowStatus,
+	}
+	memoList, err := s.Store.ListMemos(ctx, memoFind)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to list memos: %v", err)
+	}
+
+	tagList, err := s.Store.ListTags(ctx, &store.FindTag{
+		CreatorID: user.ID,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to list tags: %v", err)
+	}
+
+	tagNameList := []string{}
+	for _, tag := range tagList {
+		tagNameList = append(tagNameList, tag.Name)
+	}
+	tagMapSet := make(map[string]bool)
+	for _, memo := range memoList {
+		for _, tag := range findTagListFromMemoContent(memo.Content) {
+			if !slices.Contains(tagNameList, tag) {
+				tagMapSet[tag] = true
+			}
+		}
+	}
+	suggestions := []string{}
+	for tag := range tagMapSet {
+		suggestions = append(suggestions, tag)
+	}
+	sort.Strings(suggestions)
+
+	return &apiv2pb.GetTagSuggestionsResponse{
+		Tags: suggestions,
+	}, nil
+}
+
+func (s *APIV2Service) convertTagFromStore(ctx context.Context, tag *store.Tag) (*apiv2pb.Tag, error) {
+	user, err := s.Store.GetUser(ctx, &store.FindUser{
+		ID: &tag.CreatorID,
+	})
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to get user")
+	}
+	return &apiv2pb.Tag{
+		Name:    tag.Name,
+		Creator: fmt.Sprintf("%s%s", UserNamePrefix, user.Username),
+	}, nil
+}
+
+var tagRegexp = regexp.MustCompile(`#([^\s#,]+)`)
+
+func findTagListFromMemoContent(memoContent string) []string {
+	tagMapSet := make(map[string]bool)
+	matches := tagRegexp.FindAllStringSubmatch(memoContent, -1)
+	for _, v := range matches {
+		tagName := v[1]
+		tagMapSet[tagName] = true
+	}
+
+	tagList := []string{}
+	for tag := range tagMapSet {
+		tagList = append(tagList, tag)
+	}
+	sort.Strings(tagList)
+	return tagList
+}
--- a/api/v2/user_service.go
+++ b/api/v2/user_service.go
@@ -0,0 +1,535 @@
+package v2
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+	"regexp"
+	"strings"
+	"time"
+
+	"github.com/golang-jwt/jwt/v4"
+	"github.com/labstack/echo/v4"
+	"github.com/pkg/errors"
+	"golang.org/x/crypto/bcrypt"
+	"golang.org/x/exp/slices"
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	"github.com/usememos/memos/api/auth"
+	apiv2pb "github.com/usememos/memos/proto/gen/api/v2"
+	storepb "github.com/usememos/memos/proto/gen/store"
+	"github.com/usememos/memos/store"
+)
+
+var (
+	usernameMatcher = regexp.MustCompile("^[a-z0-9]([a-z0-9-]{1,30}[a-z0-9])$")
+)
+
+func (s *APIV2Service) ListUsers(ctx context.Context, _ *apiv2pb.ListUsersRequest) (*apiv2pb.ListUsersResponse, error) {
+	currentUser, err := getCurrentUser(ctx, s.Store)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get user: %v", err)
+	}
+	if currentUser.Role != store.RoleHost && currentUser.Role != store.RoleAdmin {
+		return nil, status.Errorf(codes.PermissionDenied, "permission denied")
+	}
+
+	users, err := s.Store.ListUsers(ctx, &store.FindUser{})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to list users: %v", err)
+	}
+
+	response := &apiv2pb.ListUsersResponse{
+		Users: []*apiv2pb.User{},
+	}
+	for _, user := range users {
+		response.Users = append(response.Users, convertUserFromStore(user))
+	}
+	return response, nil
+}
+
+func (s *APIV2Service) GetUser(ctx context.Context, request *apiv2pb.GetUserRequest) (*apiv2pb.GetUserResponse, error) {
+	username, err := ExtractUsernameFromName(request.Name)
+	if err != nil {
+		return nil, status.Errorf(codes.InvalidArgument, "name is required")
+	}
+	user, err := s.Store.GetUser(ctx, &store.FindUser{
+		Username: &username,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get user: %v", err)
+	}
+	if user == nil {
+		return nil, status.Errorf(codes.NotFound, "user not found")
+	}
+
+	userMessage := convertUserFromStore(user)
+	response := &apiv2pb.GetUserResponse{
+		User: userMessage,
+	}
+	return response, nil
+}
+
+func (s *APIV2Service) CreateUser(ctx context.Context, request *apiv2pb.CreateUserRequest) (*apiv2pb.CreateUserResponse, error) {
+	currentUser, err := getCurrentUser(ctx, s.Store)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get user: %v", err)
+	}
+	if currentUser.Role != store.RoleHost {
+		return nil, status.Errorf(codes.PermissionDenied, "permission denied")
+	}
+
+	username, err := ExtractUsernameFromName(request.User.Name)
+	if err != nil {
+		return nil, status.Errorf(codes.InvalidArgument, "name is required")
+	}
+	if !usernameMatcher.MatchString(strings.ToLower(username)) {
+		return nil, status.Errorf(codes.InvalidArgument, "invalid username: %s", username)
+	}
+	passwordHash, err := bcrypt.GenerateFromPassword([]byte(request.User.Password), bcrypt.DefaultCost)
+	if err != nil {
+		return nil, echo.NewHTTPError(http.StatusInternalServerError, "failed to generate password hash").SetInternal(err)
+	}
+
+	user, err := s.Store.CreateUser(ctx, &store.User{
+		Username:     username,
+		Role:         convertUserRoleToStore(request.User.Role),
+		Email:        request.User.Email,
+		Nickname:     request.User.Nickname,
+		PasswordHash: string(passwordHash),
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to create user: %v", err)
+	}
+
+	response := &apiv2pb.CreateUserResponse{
+		User: convertUserFromStore(user),
+	}
+	return response, nil
+}
+
+func (s *APIV2Service) UpdateUser(ctx context.Context, request *apiv2pb.UpdateUserRequest) (*apiv2pb.UpdateUserResponse, error) {
+	username, err := ExtractUsernameFromName(request.User.Name)
+	if err != nil {
+		return nil, status.Errorf(codes.InvalidArgument, "name is required")
+	}
+	currentUser, err := getCurrentUser(ctx, s.Store)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get user: %v", err)
+	}
+	if currentUser.Username != username && currentUser.Role != store.RoleAdmin && currentUser.Role != store.RoleHost {
+		return nil, status.Errorf(codes.PermissionDenied, "permission denied")
+	}
+	if request.UpdateMask == nil || len(request.UpdateMask.Paths) == 0 {
+		return nil, status.Errorf(codes.InvalidArgument, "update mask is empty")
+	}
+
+	user, err := s.Store.GetUser(ctx, &store.FindUser{Username: &username})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get user: %v", err)
+	}
+	if user == nil {
+		return nil, status.Errorf(codes.NotFound, "user not found")
+	}
+
+	currentTs := time.Now().Unix()
+	update := &store.UpdateUser{
+		ID:        user.ID,
+		UpdatedTs: &currentTs,
+	}
+	for _, field := range request.UpdateMask.Paths {
+		if field == "username" {
+			if !usernameMatcher.MatchString(strings.ToLower(request.User.Username)) {
+				return nil, status.Errorf(codes.InvalidArgument, "invalid username: %s", request.User.Username)
+			}
+			update.Username = &request.User.Username
+		} else if field == "nickname" {
+			update.Nickname = &request.User.Nickname
+		} else if field == "email" {
+			update.Email = &request.User.Email
+		} else if field == "avatar_url" {
+			update.AvatarURL = &request.User.AvatarUrl
+		} else if field == "role" {
+			role := convertUserRoleToStore(request.User.Role)
+			update.Role = &role
+		} else if field == "password" {
+			passwordHash, err := bcrypt.GenerateFromPassword([]byte(request.User.Password), bcrypt.DefaultCost)
+			if err != nil {
+				return nil, echo.NewHTTPError(http.StatusInternalServerError, "failed to generate password hash").SetInternal(err)
+			}
+			passwordHashStr := string(passwordHash)
+			update.PasswordHash = &passwordHashStr
+		} else if field == "row_status" {
+			rowStatus := convertRowStatusToStore(request.User.RowStatus)
+			update.RowStatus = &rowStatus
+		} else {
+			return nil, status.Errorf(codes.InvalidArgument, "invalid update path: %s", field)
+		}
+	}
+
+	updatedUser, err := s.Store.UpdateUser(ctx, update)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to update user: %v", err)
+	}
+
+	response := &apiv2pb.UpdateUserResponse{
+		User: convertUserFromStore(updatedUser),
+	}
+	return response, nil
+}
+
+func (s *APIV2Service) DeleteUser(ctx context.Context, request *apiv2pb.DeleteUserRequest) (*apiv2pb.DeleteUserResponse, error) {
+	username, err := ExtractUsernameFromName(request.Name)
+	if err != nil {
+		return nil, status.Errorf(codes.InvalidArgument, "name is required")
+	}
+	currentUser, err := getCurrentUser(ctx, s.Store)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get user: %v", err)
+	}
+	if currentUser.Username != username && currentUser.Role != store.RoleAdmin && currentUser.Role != store.RoleHost {
+		return nil, status.Errorf(codes.PermissionDenied, "permission denied")
+	}
+
+	user, err := s.Store.GetUser(ctx, &store.FindUser{Username: &username})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get user: %v", err)
+	}
+	if user == nil {
+		return nil, status.Errorf(codes.NotFound, "user not found")
+	}
+
+	if err := s.Store.DeleteUser(ctx, &store.DeleteUser{
+		ID: user.ID,
+	}); err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to delete user: %v", err)
+	}
+
+	return &apiv2pb.DeleteUserResponse{}, nil
+}
+
+func getDefaultUserSetting() *apiv2pb.UserSetting {
+	return &apiv2pb.UserSetting{
+		Locale:         "en",
+		Appearance:     "system",
+		MemoVisibility: "PRIVATE",
+	}
+}
+
+func (s *APIV2Service) GetUserSetting(ctx context.Context, _ *apiv2pb.GetUserSettingRequest) (*apiv2pb.GetUserSettingResponse, error) {
+	user, err := getCurrentUser(ctx, s.Store)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
+	}
+
+	userSettings, err := s.Store.ListUserSettings(ctx, &store.FindUserSetting{
+		UserID: &user.ID,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to list user settings: %v", err)
+	}
+	userSettingMessage := getDefaultUserSetting()
+	for _, setting := range userSettings {
+		if setting.Key == storepb.UserSettingKey_USER_SETTING_LOCALE {
+			userSettingMessage.Locale = setting.GetLocale()
+		} else if setting.Key == storepb.UserSettingKey_USER_SETTING_APPEARANCE {
+			userSettingMessage.Appearance = setting.GetAppearance()
+		} else if setting.Key == storepb.UserSettingKey_USER_SETTING_MEMO_VISIBILITY {
+			userSettingMessage.MemoVisibility = setting.GetMemoVisibility()
+		} else if setting.Key == storepb.UserSettingKey_USER_SETTING_TELEGRAM_USER_ID {
+			userSettingMessage.TelegramUserId = setting.GetTelegramUserId()
+		}
+	}
+	return &apiv2pb.GetUserSettingResponse{
+		Setting: userSettingMessage,
+	}, nil
+}
+
+func (s *APIV2Service) UpdateUserSetting(ctx context.Context, request *apiv2pb.UpdateUserSettingRequest) (*apiv2pb.UpdateUserSettingResponse, error) {
+	user, err := getCurrentUser(ctx, s.Store)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
+	}
+
+	if request.UpdateMask == nil || len(request.UpdateMask.Paths) == 0 {
+		return nil, status.Errorf(codes.InvalidArgument, "update mask is empty")
+	}
+
+	for _, field := range request.UpdateMask.Paths {
+		if field == "locale" {
+			if _, err := s.Store.UpsertUserSetting(ctx, &storepb.UserSetting{
+				UserId: user.ID,
+				Key:    storepb.UserSettingKey_USER_SETTING_LOCALE,
+				Value: &storepb.UserSetting_Locale{
+					Locale: request.Setting.Locale,
+				},
+			}); err != nil {
+				return nil, status.Errorf(codes.Internal, "failed to upsert user setting: %v", err)
+			}
+		} else if field == "appearance" {
+			if _, err := s.Store.UpsertUserSetting(ctx, &storepb.UserSetting{
+				UserId: user.ID,
+				Key:    storepb.UserSettingKey_USER_SETTING_APPEARANCE,
+				Value: &storepb.UserSetting_Appearance{
+					Appearance: request.Setting.Appearance,
+				},
+			}); err != nil {
+				return nil, status.Errorf(codes.Internal, "failed to upsert user setting: %v", err)
+			}
+		} else if field == "memo_visibility" {
+			if _, err := s.Store.UpsertUserSetting(ctx, &storepb.UserSetting{
+				UserId: user.ID,
+				Key:    storepb.UserSettingKey_USER_SETTING_MEMO_VISIBILITY,
+				Value: &storepb.UserSetting_MemoVisibility{
+					MemoVisibility: request.Setting.MemoVisibility,
+				},
+			}); err != nil {
+				return nil, status.Errorf(codes.Internal, "failed to upsert user setting: %v", err)
+			}
+		} else if field == "telegram_user_id" {
+			if _, err := s.Store.UpsertUserSetting(ctx, &storepb.UserSetting{
+				UserId: user.ID,
+				Key:    storepb.UserSettingKey_USER_SETTING_TELEGRAM_USER_ID,
+				Value: &storepb.UserSetting_TelegramUserId{
+					TelegramUserId: request.Setting.TelegramUserId,
+				},
+			}); err != nil {
+				return nil, status.Errorf(codes.Internal, "failed to upsert user setting: %v", err)
+			}
+		} else {
+			return nil, status.Errorf(codes.InvalidArgument, "invalid update path: %s", field)
+		}
+	}
+
+	userSettingResponse, err := s.GetUserSetting(ctx, &apiv2pb.GetUserSettingRequest{})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get user setting: %v", err)
+	}
+	return &apiv2pb.UpdateUserSettingResponse{
+		Setting: userSettingResponse.Setting,
+	}, nil
+}
+
+func (s *APIV2Service) ListUserAccessTokens(ctx context.Context, request *apiv2pb.ListUserAccessTokensRequest) (*apiv2pb.ListUserAccessTokensResponse, error) {
+	user, err := getCurrentUser(ctx, s.Store)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
+	}
+	if user == nil {
+		return nil, status.Errorf(codes.PermissionDenied, "permission denied")
+	}
+
+	userID := user.ID
+	username, err := ExtractUsernameFromName(request.Name)
+	if err != nil {
+		return nil, status.Errorf(codes.InvalidArgument, "name is required")
+	}
+	// List access token for other users need to be verified.
+	if user.Username != username {
+		// Normal users can only list their access tokens.
+		if user.Role == store.RoleUser {
+			return nil, status.Errorf(codes.PermissionDenied, "permission denied")
+		}
+
+		// The request user must be exist.
+		requestUser, err := s.Store.GetUser(ctx, &store.FindUser{Username: &username})
+		if requestUser == nil || err != nil {
+			return nil, status.Errorf(codes.NotFound, "fail to find user %s", username)
+		}
+		userID = requestUser.ID
+	}
+
+	userAccessTokens, err := s.Store.GetUserAccessTokens(ctx, userID)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to list access tokens: %v", err)
+	}
+
+	accessTokens := []*apiv2pb.UserAccessToken{}
+	for _, userAccessToken := range userAccessTokens {
+		claims := &auth.ClaimsMessage{}
+		_, err := jwt.ParseWithClaims(userAccessToken.AccessToken, claims, func(t *jwt.Token) (any, error) {
+			if t.Method.Alg() != jwt.SigningMethodHS256.Name {
+				return nil, errors.Errorf("unexpected access token signing method=%v, expect %v", t.Header["alg"], jwt.SigningMethodHS256)
+			}
+			if kid, ok := t.Header["kid"].(string); ok {
+				if kid == "v1" {
+					return []byte(s.Secret), nil
+				}
+			}
+			return nil, errors.Errorf("unexpected access token kid=%v", t.Header["kid"])
+		})
+		if err != nil {
+			// If the access token is invalid or expired, just ignore it.
+			continue
+		}
+
+		userAccessToken := &apiv2pb.UserAccessToken{
+			AccessToken: userAccessToken.AccessToken,
+			Description: userAccessToken.Description,
+			IssuedAt:    timestamppb.New(claims.IssuedAt.Time),
+		}
+		if claims.ExpiresAt != nil {
+			userAccessToken.ExpiresAt = timestamppb.New(claims.ExpiresAt.Time)
+		}
+		accessTokens = append(accessTokens, userAccessToken)
+	}
+
+	// Sort by issued time in descending order.
+	slices.SortFunc(accessTokens, func(i, j *apiv2pb.UserAccessToken) int {
+		return int(i.IssuedAt.Seconds - j.IssuedAt.Seconds)
+	})
+	response := &apiv2pb.ListUserAccessTokensResponse{
+		AccessTokens: accessTokens,
+	}
+	return response, nil
+}
+
+func (s *APIV2Service) CreateUserAccessToken(ctx context.Context, request *apiv2pb.CreateUserAccessTokenRequest) (*apiv2pb.CreateUserAccessTokenResponse, error) {
+	user, err := getCurrentUser(ctx, s.Store)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
+	}
+
+	expiresAt := time.Time{}
+	if request.ExpiresAt != nil {
+		expiresAt = request.ExpiresAt.AsTime()
+	}
+
+	accessToken, err := auth.GenerateAccessToken(user.Username, user.ID, expiresAt, []byte(s.Secret))
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to generate access token: %v", err)
+	}
+
+	claims := &auth.ClaimsMessage{}
+	_, err = jwt.ParseWithClaims(accessToken, claims, func(t *jwt.Token) (any, error) {
+		if t.Method.Alg() != jwt.SigningMethodHS256.Name {
+			return nil, errors.Errorf("unexpected access token signing method=%v, expect %v", t.Header["alg"], jwt.SigningMethodHS256)
+		}
+		if kid, ok := t.Header["kid"].(string); ok {
+			if kid == "v1" {
+				return []byte(s.Secret), nil
+			}
+		}
+		return nil, errors.Errorf("unexpected access token kid=%v", t.Header["kid"])
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to parse access token: %v", err)
+	}
+
+	// Upsert the access token to user setting store.
+	if err := s.UpsertAccessTokenToStore(ctx, user, accessToken, request.Description); err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to upsert access token to store: %v", err)
+	}
+
+	userAccessToken := &apiv2pb.UserAccessToken{
+		AccessToken: accessToken,
+		Description: request.Description,
+		IssuedAt:    timestamppb.New(claims.IssuedAt.Time),
+	}
+	if claims.ExpiresAt != nil {
+		userAccessToken.ExpiresAt = timestamppb.New(claims.ExpiresAt.Time)
+	}
+	response := &apiv2pb.CreateUserAccessTokenResponse{
+		AccessToken: userAccessToken,
+	}
+	return response, nil
+}
+
+func (s *APIV2Service) DeleteUserAccessToken(ctx context.Context, request *apiv2pb.DeleteUserAccessTokenRequest) (*apiv2pb.DeleteUserAccessTokenResponse, error) {
+	user, err := getCurrentUser(ctx, s.Store)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
+	}
+
+	userAccessTokens, err := s.Store.GetUserAccessTokens(ctx, user.ID)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to list access tokens: %v", err)
+	}
+	updatedUserAccessTokens := []*storepb.AccessTokensUserSetting_AccessToken{}
+	for _, userAccessToken := range userAccessTokens {
+		if userAccessToken.AccessToken == request.AccessToken {
+			continue
+		}
+		updatedUserAccessTokens = append(updatedUserAccessTokens, userAccessToken)
+	}
+	if _, err := s.Store.UpsertUserSetting(ctx, &storepb.UserSetting{
+		UserId: user.ID,
+		Key:    storepb.UserSettingKey_USER_SETTING_ACCESS_TOKENS,
+		Value: &storepb.UserSetting_AccessTokens{
+			AccessTokens: &storepb.AccessTokensUserSetting{
+				AccessTokens: updatedUserAccessTokens,
+			},
+		},
+	}); err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to upsert user setting: %v", err)
+	}
+
+	return &apiv2pb.DeleteUserAccessTokenResponse{}, nil
+}
+
+func (s *APIV2Service) UpsertAccessTokenToStore(ctx context.Context, user *store.User, accessToken, description string) error {
+	userAccessTokens, err := s.Store.GetUserAccessTokens(ctx, user.ID)
+	if err != nil {
+		return errors.Wrap(err, "failed to get user access tokens")
+	}
+	userAccessToken := storepb.AccessTokensUserSetting_AccessToken{
+		AccessToken: accessToken,
+		Description: description,
+	}
+	userAccessTokens = append(userAccessTokens, &userAccessToken)
+	if _, err := s.Store.UpsertUserSetting(ctx, &storepb.UserSetting{
+		UserId: user.ID,
+		Key:    storepb.UserSettingKey_USER_SETTING_ACCESS_TOKENS,
+		Value: &storepb.UserSetting_AccessTokens{
+			AccessTokens: &storepb.AccessTokensUserSetting{
+				AccessTokens: userAccessTokens,
+			},
+		},
+	}); err != nil {
+		return errors.Wrap(err, "failed to upsert user setting")
+	}
+	return nil
+}
+
+func convertUserFromStore(user *store.User) *apiv2pb.User {
+	return &apiv2pb.User{
+		Name:       fmt.Sprintf("%s%s", UserNamePrefix, user.Username),
+		Id:         user.ID,
+		RowStatus:  convertRowStatusFromStore(user.RowStatus),
+		CreateTime: timestamppb.New(time.Unix(user.CreatedTs, 0)),
+		UpdateTime: timestamppb.New(time.Unix(user.UpdatedTs, 0)),
+		Role:       convertUserRoleFromStore(user.Role),
+		Username:   user.Username,
+		Email:      user.Email,
+		Nickname:   user.Nickname,
+		AvatarUrl:  user.AvatarURL,
+	}
+}
+
+func convertUserRoleFromStore(role store.Role) apiv2pb.User_Role {
+	switch role {
+	case store.RoleHost:
+		return apiv2pb.User_HOST
+	case store.RoleAdmin:
+		return apiv2pb.User_ADMIN
+	case store.RoleUser:
+		return apiv2pb.User_USER
+	default:
+		return apiv2pb.User_ROLE_UNSPECIFIED
+	}
+}
+
+func convertUserRoleToStore(role apiv2pb.User_Role) store.Role {
+	switch role {
+	case apiv2pb.User_HOST:
+		return store.RoleHost
+	case apiv2pb.User_ADMIN:
+		return store.RoleAdmin
+	case apiv2pb.User_USER:
+		return store.RoleUser
+	default:
+		return store.RoleUser
+	}
+}
--- a/api/v2/v2.go
+++ b/api/v2/v2.go
@@ -0,0 +1,146 @@
+package v2
+
+import (
+	"context"
+	"fmt"
+	"net"
+
+	"github.com/grpc-ecosystem/grpc-gateway/v2/runtime"
+	"github.com/improbable-eng/grpc-web/go/grpcweb"
+	"github.com/labstack/echo/v4"
+	"github.com/pkg/errors"
+	"go.uber.org/zap"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/credentials/insecure"
+	"google.golang.org/grpc/reflection"
+
+	"github.com/usememos/memos/internal/log"
+	apiv2pb "github.com/usememos/memos/proto/gen/api/v2"
+	"github.com/usememos/memos/server/profile"
+	"github.com/usememos/memos/store"
+)
+
+type APIV2Service struct {
+	apiv2pb.UnimplementedSystemServiceServer
+	apiv2pb.UnimplementedAuthServiceServer
+	apiv2pb.UnimplementedUserServiceServer
+	apiv2pb.UnimplementedMemoServiceServer
+	apiv2pb.UnimplementedResourceServiceServer
+	apiv2pb.UnimplementedTagServiceServer
+	apiv2pb.UnimplementedInboxServiceServer
+	apiv2pb.UnimplementedActivityServiceServer
+	apiv2pb.UnimplementedWebhookServiceServer
+	apiv2pb.UnimplementedMarkdownServiceServer
+
+	Secret  string
+	Profile *profile.Profile
+	Store   *store.Store
+
+	grpcServer     *grpc.Server
+	grpcServerPort int
+}
+
+func NewAPIV2Service(secret string, profile *profile.Profile, store *store.Store, grpcServerPort int) *APIV2Service {
+	grpc.EnableTracing = true
+	authProvider := NewGRPCAuthInterceptor(store, secret)
+	grpcServer := grpc.NewServer(
+		grpc.ChainUnaryInterceptor(
+			authProvider.AuthenticationInterceptor,
+		),
+	)
+	apiv2Service := &APIV2Service{
+		Secret:         secret,
+		Profile:        profile,
+		Store:          store,
+		grpcServer:     grpcServer,
+		grpcServerPort: grpcServerPort,
+	}
+
+	apiv2pb.RegisterSystemServiceServer(grpcServer, apiv2Service)
+	apiv2pb.RegisterAuthServiceServer(grpcServer, apiv2Service)
+	apiv2pb.RegisterUserServiceServer(grpcServer, apiv2Service)
+	apiv2pb.RegisterMemoServiceServer(grpcServer, apiv2Service)
+	apiv2pb.RegisterTagServiceServer(grpcServer, apiv2Service)
+	apiv2pb.RegisterResourceServiceServer(grpcServer, apiv2Service)
+	apiv2pb.RegisterInboxServiceServer(grpcServer, apiv2Service)
+	apiv2pb.RegisterActivityServiceServer(grpcServer, apiv2Service)
+	apiv2pb.RegisterWebhookServiceServer(grpcServer, apiv2Service)
+	apiv2pb.RegisterMarkdownServiceServer(grpcServer, apiv2Service)
+	reflection.Register(grpcServer)
+
+	return apiv2Service
+}
+
+func (s *APIV2Service) GetGRPCServer() *grpc.Server {
+	return s.grpcServer
+}
+
+// RegisterGateway registers the gRPC-Gateway with the given Echo instance.
+func (s *APIV2Service) RegisterGateway(ctx context.Context, e *echo.Echo) error {
+	// Create a client connection to the gRPC Server we just started.
+	// This is where the gRPC-Gateway proxies the requests.
+	conn, err := grpc.DialContext(
+		ctx,
+		fmt.Sprintf(":%d", s.grpcServerPort),
+		grpc.WithTransportCredentials(insecure.NewCredentials()),
+	)
+	if err != nil {
+		return err
+	}
+
+	gwMux := runtime.NewServeMux()
+	if err := apiv2pb.RegisterSystemServiceHandler(context.Background(), gwMux, conn); err != nil {
+		return err
+	}
+	if err := apiv2pb.RegisterAuthServiceHandler(context.Background(), gwMux, conn); err != nil {
+		return err
+	}
+	if err := apiv2pb.RegisterUserServiceHandler(context.Background(), gwMux, conn); err != nil {
+		return err
+	}
+	if err := apiv2pb.RegisterMemoServiceHandler(context.Background(), gwMux, conn); err != nil {
+		return err
+	}
+	if err := apiv2pb.RegisterTagServiceHandler(context.Background(), gwMux, conn); err != nil {
+		return err
+	}
+	if err := apiv2pb.RegisterResourceServiceHandler(context.Background(), gwMux, conn); err != nil {
+		return err
+	}
+	if err := apiv2pb.RegisterInboxServiceHandler(context.Background(), gwMux, conn); err != nil {
+		return err
+	}
+	if err := apiv2pb.RegisterActivityServiceHandler(context.Background(), gwMux, conn); err != nil {
+		return err
+	}
+	if err := apiv2pb.RegisterWebhookServiceHandler(context.Background(), gwMux, conn); err != nil {
+		return err
+	}
+	if err := apiv2pb.RegisterMarkdownServiceHandler(context.Background(), gwMux, conn); err != nil {
+		return err
+	}
+	e.Any("/api/v2/*", echo.WrapHandler(gwMux))
+
+	// GRPC web proxy.
+	options := []grpcweb.Option{
+		grpcweb.WithCorsForRegisteredEndpointsOnly(false),
+		grpcweb.WithOriginFunc(func(origin string) bool {
+			return true
+		}),
+	}
+	wrappedGrpc := grpcweb.WrapServer(s.grpcServer, options...)
+	e.Any("/memos.api.v2.*", echo.WrapHandler(wrappedGrpc))
+
+	// Start gRPC server.
+	listen, err := net.Listen("tcp", fmt.Sprintf("%s:%d", s.Profile.Addr, s.grpcServerPort))
+	if err != nil {
+		return errors.Wrap(err, "failed to start gRPC server")
+	}
+	go func() {
+		if err := s.grpcServer.Serve(listen); err != nil {
+			log.Error("grpc server listen error", zap.Error(err))
+		}
+	}()
+
+	return nil
+}
--- a/api/v2/webhook_service.go
+++ b/api/v2/webhook_service.go
@@ -0,0 +1,120 @@
+package v2
+
+import (
+	"context"
+	"time"
+
+	"google.golang.org/grpc/codes"
+	"google.golang.org/grpc/status"
+	"google.golang.org/protobuf/types/known/timestamppb"
+
+	apiv2pb "github.com/usememos/memos/proto/gen/api/v2"
+	storepb "github.com/usememos/memos/proto/gen/store"
+	"github.com/usememos/memos/store"
+)
+
+func (s *APIV2Service) CreateWebhook(ctx context.Context, request *apiv2pb.CreateWebhookRequest) (*apiv2pb.CreateWebhookResponse, error) {
+	currentUser, err := getCurrentUser(ctx, s.Store)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get user: %v", err)
+	}
+
+	webhook, err := s.Store.CreateWebhook(ctx, &storepb.Webhook{
+		CreatorId: currentUser.ID,
+		Name:      request.Name,
+		Url:       request.Url,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to create webhook, error: %+v", err)
+	}
+	return &apiv2pb.CreateWebhookResponse{
+		Webhook: convertWebhookFromStore(webhook),
+	}, nil
+}
+
+func (s *APIV2Service) ListWebhooks(ctx context.Context, request *apiv2pb.ListWebhooksRequest) (*apiv2pb.ListWebhooksResponse, error) {
+	webhooks, err := s.Store.ListWebhooks(ctx, &store.FindWebhook{
+		CreatorID: &request.CreatorId,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to list webhooks, error: %+v", err)
+	}
+
+	response := &apiv2pb.ListWebhooksResponse{
+		Webhooks: []*apiv2pb.Webhook{},
+	}
+	for _, webhook := range webhooks {
+		response.Webhooks = append(response.Webhooks, convertWebhookFromStore(webhook))
+	}
+	return response, nil
+}
+
+func (s *APIV2Service) GetWebhook(ctx context.Context, request *apiv2pb.GetWebhookRequest) (*apiv2pb.GetWebhookResponse, error) {
+	currentUser, err := getCurrentUser(ctx, s.Store)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get user: %v", err)
+	}
+
+	webhook, err := s.Store.GetWebhooks(ctx, &store.FindWebhook{
+		ID:        &request.Id,
+		CreatorID: &currentUser.ID,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to get webhook, error: %+v", err)
+	}
+	if webhook == nil {
+		return nil, status.Errorf(codes.NotFound, "webhook not found")
+	}
+	return &apiv2pb.GetWebhookResponse{
+		Webhook: convertWebhookFromStore(webhook),
+	}, nil
+}
+
+func (s *APIV2Service) UpdateWebhook(ctx context.Context, request *apiv2pb.UpdateWebhookRequest) (*apiv2pb.UpdateWebhookResponse, error) {
+	if request.UpdateMask == nil || len(request.UpdateMask.Paths) == 0 {
+		return nil, status.Errorf(codes.InvalidArgument, "update_mask is required")
+	}
+
+	update := &store.UpdateWebhook{}
+	for _, field := range request.UpdateMask.Paths {
+		switch field {
+		case "row_status":
+			rowStatus := storepb.RowStatus(storepb.RowStatus_value[request.Webhook.RowStatus.String()])
+			update.RowStatus = &rowStatus
+		case "name":
+			update.Name = &request.Webhook.Name
+		case "url":
+			update.URL = &request.Webhook.Url
+		}
+	}
+
+	webhook, err := s.Store.UpdateWebhook(ctx, update)
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to update webhook, error: %+v", err)
+	}
+	return &apiv2pb.UpdateWebhookResponse{
+		Webhook: convertWebhookFromStore(webhook),
+	}, nil
+}
+
+func (s *APIV2Service) DeleteWebhook(ctx context.Context, request *apiv2pb.DeleteWebhookRequest) (*apiv2pb.DeleteWebhookResponse, error) {
+	err := s.Store.DeleteWebhook(ctx, &store.DeleteWebhook{
+		ID: request.Id,
+	})
+	if err != nil {
+		return nil, status.Errorf(codes.Internal, "failed to delete webhook, error: %+v", err)
+	}
+	return &apiv2pb.DeleteWebhookResponse{}, nil
+}
+
+func convertWebhookFromStore(webhook *storepb.Webhook) *apiv2pb.Webhook {
+	return &apiv2pb.Webhook{
+		Id:          webhook.Id,
+		CreatedTime: timestamppb.New(time.Unix(webhook.CreatedTs, 0)),
+		UpdatedTime: timestamppb.New(time.Unix(webhook.UpdatedTs, 0)),
+		RowStatus:   apiv2pb.RowStatus(webhook.RowStatus),
+		CreatorId:   webhook.CreatorId,
+		Name:        webhook.Name,
+		Url:         webhook.Url,
+	}
+}
--- a/bin/memos/main.go
+++ b/bin/memos/main.go
@@ -1,4 +1,4 @@
-package cmd
+package main

 import (
 	"context"
@@ -10,9 +10,14 @@ import (

 	"github.com/spf13/cobra"
 	"github.com/spf13/viper"
+	"go.uber.org/zap"

+	"github.com/usememos/memos/internal/log"
 	"github.com/usememos/memos/server"
 	_profile "github.com/usememos/memos/server/profile"
+	"github.com/usememos/memos/server/service/metric"
+	"github.com/usememos/memos/store"
+	"github.com/usememos/memos/store/db"
 )

 const (
@@ -27,22 +32,53 @@ const (
 )

 var (
-	profile *_profile.Profile
-	mode    string
-	port    int
-	data    string
+	profile      *_profile.Profile
+	mode         string
+	addr         string
+	port         int
+	data         string
+	driver       string
+	dsn          string
+	enableMetric bool

 	rootCmd = &cobra.Command{
 		Use:   "memos",
 		Short: `An open-source, self-hosted memo hub with knowledge management and social networking.`,
 		Run: func(_cmd *cobra.Command, _args []string) {
 			ctx, cancel := context.WithCancel(context.Background())
-			s, err := server.NewServer(ctx, profile)
+			dbDriver, err := db.NewDBDriver(profile)
 			if err != nil {
 				cancel()
-				fmt.Printf("failed to create server, error: %+v\n", err)
+				log.Error("failed to create db driver", zap.Error(err))
 				return
 			}
+			if err := dbDriver.Migrate(ctx); err != nil {
+				cancel()
+				log.Error("failed to migrate db", zap.Error(err))
+				return
+			}
+
+			store := store.New(dbDriver, profile)
+
+			go func() {
+				if err := store.MigrateResourceInternalPath(ctx); err != nil {
+					cancel()
+					log.Error("failed to migrate resource internal path", zap.Error(err))
+					return
+				}
+			}()
+
+			s, err := server.NewServer(ctx, profile, store)
+			if err != nil {
+				cancel()
+				log.Error("failed to create server", zap.Error(err))
+				return
+			}
+
+			if profile.Metric {
+				// nolint
+				metric.NewMetricClient(s.ID, *profile)
+			}

 			c := make(chan os.Signal, 1)
 			// Trigger graceful shutdown on SIGINT or SIGTERM.
@@ -51,16 +87,16 @@ var (
 			signal.Notify(c, os.Interrupt, syscall.SIGTERM)
 			go func() {
 				sig := <-c
-				fmt.Printf("%s received.\n", sig.String())
+				log.Info(fmt.Sprintf("%s received.\n", sig.String()))
 				s.Shutdown(ctx)
 				cancel()
 			}()

-			println(greetingBanner)
-			fmt.Printf("Version %s has started at :%d\n", profile.Version, profile.Port)
+			printGreetings()
+
 			if err := s.Start(ctx); err != nil {
 				if err != http.ErrServerClosed {
-					fmt.Printf("failed to start server, error: %+v\n", err)
+					log.Error("failed to start server", zap.Error(err))
 					cancel()
 				}
 			}
@@ -72,6 +108,7 @@ var (
 )

 func Execute() error {
+	defer log.Sync()
 	return rootCmd.Execute()
 }

@@ -79,13 +116,21 @@ func init() {
 	cobra.OnInitialize(initConfig)

 	rootCmd.PersistentFlags().StringVarP(&mode, "mode", "m", "demo", `mode of server, can be "prod" or "dev" or "demo"`)
+	rootCmd.PersistentFlags().StringVarP(&addr, "addr", "a", "", "address of server")
 	rootCmd.PersistentFlags().IntVarP(&port, "port", "p", 8081, "port of server")
 	rootCmd.PersistentFlags().StringVarP(&data, "data", "d", "", "data directory")
+	rootCmd.PersistentFlags().StringVarP(&driver, "driver", "", "", "database driver")
+	rootCmd.PersistentFlags().StringVarP(&dsn, "dsn", "", "", "database source name(aka. DSN)")
+	rootCmd.PersistentFlags().BoolVarP(&enableMetric, "metric", "", true, "allow metric collection")

 	err := viper.BindPFlag("mode", rootCmd.PersistentFlags().Lookup("mode"))
 	if err != nil {
 		panic(err)
 	}
+	err = viper.BindPFlag("addr", rootCmd.PersistentFlags().Lookup("addr"))
+	if err != nil {
+		panic(err)
+	}
 	err = viper.BindPFlag("port", rootCmd.PersistentFlags().Lookup("port"))
 	if err != nil {
 		panic(err)
@@ -94,9 +139,24 @@ func init() {
 	if err != nil {
 		panic(err)
 	}
+	err = viper.BindPFlag("driver", rootCmd.PersistentFlags().Lookup("driver"))
+	if err != nil {
+		panic(err)
+	}
+	err = viper.BindPFlag("dsn", rootCmd.PersistentFlags().Lookup("dsn"))
+	if err != nil {
+		panic(err)
+	}
+	err = viper.BindPFlag("metric", rootCmd.PersistentFlags().Lookup("metric"))
+	if err != nil {
+		panic(err)
+	}

 	viper.SetDefault("mode", "demo")
+	viper.SetDefault("driver", "sqlite")
+	viper.SetDefault("addr", "")
 	viper.SetDefault("port", 8081)
+	viper.SetDefault("metric", true)
 	viper.SetEnvPrefix("memos")
 }

@@ -111,9 +171,34 @@ func initConfig() {

 	println("---")
 	println("Server profile")
+	println("data:", profile.Data)
 	println("dsn:", profile.DSN)
+	println("addr:", profile.Addr)
 	println("port:", profile.Port)
 	println("mode:", profile.Mode)
+	println("driver:", profile.Driver)
 	println("version:", profile.Version)
+	println("metric:", profile.Metric)
 	println("---")
 }
+
+func printGreetings() {
+	print(greetingBanner)
+	if len(profile.Addr) == 0 {
+		fmt.Printf("Version %s has been started on port %d\n", profile.Version, profile.Port)
+	} else {
+		fmt.Printf("Version %s has been started on address '%s' and port %d\n", profile.Version, profile.Addr, profile.Port)
+	}
+	println("---")
+	println("See more in:")
+	fmt.Printf("👉Website: %s\n", "https://usememos.com")
+	fmt.Printf("👉GitHub: %s\n", "https://github.com/usememos/memos")
+	println("---")
+}
+
+func main() {
+	err := Execute()
+	if err != nil {
+		panic(err)
+	}
+}
--- a/common/error.go
+++ b/common/error.go
@@ -1,72 +0,0 @@
-package common
-
-import (
-	"errors"
-)
-
-// Code is the error code.
-type Code int
-
-// Application error codes.
-const (
-	// 0 ~ 99 general error.
-	Ok             Code = 0
-	Internal       Code = 1
-	NotAuthorized  Code = 2
-	Invalid        Code = 3
-	NotFound       Code = 4
-	Conflict       Code = 5
-	NotImplemented Code = 6
-)
-
-// Error represents an application-specific error. Application errors can be
-// unwrapped by the caller to extract out the code & message.
-//
-// Any non-application error (such as a disk error) should be reported as an
-// Internal error and the human user should only see "Internal error" as the
-// message. These low-level internal error details should only be logged and
-// reported to the operator of the application (not the end user).
-type Error struct {
-	// Machine-readable error code.
-	Code Code
-
-	// Embedded error.
-	Err error
-}
-
-// Error implements the error interface. Not used by the application otherwise.
-func (e *Error) Error() string {
-	return e.Err.Error()
-}
-
-// ErrorCode unwraps an application error and returns its code.
-// Non-application errors always return EINTERNAL.
-func ErrorCode(err error) Code {
-	var e *Error
-	if err == nil {
-		return Ok
-	} else if errors.As(err, &e) {
-		return e.Code
-	}
-	return Internal
-}
-
-// ErrorMessage unwraps an application error and returns its message.
-// Non-application errors always return "Internal error".
-func ErrorMessage(err error) string {
-	var e *Error
-	if err == nil {
-		return ""
-	} else if errors.As(err, &e) {
-		return e.Err.Error()
-	}
-	return "Internal error."
-}
-
-// Errorf is a helper function to return an Error with a given code and error.
-func Errorf(code Code, err error) *Error {
-	return &Error{
-		Code: code,
-		Err:  err,
-	}
-}
--- a/doc/CustomThemes.md
+++ b/doc/CustomThemes.md
@@ -1,14 +0,0 @@
-# Adding A Custom Theme
-
-1. Open the Settings Dialog
-2. Navigate to the System Tab
-3. In the "Additional Styles" box add these lines of code:
-
-```css
-.memo-list-container {background-color: #INSERT COLOR HERE;}
-.page-container {background-color: #INSERT COLOR HERE;}
-```
-
-  It is recommended that you choose the same color for both options
-
-4. Refresh the page and the background color of your memos app will successfully update to reflect your changes
--- a/docker-compose.uffizzi.yml
+++ b/docker-compose.uffizzi.yml
@@ -1,17 +0,0 @@
-version: "3.0"
-
-# uffizzi integration
-x-uffizzi:
-  ingress:
-    service: memos
-    port: 5230
-
-services:
-  memos:
-    image: "${MEMOS_IMAGE}"
-    volumes:
-      - memos_volume:/var/opt/memos
-    command: ["--mode", "demo"]
-
-volumes:
-  memos_volume:
--- a/docs/api/v1.md
+++ b/docs/api/v1.md
--- a/docs/deploy-with-render.md
+++ b/docs/deploy-with-render.md
@@ -1,133 +0,0 @@
-# A Beginner's Guide to Deploying Memos on Render.com
-
-written by [AJ](https://memos.ajstephens.website/) (also a noob)
-
-<img height="64px" src="https://raw.githubusercontent.com/usememos/memos/main/resources/logo-full.webp" alt="✍️ memos" />
-
-[Live Demo](https://demo.usememos.com) • [Official Website](https://usememos.com) • [Source Code](https://github.com/usememos/memos)
-
-## Who is this guide for?
-
-Someone who...
-
- doesn't have much experience with self hosting
- has a minimal understanding of docker
-
-Someone who wants...
-
- to use memos
- to support the memos project
- a cost effective and simple way to host it on the cloud with reliablity and persistance
- to share memos with friends
-
-## Requirements
-
- Can follow instructions
- Have 7ish USD a month on a debit/credit card
-
-## Guide
-
-Create an account at [Render](https://dashboard.render.com/register)
-![ss1](https://i.imgur.com/l3K7aqC.png)
-
-1. Go to your dashboard
-
-[https://dashboard.render.com/](https://dashboard.render.com/)
-
-2. Select New Web Service
-
-   ![ss2](https://i.imgur.com/IIDdK2y.png)
-
-3. Scroll down to "Public Git repository"
-
-4. Paste in the link for the public git repository for memos (https://github.com/usememos/memos) and press continue
-
-   ![ss3](https://i.imgur.com/OXoCWoJ.png)
-
-5. Render will pre-fill most of the fields but you will need to create a unique name for your web service
-
-6. Adjust region if you want to
-
-7. Don't touch the "branch", "root directory", and "environment" fields
-
-   ![ss4](https://i.imgur.com/v7Sw3fp.png)
-
-8. Click "enter your payment information" and do so
-
-   ![ss5](https://i.imgur.com/paKcQFl.png)
-
-   ![ss6](https://i.imgur.com/JdcO1HC.png)
-
-9. Select the starter plan ($7 a month - a requirement for persistant data - render's free instances spin down when inactive and lose all data)
-
-10. Click "Create Web Service"
-
-![ss7](https://i.imgur.com/MHe45J4.png)
-
-11. Wait patiently while the _magic_ happens 🤷‍♂️
-
-![ss8](https://i.imgur.com/h1PXHHJ.png)
-
-12. After some time (~ 6 min for me) the build will finish and you will see the web service is live
-
-![ss9](https://i.imgur.com/msapkRw.png)
-
-13. Now it's time to add the disk so your data won't dissappear when the webservice redeploys (redeploys happen automatically when the public repo is updated)
-
-14. Select the "Disks" tab on the left menu and then click "Add Disk"
-
-![ss10](https://i.imgur.com/rGeI0bv.png)
-
-15. Name your disk (can be whatever)
-
-16. Set the "Mount Path" to `/var/opt/memos`
-
-17. Set the disk size (default is 10GB but 1GB is plenty and can be increased at any time)
-
-18. Click "Save"
-
-    ![ss11](https://i.imgur.com/Jbg7O6q.png)
-
-19. Wait...again...while the webservice redeploys with the persistant disk
-
-    ![ss12](https://i.imgur.com/pTzpE34.png)
-
-20. aaaand....we're back online!
-
-    ![ss13](https://i.imgur.com/qdsFfSa.png)
-
-21. Time to test! We're going to make sure everything is working correctly.
-
-22. Click the link in the top left, it should look like `https://the-name-you-chose.onrender.com` - this is your self hosted memos link!
-
-    ![ss14](https://i.imgur.com/cgzFSIn.png)
-
-23. Create a Username and Password (remember these) then click "Sign up as Host"
-
-    ![ss15](https://i.imgur.com/kuRStAj.png)
-
-24. Create a test memo then click save
-
-    ![ss16](https://i.imgur.com/Eh2AB44.png)
-
-25. Sign out of your self-hosted memos
-
-    ![ss17](https://i.imgur.com/0mMb88G.png)
-
-26. Return to your Render dashboard, click the "Manual Deploy" dropdown button and click "Deploy latest commit" and wait until the webservice is live again (This is to test that your data is persistant)
-
-    ![ss18](https://i.imgur.com/w1N7VTb.png)
-
-27. Once the webservice is live go back to your self-hosted memos page and sign in! (If your memos screen looks different then something went wrong)
-
-28. Once you're logged in, verify your test memo is still there after the redeploy
-
-    ![ss19](https://i.imgur.com/dTcEQZS.png)
-
-    ![ss20](https://i.imgur.com/VE2lu8H.png)
-
-## 🎉Celebrate!🎉
-
-You did it! Enjoy using memos!
-
-Want to learn more or need more guidance? Join the community on [telegram](https://t.me/+-_tNF1k70UU4ZTc9) and [discord](https://discord.gg/tfPJa4UmAv).
--- a/docs/development-windows.md
+++ b/docs/development-windows.md
@@ -0,0 +1,90 @@
+# Development in Windows
+
+Memos is built with a curated tech stack. It is optimized for developer experience and is very easy to start working on the code:
+
+1. It has no external dependency.
+2. It requires zero config.
+3. 1 command to start backend and 1 command to start frontend, both with live reload support.
+
+## Tech Stack
+
+| Frontend                                 | Backend                           |
+| ---------------------------------------- | --------------------------------- |
+| [React](https://react.dev/)              | [Go](https://go.dev/)             |
+| [Tailwind CSS](https://tailwindcss.com/) | [SQLite](https://www.sqlite.org/) |
+| [Vite](https://vitejs.dev/)              |                                   |
+| [pnpm](https://pnpm.io/)                 |                                   |
+
+## Prerequisites
+
+- [Go](https://golang.org/doc/install)
+- [Air](https://github.com/cosmtrek/air#installation) for backend live reload
+- [Node.js](https://nodejs.org/)
+- [pnpm](https://pnpm.io/installation)
+
+## Steps
+
+(Using PowerShell)
+
+1. pull source code
+
+   ```powershell
+   git clone https://github.com/usememos/memos
+   # or
+   gh repo clone usememos/memos
+   ```
+
+2. cd into the project root directory
+
+   ```powershell
+   cd memos
+   ```
+
+3. start backend using air (with live reload)
+
+   ```powershell
+   air -c .\scripts\.air-windows.toml
+   ```
+
+4. start frontend dev server
+
+   ```powershell
+   cd web; pnpm i; pnpm dev
+   ```
+
+Memos should now be running at [http://localhost:3001](http://localhost:3001) and changing either frontend or backend code would trigger live reload.
+
+## Building
+
+Frontend must be built before backend. The built frontend must be placed in the backend ./server/frontend/dist directory. Otherwise, you will get a "No frontend embeded" error.
+
+### Frontend
+
+```powershell
+Move-Item "./server/frontend/dist" "./server/frontend/dist.bak"
+cd web; pnpm i --frozen-lockfile; pnpm build; cd ..;
+Move-Item "./web/dist" "./server/" -Force
+```
+
+### Backend
+
+```powershell
+go build -o ./build/memos.exe ./bin/memos/main.go
+```
+
+## ❕ Notes
+
+- Start development servers easier by running the provided `start.ps1` script.
+  This will start both backend and frontend in detached PowerShell windows:
+
+  ```powershell
+  .\scripts\start.ps1
+  ```
+
+- Produce a local build easier using the provided `build.ps1` script to build both frontend and backend:
+
+  ```powershell
+  .\scripts\build.ps1
+  ```
+
+  This will produce a memos.exe file in the ./build directory.
--- a/docs/development.md
+++ b/docs/development.md
@@ -6,35 +6,37 @@ Memos is built with a curated tech stack. It is optimized for developer experien
 2. It requires zero config.
 3. 1 command to start backend and 1 command to start frontend, both with live reload support.

-## Tech Stack
-
-![tech-stack](https://raw.githubusercontent.com/usememos/memos/main/resources/tech-stack.png)
-
 ## Prerequisites

 - [Go](https://golang.org/doc/install)
 - [Air](https://github.com/cosmtrek/air#installation) for backend live reload
 - [Node.js](https://nodejs.org/)
- [yarn](https://yarnpkg.com/getting-started/install)
+- [pnpm](https://pnpm.io/installation)

 ## Steps

-1. pull source code
+1. Pull the source code

   ```bash
   git clone https://github.com/usememos/memos
   ```

-2. start backend using air(with live reload)
+2. Start backend server with [`air`](https://github.com/cosmtrek/air) (with live reload)

   ```bash
   air -c scripts/.air.toml
   ```

-3. start frontend dev server
+3. Install frontend dependencies and generate TypeScript code from protobuf
+
+   ```
+   cd web && pnpm i && pnpm type-gen
+   ```
+
+4. Start the dev server of frontend

   ```bash
-   cd web && yarn && yarn dev
+   cd web && pnpm dev
   ```

 Memos should now be running at [http://localhost:3001](http://localhost:3001) and change either frontend or backend code would trigger live reload.
--- a/go.mod
+++ b/go.mod
@@ -1,82 +1,120 @@
 module github.com/usememos/memos

-go 1.19
+go 1.21

 require (
-	github.com/aws/aws-sdk-go-v2 v1.17.4
-	github.com/aws/aws-sdk-go-v2/config v1.18.12
-	github.com/aws/aws-sdk-go-v2/credentials v1.13.12
-	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.11.51
-	github.com/aws/aws-sdk-go-v2/service/s3 v1.30.3
-	github.com/google/uuid v1.3.0
-	github.com/gorilla/feeds v1.1.1
-	github.com/gorilla/sessions v1.2.1
-	github.com/labstack/echo-contrib v0.13.0
-	github.com/labstack/echo/v4 v4.9.0
-	github.com/mattn/go-sqlite3 v1.14.9
+	github.com/aws/aws-sdk-go-v2 v1.24.1
+	github.com/aws/aws-sdk-go-v2/config v1.26.3
+	github.com/aws/aws-sdk-go-v2/credentials v1.16.14
+	github.com/aws/aws-sdk-go-v2/feature/s3/manager v1.15.11
+	github.com/aws/aws-sdk-go-v2/service/s3 v1.48.0
+	github.com/disintegration/imaging v1.6.2
+	github.com/go-sql-driver/mysql v1.7.1
+	github.com/google/cel-go v0.18.2
+	github.com/google/uuid v1.5.0
+	github.com/gorilla/feeds v1.1.2
+	github.com/grpc-ecosystem/grpc-gateway/v2 v2.19.0
+	github.com/improbable-eng/grpc-web v0.15.0
+	github.com/joho/godotenv v1.5.1
+	github.com/labstack/echo/v4 v4.11.4
+	github.com/lib/pq v1.10.9
+	github.com/microcosm-cc/bluemonday v1.0.26
 	github.com/pkg/errors v0.9.1
-	github.com/segmentio/analytics-go v3.1.0+incompatible
-	github.com/spf13/cobra v1.6.1
-	github.com/spf13/viper v1.15.0
-	github.com/stretchr/testify v1.8.1
-	go.uber.org/zap v1.24.0
-	golang.org/x/crypto v0.1.0
-	golang.org/x/exp v0.0.0-20230111222715-75897c7a292a
-	golang.org/x/mod v0.6.0
-	golang.org/x/net v0.6.0
-	golang.org/x/oauth2 v0.5.0
+	github.com/spf13/cobra v1.8.0
+	github.com/spf13/viper v1.18.2
+	github.com/stretchr/testify v1.8.4
+	github.com/swaggo/swag v1.16.2
+	go.uber.org/zap v1.26.0
+	golang.org/x/crypto v0.18.0
+	golang.org/x/exp v0.0.0-20240112132812-db7319d0e0e3
+	golang.org/x/mod v0.14.0
+	golang.org/x/net v0.20.0
+	golang.org/x/oauth2 v0.16.0
+	google.golang.org/genproto/googleapis/api v0.0.0-20240108191215-35c7eff3a6b1
+	google.golang.org/grpc v1.60.1
+	modernc.org/sqlite v1.28.0
 )

 require (
-	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.4.10 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.12.22 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.28 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.22 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.3.29 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/v4a v1.0.20 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.9.11 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.1.23 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.22 // indirect
-	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.13.22 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.12.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.14.1 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.18.3 // indirect
-	github.com/aws/smithy-go v1.13.5 // indirect
-	github.com/bmizerany/assert v0.0.0-20160611221934-b7ed37b82869 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
-	github.com/fsnotify/fsnotify v1.6.0 // indirect
+	github.com/KyleBanks/depth v1.2.1 // indirect
+	github.com/antlr4-go/antlr/v4 v4.13.0 // indirect
+	github.com/aymerick/douceur v0.2.0 // indirect
+	github.com/cenkalti/backoff/v4 v4.2.1 // indirect
+	github.com/desertbit/timer v0.0.0-20180107155436-c41aec40b27f // indirect
+	github.com/dustin/go-humanize v1.0.1 // indirect
+	github.com/go-openapi/jsonpointer v0.20.2 // indirect
+	github.com/go-openapi/jsonreference v0.20.4 // indirect
+	github.com/go-openapi/spec v0.20.14 // indirect
+	github.com/go-openapi/swag v0.22.7 // indirect
+	github.com/gorilla/css v1.0.1 // indirect
+	github.com/josharian/intern v1.0.0 // indirect
+	github.com/kballard/go-shellquote v0.0.0-20180428030007-95032a82bc51 // indirect
+	github.com/mailru/easyjson v0.7.7 // indirect
+	github.com/remyoudompheng/bigfft v0.0.0-20230129092748-24d4a6f8daec // indirect
+	github.com/rs/cors v1.10.1 // indirect
+	github.com/sagikazarmark/locafero v0.4.0 // indirect
+	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
+	github.com/sourcegraph/conc v0.3.0 // indirect
+	github.com/stoewer/go-strcase v1.3.0 // indirect
+	golang.org/x/image v0.15.0 // indirect
+	golang.org/x/tools v0.17.0 // indirect
+	google.golang.org/genproto v0.0.0-20240108191215-35c7eff3a6b1 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20240108191215-35c7eff3a6b1 // indirect
+	lukechampine.com/uint128 v1.3.0 // indirect
+	modernc.org/cc/v3 v3.41.0 // indirect
+	modernc.org/ccgo/v3 v3.16.15 // indirect
+	modernc.org/libc v1.40.1 // indirect
+	modernc.org/mathutil v1.6.0 // indirect
+	modernc.org/memory v1.7.2 // indirect
+	modernc.org/opt v0.1.3 // indirect
+	modernc.org/strutil v1.2.0 // indirect
+	modernc.org/token v1.1.0 // indirect
+	nhooyr.io/websocket v1.8.10 // indirect
+)
+
+require (
+	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.5.4 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.14.11 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/configsources v1.2.10 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.5.10 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.7.2 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/v4a v1.2.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.10.4 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.2.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.10.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.16.10 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.18.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.21.6 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.26.7 // indirect
+	github.com/aws/smithy-go v1.19.0 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
+	github.com/fsnotify/fsnotify v1.7.0 // indirect
 	github.com/golang-jwt/jwt v3.2.2+incompatible // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
-	github.com/gorilla/context v1.1.1 // indirect
-	github.com/gorilla/securecookie v1.1.1 // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.0
+	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/hashicorp/hcl v1.0.0 // indirect
-	github.com/inconshreveable/mousetrap v1.0.1 // indirect
+	github.com/inconshreveable/mousetrap v1.1.0 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
-	github.com/kr/pretty v0.3.1 // indirect
-	github.com/labstack/gommon v0.3.1 // indirect
+	github.com/labstack/gommon v0.4.2 // indirect
 	github.com/magiconair/properties v1.8.7 // indirect
-	github.com/mattn/go-colorable v0.1.12 // indirect
-	github.com/mattn/go-isatty v0.0.14 // indirect
+	github.com/mattn/go-colorable v0.1.13 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mitchellh/mapstructure v1.5.0 // indirect
-	github.com/pelletier/go-toml/v2 v2.0.6 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
-	github.com/segmentio/backo-go v1.0.1 // indirect
-	github.com/spf13/afero v1.9.3 // indirect
-	github.com/spf13/cast v1.5.0 // indirect
-	github.com/spf13/jwalterweatherman v1.1.0 // indirect
+	github.com/pelletier/go-toml/v2 v2.1.1 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
+	github.com/posthog/posthog-go v0.0.0-20240110105835-f2ee529330e9
+	github.com/spf13/afero v1.11.0 // indirect
+	github.com/spf13/cast v1.6.0 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
-	github.com/subosito/gotenv v1.4.2 // indirect
+	github.com/subosito/gotenv v1.6.0 // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
-	github.com/valyala/fasttemplate v1.2.1 // indirect
-	github.com/xtgo/uuid v0.0.0-20140804021211-a0b114877d4c // indirect
-	go.uber.org/atomic v1.9.0 // indirect
-	go.uber.org/multierr v1.8.0 // indirect
-	golang.org/x/sys v0.5.0 // indirect
-	golang.org/x/text v0.7.0 // indirect
-	golang.org/x/time v0.1.0 // indirect
-	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/protobuf v1.28.1 // indirect
-	gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c // indirect
+	github.com/valyala/fasttemplate v1.2.2 // indirect
+	go.uber.org/multierr v1.11.0 // indirect
+	golang.org/x/sys v0.16.0 // indirect
+	golang.org/x/text v0.14.0 // indirect
+	golang.org/x/time v0.5.0 // indirect
+	google.golang.org/appengine v1.6.8 // indirect
+	google.golang.org/protobuf v1.32.0
 	gopkg.in/ini.v1 v1.67.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/go.sum
+++ b/go.sum
--- a/internal/cron/cron.go
+++ b/internal/cron/cron.go
@@ -0,0 +1,179 @@
+// Package cron implements a crontab-like service to execute and schedule repeative tasks/jobs.
+package cron
+
+// Example:
+//
+//	c := cron.New()
+//	c.MustAdd("dailyReport", "0 0 * * *", func() { ... })
+//	c.Start()
+
+import (
+	"sync"
+	"time"
+
+	"github.com/pkg/errors"
+)
+
+type job struct {
+	schedule *Schedule
+	run      func()
+}
+
+// Cron is a crontab-like struct for tasks/jobs scheduling.
+type Cron struct {
+	sync.RWMutex
+
+	interval time.Duration
+	timezone *time.Location
+	ticker   *time.Ticker
+	jobs     map[string]*job
+}
+
+// New create a new Cron struct with default tick interval of 1 minute
+// and timezone in UTC.
+//
+// You can change the default tick interval with Cron.SetInterval().
+// You can change the default timezone with Cron.SetTimezone().
+func New() *Cron {
+	return &Cron{
+		interval: 1 * time.Minute,
+		timezone: time.UTC,
+		jobs:     map[string]*job{},
+	}
+}
+
+// SetInterval changes the current cron tick interval
+// (it usually should be >= 1 minute).
+func (c *Cron) SetInterval(d time.Duration) {
+	// update interval
+	c.Lock()
+	wasStarted := c.ticker != nil
+	c.interval = d
+	c.Unlock()
+
+	// restart the ticker
+	if wasStarted {
+		c.Start()
+	}
+}
+
+// SetTimezone changes the current cron tick timezone.
+func (c *Cron) SetTimezone(l *time.Location) {
+	c.Lock()
+	defer c.Unlock()
+
+	c.timezone = l
+}
+
+// MustAdd is similar to Add() but panic on failure.
+func (c *Cron) MustAdd(jobID string, cronExpr string, run func()) {
+	if err := c.Add(jobID, cronExpr, run); err != nil {
+		panic(err)
+	}
+}
+
+// Add registers a single cron job.
+//
+// If there is already a job with the provided id, then the old job
+// will be replaced with the new one.
+//
+// cronExpr is a regular cron expression, eg. "0 */3 * * *" (aka. at minute 0 past every 3rd hour).
+// Check cron.NewSchedule() for the supported tokens.
+func (c *Cron) Add(jobID string, cronExpr string, run func()) error {
+	if run == nil {
+		return errors.New("failed to add new cron job: run must be non-nil function")
+	}
+
+	c.Lock()
+	defer c.Unlock()
+
+	schedule, err := NewSchedule(cronExpr)
+	if err != nil {
+		return errors.Wrap(err, "failed to add new cron job")
+	}
+
+	c.jobs[jobID] = &job{
+		schedule: schedule,
+		run:      run,
+	}
+
+	return nil
+}
+
+// Remove removes a single cron job by its id.
+func (c *Cron) Remove(jobID string) {
+	c.Lock()
+	defer c.Unlock()
+
+	delete(c.jobs, jobID)
+}
+
+// RemoveAll removes all registered cron jobs.
+func (c *Cron) RemoveAll() {
+	c.Lock()
+	defer c.Unlock()
+
+	c.jobs = map[string]*job{}
+}
+
+// Total returns the current total number of registered cron jobs.
+func (c *Cron) Total() int {
+	c.RLock()
+	defer c.RUnlock()
+
+	return len(c.jobs)
+}
+
+// Stop stops the current cron ticker (if not already).
+//
+// You can resume the ticker by calling Start().
+func (c *Cron) Stop() {
+	c.Lock()
+	defer c.Unlock()
+
+	if c.ticker == nil {
+		return // already stopped
+	}
+
+	c.ticker.Stop()
+	c.ticker = nil
+}
+
+// Start starts the cron ticker.
+//
+// Calling Start() on already started cron will restart the ticker.
+func (c *Cron) Start() {
+	c.Stop()
+
+	c.Lock()
+	c.ticker = time.NewTicker(c.interval)
+	c.Unlock()
+
+	go func() {
+		for t := range c.ticker.C {
+			c.runDue(t)
+		}
+	}()
+}
+
+// HasStarted checks whether the current Cron ticker has been started.
+func (c *Cron) HasStarted() bool {
+	c.RLock()
+	defer c.RUnlock()
+
+	return c.ticker != nil
+}
+
+// runDue runs all registered jobs that are scheduled for the provided time.
+func (c *Cron) runDue(t time.Time) {
+	c.RLock()
+	defer c.RUnlock()
+
+	moment := NewMoment(t.In(c.timezone))
+
+	for _, j := range c.jobs {
+		if j.schedule.IsDue(moment) {
+			go j.run()
+		}
+	}
+}
--- a/internal/cron/cron_test.go
+++ b/internal/cron/cron_test.go
@@ -0,0 +1,249 @@
+package cron
+
+import (
+	"encoding/json"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestCronNew(t *testing.T) {
+	c := New()
+
+	expectedInterval := 1 * time.Minute
+	if c.interval != expectedInterval {
+		t.Fatalf("Expected default interval %v, got %v", expectedInterval, c.interval)
+	}
+
+	expectedTimezone := time.UTC
+	if c.timezone.String() != expectedTimezone.String() {
+		t.Fatalf("Expected default timezone %v, got %v", expectedTimezone, c.timezone)
+	}
+
+	if len(c.jobs) != 0 {
+		t.Fatalf("Expected no jobs by default, got \n%v", c.jobs)
+	}
+
+	if c.ticker != nil {
+		t.Fatal("Expected the ticker NOT to be initialized")
+	}
+}
+
+func TestCronSetInterval(t *testing.T) {
+	c := New()
+
+	interval := 2 * time.Minute
+
+	c.SetInterval(interval)
+
+	if c.interval != interval {
+		t.Fatalf("Expected interval %v, got %v", interval, c.interval)
+	}
+}
+
+func TestCronSetTimezone(t *testing.T) {
+	c := New()
+
+	timezone, _ := time.LoadLocation("Asia/Tokyo")
+
+	c.SetTimezone(timezone)
+
+	if c.timezone.String() != timezone.String() {
+		t.Fatalf("Expected timezone %v, got %v", timezone, c.timezone)
+	}
+}
+
+func TestCronAddAndRemove(t *testing.T) {
+	c := New()
+
+	if err := c.Add("test0", "* * * * *", nil); err == nil {
+		t.Fatal("Expected nil function error")
+	}
+
+	if err := c.Add("test1", "invalid", func() {}); err == nil {
+		t.Fatal("Expected invalid cron expression error")
+	}
+
+	if err := c.Add("test2", "* * * * *", func() {}); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := c.Add("test3", "* * * * *", func() {}); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := c.Add("test4", "* * * * *", func() {}); err != nil {
+		t.Fatal(err)
+	}
+
+	// overwrite test2
+	if err := c.Add("test2", "1 2 3 4 5", func() {}); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := c.Add("test5", "1 2 3 4 5", func() {}); err != nil {
+		t.Fatal(err)
+	}
+
+	// mock job deletion
+	c.Remove("test4")
+
+	// try to remove non-existing (should be no-op)
+	c.Remove("missing")
+
+	// check job keys
+	{
+		expectedKeys := []string{"test3", "test2", "test5"}
+
+		if v := len(c.jobs); v != len(expectedKeys) {
+			t.Fatalf("Expected %d jobs, got %d", len(expectedKeys), v)
+		}
+
+		for _, k := range expectedKeys {
+			if c.jobs[k] == nil {
+				t.Fatalf("Expected job with key %s, got nil", k)
+			}
+		}
+	}
+
+	// check the jobs schedule
+	{
+		expectedSchedules := map[string]string{
+			"test2": `{"minutes":{"1":{}},"hours":{"2":{}},"days":{"3":{}},"months":{"4":{}},"daysOfWeek":{"5":{}}}`,
+			"test3": `{"minutes":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"32":{},"33":{},"34":{},"35":{},"36":{},"37":{},"38":{},"39":{},"4":{},"40":{},"41":{},"42":{},"43":{},"44":{},"45":{},"46":{},"47":{},"48":{},"49":{},"5":{},"50":{},"51":{},"52":{},"53":{},"54":{},"55":{},"56":{},"57":{},"58":{},"59":{},"6":{},"7":{},"8":{},"9":{}},"hours":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"days":{"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"months":{"1":{},"10":{},"11":{},"12":{},"2":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"daysOfWeek":{"0":{},"1":{},"2":{},"3":{},"4":{},"5":{},"6":{}}}`,
+			"test5": `{"minutes":{"1":{}},"hours":{"2":{}},"days":{"3":{}},"months":{"4":{}},"daysOfWeek":{"5":{}}}`,
+		}
+		for k, v := range expectedSchedules {
+			raw, err := json.Marshal(c.jobs[k].schedule)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			if string(raw) != v {
+				t.Fatalf("Expected %q schedule \n%s, \ngot \n%s", k, v, raw)
+			}
+		}
+	}
+}
+
+func TestCronMustAdd(t *testing.T) {
+	c := New()
+
+	defer func() {
+		if r := recover(); r == nil {
+			t.Errorf("test1 didn't panic")
+		}
+	}()
+
+	c.MustAdd("test1", "* * * * *", nil)
+
+	c.MustAdd("test2", "* * * * *", func() {})
+
+	if _, ok := c.jobs["test2"]; !ok {
+		t.Fatal("Couldn't find job test2")
+	}
+}
+
+func TestCronRemoveAll(t *testing.T) {
+	c := New()
+
+	if err := c.Add("test1", "* * * * *", func() {}); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := c.Add("test2", "* * * * *", func() {}); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := c.Add("test3", "* * * * *", func() {}); err != nil {
+		t.Fatal(err)
+	}
+
+	if v := len(c.jobs); v != 3 {
+		t.Fatalf("Expected %d jobs, got %d", 3, v)
+	}
+
+	c.RemoveAll()
+
+	if v := len(c.jobs); v != 0 {
+		t.Fatalf("Expected %d jobs, got %d", 0, v)
+	}
+}
+
+func TestCronTotal(t *testing.T) {
+	c := New()
+
+	if v := c.Total(); v != 0 {
+		t.Fatalf("Expected 0 jobs, got %v", v)
+	}
+
+	if err := c.Add("test1", "* * * * *", func() {}); err != nil {
+		t.Fatal(err)
+	}
+
+	if err := c.Add("test2", "* * * * *", func() {}); err != nil {
+		t.Fatal(err)
+	}
+
+	// overwrite
+	if err := c.Add("test1", "* * * * *", func() {}); err != nil {
+		t.Fatal(err)
+	}
+
+	if v := c.Total(); v != 2 {
+		t.Fatalf("Expected 2 jobs, got %v", v)
+	}
+}
+
+func TestCronStartStop(t *testing.T) {
+	c := New()
+
+	c.SetInterval(1 * time.Second)
+
+	test1 := 0
+	test2 := 0
+
+	err := c.Add("test1", "* * * * *", func() {
+		test1++
+	})
+	require.NoError(t, err)
+
+	err = c.Add("test2", "* * * * *", func() {
+		test2++
+	})
+	require.NoError(t, err)
+
+	expectedCalls := 3
+
+	// call twice Start to check if the previous ticker will be reseted
+	c.Start()
+	c.Start()
+
+	time.Sleep(3250 * time.Millisecond)
+
+	// call twice Stop to ensure that the second stop is no-op
+	c.Stop()
+	c.Stop()
+
+	if test1 != expectedCalls {
+		t.Fatalf("Expected %d test1, got %d", expectedCalls, test1)
+	}
+	if test2 != expectedCalls {
+		t.Fatalf("Expected %d test2, got %d", expectedCalls, test2)
+	}
+
+	// resume for ~5 seconds
+	c.Start()
+	time.Sleep(5250 * time.Millisecond)
+	c.Stop()
+
+	expectedCalls += 5
+
+	if test1 != expectedCalls {
+		t.Fatalf("Expected %d test1, got %d", expectedCalls, test1)
+	}
+	if test2 != expectedCalls {
+		t.Fatalf("Expected %d test2, got %d", expectedCalls, test2)
+	}
+}
--- a/internal/cron/schedule.go
+++ b/internal/cron/schedule.go
@@ -0,0 +1,194 @@
+package cron
+
+import (
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/pkg/errors"
+)
+
+// Moment represents a parsed single time moment.
+type Moment struct {
+	Minute    int `json:"minute"`
+	Hour      int `json:"hour"`
+	Day       int `json:"day"`
+	Month     int `json:"month"`
+	DayOfWeek int `json:"dayOfWeek"`
+}
+
+// NewMoment creates a new Moment from the specified time.
+func NewMoment(t time.Time) *Moment {
+	return &Moment{
+		Minute:    t.Minute(),
+		Hour:      t.Hour(),
+		Day:       t.Day(),
+		Month:     int(t.Month()),
+		DayOfWeek: int(t.Weekday()),
+	}
+}
+
+// Schedule stores parsed information for each time component when a cron job should run.
+type Schedule struct {
+	Minutes    map[int]struct{} `json:"minutes"`
+	Hours      map[int]struct{} `json:"hours"`
+	Days       map[int]struct{} `json:"days"`
+	Months     map[int]struct{} `json:"months"`
+	DaysOfWeek map[int]struct{} `json:"daysOfWeek"`
+}
+
+// IsDue checks whether the provided Moment satisfies the current Schedule.
+func (s *Schedule) IsDue(m *Moment) bool {
+	if _, ok := s.Minutes[m.Minute]; !ok {
+		return false
+	}
+
+	if _, ok := s.Hours[m.Hour]; !ok {
+		return false
+	}
+
+	if _, ok := s.Days[m.Day]; !ok {
+		return false
+	}
+
+	if _, ok := s.DaysOfWeek[m.DayOfWeek]; !ok {
+		return false
+	}
+
+	if _, ok := s.Months[m.Month]; !ok {
+		return false
+	}
+
+	return true
+}
+
+// NewSchedule creates a new Schedule from a cron expression.
+//
+// A cron expression is consisted of 5 segments separated by space,
+// representing: minute, hour, day of the month, month and day of the week.
+//
+// Each segment could be in the following formats:
+//   - wildcard: *
+//   - range:    1-30
+//   - step:     */n or 1-30/n
+//   - list:     1,2,3,10-20/n
+func NewSchedule(cronExpr string) (*Schedule, error) {
+	segments := strings.Split(cronExpr, " ")
+	if len(segments) != 5 {
+		return nil, errors.New("invalid cron expression - must have exactly 5 space separated segments")
+	}
+
+	minutes, err := parseCronSegment(segments[0], 0, 59)
+	if err != nil {
+		return nil, err
+	}
+
+	hours, err := parseCronSegment(segments[1], 0, 23)
+	if err != nil {
+		return nil, err
+	}
+
+	days, err := parseCronSegment(segments[2], 1, 31)
+	if err != nil {
+		return nil, err
+	}
+
+	months, err := parseCronSegment(segments[3], 1, 12)
+	if err != nil {
+		return nil, err
+	}
+
+	daysOfWeek, err := parseCronSegment(segments[4], 0, 6)
+	if err != nil {
+		return nil, err
+	}
+
+	return &Schedule{
+		Minutes:    minutes,
+		Hours:      hours,
+		Days:       days,
+		Months:     months,
+		DaysOfWeek: daysOfWeek,
+	}, nil
+}
+
+// parseCronSegment parses a single cron expression segment and
+// returns its time schedule slots.
+func parseCronSegment(segment string, min int, max int) (map[int]struct{}, error) {
+	slots := map[int]struct{}{}
+
+	list := strings.Split(segment, ",")
+	for _, p := range list {
+		stepParts := strings.Split(p, "/")
+
+		// step (*/n, 1-30/n)
+		var step int
+		switch len(stepParts) {
+		case 1:
+			step = 1
+		case 2:
+			parsedStep, err := strconv.Atoi(stepParts[1])
+			if err != nil {
+				return nil, err
+			}
+			if parsedStep < 1 || parsedStep > max {
+				return nil, errors.Errorf("invalid segment step boundary - the step must be between 1 and the %d", max)
+			}
+			step = parsedStep
+		default:
+			return nil, errors.New("invalid segment step format - must be in the format */n or 1-30/n")
+		}
+
+		// find the min and max range of the segment part
+		var rangeMin, rangeMax int
+		if stepParts[0] == "*" {
+			rangeMin = min
+			rangeMax = max
+		} else {
+			// single digit (1) or range (1-30)
+			rangeParts := strings.Split(stepParts[0], "-")
+			switch len(rangeParts) {
+			case 1:
+				if step != 1 {
+					return nil, errors.New("invalid segement step - step > 1 could be used only with the wildcard or range format")
+				}
+				parsed, err := strconv.Atoi(rangeParts[0])
+				if err != nil {
+					return nil, err
+				}
+				if parsed < min || parsed > max {
+					return nil, errors.New("invalid segment value - must be between the min and max of the segment")
+				}
+				rangeMin = parsed
+				rangeMax = rangeMin
+			case 2:
+				parsedMin, err := strconv.Atoi(rangeParts[0])
+				if err != nil {
+					return nil, err
+				}
+				if parsedMin < min || parsedMin > max {
+					return nil, errors.Errorf("invalid segment range minimum - must be between %d and %d", min, max)
+				}
+				rangeMin = parsedMin
+
+				parsedMax, err := strconv.Atoi(rangeParts[1])
+				if err != nil {
+					return nil, err
+				}
+				if parsedMax < parsedMin || parsedMax > max {
+					return nil, errors.Errorf("invalid segment range maximum - must be between %d and %d", rangeMin, max)
+				}
+				rangeMax = parsedMax
+			default:
+				return nil, errors.New("invalid segment range format - the range must have 1 or 2 parts")
+			}
+		}
+
+		// fill the slots
+		for i := rangeMin; i <= rangeMax; i += step {
+			slots[i] = struct{}{}
+		}
+	}
+
+	return slots, nil
+}
--- a/internal/cron/schedule_test.go
+++ b/internal/cron/schedule_test.go
@@ -0,0 +1,361 @@
+package cron_test
+
+import (
+	"encoding/json"
+	"testing"
+	"time"
+
+	"github.com/usememos/memos/internal/cron"
+)
+
+func TestNewMoment(t *testing.T) {
+	date, err := time.Parse("2006-01-02 15:04", "2023-05-09 15:20")
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	m := cron.NewMoment(date)
+
+	if m.Minute != 20 {
+		t.Fatalf("Expected m.Minute %d, got %d", 20, m.Minute)
+	}
+
+	if m.Hour != 15 {
+		t.Fatalf("Expected m.Hour %d, got %d", 15, m.Hour)
+	}
+
+	if m.Day != 9 {
+		t.Fatalf("Expected m.Day %d, got %d", 9, m.Day)
+	}
+
+	if m.Month != 5 {
+		t.Fatalf("Expected m.Month %d, got %d", 5, m.Month)
+	}
+
+	if m.DayOfWeek != 2 {
+		t.Fatalf("Expected m.DayOfWeek %d, got %d", 2, m.DayOfWeek)
+	}
+}
+
+func TestNewSchedule(t *testing.T) {
+	scenarios := []struct {
+		cronExpr       string
+		expectError    bool
+		expectSchedule string
+	}{
+		{
+			"invalid",
+			true,
+			"",
+		},
+		{
+			"* * * *",
+			true,
+			"",
+		},
+		{
+			"* * * * * *",
+			true,
+			"",
+		},
+		{
+			"2/3 * * * *",
+			true,
+			"",
+		},
+		{
+			"* * * * *",
+			false,
+			`{"minutes":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"32":{},"33":{},"34":{},"35":{},"36":{},"37":{},"38":{},"39":{},"4":{},"40":{},"41":{},"42":{},"43":{},"44":{},"45":{},"46":{},"47":{},"48":{},"49":{},"5":{},"50":{},"51":{},"52":{},"53":{},"54":{},"55":{},"56":{},"57":{},"58":{},"59":{},"6":{},"7":{},"8":{},"9":{}},"hours":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"days":{"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"months":{"1":{},"10":{},"11":{},"12":{},"2":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"daysOfWeek":{"0":{},"1":{},"2":{},"3":{},"4":{},"5":{},"6":{}}}`,
+		},
+		{
+			"*/2 */3 */5 */4 */2",
+			false,
+			`{"minutes":{"0":{},"10":{},"12":{},"14":{},"16":{},"18":{},"2":{},"20":{},"22":{},"24":{},"26":{},"28":{},"30":{},"32":{},"34":{},"36":{},"38":{},"4":{},"40":{},"42":{},"44":{},"46":{},"48":{},"50":{},"52":{},"54":{},"56":{},"58":{},"6":{},"8":{}},"hours":{"0":{},"12":{},"15":{},"18":{},"21":{},"3":{},"6":{},"9":{}},"days":{"1":{},"11":{},"16":{},"21":{},"26":{},"31":{},"6":{}},"months":{"1":{},"5":{},"9":{}},"daysOfWeek":{"0":{},"2":{},"4":{},"6":{}}}`,
+		},
+
+		// minute segment
+		{
+			"-1 * * * *",
+			true,
+			"",
+		},
+		{
+			"60 * * * *",
+			true,
+			"",
+		},
+		{
+			"0 * * * *",
+			false,
+			`{"minutes":{"0":{}},"hours":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"days":{"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"months":{"1":{},"10":{},"11":{},"12":{},"2":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"daysOfWeek":{"0":{},"1":{},"2":{},"3":{},"4":{},"5":{},"6":{}}}`,
+		},
+		{
+			"59 * * * *",
+			false,
+			`{"minutes":{"59":{}},"hours":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"days":{"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"months":{"1":{},"10":{},"11":{},"12":{},"2":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"daysOfWeek":{"0":{},"1":{},"2":{},"3":{},"4":{},"5":{},"6":{}}}`,
+		},
+		{
+			"1,2,5,7,40-50/2 * * * *",
+			false,
+			`{"minutes":{"1":{},"2":{},"40":{},"42":{},"44":{},"46":{},"48":{},"5":{},"50":{},"7":{}},"hours":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"days":{"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"months":{"1":{},"10":{},"11":{},"12":{},"2":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"daysOfWeek":{"0":{},"1":{},"2":{},"3":{},"4":{},"5":{},"6":{}}}`,
+		},
+
+		// hour segment
+		{
+			"* -1 * * *",
+			true,
+			"",
+		},
+		{
+			"* 24 * * *",
+			true,
+			"",
+		},
+		{
+			"* 0 * * *",
+			false,
+			`{"minutes":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"32":{},"33":{},"34":{},"35":{},"36":{},"37":{},"38":{},"39":{},"4":{},"40":{},"41":{},"42":{},"43":{},"44":{},"45":{},"46":{},"47":{},"48":{},"49":{},"5":{},"50":{},"51":{},"52":{},"53":{},"54":{},"55":{},"56":{},"57":{},"58":{},"59":{},"6":{},"7":{},"8":{},"9":{}},"hours":{"0":{}},"days":{"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"months":{"1":{},"10":{},"11":{},"12":{},"2":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"daysOfWeek":{"0":{},"1":{},"2":{},"3":{},"4":{},"5":{},"6":{}}}`,
+		},
+		{
+			"* 23 * * *",
+			false,
+			`{"minutes":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"32":{},"33":{},"34":{},"35":{},"36":{},"37":{},"38":{},"39":{},"4":{},"40":{},"41":{},"42":{},"43":{},"44":{},"45":{},"46":{},"47":{},"48":{},"49":{},"5":{},"50":{},"51":{},"52":{},"53":{},"54":{},"55":{},"56":{},"57":{},"58":{},"59":{},"6":{},"7":{},"8":{},"9":{}},"hours":{"23":{}},"days":{"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"months":{"1":{},"10":{},"11":{},"12":{},"2":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"daysOfWeek":{"0":{},"1":{},"2":{},"3":{},"4":{},"5":{},"6":{}}}`,
+		},
+		{
+			"* 3,4,8-16/3,7 * * *",
+			false,
+			`{"minutes":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"32":{},"33":{},"34":{},"35":{},"36":{},"37":{},"38":{},"39":{},"4":{},"40":{},"41":{},"42":{},"43":{},"44":{},"45":{},"46":{},"47":{},"48":{},"49":{},"5":{},"50":{},"51":{},"52":{},"53":{},"54":{},"55":{},"56":{},"57":{},"58":{},"59":{},"6":{},"7":{},"8":{},"9":{}},"hours":{"11":{},"14":{},"3":{},"4":{},"7":{},"8":{}},"days":{"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"months":{"1":{},"10":{},"11":{},"12":{},"2":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"daysOfWeek":{"0":{},"1":{},"2":{},"3":{},"4":{},"5":{},"6":{}}}`,
+		},
+
+		// day segment
+		{
+			"* * 0 * *",
+			true,
+			"",
+		},
+		{
+			"* * 32 * *",
+			true,
+			"",
+		},
+		{
+			"* * 1 * *",
+			false,
+			`{"minutes":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"32":{},"33":{},"34":{},"35":{},"36":{},"37":{},"38":{},"39":{},"4":{},"40":{},"41":{},"42":{},"43":{},"44":{},"45":{},"46":{},"47":{},"48":{},"49":{},"5":{},"50":{},"51":{},"52":{},"53":{},"54":{},"55":{},"56":{},"57":{},"58":{},"59":{},"6":{},"7":{},"8":{},"9":{}},"hours":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"days":{"1":{}},"months":{"1":{},"10":{},"11":{},"12":{},"2":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"daysOfWeek":{"0":{},"1":{},"2":{},"3":{},"4":{},"5":{},"6":{}}}`,
+		},
+		{
+			"* * 31 * *",
+			false,
+			`{"minutes":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"32":{},"33":{},"34":{},"35":{},"36":{},"37":{},"38":{},"39":{},"4":{},"40":{},"41":{},"42":{},"43":{},"44":{},"45":{},"46":{},"47":{},"48":{},"49":{},"5":{},"50":{},"51":{},"52":{},"53":{},"54":{},"55":{},"56":{},"57":{},"58":{},"59":{},"6":{},"7":{},"8":{},"9":{}},"hours":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"days":{"31":{}},"months":{"1":{},"10":{},"11":{},"12":{},"2":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"daysOfWeek":{"0":{},"1":{},"2":{},"3":{},"4":{},"5":{},"6":{}}}`,
+		},
+		{
+			"* * 5,6,20-30/3,1 * *",
+			false,
+			`{"minutes":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"32":{},"33":{},"34":{},"35":{},"36":{},"37":{},"38":{},"39":{},"4":{},"40":{},"41":{},"42":{},"43":{},"44":{},"45":{},"46":{},"47":{},"48":{},"49":{},"5":{},"50":{},"51":{},"52":{},"53":{},"54":{},"55":{},"56":{},"57":{},"58":{},"59":{},"6":{},"7":{},"8":{},"9":{}},"hours":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"days":{"1":{},"20":{},"23":{},"26":{},"29":{},"5":{},"6":{}},"months":{"1":{},"10":{},"11":{},"12":{},"2":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"daysOfWeek":{"0":{},"1":{},"2":{},"3":{},"4":{},"5":{},"6":{}}}`,
+		},
+
+		// month segment
+		{
+			"* * * 0 *",
+			true,
+			"",
+		},
+		{
+			"* * * 13 *",
+			true,
+			"",
+		},
+		{
+			"* * * 1 *",
+			false,
+			`{"minutes":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"32":{},"33":{},"34":{},"35":{},"36":{},"37":{},"38":{},"39":{},"4":{},"40":{},"41":{},"42":{},"43":{},"44":{},"45":{},"46":{},"47":{},"48":{},"49":{},"5":{},"50":{},"51":{},"52":{},"53":{},"54":{},"55":{},"56":{},"57":{},"58":{},"59":{},"6":{},"7":{},"8":{},"9":{}},"hours":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"days":{"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"months":{"1":{}},"daysOfWeek":{"0":{},"1":{},"2":{},"3":{},"4":{},"5":{},"6":{}}}`,
+		},
+		{
+			"* * * 12 *",
+			false,
+			`{"minutes":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"32":{},"33":{},"34":{},"35":{},"36":{},"37":{},"38":{},"39":{},"4":{},"40":{},"41":{},"42":{},"43":{},"44":{},"45":{},"46":{},"47":{},"48":{},"49":{},"5":{},"50":{},"51":{},"52":{},"53":{},"54":{},"55":{},"56":{},"57":{},"58":{},"59":{},"6":{},"7":{},"8":{},"9":{}},"hours":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"days":{"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"months":{"12":{}},"daysOfWeek":{"0":{},"1":{},"2":{},"3":{},"4":{},"5":{},"6":{}}}`,
+		},
+		{
+			"* * * 1,4,5-10/2 *",
+			false,
+			`{"minutes":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"32":{},"33":{},"34":{},"35":{},"36":{},"37":{},"38":{},"39":{},"4":{},"40":{},"41":{},"42":{},"43":{},"44":{},"45":{},"46":{},"47":{},"48":{},"49":{},"5":{},"50":{},"51":{},"52":{},"53":{},"54":{},"55":{},"56":{},"57":{},"58":{},"59":{},"6":{},"7":{},"8":{},"9":{}},"hours":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"days":{"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"months":{"1":{},"4":{},"5":{},"7":{},"9":{}},"daysOfWeek":{"0":{},"1":{},"2":{},"3":{},"4":{},"5":{},"6":{}}}`,
+		},
+
+		// day of week segment
+		{
+			"* * * * -1",
+			true,
+			"",
+		},
+		{
+			"* * * * 7",
+			true,
+			"",
+		},
+		{
+			"* * * * 0",
+			false,
+			`{"minutes":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"32":{},"33":{},"34":{},"35":{},"36":{},"37":{},"38":{},"39":{},"4":{},"40":{},"41":{},"42":{},"43":{},"44":{},"45":{},"46":{},"47":{},"48":{},"49":{},"5":{},"50":{},"51":{},"52":{},"53":{},"54":{},"55":{},"56":{},"57":{},"58":{},"59":{},"6":{},"7":{},"8":{},"9":{}},"hours":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"days":{"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"months":{"1":{},"10":{},"11":{},"12":{},"2":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"daysOfWeek":{"0":{}}}`,
+		},
+		{
+			"* * * * 6",
+			false,
+			`{"minutes":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"32":{},"33":{},"34":{},"35":{},"36":{},"37":{},"38":{},"39":{},"4":{},"40":{},"41":{},"42":{},"43":{},"44":{},"45":{},"46":{},"47":{},"48":{},"49":{},"5":{},"50":{},"51":{},"52":{},"53":{},"54":{},"55":{},"56":{},"57":{},"58":{},"59":{},"6":{},"7":{},"8":{},"9":{}},"hours":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"days":{"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"months":{"1":{},"10":{},"11":{},"12":{},"2":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"daysOfWeek":{"6":{}}}`,
+		},
+		{
+			"* * * * 1,2-5/2",
+			false,
+			`{"minutes":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"32":{},"33":{},"34":{},"35":{},"36":{},"37":{},"38":{},"39":{},"4":{},"40":{},"41":{},"42":{},"43":{},"44":{},"45":{},"46":{},"47":{},"48":{},"49":{},"5":{},"50":{},"51":{},"52":{},"53":{},"54":{},"55":{},"56":{},"57":{},"58":{},"59":{},"6":{},"7":{},"8":{},"9":{}},"hours":{"0":{},"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"days":{"1":{},"10":{},"11":{},"12":{},"13":{},"14":{},"15":{},"16":{},"17":{},"18":{},"19":{},"2":{},"20":{},"21":{},"22":{},"23":{},"24":{},"25":{},"26":{},"27":{},"28":{},"29":{},"3":{},"30":{},"31":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"months":{"1":{},"10":{},"11":{},"12":{},"2":{},"3":{},"4":{},"5":{},"6":{},"7":{},"8":{},"9":{}},"daysOfWeek":{"1":{},"2":{},"4":{}}}`,
+		},
+	}
+
+	for _, s := range scenarios {
+		schedule, err := cron.NewSchedule(s.cronExpr)
+
+		hasErr := err != nil
+		if hasErr != s.expectError {
+			t.Fatalf("[%s] Expected hasErr to be %v, got %v (%v)", s.cronExpr, s.expectError, hasErr, err)
+		}
+
+		if hasErr {
+			continue
+		}
+
+		encoded, err := json.Marshal(schedule)
+		if err != nil {
+			t.Fatalf("[%s] Failed to marshalize the result schedule: %v", s.cronExpr, err)
+		}
+		encodedStr := string(encoded)
+
+		if encodedStr != s.expectSchedule {
+			t.Fatalf("[%s] Expected \n%s, \ngot \n%s", s.cronExpr, s.expectSchedule, encodedStr)
+		}
+	}
+}
+
+func TestScheduleIsDue(t *testing.T) {
+	scenarios := []struct {
+		cronExpr string
+		moment   *cron.Moment
+		expected bool
+	}{
+		{
+			"* * * * *",
+			&cron.Moment{},
+			false,
+		},
+		{
+			"* * * * *",
+			&cron.Moment{
+				Minute:    1,
+				Hour:      1,
+				Day:       1,
+				Month:     1,
+				DayOfWeek: 1,
+			},
+			true,
+		},
+		{
+			"5 * * * *",
+			&cron.Moment{
+				Minute:    1,
+				Hour:      1,
+				Day:       1,
+				Month:     1,
+				DayOfWeek: 1,
+			},
+			false,
+		},
+		{
+			"5 * * * *",
+			&cron.Moment{
+				Minute:    5,
+				Hour:      1,
+				Day:       1,
+				Month:     1,
+				DayOfWeek: 1,
+			},
+			true,
+		},
+		{
+			"* 2-6 * * 2,3",
+			&cron.Moment{
+				Minute:    1,
+				Hour:      2,
+				Day:       1,
+				Month:     1,
+				DayOfWeek: 1,
+			},
+			false,
+		},
+		{
+			"* 2-6 * * 2,3",
+			&cron.Moment{
+				Minute:    1,
+				Hour:      2,
+				Day:       1,
+				Month:     1,
+				DayOfWeek: 3,
+			},
+			true,
+		},
+		{
+			"* * 1,2,5,15-18 * *",
+			&cron.Moment{
+				Minute:    1,
+				Hour:      1,
+				Day:       6,
+				Month:     1,
+				DayOfWeek: 1,
+			},
+			false,
+		},
+		{
+			"* * 1,2,5,15-18/2 * *",
+			&cron.Moment{
+				Minute:    1,
+				Hour:      1,
+				Day:       2,
+				Month:     1,
+				DayOfWeek: 1,
+			},
+			true,
+		},
+		{
+			"* * 1,2,5,15-18/2 * *",
+			&cron.Moment{
+				Minute:    1,
+				Hour:      1,
+				Day:       18,
+				Month:     1,
+				DayOfWeek: 1,
+			},
+			false,
+		},
+		{
+			"* * 1,2,5,15-18/2 * *",
+			&cron.Moment{
+				Minute:    1,
+				Hour:      1,
+				Day:       17,
+				Month:     1,
+				DayOfWeek: 1,
+			},
+			true,
+		},
+	}
+
+	for i, s := range scenarios {
+		schedule, err := cron.NewSchedule(s.cronExpr)
+		if err != nil {
+			t.Fatalf("[%d-%s] Unexpected cron error: %v", i, s.cronExpr, err)
+		}
+
+		result := schedule.IsDue(s.moment)
+
+		if result != s.expected {
+			t.Fatalf("[%d-%s] Expected %v, got %v", i, s.cronExpr, s.expected, result)
+		}
+	}
+}
--- a/internal/log/logger.go
+++ b/internal/log/logger.go
@@ -1,4 +1,3 @@
-// Package log implements a simple logging package.
 package log

 import (
--- a/internal/util/util.go
+++ b/internal/util/util.go
@@ -1,14 +1,24 @@
-package common
+package util

 import (
 	"crypto/rand"
 	"math/big"
 	"net/mail"
+	"strconv"
 	"strings"

 	"github.com/google/uuid"
 )

+// ConvertStringToInt32 converts a string to int32.
+func ConvertStringToInt32(src string) (int32, error) {
+	parsed, err := strconv.ParseInt(src, 10, 32)
+	if err != nil {
+		return 0, err
+	}
+	return int32(parsed), nil
+}
+
 // HasPrefixes returns true if the string s has any of the given prefixes.
 func HasPrefixes(src string, prefixes ...string) bool {
 	for _, prefix := range prefixes {
--- a/internal/util/util_test.go
+++ b/internal/util/util_test.go
@@ -1,4 +1,4 @@
-package common
+package util

 import (
 	"testing"
--- a/main.go
+++ b/main.go
@@ -1,14 +0,0 @@
-package main
-
-import (
-	_ "github.com/mattn/go-sqlite3"
-
-	"github.com/usememos/memos/cmd"
-)
-
-func main() {
-	err := cmd.Execute()
-	if err != nil {
-		panic(err)
-	}
-}
--- a/plugin/gomark/README.md
+++ b/plugin/gomark/README.md
@@ -0,0 +1,3 @@
+# gomark
+
+A markdown parser for memos. WIP
--- a/plugin/gomark/ast/ast.go
+++ b/plugin/gomark/ast/ast.go
@@ -0,0 +1,84 @@
+package ast
+
+type NodeType uint32
+
+const (
+	UnknownNode NodeType = iota
+	// Block nodes.
+	LineBreakNode
+	ParagraphNode
+	CodeBlockNode
+	HeadingNode
+	HorizontalRuleNode
+	BlockquoteNode
+	OrderedListNode
+	UnorderedListNode
+	TaskListNode
+	MathBlockNode
+	TableNode
+	// Inline nodes.
+	TextNode
+	BoldNode
+	ItalicNode
+	BoldItalicNode
+	CodeNode
+	ImageNode
+	LinkNode
+	AutoLinkNode
+	TagNode
+	StrikethroughNode
+	EscapingCharacterNode
+	MathNode
+	HighlightNode
+)
+
+type Node interface {
+	// Type returns a node type.
+	Type() NodeType
+
+	// Restore returns a string representation of this node.
+	Restore() string
+
+	// PrevSibling returns a previous sibling node of this node.
+	PrevSibling() Node
+
+	// NextSibling returns a next sibling node of this node.
+	NextSibling() Node
+
+	// SetPrevSibling sets a previous sibling node to this node.
+	SetPrevSibling(Node)
+
+	// SetNextSibling sets a next sibling node to this node.
+	SetNextSibling(Node)
+}
+
+type BaseNode struct {
+	prevSibling Node
+
+	nextSibling Node
+}
+
+func (n *BaseNode) PrevSibling() Node {
+	return n.prevSibling
+}
+
+func (n *BaseNode) NextSibling() Node {
+	return n.nextSibling
+}
+
+func (n *BaseNode) SetPrevSibling(node Node) {
+	n.prevSibling = node
+}
+
+func (n *BaseNode) SetNextSibling(node Node) {
+	n.nextSibling = node
+}
+
+func IsBlockNode(node Node) bool {
+	switch node.Type() {
+	case ParagraphNode, CodeBlockNode, HeadingNode, HorizontalRuleNode, BlockquoteNode, OrderedListNode, UnorderedListNode, TaskListNode, MathBlockNode:
+		return true
+	default:
+		return false
+	}
+}
--- a/plugin/gomark/ast/block.go
+++ b/plugin/gomark/ast/block.go
@@ -0,0 +1,230 @@
+package ast
+
+import (
+	"fmt"
+	"strings"
+)
+
+type BaseBlock struct {
+	BaseNode
+}
+
+type LineBreak struct {
+	BaseBlock
+}
+
+func (*LineBreak) Type() NodeType {
+	return LineBreakNode
+}
+
+func (*LineBreak) Restore() string {
+	return "\n"
+}
+
+type Paragraph struct {
+	BaseBlock
+
+	Children []Node
+}
+
+func (*Paragraph) Type() NodeType {
+	return ParagraphNode
+}
+
+func (n *Paragraph) Restore() string {
+	var result string
+	for _, child := range n.Children {
+		result += child.Restore()
+	}
+	return result
+}
+
+type CodeBlock struct {
+	BaseBlock
+
+	Language string
+	Content  string
+}
+
+func (*CodeBlock) Type() NodeType {
+	return CodeBlockNode
+}
+
+func (n *CodeBlock) Restore() string {
+	return fmt.Sprintf("```%s\n%s\n```", n.Language, n.Content)
+}
+
+type Heading struct {
+	BaseBlock
+
+	Level    int
+	Children []Node
+}
+
+func (*Heading) Type() NodeType {
+	return HeadingNode
+}
+
+func (n *Heading) Restore() string {
+	var result string
+	for _, child := range n.Children {
+		result += child.Restore()
+	}
+	symbol := ""
+	for i := 0; i < n.Level; i++ {
+		symbol += "#"
+	}
+	return fmt.Sprintf("%s %s", symbol, result)
+}
+
+type HorizontalRule struct {
+	BaseBlock
+
+	// Symbol is "*" or "-" or "_".
+	Symbol string
+}
+
+func (*HorizontalRule) Type() NodeType {
+	return HorizontalRuleNode
+}
+
+func (n *HorizontalRule) Restore() string {
+	return n.Symbol + n.Symbol + n.Symbol
+}
+
+type Blockquote struct {
+	BaseBlock
+
+	Children []Node
+}
+
+func (*Blockquote) Type() NodeType {
+	return BlockquoteNode
+}
+
+func (n *Blockquote) Restore() string {
+	var result string
+	for _, child := range n.Children {
+		result += child.Restore()
+	}
+	return fmt.Sprintf("> %s", result)
+}
+
+type OrderedList struct {
+	BaseBlock
+
+	// Number is the number of the list.
+	Number string
+	// Indent is the number of spaces.
+	Indent   int
+	Children []Node
+}
+
+func (*OrderedList) Type() NodeType {
+	return OrderedListNode
+}
+
+func (n *OrderedList) Restore() string {
+	var result string
+	for _, child := range n.Children {
+		result += child.Restore()
+	}
+	return fmt.Sprintf("%s%s. %s", strings.Repeat(" ", n.Indent), n.Number, result)
+}
+
+type UnorderedList struct {
+	BaseBlock
+
+	// Symbol is "*" or "-" or "+".
+	Symbol string
+	// Indent is the number of spaces.
+	Indent   int
+	Children []Node
+}
+
+func (*UnorderedList) Type() NodeType {
+	return UnorderedListNode
+}
+
+func (n *UnorderedList) Restore() string {
+	var result string
+	for _, child := range n.Children {
+		result += child.Restore()
+	}
+	return fmt.Sprintf("%s%s %s", strings.Repeat(" ", n.Indent), n.Symbol, result)
+}
+
+type TaskList struct {
+	BaseBlock
+
+	// Symbol is "*" or "-" or "+".
+	Symbol string
+	// Indent is the number of spaces.
+	Indent   int
+	Complete bool
+	Children []Node
+}
+
+func (*TaskList) Type() NodeType {
+	return TaskListNode
+}
+
+func (n *TaskList) Restore() string {
+	var result string
+	for _, child := range n.Children {
+		result += child.Restore()
+	}
+	complete := " "
+	if n.Complete {
+		complete = "x"
+	}
+	return fmt.Sprintf("%s%s [%s] %s", strings.Repeat(" ", n.Indent), n.Symbol, complete, result)
+}
+
+type MathBlock struct {
+	BaseBlock
+
+	Content string
+}
+
+func (*MathBlock) Type() NodeType {
+	return MathBlockNode
+}
+
+func (n *MathBlock) Restore() string {
+	return fmt.Sprintf("$$\n%s\n$$", n.Content)
+}
+
+type Table struct {
+	BaseBlock
+
+	Header    []string
+	Delimiter []string
+	Rows      [][]string
+}
+
+func (*Table) Type() NodeType {
+	return TableNode
+}
+
+func (n *Table) Restore() string {
+	var result string
+	for _, header := range n.Header {
+		result += fmt.Sprintf("| %s ", header)
+	}
+	result += "|\n"
+	for _, d := range n.Delimiter {
+		result += fmt.Sprintf("| %s ", d)
+	}
+	result += "|\n"
+	for index, row := range n.Rows {
+		for _, cell := range row {
+			result += fmt.Sprintf("| %s ", cell)
+		}
+		result += "|"
+		if index != len(n.Rows)-1 {
+			result += "\n"
+		}
+	}
+	return result
+}
--- a/plugin/gomark/ast/inline.go
+++ b/plugin/gomark/ast/inline.go
@@ -0,0 +1,207 @@
+package ast
+
+import "fmt"
+
+type BaseInline struct {
+	BaseNode
+}
+
+type Text struct {
+	BaseInline
+
+	Content string
+}
+
+func (*Text) Type() NodeType {
+	return TextNode
+}
+
+func (n *Text) Restore() string {
+	return n.Content
+}
+
+type Bold struct {
+	BaseInline
+
+	// Symbol is "*" or "_".
+	Symbol   string
+	Children []Node
+}
+
+func (*Bold) Type() NodeType {
+	return BoldNode
+}
+
+func (n *Bold) Restore() string {
+	symbol := n.Symbol + n.Symbol
+	children := ""
+	for _, child := range n.Children {
+		children += child.Restore()
+	}
+	return fmt.Sprintf("%s%s%s", symbol, children, symbol)
+}
+
+type Italic struct {
+	BaseInline
+
+	// Symbol is "*" or "_".
+	Symbol  string
+	Content string
+}
+
+func (*Italic) Type() NodeType {
+	return ItalicNode
+}
+
+func (n *Italic) Restore() string {
+	return fmt.Sprintf("%s%s%s", n.Symbol, n.Content, n.Symbol)
+}
+
+type BoldItalic struct {
+	BaseInline
+
+	// Symbol is "*" or "_".
+	Symbol  string
+	Content string
+}
+
+func (*BoldItalic) Type() NodeType {
+	return BoldItalicNode
+}
+
+func (n *BoldItalic) Restore() string {
+	symbol := n.Symbol + n.Symbol + n.Symbol
+	return fmt.Sprintf("%s%s%s", symbol, n.Content, symbol)
+}
+
+type Code struct {
+	BaseInline
+
+	Content string
+}
+
+func (*Code) Type() NodeType {
+	return CodeNode
+}
+
+func (n *Code) Restore() string {
+	return fmt.Sprintf("`%s`", n.Content)
+}
+
+type Image struct {
+	BaseInline
+
+	AltText string
+	URL     string
+}
+
+func (*Image) Type() NodeType {
+	return ImageNode
+}
+
+func (n *Image) Restore() string {
+	return fmt.Sprintf("![%s](%s)", n.AltText, n.URL)
+}
+
+type Link struct {
+	BaseInline
+
+	Text string
+	URL  string
+}
+
+func (*Link) Type() NodeType {
+	return LinkNode
+}
+
+func (n *Link) Restore() string {
+	return fmt.Sprintf("[%s](%s)", n.Text, n.URL)
+}
+
+type AutoLink struct {
+	BaseInline
+
+	URL       string
+	IsRawText bool
+}
+
+func (*AutoLink) Type() NodeType {
+	return AutoLinkNode
+}
+
+func (n *AutoLink) Restore() string {
+	if n.IsRawText {
+		return n.URL
+	}
+	return fmt.Sprintf("<%s>", n.URL)
+}
+
+type Tag struct {
+	BaseInline
+
+	Content string
+}
+
+func (*Tag) Type() NodeType {
+	return TagNode
+}
+
+func (n *Tag) Restore() string {
+	return fmt.Sprintf("#%s", n.Content)
+}
+
+type Strikethrough struct {
+	BaseInline
+
+	Content string
+}
+
+func (*Strikethrough) Type() NodeType {
+	return StrikethroughNode
+}
+
+func (n *Strikethrough) Restore() string {
+	return fmt.Sprintf("~~%s~~", n.Content)
+}
+
+type EscapingCharacter struct {
+	BaseInline
+
+	Symbol string
+}
+
+func (*EscapingCharacter) Type() NodeType {
+	return EscapingCharacterNode
+}
+
+func (n *EscapingCharacter) Restore() string {
+	return fmt.Sprintf("\\%s", n.Symbol)
+}
+
+type Math struct {
+	BaseInline
+
+	Content string
+}
+
+func (*Math) Type() NodeType {
+	return MathNode
+}
+
+func (n *Math) Restore() string {
+	return fmt.Sprintf("$%s$", n.Content)
+}
+
+type Highlight struct {
+	BaseInline
+
+	Content string
+}
+
+func (*Highlight) Type() NodeType {
+	return HighlightNode
+}
+
+func (n *Highlight) Restore() string {
+	return fmt.Sprintf("==%s==", n.Content)
+}
--- a/plugin/gomark/ast/utils.go
+++ b/plugin/gomark/ast/utils.go
@@ -0,0 +1,23 @@
+package ast
+
+func FindPrevSiblingExceptLineBreak(node Node) Node {
+	if node == nil {
+		return nil
+	}
+	prev := node.PrevSibling()
+	if prev != nil && prev.Type() == LineBreakNode && prev.PrevSibling() != nil && prev.PrevSibling().Type() != LineBreakNode {
+		return FindPrevSiblingExceptLineBreak(prev)
+	}
+	return prev
+}
+
+func FindNextSiblingExceptLineBreak(node Node) Node {
+	if node == nil {
+		return nil
+	}
+	next := node.NextSibling()
+	if next != nil && next.Type() == LineBreakNode && next.NextSibling() != nil && next.NextSibling().Type() != LineBreakNode {
+		return FindNextSiblingExceptLineBreak(next)
+	}
+	return next
+}
--- a/plugin/gomark/gomark.go
+++ b/plugin/gomark/gomark.go
@@ -0,0 +1 @@
+package gomark
--- a/plugin/gomark/parser/auto_link.go
+++ b/plugin/gomark/parser/auto_link.go
@@ -0,0 +1,69 @@
+package parser
+
+import (
+	"errors"
+	"net/url"
+
+	"github.com/usememos/memos/plugin/gomark/ast"
+	"github.com/usememos/memos/plugin/gomark/parser/tokenizer"
+)
+
+type AutoLinkParser struct{}
+
+func NewAutoLinkParser() *AutoLinkParser {
+	return &AutoLinkParser{}
+}
+
+func (*AutoLinkParser) Match(tokens []*tokenizer.Token) (int, bool) {
+	if len(tokens) < 3 {
+		return 0, false
+	}
+
+	hasAngleBrackets := false
+	if tokens[0].Type == tokenizer.LessThan {
+		hasAngleBrackets = true
+	}
+
+	contentTokens := []*tokenizer.Token{}
+	for _, token := range tokens {
+		if token.Type == tokenizer.Newline || token.Type == tokenizer.Space {
+			break
+		}
+		contentTokens = append(contentTokens, token)
+		if hasAngleBrackets && token.Type == tokenizer.GreaterThan {
+			break
+		}
+	}
+
+	if hasAngleBrackets && contentTokens[len(contentTokens)-1].Type != tokenizer.GreaterThan {
+		return 0, false
+	}
+
+	content := tokenizer.Stringify(contentTokens)
+	if !hasAngleBrackets {
+		u, err := url.Parse(content)
+		if err != nil || u.Scheme == "" || u.Host == "" {
+			return 0, false
+		}
+	}
+
+	return len(contentTokens), true
+}
+
+func (p *AutoLinkParser) Parse(tokens []*tokenizer.Token) (ast.Node, error) {
+	size, ok := p.Match(tokens)
+	if size == 0 || !ok {
+		return nil, errors.New("not matched")
+	}
+
+	url := tokenizer.Stringify(tokens[:size])
+	isRawText := true
+	if tokens[0].Type == tokenizer.LessThan && tokens[size-1].Type == tokenizer.GreaterThan {
+		isRawText = false
+		url = tokenizer.Stringify(tokens[1 : size-1])
+	}
+	return &ast.AutoLink{
+		URL:       url,
+		IsRawText: isRawText,
+	}, nil
+}
--- a/plugin/gomark/parser/auto_link_test.go
+++ b/plugin/gomark/parser/auto_link_test.go
@@ -0,0 +1,42 @@
+package parser
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/usememos/memos/plugin/gomark/ast"
+	"github.com/usememos/memos/plugin/gomark/parser/tokenizer"
+	"github.com/usememos/memos/plugin/gomark/restore"
+)
+
+func TestAutoLinkParser(t *testing.T) {
+	tests := []struct {
+		text string
+		link ast.Node
+	}{
+		{
+			text: "<https://example.com)",
+			link: nil,
+		},
+		{
+			text: "<https://example.com>",
+			link: &ast.AutoLink{
+				URL: "https://example.com",
+			},
+		},
+		{
+			text: "https://example.com",
+			link: &ast.AutoLink{
+				URL:       "https://example.com",
+				IsRawText: true,
+			},
+		},
+	}
+
+	for _, test := range tests {
+		tokens := tokenizer.Tokenize(test.text)
+		node, _ := NewAutoLinkParser().Parse(tokens)
+		require.Equal(t, restore.Restore([]ast.Node{test.link}), restore.Restore([]ast.Node{node}))
+	}
+}
--- a/Show More
+++ b/Show More