Account Recovery
A user has lost their authenticator app, their hardware key, or their phone — and they cannot log in. Because HitKeep stores all data locally and has no external identity provider, recovery is performed by an administrator with shell access to the server running HitKeep.
The --db flag defaults to hitkeep.db in the working directory. Pass it explicitly if your database lives elsewhere (e.g. /var/lib/hitkeep/data/hitkeep.db).
Recovery Steps
    sudo systemctl stop hitkeep

Then run the recovery command and restart:

    hitkeep recover disable-2fa \
      --email locked-user@example.com \
      --db /var/lib/hitkeep/data/hitkeep.db

    sudo systemctl start hitkeep

Stop the running container, then spin up a temporary container with the same image and data volume to run the recovery command, then restart normally:
    # 1. Stop the running container
    docker stop hitkeep

    # 2. Run recovery in a temporary container against the same volume
    docker run --rm \
      -v hitkeep-data:/var/lib/hitkeep/data \
      ghcr.io/pascalebeier/hitkeep:latest \
      recover disable-2fa \
      --email locked-user@example.com \
      --db /var/lib/hitkeep/data/hitkeep.db

    # 3. Start the container again
    docker start hitkeep

With Docker Compose:
    docker compose stop hitkeep

    docker compose run --rm hitkeep \
      recover disable-2fa \
      --email locked-user@example.com \
      --db /var/lib/hitkeep/data/hitkeep.db

    docker compose start hitkeep

    pkill hitkeep

    hitkeep recover disable-2fa \
      --email locked-user@example.com \
      --db /path/to/hitkeep.db

    hitkeep -db /path/to/hitkeep.db

After Recovery
Advise the user to:
- Log in with their existing password.
- Immediately re-enroll a second factor under Settings → Security.
- If their password may also be compromised, change it under Settings → Security → Change Password.
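An added example, not part of the HitKeep documentation: the systemd recovery steps above wrapped in a shell function that validates the address, copies the database while the service is stopped, always restarts the service, and logs who ran it. Only the `hitkeep recover disable-2fa --email ... --db ...` command comes from the page; the function name `recover_2fa`, the `.pre-recover` backup suffix, the ticket argument and the syslog tag are assumptions.

```shell
#!/bin/sh
# Added example: wrapper around the systemd recovery procedure.
# Assumed names: recover_2fa, DB_DEFAULT, the backup suffix, the log format.
DB_DEFAULT=/var/lib/hitkeep/data/hitkeep.db

recover_2fa() {
    email=$1
    db=${2:-$DB_DEFAULT}
    ticket=${3:-none}   # reference to the out-of-band identity check (assumed convention)

    # Accept only a plain address, so a stray argument such as "--db"
    # is never handed to the recovery command as the --email value.
    case $email in
        -*|*[!A-Za-z0-9@._+-]*|*@*@*) echo "invalid email: $email" >&2; return 2 ;;
        ?*@?*.?*) ;;
        *) echo "invalid email: $email" >&2; return 2 ;;
    esac

    # Fail early on a wrong path instead of passing it to the recovery command.
    [ -f "$db" ] || { echo "database not found: $db" >&2; return 3; }

    sudo systemctl stop hitkeep || return 4

    # Copy the database while the service is stopped, before it is modified.
    backup="$db.pre-recover.$(date -u +%Y%m%dT%H%M%SZ)"
    rc=0
    if cp -p "$db" "$backup"; then
        hitkeep recover disable-2fa --email "$email" --db "$db" || rc=$?
    else
        rc=5
    fi

    # Restart whether or not recovery succeeded, so a failed run is not an outage.
    sudo systemctl start hitkeep || rc=6

    # Record who disabled 2FA for which account, and on what authority.
    logger -t hitkeep-recover \
        "disable-2fa email=$email by=${SUDO_USER:-$(id -un)} ticket=$ticket rc=$rc" \
        2>/dev/null || true
    return "$rc"
}
```

Source the file and call `recover_2fa locked-user@example.com /var/lib/hitkeep/data/hitkeep.db TICKET-ID` as a user that can read and write the database file.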
Related
Need a self-service account recovery flow with identity verification? HitKeep Cloud includes automated, audited recovery workflows.