diff --git a/src/httpd.app.c b/src/httpd.app.c
new file mode 100644
index 000000000..61358249b
--- /dev/null
+++ b/src/httpd.app.c
@@ -0,0 +1,212 @@
+#include "httpd.js.h"
+
+#include "http.h"
+#include "mem.h"
+#include "ssb.db.h"
+#include "ssb.h"
+#include "task.h"
+#include "util.js.h"
+
+#include "picohttpparser.h"
+
+#include <stdlib.h>
+
+#if !defined(__APPLE__) && !defined(__OpenBSD__) && !defined(_WIN32)
+#include <alloca.h>
+#endif
+
+typedef struct _app_blob_t
+{
+	tf_http_request_t* request;
+	bool found;
+	bool not_modified;
+	bool use_handler;
+	bool use_static;
+	void* data;
+	size_t size;
+	char app_blob_id[k_blob_id_len];
+	const char* file;
+	tf_httpd_user_app_t* user_app;
+	char etag[256];
+} app_blob_t;
+
+static void _httpd_endpoint_app_blob_work(tf_ssb_t* ssb, void* user_data)
+{
+	app_blob_t* data = user_data;
+	tf_http_request_t* request = data->request;
+	if (request->path[0] == '/' && request->path[1] == '~')
+	{
+		const char* last_slash = strchr(request->path + 1, '/');
+		if (last_slash)
+		{
+			last_slash = strchr(last_slash + 1, '/');
+		}
+		data->user_app = last_slash ? tf_httpd_parse_user_app_from_path(request->path, last_slash) : NULL;
+		if (data->user_app)
+		{
+			size_t path_length = strlen("path:") + strlen(data->user_app->app) + 1;
+			char* app_path = tf_malloc(path_length);
+			snprintf(app_path, path_length, "path:%s", data->user_app->app);
+			const char* value = tf_ssb_db_get_property(ssb, data->user_app->user, app_path);
+			tf_string_set(data->app_blob_id, sizeof(data->app_blob_id), value);
+			tf_free(app_path);
+			tf_free((void*)value);
+			data->file = last_slash + 1;
+		}
+	}
+	else if (request->path[0] == '/' && request->path[1] == '&')
+	{
+		const char* end = strstr(request->path, ".sha256/");
+		if (end)
+		{
+			snprintf(data->app_blob_id, sizeof(data->app_blob_id), "%.*s", (int)(end + strlen(".sha256") - request->path - 1), request->path + 1);
+			data->file = end + strlen(".sha256/");
+		}
+	}
+
+	char* app_blob = NULL;
+	size_t app_blob_size = 0;
+	if (*data->app_blob_id && tf_ssb_db_blob_get(ssb, data->app_blob_id, (uint8_t**)&app_blob, &app_blob_size))
+	{
+		JSMallocFunctions funcs = { 0 };
+		tf_get_js_malloc_functions(&funcs);
+		JSRuntime* runtime = JS_NewRuntime2(&funcs, NULL);
+		JSContext* context = JS_NewContext(runtime);
+
+		JSValue app_object = JS_ParseJSON(context, app_blob, app_blob_size, NULL);
+		JSValue files = JS_GetPropertyStr(context, app_object, "files");
+		JSValue blob_id = JS_GetPropertyStr(context, files, data->file);
+		if (JS_IsUndefined(blob_id))
+		{
+			blob_id = JS_GetPropertyStr(context, files, "handler.js");
+			if (!JS_IsUndefined(blob_id))
+			{
+				data->use_handler = true;
+			}
+		}
+		else
+		{
+			const char* blob_id_str = JS_ToCString(context, blob_id);
+			if (blob_id_str)
+			{
+				snprintf(data->etag, sizeof(data->etag), "\"%s\"", blob_id_str);
+				const char* match = tf_http_request_get_header(data->request, "if-none-match");
+				if (match && strcmp(match, data->etag) == 0)
+				{
+					data->not_modified = true;
+				}
+				else
+				{
+					data->found = tf_ssb_db_blob_get(ssb, blob_id_str, (uint8_t**)&data->data, &data->size);
+				}
+			}
+			JS_FreeCString(context, blob_id_str);
+		}
+		JS_FreeValue(context, blob_id);
+		JS_FreeValue(context, files);
+		JS_FreeValue(context, app_object);
+
+		JS_FreeContext(context);
+		JS_FreeRuntime(runtime);
+		tf_free(app_blob);
+	}
+}
+
+static void _httpd_call_app_handler(tf_ssb_t* ssb, tf_http_request_t* request, const char* app_blob_id, const char* path, const char* package_owner, const char* app)
+{
+	JSContext* context = tf_ssb_get_context(ssb);
+	JSValue global = JS_GetGlobalObject(context);
+	JSValue exports = JS_GetPropertyStr(context, global, "exports");
+	JSValue call_app_handler = JS_GetPropertyStr(context, exports, "callAppHandler");
+
+	JSValue response = tf_httpd_make_response_object(context, request);
+	tf_http_request_ref(request);
+	JSValue handler_blob_id = JS_NewString(context, app_blob_id);
+	JSValue path_value = JS_NewString(context, path);
+	JSValue package_owner_value = JS_NewString(context, package_owner);
+	JSValue app_value = JS_NewString(context, app);
+	JSValue query_value = request->query ? JS_NewString(context, request->query) : JS_UNDEFINED;
+
+	JSValue headers = JS_NewObject(context);
+	for (int i = 0; i < request->headers_count; i++)
+	{
+		char name[256] = "";
+		snprintf(name, sizeof(name), "%.*s", (int)request->headers[i].name_len, request->headers[i].name);
+		JS_SetPropertyStr(context, headers, name, JS_NewStringLen(context, request->headers[i].value, request->headers[i].value_len));
+	}
+
+	JSValue args[] = {
+		response,
+		handler_blob_id,
+		path_value,
+		query_value,
+		headers,
+		package_owner_value,
+		app_value,
+	};
+
+	JSValue result = JS_Call(context, call_app_handler, JS_NULL, tf_countof(args), args);
+	tf_util_report_error(context, result);
+	JS_FreeValue(context, result);
+
+	JS_FreeValue(context, headers);
+	JS_FreeValue(context, query_value);
+	JS_FreeValue(context, app_value);
+	JS_FreeValue(context, package_owner_value);
+	JS_FreeValue(context, handler_blob_id);
+	JS_FreeValue(context, path_value);
+	JS_FreeValue(context, response);
+	JS_FreeValue(context, call_app_handler);
+	JS_FreeValue(context, exports);
+	JS_FreeValue(context, global);
+}
+
+static void _httpd_endpoint_app_blob_after_work(tf_ssb_t* ssb, int status, void* user_data)
+{
+	app_blob_t* data = user_data;
+	if (data->not_modified)
+	{
+		tf_http_respond(data->request, 304, NULL, 0, NULL, 0);
+	}
+	else if (data->use_static)
+	{
+		tf_httpd_endpoint_static(data->request);
+	}
+	else if (data->use_handler)
+	{
+		_httpd_call_app_handler(ssb, data->request, data->app_blob_id, data->file, data->user_app->user, data->user_app->app);
+	}
+	else if (data->found)
+	{
+		const char* mime_type = tf_httpd_ext_to_content_type(strrchr(data->request->path, '.'), false);
+		if (!mime_type)
+		{
+			mime_type = tf_httpd_magic_bytes_to_content_type(data->data, data->size);
+		}
+		const char* headers[] = {
+			"Access-Control-Allow-Origin",
+			"*",
+			"Content-Security-Policy",
+			"sandbox allow-downloads allow-top-navigation-by-user-activation",
+			"Content-Type",
+			mime_type ? mime_type : "application/binary",
+			"etag",
+			data->etag,
+		};
+		tf_http_respond(data->request, 200, headers, tf_countof(headers) / 2, data->data, data->size);
+	}
+	tf_free(data->user_app);
+	tf_free(data->data);
+	tf_http_request_unref(data->request);
+	tf_free(data);
+}
+
+void tf_httpd_endpoint_app(tf_http_request_t* request)
+{
+	tf_http_request_ref(request);
+	tf_task_t* task = request->user_data;
+	tf_ssb_t* ssb = tf_task_get_ssb(task);
+	app_blob_t* data = tf_malloc(sizeof(app_blob_t));
+	*data = (app_blob_t) { .request = request };
+	tf_ssb_run_work(ssb, _httpd_endpoint_app_blob_work, _httpd_endpoint_app_blob_after_work, data);
+}
diff --git a/src/httpd.delete.c b/src/httpd.delete.c
new file mode 100644
index 000000000..c2a4e3a6e
--- /dev/null
+++ b/src/httpd.delete.c
@@ -0,0 +1,91 @@
+#include "httpd.js.h"
+
+#include "http.h"
+#include "mem.h"
+#include "ssb.db.h"
+#include "ssb.h"
+#include "task.h"
+#include "util.js.h"
+
+typedef struct _delete_t
+{
+	tf_http_request_t* request;
+	const char* session;
+	int response;
+} delete_t;
+
+static void _httpd_endpoint_delete_work(tf_ssb_t* ssb, void* user_data)
+{
+	delete_t* delete = user_data;
+	tf_http_request_t* request = delete->request;
+
+	JSMallocFunctions funcs = { 0 };
+	tf_get_js_malloc_functions(&funcs);
+	JSRuntime* runtime = JS_NewRuntime2(&funcs, NULL);
+	JSContext* context = JS_NewContext(runtime);
+
+	JSValue jwt = tf_httpd_authenticate_jwt(ssb, context, delete->session);
+	JSValue user = JS_GetPropertyStr(context, jwt, "name");
+	const char* user_string = JS_ToCString(context, user);
+	if (user_string && tf_httpd_is_name_valid(user_string))
+	{
+		tf_httpd_user_app_t* user_app = tf_httpd_parse_user_app_from_path(request->path, "/delete");
+		if (user_app)
+		{
+			if (strcmp(user_string, user_app->user) == 0 || (strcmp(user_app->user, "core") == 0 && tf_ssb_db_user_has_permission(ssb, NULL, user_string, "administration")))
+			{
+				size_t path_length = strlen("path:") + strlen(user_app->app) + 1;
+				char* app_path = tf_malloc(path_length);
+				snprintf(app_path, path_length, "path:%s", user_app->app);
+
+				bool changed = false;
+				changed = tf_ssb_db_remove_value_from_array_property(ssb, user_string, "apps", user_app->app) || changed;
+				changed = tf_ssb_db_remove_property(ssb, user_string, app_path) || changed;
+				delete->response = changed ? 200 : 404;
+				tf_free(app_path);
+			}
+			else
+			{
+				delete->response = 401;
+			}
+		}
+		else
+		{
+			delete->response = 404;
+		}
+		tf_free(user_app);
+	}
+	else
+	{
+		delete->response = 401;
+	}
+
+	JS_FreeCString(context, user_string);
+	JS_FreeValue(context, user);
+	JS_FreeValue(context, jwt);
+	JS_FreeContext(context);
+	JS_FreeRuntime(runtime);
+}
+
+static void _httpd_endpoint_delete_after_work(tf_ssb_t* ssb, int status, void* user_data)
+{
+	delete_t* delete = user_data;
+	const char* k_payload = tf_http_status_text(delete->response ? delete->response : 404);
+	tf_http_respond(delete->request, delete->response ? delete->response : 404, NULL, 0, k_payload, strlen(k_payload));
+	tf_http_request_unref(delete->request);
+	tf_free((void*)delete->session);
+	tf_free(delete);
+}
+
+void tf_httpd_endpoint_delete(tf_http_request_t* request)
+{
+	tf_http_request_ref(request);
+	tf_task_t* task = request->user_data;
+	tf_ssb_t* ssb = tf_task_get_ssb(task);
+	delete_t* delete = tf_malloc(sizeof(delete_t));
+	*delete = (delete_t) {
+		.request = request,
+		.session = tf_http_get_cookie(tf_http_request_get_header(request, "cookie"), "session"),
+	};
+	tf_ssb_run_work(ssb, _httpd_endpoint_delete_work, _httpd_endpoint_delete_after_work, delete);
+}
diff --git a/src/httpd.index.c b/src/httpd.index.c
new file mode 100644
index 000000000..b776ac942
--- /dev/null
+++ b/src/httpd.index.c
@@ -0,0 +1,233 @@
+#include "httpd.js.h"
+
+#include "file.js.h"
+#include "http.h"
+#include "mem.h"
+#include "ssb.db.h"
+#include "ssb.h"
+#include "task.h"
+#include "util.js.h"
+
+#include <stdlib.h>
+
+#if !defined(__APPLE__) && !defined(__OpenBSD__) && !defined(_WIN32)
+#include <alloca.h>
+#endif
+
+typedef struct _index_t
+{
+	tf_http_request_t* request;
+	bool found;
+	bool not_modified;
+	bool use_handler;
+	bool use_static;
+	void* data;
+	size_t size;
+	char app_blob_id[k_blob_id_len];
+	const char* file;
+	tf_httpd_user_app_t* user_app;
+	char etag[256];
+} index_t;
+
+static bool _has_property(JSContext* context, JSValue object, const char* name)
+{
+	JSAtom atom = JS_NewAtom(context, name);
+	bool result = JS_HasProperty(context, object, atom) > 0;
+	JS_FreeAtom(context, atom);
+	return result;
+}
+
+static void _httpd_endpoint_app_index_work(tf_ssb_t* ssb, void* user_data)
+{
+	index_t* data = user_data;
+	data->use_static = true;
+	tf_httpd_user_app_t* user_app = data->user_app;
+
+	size_t app_path_length = strlen("path:") + strlen(user_app->app) + 1;
+	char* app_path = tf_malloc(app_path_length);
+	snprintf(app_path, app_path_length, "path:%s", user_app->app);
+	const char* app_blob_id = tf_ssb_db_get_property(ssb, user_app->user, app_path);
+	tf_free(app_path);
+
+	uint8_t* app_blob = NULL;
+	size_t app_blob_size = 0;
+
+	if (tf_ssb_db_blob_get(ssb, app_blob_id, &app_blob, &app_blob_size))
+	{
+		JSMallocFunctions funcs = { 0 };
+		tf_get_js_malloc_functions(&funcs);
+		JSRuntime* runtime = JS_NewRuntime2(&funcs, NULL);
+		JSContext* context = JS_NewContext(runtime);
+
+		JSValue app = JS_ParseJSON(context, (const char*)app_blob, app_blob_size, NULL);
+		JSValue files = JS_GetPropertyStr(context, app, "files");
+
+		if (!_has_property(context, files, "app.js"))
+		{
+			JSValue index = JS_GetPropertyStr(context, files, "index.html");
+			if (JS_IsString(index))
+			{
+				const char* index_string = JS_ToCString(context, index);
+				tf_ssb_db_blob_get(ssb, index_string, (uint8_t**)&data->data, &data->size);
+				JS_FreeCString(context, index_string);
+			}
+			JS_FreeValue(context, index);
+		}
+
+		JS_FreeValue(context, files);
+		JS_FreeValue(context, app);
+
+		JS_FreeContext(context);
+		JS_FreeRuntime(runtime);
+
+		tf_free(app_blob);
+	}
+	tf_free((void*)app_blob_id);
+}
+
+static char* _replace(const char* original, size_t size, const char* find, const char* replace, size_t* out_size)
+{
+	char* pos = strstr(original, find);
+	if (!pos)
+	{
+		return tf_strdup(original);
+	}
+
+	size_t replace_length = strlen(replace);
+	size_t find_length = strlen(find);
+	size_t new_size = size + replace_length - find_length;
+	char* buffer = tf_malloc(new_size);
+	memcpy(buffer, original, pos - original);
+	memcpy(buffer + (pos - original), replace, replace_length);
+	memcpy(buffer + (pos - original) + replace_length, pos + find_length, size - (pos - original) - find_length);
+	*out_size = new_size;
+	return buffer;
+}
+
+static char* _append_raw(char* document, size_t* current_size, const char* data, size_t size)
+{
+	document = tf_resize_vec(document, *current_size + size);
+	memcpy(document + *current_size, data, size);
+	document[*current_size + size] = '\0';
+	*current_size += size;
+	return document;
+}
+
+static char* _append_encoded(char* document, const char* data, size_t size, size_t* out_size)
+{
+	size_t current_size = strlen(document);
+	int accum = 0;
+	for (int i = 0; (size_t)i < size; i++)
+	{
+		switch (data[i])
+		{
+		case '"':
+			if (i > accum)
+			{
+				document = _append_raw(document, &current_size, data + accum, i - accum);
+			}
+			document = _append_raw(document, &current_size, "&quot;", strlen("&quot;"));
+			accum = i + 1;
+			break;
+		case '\'':
+			if (i > accum)
+			{
+				document = _append_raw(document, &current_size, data + accum, i - accum);
+			}
+			document = _append_raw(document, &current_size, "&#x27;", strlen("&#x27;"));
+			accum = i + 1;
+			break;
+		case '<':
+			if (i > accum)
+			{
+				document = _append_raw(document, &current_size, data + accum, i - accum);
+			}
+			document = _append_raw(document, &current_size, "&lt;", strlen("&lt;"));
+			accum = i + 1;
+			break;
+		case '>':
+			if (i > accum)
+			{
+				document = _append_raw(document, &current_size, data + accum, i - accum);
+			}
+			document = _append_raw(document, &current_size, "&gt;", strlen("&gt;"));
+			accum = i + 1;
+			break;
+		case '&':
+			if (i > accum)
+			{
+				document = _append_raw(document, &current_size, data + accum, i - accum);
+			}
+			document = _append_raw(document, &current_size, "&amp;", strlen("&amp;"));
+			accum = i + 1;
+			break;
+		default:
+			break;
+		}
+	}
+	*out_size = current_size;
+	return document;
+}
+
+static void _httpd_endpoint_app_index_file_read(tf_task_t* task, const char* path, int result, const void* data, void* user_data)
+{
+	index_t* state = user_data;
+	if (result > 0)
+	{
+		char* replacement = tf_strdup("<iframe srcdoc=\"");
+		size_t replacement_size = 0;
+		replacement = _append_encoded(replacement, state->data, state->size, &replacement_size);
+		_append_raw(replacement, &replacement_size, "\"", 1);
+
+		size_t size = 0;
+		char* document = _replace(data, result, "<iframe", replacement, &size);
+		const char* headers[] = {
+			"Content-Type",
+			"text/html; charset=utf-8",
+		};
+		tf_http_respond(state->request, 200, headers, tf_countof(headers) / 2, document, size);
+		tf_free(replacement);
+		tf_free(document);
+	}
+	tf_free(state->data);
+	tf_free(state->user_app);
+	tf_http_request_unref(state->request);
+	tf_free(state);
+}
+
+static void _httpd_endpoint_app_index_after_work(tf_ssb_t* ssb, int status, void* user_data)
+{
+	index_t* data = user_data;
+	if (data->data)
+	{
+		tf_task_t* task = data->request->user_data;
+		const char* root_path = tf_task_get_root_path(task);
+		size_t size = (root_path ? strlen(root_path) + 1 : 0) + strlen("core/index.html") + 1;
+		char* path = alloca(size);
+		snprintf(path, size, "%s%score/index.html", root_path ? root_path : "", root_path ? "/" : "");
+		tf_file_read(task, path, _httpd_endpoint_app_index_file_read, data);
+	}
+	else
+	{
+		tf_httpd_endpoint_static(data->request);
+		tf_free(data->user_app);
+		tf_http_request_unref(data->request);
+		tf_free(data);
+	}
+}
+
+void tf_httpd_endpoint_app_index(tf_http_request_t* request)
+{
+	tf_httpd_user_app_t* user_app = tf_httpd_parse_user_app_from_path(request->path, "/");
+	if (!user_app)
+	{
+		return tf_httpd_endpoint_static(request);
+	}
+
+	tf_task_t* task = request->user_data;
+	tf_ssb_t* ssb = tf_task_get_ssb(task);
+	index_t* data = tf_malloc(sizeof(index_t));
+	(*data) = (index_t) { .request = request, .user_app = user_app };
+	tf_http_request_ref(request);
+	tf_ssb_run_work(ssb, _httpd_endpoint_app_index_work, _httpd_endpoint_app_index_after_work, data);
+}
diff --git a/src/httpd.js.c b/src/httpd.js.c
index d9266f584..21a298bf1 100644
--- a/src/httpd.js.c
+++ b/src/httpd.js.c
@@ -15,9 +15,7 @@
 #include "version.h"
 
 #include "ow-crypt.h"
-
 #include "picohttpparser.h"
-
 #include "sodium/crypto_sign.h"
 #include "sodium/utils.h"
 
@@ -37,16 +35,6 @@
 #define YELLOW "\e[1;33m"
 #define RESET "\e[0m"
 
-const int64_t k_refresh_interval = 1ULL * 7 * 24 * 60 * 60 * 1000;
-
-static JSValue _authenticate_jwt(tf_ssb_t* ssb, JSContext* context, const char* jwt);
-static JSValue _httpd_websocket_upgrade(JSContext* context, JSValueConst this_val, int argc, JSValueConst* argv);
-static bool _is_name_valid(const char* name);
-static const char* _make_session_jwt(JSContext* context, tf_ssb_t* ssb, const char* name);
-static const char* _make_set_session_cookie_header(tf_http_request_t* request, const char* session_cookie);
-const char** _form_data_decode(const char* data, int length);
-const char* _form_data_get(const char** form_data, const char* key);
-
 static JSClassID _httpd_request_class_id;
 
 typedef struct _http_user_data_t
@@ -186,36 +174,6 @@ static void _httpd_message_callback(tf_http_request_t* request, int op_code, con
 	JS_FreeValue(context, on_message);
 }
 
-static JSValue _httpd_make_response_object(JSContext* context, tf_http_request_t* request)
-{
-	JSValue response_object = JS_NewObjectClass(context, _httpd_request_class_id);
-	JS_SetOpaque(response_object, request);
-	JS_SetPropertyStr(context, response_object, "writeHead", JS_NewCFunction(context, _httpd_response_write_head, "writeHead", 2));
-	JS_SetPropertyStr(context, response_object, "end", JS_NewCFunction(context, _httpd_response_end, "end", 1));
-	JS_SetPropertyStr(context, response_object, "send", JS_NewCFunction(context, _httpd_response_send, "send", 2));
-	JS_SetPropertyStr(context, response_object, "upgrade", JS_NewCFunction(context, _httpd_websocket_upgrade, "upgrade", 2));
-	return response_object;
-}
-
-static bool _httpd_redirect(tf_http_request_t* request)
-{
-	if (request->is_tls)
-	{
-		return false;
-	}
-
-	http_user_data_t* user_data = tf_http_get_user_data(request->http);
-	if (!user_data || !*user_data->redirect)
-	{
-		return false;
-	}
-
-	char redirect[1024];
-	snprintf(redirect, sizeof(redirect), "%s%s", user_data->redirect, request->path);
-	tf_http_respond(request, 303, (const char*[]) { "Location", redirect }, 1, NULL, 0);
-	return true;
-}
-
 static JSValue _httpd_websocket_upgrade(JSContext* context, JSValueConst this_val, int argc, JSValueConst* argv)
 {
 	tf_http_request_t* request = JS_GetOpaque(this_val, _httpd_request_class_id);
@@ -253,12 +211,12 @@ static JSValue _httpd_websocket_upgrade(JSContext* context, JSValueConst this_va
 
 		tf_ssb_t* ssb = tf_task_get_ssb(tf_task_get(context));
 		const char* session = tf_http_get_cookie(tf_http_request_get_header(request, "cookie"), "session");
-		JSValue jwt = _authenticate_jwt(ssb, context, session);
+		JSValue jwt = tf_httpd_authenticate_jwt(ssb, context, session);
 		tf_free((void*)session);
 		JSValue name = !JS_IsUndefined(jwt) ? JS_GetPropertyStr(context, jwt, "name") : JS_UNDEFINED;
 		const char* name_string = !JS_IsUndefined(name) ? JS_ToCString(context, name) : NULL;
-		const char* session_token = _make_session_jwt(tf_ssb_get_context(ssb), ssb, name_string);
-		const char* cookie = _make_set_session_cookie_header(request, session_token);
+		const char* session_token = tf_httpd_make_session_jwt(tf_ssb_get_context(ssb), ssb, name_string);
+		const char* cookie = tf_httpd_make_set_session_cookie_header(request, session_token);
 		tf_free((void*)session_token);
 		JS_FreeCString(context, name_string);
 		JS_FreeValue(context, name);
@@ -302,6 +260,36 @@ static JSValue _httpd_websocket_upgrade(JSContext* context, JSValueConst this_va
 	return JS_UNDEFINED;
 }
 
+JSValue tf_httpd_make_response_object(JSContext* context, tf_http_request_t* request)
+{
+	JSValue response_object = JS_NewObjectClass(context, _httpd_request_class_id);
+	JS_SetOpaque(response_object, request);
+	JS_SetPropertyStr(context, response_object, "writeHead", JS_NewCFunction(context, _httpd_response_write_head, "writeHead", 2));
+	JS_SetPropertyStr(context, response_object, "end", JS_NewCFunction(context, _httpd_response_end, "end", 1));
+	JS_SetPropertyStr(context, response_object, "send", JS_NewCFunction(context, _httpd_response_send, "send", 2));
+	JS_SetPropertyStr(context, response_object, "upgrade", JS_NewCFunction(context, _httpd_websocket_upgrade, "upgrade", 2));
+	return response_object;
+}
+
+bool tf_httpd_redirect(tf_http_request_t* request)
+{
+	if (request->is_tls)
+	{
+		return false;
+	}
+
+	http_user_data_t* user_data = tf_http_get_user_data(request->http);
+	if (!user_data || !*user_data->redirect)
+	{
+		return false;
+	}
+
+	char redirect[1024];
+	snprintf(redirect, sizeof(redirect), "%s%s", user_data->redirect, request->path);
+	tf_http_respond(request, 303, (const char*[]) { "Location", redirect }, 1, NULL, 0);
+	return true;
+}
+
 typedef struct _httpd_listener_t
 {
 	tf_tls_context_t* tls;
@@ -379,7 +367,7 @@ static JSValue _httpd_auth_query(JSContext* context, JSValueConst this_val, int
 	JSValue cookie = JS_GetPropertyStr(context, headers, "cookie");
 	const char* cookie_string = JS_ToCString(context, cookie);
 	const char* session = tf_http_get_cookie(cookie_string, "session");
-	JSValue entry = _authenticate_jwt(ssb, context, session);
+	JSValue entry = tf_httpd_authenticate_jwt(ssb, context, session);
 	tf_free((void*)session);
 	JS_FreeCString(context, cookie_string);
 	JS_FreeValue(context, cookie);
@@ -426,7 +414,7 @@ static bool _magic_bytes_match(const magic_bytes_t* magic, const uint8_t* actual
 	return true;
 }
 
-static const char* _httpd_mime_type_from_magic_bytes(const uint8_t* bytes, size_t size)
+const char* tf_httpd_magic_bytes_to_content_type(const uint8_t* bytes, size_t size)
 {
 	const char* type = "application/binary";
 	if (bytes)
@@ -503,7 +491,7 @@ static const char* _httpd_mime_type_from_magic_bytes(const uint8_t* bytes, size_
 	return type;
 }
 
-static const char* _ext_to_content_type(const char* ext, bool use_fallback)
+const char* tf_httpd_ext_to_content_type(const char* ext, bool use_fallback)
 {
 	if (ext)
 	{
@@ -543,7 +531,7 @@ static void _httpd_request_finalizer(JSRuntime* runtime, JSValue value)
 
 static void _httpd_endpoint_trace(tf_http_request_t* request)
 {
-	if (_httpd_redirect(request))
+	if (tf_httpd_redirect(request))
 	{
 		return;
 	}
@@ -563,7 +551,7 @@ static void _httpd_endpoint_trace(tf_http_request_t* request)
 
 static void _httpd_endpoint_mem(tf_http_request_t* request)
 {
-	if (_httpd_redirect(request))
+	if (tf_httpd_redirect(request))
 	{
 		return;
 	}
@@ -594,194 +582,6 @@ static void _httpd_endpoint_mem(tf_http_request_t* request)
 	tf_free(response);
 }
 
-static const char* _after(const char* text, const char* prefix)
-{
-	size_t prefix_length = strlen(prefix);
-	if (text && strncmp(text, prefix, prefix_length) == 0)
-	{
-		return text + prefix_length;
-	}
-	return NULL;
-}
-
-static double _time_spec_to_double(const uv_timespec_t* time_spec)
-{
-	return (double)time_spec->tv_sec + (double)(time_spec->tv_nsec) / 1e9;
-}
-
-typedef struct _http_file_t
-{
-	tf_http_request_t* request;
-	char etag[512];
-} http_file_t;
-
-static bool _ends_with(const char* a, const char* suffix)
-{
-	if (!a || !suffix)
-	{
-		return false;
-	}
-	size_t alen = strlen(a);
-	size_t suffixlen = strlen(suffix);
-	return alen >= suffixlen && strcmp(a + alen - suffixlen, suffix) == 0;
-}
-
-static void _httpd_endpoint_static_read(tf_task_t* task, const char* path, int result, const void* data, void* user_data)
-{
-	http_file_t* file = user_data;
-	tf_http_request_t* request = file->request;
-	if (result >= 0)
-	{
-		if (strcmp(path, "core/tfrpc.js") == 0 || _ends_with(path, "core/tfrpc.js"))
-		{
-			const char* content_type = _ext_to_content_type(strrchr(path, '.'), true);
-			const char* headers[] = {
-				"Content-Type",
-				content_type,
-				"etag",
-				file->etag,
-				"Access-Control-Allow-Origin",
-				"null",
-			};
-			tf_http_respond(request, 200, headers, tf_countof(headers) / 2, data, result);
-		}
-		else
-		{
-			const char* content_type = _ext_to_content_type(strrchr(path, '.'), true);
-			const char* headers[] = {
-				"Content-Type",
-				content_type,
-				"etag",
-				file->etag,
-			};
-			tf_http_respond(request, 200, headers, tf_countof(headers) / 2, data, result);
-		}
-	}
-	else
-	{
-		const char* k_payload = tf_http_status_text(404);
-		tf_http_respond(request, 404, NULL, 0, k_payload, strlen(k_payload));
-	}
-	tf_http_request_unref(request);
-	tf_free(file);
-}
-
-static void _httpd_endpoint_static_stat(tf_task_t* task, const char* path, int result, const uv_stat_t* stat, void* user_data)
-{
-	tf_http_request_t* request = user_data;
-	const char* match = tf_http_request_get_header(request, "if-none-match");
-	if (result != 0)
-	{
-		const char* k_payload = tf_http_status_text(404);
-		tf_http_respond(request, 404, NULL, 0, k_payload, strlen(k_payload));
-		tf_http_request_unref(request);
-	}
-	else
-	{
-		char etag[512];
-		snprintf(etag, sizeof(etag), "\"%f_%zd\"", _time_spec_to_double(&stat->st_mtim), (size_t)stat->st_size);
-		if (match && strcmp(match, etag) == 0)
-		{
-			tf_http_respond(request, 304, NULL, 0, NULL, 0);
-			tf_http_request_unref(request);
-		}
-		else
-		{
-			http_file_t* file = tf_malloc(sizeof(http_file_t));
-			*file = (http_file_t) { .request = request };
-			static_assert(sizeof(file->etag) == sizeof(etag), "Size mismatch");
-			memcpy(file->etag, etag, sizeof(etag));
-			tf_file_read(task, path, _httpd_endpoint_static_read, file);
-		}
-	}
-}
-
-static void _httpd_endpoint_static(tf_http_request_t* request)
-{
-	if (request->path && strncmp(request->path, "/.well-known/", strlen("/.well-known/")) && _httpd_redirect(request))
-	{
-		return;
-	}
-
-	const char* k_static_files[] = {
-		"index.html",
-		"client.js",
-		"tildefriends.svg",
-		"jszip.min.js",
-		"style.css",
-		"tfrpc.js",
-		"w3.css",
-	};
-
-	const char* k_map[][2] = {
-		{ "/static/", "core/" },
-		{ "/lit/", "deps/lit/" },
-		{ "/codemirror/", "deps/codemirror/" },
-		{ "/prettier/", "deps/prettier/" },
-		{ "/speedscope/", "deps/speedscope/" },
-		{ "/.well-known/", "data/global/.well-known/" },
-	};
-
-	bool is_core = false;
-	const char* after = NULL;
-	const char* file_path = NULL;
-	for (int i = 0; i < tf_countof(k_map) && !after; i++)
-	{
-		const char* next_after = _after(request->path, k_map[i][0]);
-		if (next_after)
-		{
-			after = next_after;
-			file_path = k_map[i][1];
-			is_core = after && i == 0;
-		}
-	}
-
-	if ((!after || !*after) && request->path[strlen(request->path) - 1] == '/')
-	{
-		after = "index.html";
-		if (!file_path)
-		{
-			file_path = "core/";
-			is_core = true;
-		}
-	}
-
-	if (!after || strstr(after, ".."))
-	{
-		const char* k_payload = tf_http_status_text(404);
-		tf_http_respond(request, 404, NULL, 0, k_payload, strlen(k_payload));
-		return;
-	}
-
-	if (is_core)
-	{
-		bool found = false;
-		for (int i = 0; i < tf_countof(k_static_files); i++)
-		{
-			if (strcmp(after, k_static_files[i]) == 0)
-			{
-				found = true;
-				break;
-			}
-		}
-
-		if (!found)
-		{
-			const char* k_payload = tf_http_status_text(404);
-			tf_http_respond(request, 404, NULL, 0, k_payload, strlen(k_payload));
-			return;
-		}
-	}
-
-	tf_task_t* task = request->user_data;
-	const char* root_path = tf_task_get_root_path(task);
-	size_t size = (root_path ? strlen(root_path) + 1 : 0) + strlen(file_path) + strlen(after) + 1;
-	char* path = alloca(size);
-	snprintf(path, size, "%s%s%s%s", root_path ? root_path : "", root_path ? "/" : "", file_path, after);
-	tf_http_request_ref(request);
-	tf_file_stat(task, path, _httpd_endpoint_static_stat, request);
-}
-
 static void _httpd_endpoint_add_slash(tf_http_request_t* request)
 {
 	const char* host = tf_http_request_get_header(request, "x-forwarded-host");
@@ -798,13 +598,7 @@ static void _httpd_endpoint_add_slash(tf_http_request_t* request)
 	tf_http_respond(request, 303, headers, tf_countof(headers) / 2, "", 0);
 }
 
-typedef struct _user_app_t
-{
-	const char* user;
-	const char* app;
-} user_app_t;
-
-static user_app_t* _parse_user_app_from_path(const char* path, const char* expected_suffix)
+tf_httpd_user_app_t* tf_httpd_parse_user_app_from_path(const char* path, const char* expected_suffix)
 {
 	if (!path || path[0] != '/' || path[1] != '~')
 	{
@@ -828,9 +622,9 @@ static user_app_t* _parse_user_app_from_path(const char* path, const char* expec
 	size_t user_length = (size_t)(slash - user);
 	const char* app = slash + 1;
 	size_t app_length = (size_t)(length - suffix_length - user_length - 3);
-	user_app_t* result = tf_malloc(sizeof(user_app_t) + user_length + 1 + app_length + 1);
+	tf_httpd_user_app_t* result = tf_malloc(sizeof(tf_httpd_user_app_t) + user_length + 1 + app_length + 1);
 
-	*result = (user_app_t) {
+	*result = (tf_httpd_user_app_t) {
 		.user = (char*)(result + 1),
 		.app = (char*)(result + 1) + user_length + 1,
 	};
@@ -839,7 +633,7 @@ static user_app_t* _parse_user_app_from_path(const char* path, const char* expec
 	memcpy((char*)result->app, app, app_length);
 	((char*)result->app)[app_length] = '\0';
 
-	if (!_is_name_valid(result->user) || !_is_name_valid(result->app))
+	if (!tf_httpd_is_name_valid(result->user) || !tf_httpd_is_name_valid(result->app))
 	{
 		tf_free(result);
 		result = NULL;
@@ -848,792 +642,6 @@ static user_app_t* _parse_user_app_from_path(const char* path, const char* expec
 	return result;
 }
 
-typedef struct _app_blob_t
-{
-	tf_http_request_t* request;
-	bool found;
-	bool not_modified;
-	bool use_handler;
-	bool use_static;
-	void* data;
-	size_t size;
-	char app_blob_id[k_blob_id_len];
-	const char* file;
-	user_app_t* user_app;
-	char etag[256];
-} app_blob_t;
-
-static void _httpd_endpoint_app_blob_work(tf_ssb_t* ssb, void* user_data)
-{
-	app_blob_t* data = user_data;
-	tf_http_request_t* request = data->request;
-	if (request->path[0] == '/' && request->path[1] == '~')
-	{
-		const char* last_slash = strchr(request->path + 1, '/');
-		if (last_slash)
-		{
-			last_slash = strchr(last_slash + 1, '/');
-		}
-		data->user_app = last_slash ? _parse_user_app_from_path(request->path, last_slash) : NULL;
-		if (data->user_app)
-		{
-			size_t path_length = strlen("path:") + strlen(data->user_app->app) + 1;
-			char* app_path = tf_malloc(path_length);
-			snprintf(app_path, path_length, "path:%s", data->user_app->app);
-			const char* value = tf_ssb_db_get_property(ssb, data->user_app->user, app_path);
-			tf_string_set(data->app_blob_id, sizeof(data->app_blob_id), value);
-			tf_free(app_path);
-			tf_free((void*)value);
-			data->file = last_slash + 1;
-		}
-	}
-	else if (request->path[0] == '/' && request->path[1] == '&')
-	{
-		const char* end = strstr(request->path, ".sha256/");
-		if (end)
-		{
-			snprintf(data->app_blob_id, sizeof(data->app_blob_id), "%.*s", (int)(end + strlen(".sha256") - request->path - 1), request->path + 1);
-			data->file = end + strlen(".sha256/");
-		}
-	}
-
-	char* app_blob = NULL;
-	size_t app_blob_size = 0;
-	if (*data->app_blob_id && tf_ssb_db_blob_get(ssb, data->app_blob_id, (uint8_t**)&app_blob, &app_blob_size))
-	{
-		JSMallocFunctions funcs = { 0 };
-		tf_get_js_malloc_functions(&funcs);
-		JSRuntime* runtime = JS_NewRuntime2(&funcs, NULL);
-		JSContext* context = JS_NewContext(runtime);
-
-		JSValue app_object = JS_ParseJSON(context, app_blob, app_blob_size, NULL);
-		JSValue files = JS_GetPropertyStr(context, app_object, "files");
-		JSValue blob_id = JS_GetPropertyStr(context, files, data->file);
-		if (JS_IsUndefined(blob_id))
-		{
-			blob_id = JS_GetPropertyStr(context, files, "handler.js");
-			if (!JS_IsUndefined(blob_id))
-			{
-				data->use_handler = true;
-			}
-		}
-		else
-		{
-			const char* blob_id_str = JS_ToCString(context, blob_id);
-			if (blob_id_str)
-			{
-				snprintf(data->etag, sizeof(data->etag), "\"%s\"", blob_id_str);
-				const char* match = tf_http_request_get_header(data->request, "if-none-match");
-				if (match && strcmp(match, data->etag) == 0)
-				{
-					data->not_modified = true;
-				}
-				else
-				{
-					data->found = tf_ssb_db_blob_get(ssb, blob_id_str, (uint8_t**)&data->data, &data->size);
-				}
-			}
-			JS_FreeCString(context, blob_id_str);
-		}
-		JS_FreeValue(context, blob_id);
-		JS_FreeValue(context, files);
-		JS_FreeValue(context, app_object);
-
-		JS_FreeContext(context);
-		JS_FreeRuntime(runtime);
-		tf_free(app_blob);
-	}
-}
-
-static void _httpd_call_app_handler(tf_ssb_t* ssb, tf_http_request_t* request, const char* app_blob_id, const char* path, const char* package_owner, const char* app)
-{
-	JSContext* context = tf_ssb_get_context(ssb);
-	JSValue global = JS_GetGlobalObject(context);
-	JSValue exports = JS_GetPropertyStr(context, global, "exports");
-	JSValue call_app_handler = JS_GetPropertyStr(context, exports, "callAppHandler");
-
-	JSValue response = _httpd_make_response_object(context, request);
-	tf_http_request_ref(request);
-	JSValue handler_blob_id = JS_NewString(context, app_blob_id);
-	JSValue path_value = JS_NewString(context, path);
-	JSValue package_owner_value = JS_NewString(context, package_owner);
-	JSValue app_value = JS_NewString(context, app);
-	JSValue query_value = request->query ? JS_NewString(context, request->query) : JS_UNDEFINED;
-
-	JSValue headers = JS_NewObject(context);
-	for (int i = 0; i < request->headers_count; i++)
-	{
-		char name[256] = "";
-		snprintf(name, sizeof(name), "%.*s", (int)request->headers[i].name_len, request->headers[i].name);
-		JS_SetPropertyStr(context, headers, name, JS_NewStringLen(context, request->headers[i].value, request->headers[i].value_len));
-	}
-
-	JSValue args[] = {
-		response,
-		handler_blob_id,
-		path_value,
-		query_value,
-		headers,
-		package_owner_value,
-		app_value,
-	};
-
-	JSValue result = JS_Call(context, call_app_handler, JS_NULL, tf_countof(args), args);
-	tf_util_report_error(context, result);
-	JS_FreeValue(context, result);
-
-	JS_FreeValue(context, headers);
-	JS_FreeValue(context, query_value);
-	JS_FreeValue(context, app_value);
-	JS_FreeValue(context, package_owner_value);
-	JS_FreeValue(context, handler_blob_id);
-	JS_FreeValue(context, path_value);
-	JS_FreeValue(context, response);
-	JS_FreeValue(context, call_app_handler);
-	JS_FreeValue(context, exports);
-	JS_FreeValue(context, global);
-}
-
-static void _httpd_endpoint_app_blob_after_work(tf_ssb_t* ssb, int status, void* user_data)
-{
-	app_blob_t* data = user_data;
-	if (data->not_modified)
-	{
-		tf_http_respond(data->request, 304, NULL, 0, NULL, 0);
-	}
-	else if (data->use_static)
-	{
-		_httpd_endpoint_static(data->request);
-	}
-	else if (data->use_handler)
-	{
-		_httpd_call_app_handler(ssb, data->request, data->app_blob_id, data->file, data->user_app->user, data->user_app->app);
-	}
-	else if (data->found)
-	{
-		const char* mime_type = _ext_to_content_type(strrchr(data->request->path, '.'), false);
-		if (!mime_type)
-		{
-			mime_type = _httpd_mime_type_from_magic_bytes(data->data, data->size);
-		}
-		const char* headers[] = {
-			"Access-Control-Allow-Origin",
-			"*",
-			"Content-Security-Policy",
-			"sandbox allow-downloads allow-top-navigation-by-user-activation",
-			"Content-Type",
-			mime_type ? mime_type : "application/binary",
-			"etag",
-			data->etag,
-		};
-		tf_http_respond(data->request, 200, headers, tf_countof(headers) / 2, data->data, data->size);
-	}
-	tf_free(data->user_app);
-	tf_free(data->data);
-	tf_http_request_unref(data->request);
-	tf_free(data);
-}
-
-static void _httpd_endpoint_app_blob(tf_http_request_t* request)
-{
-	tf_http_request_ref(request);
-	tf_task_t* task = request->user_data;
-	tf_ssb_t* ssb = tf_task_get_ssb(task);
-	app_blob_t* data = tf_malloc(sizeof(app_blob_t));
-	*data = (app_blob_t) { .request = request };
-	tf_ssb_run_work(ssb, _httpd_endpoint_app_blob_work, _httpd_endpoint_app_blob_after_work, data);
-}
-
-static bool _has_property(JSContext* context, JSValue object, const char* name)
-{
-	JSAtom atom = JS_NewAtom(context, name);
-	bool result = JS_HasProperty(context, object, atom) > 0;
-	JS_FreeAtom(context, atom);
-	return result;
-}
-
-static void _httpd_endpoint_app_index_work(tf_ssb_t* ssb, void* user_data)
-{
-	app_blob_t* data = user_data;
-	data->use_static = true;
-	user_app_t* user_app = data->user_app;
-
-	size_t app_path_length = strlen("path:") + strlen(user_app->app) + 1;
-	char* app_path = tf_malloc(app_path_length);
-	snprintf(app_path, app_path_length, "path:%s", user_app->app);
-	const char* app_blob_id = tf_ssb_db_get_property(ssb, user_app->user, app_path);
-	tf_free(app_path);
-
-	uint8_t* app_blob = NULL;
-	size_t app_blob_size = 0;
-
-	if (tf_ssb_db_blob_get(ssb, app_blob_id, &app_blob, &app_blob_size))
-	{
-		JSMallocFunctions funcs = { 0 };
-		tf_get_js_malloc_functions(&funcs);
-		JSRuntime* runtime = JS_NewRuntime2(&funcs, NULL);
-		JSContext* context = JS_NewContext(runtime);
-
-		JSValue app = JS_ParseJSON(context, (const char*)app_blob, app_blob_size, NULL);
-		JSValue files = JS_GetPropertyStr(context, app, "files");
-
-		if (!_has_property(context, files, "app.js"))
-		{
-			JSValue index = JS_GetPropertyStr(context, files, "index.html");
-			if (JS_IsString(index))
-			{
-				const char* index_string = JS_ToCString(context, index);
-				tf_ssb_db_blob_get(ssb, index_string, (uint8_t**)&data->data, &data->size);
-				JS_FreeCString(context, index_string);
-			}
-			JS_FreeValue(context, index);
-		}
-
-		JS_FreeValue(context, files);
-		JS_FreeValue(context, app);
-
-		JS_FreeContext(context);
-		JS_FreeRuntime(runtime);
-
-		tf_free(app_blob);
-	}
-	tf_free((void*)app_blob_id);
-}
-
-static char* _replace(const char* original, size_t size, const char* find, const char* replace, size_t* out_size)
-{
-	char* pos = strstr(original, find);
-	if (!pos)
-	{
-		return tf_strdup(original);
-	}
-
-	size_t replace_length = strlen(replace);
-	size_t find_length = strlen(find);
-	size_t new_size = size + replace_length - find_length;
-	char* buffer = tf_malloc(new_size);
-	memcpy(buffer, original, pos - original);
-	memcpy(buffer + (pos - original), replace, replace_length);
-	memcpy(buffer + (pos - original) + replace_length, pos + find_length, size - (pos - original) - find_length);
-	*out_size = new_size;
-	return buffer;
-}
-
-static char* _append_raw(char* document, size_t* current_size, const char* data, size_t size)
-{
-	document = tf_resize_vec(document, *current_size + size);
-	memcpy(document + *current_size, data, size);
-	document[*current_size + size] = '\0';
-	*current_size += size;
-	return document;
-}
-
-static char* _append_encoded(char* document, const char* data, size_t size, size_t* out_size)
-{
-	size_t current_size = strlen(document);
-	int accum = 0;
-	for (int i = 0; (size_t)i < size; i++)
-	{
-		switch (data[i])
-		{
-		case '"':
-			if (i > accum)
-			{
-				document = _append_raw(document, &current_size, data + accum, i - accum);
-			}
-			document = _append_raw(document, &current_size, "&quot;", strlen("&quot;"));
-			accum = i + 1;
-			break;
-		case '\'':
-			if (i > accum)
-			{
-				document = _append_raw(document, &current_size, data + accum, i - accum);
-			}
-			document = _append_raw(document, &current_size, "&#x27;", strlen("&#x27;"));
-			accum = i + 1;
-			break;
-		case '<':
-			if (i > accum)
-			{
-				document = _append_raw(document, &current_size, data + accum, i - accum);
-			}
-			document = _append_raw(document, &current_size, "&lt;", strlen("&lt;"));
-			accum = i + 1;
-			break;
-		case '>':
-			if (i > accum)
-			{
-				document = _append_raw(document, &current_size, data + accum, i - accum);
-			}
-			document = _append_raw(document, &current_size, "&gt;", strlen("&gt;"));
-			accum = i + 1;
-			break;
-		case '&':
-			if (i > accum)
-			{
-				document = _append_raw(document, &current_size, data + accum, i - accum);
-			}
-			document = _append_raw(document, &current_size, "&amp;", strlen("&amp;"));
-			accum = i + 1;
-			break;
-		default:
-			break;
-		}
-	}
-	*out_size = current_size;
-	return document;
-}
-
-static void _httpd_endpoint_app_index_file_read(tf_task_t* task, const char* path, int result, const void* data, void* user_data)
-{
-	app_blob_t* state = user_data;
-	if (result > 0)
-	{
-		char* replacement = tf_strdup("<iframe srcdoc=\"");
-		size_t replacement_size = 0;
-		replacement = _append_encoded(replacement, state->data, state->size, &replacement_size);
-		_append_raw(replacement, &replacement_size, "\"", 1);
-
-		size_t size = 0;
-		char* document = _replace(data, result, "<iframe", replacement, &size);
-		const char* headers[] = {
-			"Content-Type",
-			"text/html; charset=utf-8",
-		};
-		tf_http_respond(state->request, 200, headers, tf_countof(headers) / 2, document, size);
-		tf_free(replacement);
-		tf_free(document);
-	}
-	tf_free(state->data);
-	tf_free(state->user_app);
-	tf_http_request_unref(state->request);
-	tf_free(state);
-}
-
-static void _httpd_endpoint_app_index_after_work(tf_ssb_t* ssb, int status, void* user_data)
-{
-	app_blob_t* data = user_data;
-	if (data->data)
-	{
-		tf_task_t* task = data->request->user_data;
-		const char* root_path = tf_task_get_root_path(task);
-		size_t size = (root_path ? strlen(root_path) + 1 : 0) + strlen("core/index.html") + 1;
-		char* path = alloca(size);
-		snprintf(path, size, "%s%score/index.html", root_path ? root_path : "", root_path ? "/" : "");
-		tf_file_read(task, path, _httpd_endpoint_app_index_file_read, data);
-	}
-	else
-	{
-		_httpd_endpoint_static(data->request);
-		tf_free(data->user_app);
-		tf_http_request_unref(data->request);
-		tf_free(data);
-	}
-}
-
-static void _httpd_endpoint_app_index(tf_http_request_t* request)
-{
-	user_app_t* user_app = _parse_user_app_from_path(request->path, "/");
-	if (!user_app)
-	{
-		return _httpd_endpoint_static(request);
-	}
-
-	tf_task_t* task = request->user_data;
-	tf_ssb_t* ssb = tf_task_get_ssb(task);
-	app_blob_t* data = tf_malloc(sizeof(app_blob_t));
-	(*data) = (app_blob_t) { .request = request, .user_app = user_app };
-	tf_http_request_ref(request);
-	tf_ssb_run_work(ssb, _httpd_endpoint_app_index_work, _httpd_endpoint_app_index_after_work, data);
-}
-
-typedef struct _view_t
-{
-	tf_http_request_t* request;
-	const char** form_data;
-	void* data;
-	size_t size;
-	char etag[256];
-	char notify_want_blob_id[k_blob_id_len];
-	bool not_modified;
-} view_t;
-
-static bool _is_filename_safe(const char* filename)
-{
-	if (!filename)
-	{
-		return NULL;
-	}
-	for (const char* p = filename; *p; p++)
-	{
-		if ((*p <= 'a' && *p >= 'z') && (*p <= 'A' && *p >= 'Z') && (*p <= '0' && *p >= '9') && *p != '.' && *p != '-' && *p != '_')
-		{
-			return false;
-		}
-	}
-	return strlen(filename) < 256;
-}
-
-static void _httpd_endpoint_view_work(tf_ssb_t* ssb, void* user_data)
-{
-	view_t* view = user_data;
-	tf_http_request_t* request = view->request;
-	char blob_id[k_blob_id_len] = "";
-
-	user_app_t* user_app = _parse_user_app_from_path(request->path, "/view");
-	if (user_app)
-	{
-		size_t app_path_length = strlen("path:") + strlen(user_app->app) + 1;
-		char* app_path = tf_malloc(app_path_length);
-		snprintf(app_path, app_path_length, "path:%s", user_app->app);
-		const char* value = tf_ssb_db_get_property(ssb, user_app->user, app_path);
-		tf_string_set(blob_id, sizeof(blob_id), value);
-		tf_free(app_path);
-		tf_free((void*)value);
-	}
-	else if (request->path[0] == '/' && request->path[1] == '&')
-	{
-		snprintf(blob_id, sizeof(blob_id), "%.*s", (int)(strlen(request->path) - strlen("/view") - 1), request->path + 1);
-	}
-	tf_free(user_app);
-
-	if (*blob_id)
-	{
-		snprintf(view->etag, sizeof(view->etag), "\"%s\"", blob_id);
-		const char* if_none_match = tf_http_request_get_header(request, "if-none-match");
-		char match[258];
-		snprintf(match, sizeof(match), "\"%s\"", blob_id);
-		if (if_none_match && strcmp(if_none_match, match) == 0)
-		{
-			view->not_modified = true;
-		}
-		else
-		{
-			if (!tf_ssb_db_blob_get(ssb, blob_id, (uint8_t**)&view->data, &view->size))
-			{
-				sqlite3* db = tf_ssb_acquire_db_writer(ssb);
-				tf_ssb_db_add_blob_wants(db, blob_id);
-				tf_ssb_release_db_writer(ssb, db);
-				tf_string_set(view->notify_want_blob_id, sizeof(view->notify_want_blob_id), blob_id);
-			}
-		}
-	}
-}
-
-static void _httpd_endpoint_view_after_work(tf_ssb_t* ssb, int status, void* user_data)
-{
-	view_t* view = user_data;
-	const char* filename = _form_data_get(view->form_data, "filename");
-	if (!_is_filename_safe(filename))
-	{
-		filename = NULL;
-	}
-	char content_disposition[512] = "";
-	if (filename)
-	{
-		snprintf(content_disposition, sizeof(content_disposition), "attachment; filename=%s", filename);
-	}
-	const char* headers[] = {
-		"Content-Security-Policy",
-		"sandbox allow-downloads allow-top-navigation-by-user-activation",
-		"Content-Type",
-		view->data ? _httpd_mime_type_from_magic_bytes(view->data, view->size) : "text/plain",
-		"etag",
-		view->etag,
-		filename ? "Content-Disposition" : NULL,
-		filename ? content_disposition : NULL,
-	};
-	int count = filename ? tf_countof(headers) / 2 : (tf_countof(headers) / 2 - 1);
-	if (view->not_modified)
-	{
-		tf_http_respond(view->request, 304, headers, count, NULL, 0);
-	}
-	else if (view->data)
-	{
-		tf_http_respond(view->request, 200, headers, count, view->data, view->size);
-		tf_free(view->data);
-	}
-	else
-	{
-		const char* k_payload = tf_http_status_text(404);
-		tf_http_respond(view->request, 404, NULL, 0, k_payload, strlen(k_payload));
-	}
-
-	if (*view->notify_want_blob_id)
-	{
-		tf_ssb_notify_blob_want_added(ssb, view->notify_want_blob_id);
-	}
-
-	tf_free(view->form_data);
-	tf_http_request_unref(view->request);
-	tf_free(view);
-}
-
-static void _httpd_endpoint_view(tf_http_request_t* request)
-{
-	tf_http_request_ref(request);
-	tf_task_t* task = request->user_data;
-	tf_ssb_t* ssb = tf_task_get_ssb(task);
-	view_t* view = tf_malloc(sizeof(view_t));
-	*view = (view_t) { .request = request, .form_data = _form_data_decode(request->query, request->query ? strlen(request->query) : 0) };
-	tf_ssb_run_work(ssb, _httpd_endpoint_view_work, _httpd_endpoint_view_after_work, view);
-}
-
-typedef struct _save_t
-{
-	tf_http_request_t* request;
-	int response;
-	char blob_id[k_blob_id_len];
-} save_t;
-
-static void _httpd_endpoint_save_work(tf_ssb_t* ssb, void* user_data)
-{
-	save_t* save = user_data;
-	tf_http_request_t* request = save->request;
-	const char* session = tf_http_get_cookie(tf_http_request_get_header(request, "cookie"), "session");
-
-	JSMallocFunctions funcs = { 0 };
-	tf_get_js_malloc_functions(&funcs);
-	JSRuntime* runtime = JS_NewRuntime2(&funcs, NULL);
-	JSContext* context = JS_NewContext(runtime);
-
-	JSValue jwt = _authenticate_jwt(ssb, context, session);
-	JSValue user = JS_GetPropertyStr(context, jwt, "name");
-	const char* user_string = JS_ToCString(context, user);
-
-	if (user_string && _is_name_valid(user_string))
-	{
-		user_app_t* user_app = _parse_user_app_from_path(request->path, "/save");
-		if (user_app)
-		{
-			if (strcmp(user_string, user_app->user) == 0 || (strcmp(user_app->user, "core") == 0 && tf_ssb_db_user_has_permission(ssb, NULL, user_string, "administration")))
-			{
-				size_t path_length = strlen("path:") + strlen(user_app->app) + 1;
-				char* app_path = tf_malloc(path_length);
-				snprintf(app_path, path_length, "path:%s", user_app->app);
-
-				const char* old_blob_id = tf_ssb_db_get_property(ssb, user_app->user, app_path);
-
-				JSValue new_app = JS_ParseJSON(context, request->body, request->content_length, NULL);
-				tf_util_report_error(context, new_app);
-				if (JS_IsObject(new_app))
-				{
-					uint8_t* old_blob = NULL;
-					size_t old_blob_size = 0;
-					if (tf_ssb_db_blob_get(ssb, old_blob_id, &old_blob, &old_blob_size))
-					{
-						JSValue old_app = JS_ParseJSON(context, (const char*)old_blob, old_blob_size, NULL);
-						if (JS_IsObject(old_app))
-						{
-							JSAtom previous = JS_NewAtom(context, "previous");
-							JS_DeleteProperty(context, old_app, previous, 0);
-							JS_DeleteProperty(context, new_app, previous, 0);
-
-							JSValue old_app_json = JS_JSONStringify(context, old_app, JS_NULL, JS_NULL);
-							JSValue new_app_json = JS_JSONStringify(context, new_app, JS_NULL, JS_NULL);
-							const char* old_app_str = JS_ToCString(context, old_app_json);
-							const char* new_app_str = JS_ToCString(context, new_app_json);
-
-							if (old_app_str && new_app_str && strcmp(old_app_str, new_app_str) == 0)
-							{
-								snprintf(save->blob_id, sizeof(save->blob_id), "/%s", old_blob_id);
-								save->response = 200;
-							}
-
-							JS_FreeCString(context, old_app_str);
-							JS_FreeCString(context, new_app_str);
-							JS_FreeValue(context, old_app_json);
-							JS_FreeValue(context, new_app_json);
-							JS_FreeAtom(context, previous);
-						}
-						JS_FreeValue(context, old_app);
-						tf_free(old_blob);
-					}
-
-					if (!save->response)
-					{
-						if (old_blob_id)
-						{
-							JS_SetPropertyStr(context, new_app, "previous", JS_NewString(context, old_blob_id));
-						}
-						JSValue new_app_json = JS_JSONStringify(context, new_app, JS_NULL, JS_NULL);
-						size_t new_app_length = 0;
-						const char* new_app_str = JS_ToCStringLen(context, &new_app_length, new_app_json);
-
-						char blob_id[k_blob_id_len] = { 0 };
-						if (tf_ssb_db_blob_store(ssb, (const uint8_t*)new_app_str, new_app_length, blob_id, sizeof(blob_id), NULL) &&
-							tf_ssb_db_set_property(ssb, user_app->user, app_path, blob_id))
-						{
-							tf_ssb_db_add_value_to_array_property(ssb, user_app->user, "apps", user_app->app);
-							tf_string_set(save->blob_id, sizeof(save->blob_id), blob_id);
-							save->response = 200;
-						}
-						else
-						{
-							tf_printf("Blob store or property set failed.\n");
-							save->response = 500;
-						}
-
-						JS_FreeCString(context, new_app_str);
-						JS_FreeValue(context, new_app_json);
-					}
-				}
-				else
-				{
-					save->response = 400;
-				}
-				JS_FreeValue(context, new_app);
-
-				tf_free(app_path);
-				tf_free((void*)old_blob_id);
-			}
-			else
-			{
-				save->response = 403;
-			}
-			tf_free(user_app);
-		}
-		else if (strcmp(request->path, "/save") == 0)
-		{
-			char blob_id[k_blob_id_len] = { 0 };
-			if (tf_ssb_db_blob_store(ssb, request->body, request->content_length, blob_id, sizeof(blob_id), NULL))
-			{
-				tf_string_set(save->blob_id, sizeof(save->blob_id), blob_id);
-				save->response = 200;
-			}
-			else
-			{
-				tf_printf("Blob store failed.\n");
-				save->response = 500;
-			}
-		}
-		else
-		{
-			save->response = 400;
-		}
-	}
-	else
-	{
-		save->response = 401;
-	}
-
-	tf_free((void*)session);
-	JS_FreeCString(context, user_string);
-	JS_FreeValue(context, user);
-	JS_FreeValue(context, jwt);
-	JS_FreeContext(context);
-	JS_FreeRuntime(runtime);
-}
-
-static void _httpd_endpoint_save_after_work(tf_ssb_t* ssb, int status, void* user_data)
-{
-	save_t* save = user_data;
-	tf_http_request_t* request = save->request;
-	if (*save->blob_id)
-	{
-		char body[256] = "";
-		int length = snprintf(body, sizeof(body), "/%s", save->blob_id);
-		tf_http_respond(request, 200, NULL, 0, body, length);
-	}
-	tf_http_request_unref(request);
-	tf_free(save);
-}
-
-static void _httpd_endpoint_save(tf_http_request_t* request)
-{
-	tf_http_request_ref(request);
-	tf_task_t* task = request->user_data;
-	tf_ssb_t* ssb = tf_task_get_ssb(task);
-	save_t* save = tf_malloc(sizeof(save_t));
-	*save = (save_t) {
-		.request = request,
-	};
-	tf_ssb_run_work(ssb, _httpd_endpoint_save_work, _httpd_endpoint_save_after_work, save);
-}
-
-typedef struct _delete_t
-{
-	tf_http_request_t* request;
-	const char* session;
-	int response;
-} delete_t;
-
-static void _httpd_endpoint_delete_work(tf_ssb_t* ssb, void* user_data)
-{
-	delete_t* delete = user_data;
-	tf_http_request_t* request = delete->request;
-
-	JSMallocFunctions funcs = { 0 };
-	tf_get_js_malloc_functions(&funcs);
-	JSRuntime* runtime = JS_NewRuntime2(&funcs, NULL);
-	JSContext* context = JS_NewContext(runtime);
-
-	JSValue jwt = _authenticate_jwt(ssb, context, delete->session);
-	JSValue user = JS_GetPropertyStr(context, jwt, "name");
-	const char* user_string = JS_ToCString(context, user);
-	if (user_string && _is_name_valid(user_string))
-	{
-		user_app_t* user_app = _parse_user_app_from_path(request->path, "/delete");
-		if (user_app)
-		{
-			if (strcmp(user_string, user_app->user) == 0 || (strcmp(user_app->user, "core") == 0 && tf_ssb_db_user_has_permission(ssb, NULL, user_string, "administration")))
-			{
-				size_t path_length = strlen("path:") + strlen(user_app->app) + 1;
-				char* app_path = tf_malloc(path_length);
-				snprintf(app_path, path_length, "path:%s", user_app->app);
-
-				bool changed = false;
-				changed = tf_ssb_db_remove_value_from_array_property(ssb, user_string, "apps", user_app->app) || changed;
-				changed = tf_ssb_db_remove_property(ssb, user_string, app_path) || changed;
-				delete->response = changed ? 200 : 404;
-				tf_free(app_path);
-			}
-			else
-			{
-				delete->response = 401;
-			}
-		}
-		else
-		{
-			delete->response = 404;
-		}
-		tf_free(user_app);
-	}
-	else
-	{
-		delete->response = 401;
-	}
-
-	JS_FreeCString(context, user_string);
-	JS_FreeValue(context, user);
-	JS_FreeValue(context, jwt);
-	JS_FreeContext(context);
-	JS_FreeRuntime(runtime);
-}
-
-static void _httpd_endpoint_delete_after_work(tf_ssb_t* ssb, int status, void* user_data)
-{
-	delete_t* delete = user_data;
-	const char* k_payload = tf_http_status_text(delete->response ? delete->response : 404);
-	tf_http_respond(delete->request, delete->response ? delete->response : 404, NULL, 0, k_payload, strlen(k_payload));
-	tf_http_request_unref(delete->request);
-	tf_free((void*)delete->session);
-	tf_free(delete);
-}
-
-static void _httpd_endpoint_delete(tf_http_request_t* request)
-{
-	tf_http_request_ref(request);
-	tf_task_t* task = request->user_data;
-	tf_ssb_t* ssb = tf_task_get_ssb(task);
-	delete_t* delete = tf_malloc(sizeof(delete_t));
-	*delete = (delete_t) {
-		.request = request,
-		.session = tf_http_get_cookie(tf_http_request_get_header(request, "cookie"), "session"),
-	};
-	tf_ssb_run_work(ssb, _httpd_endpoint_delete_work, _httpd_endpoint_delete_after_work, delete);
-}
-
 static void _httpd_endpoint_root_callback(const char* path, void* user_data)
 {
 	tf_http_request_t* request = user_data;
@@ -1660,7 +668,7 @@ static void _httpd_endpoint_root(tf_http_request_t* request)
 
 static void _httpd_endpoint_robots_txt(tf_http_request_t* request)
 {
-	if (_httpd_redirect(request))
+	if (tf_httpd_redirect(request))
 	{
 		return;
 	}
@@ -1673,7 +681,7 @@ static void _httpd_endpoint_robots_txt(tf_http_request_t* request)
 
 static void _httpd_endpoint_debug(tf_http_request_t* request)
 {
-	if (_httpd_redirect(request))
+	if (tf_httpd_redirect(request))
 	{
 		return;
 	}
@@ -1690,7 +698,7 @@ static void _httpd_endpoint_debug(tf_http_request_t* request)
 	tf_free(response);
 }
 
-const char** _form_data_decode(const char* data, int length)
+const char** tf_httpd_form_data_decode(const char* data, int length)
 {
 	int key_max = 1;
 	for (int i = 0; i < length; i++)
@@ -1755,7 +763,7 @@ const char** _form_data_decode(const char* data, int length)
 	return (const char**)result;
 }
 
-const char* _form_data_get(const char** form_data, const char* key)
+const char* tf_httpd_form_data_get(const char** form_data, const char* key)
 {
 	for (int i = 0; form_data[i]; i += 2)
 	{
@@ -1767,100 +775,6 @@ const char* _form_data_get(const char** form_data, const char* key)
 	return NULL;
 }
 
-typedef struct _login_request_t
-{
-	tf_http_request_t* request;
-	const char* name;
-	const char* error;
-	const char* settings;
-	const char* code_of_conduct;
-	bool have_administrator;
-	bool session_is_new;
-
-	char location_header[1024];
-	const char* set_cookie_header;
-
-	int pending;
-} login_request_t;
-
-static const char* _make_set_session_cookie_header(tf_http_request_t* request, const char* session_cookie)
-{
-	const char* k_pattern = "session=%s; path=/; Max-Age=%" PRId64 "; %sSameSite=Strict; HttpOnly";
-	int length = session_cookie ? snprintf(NULL, 0, k_pattern, session_cookie, k_refresh_interval, request->is_tls ? "Secure; " : "") : 0;
-	char* cookie = length ? tf_malloc(length + 1) : NULL;
-	if (cookie)
-	{
-		snprintf(cookie, length + 1, k_pattern, session_cookie, k_refresh_interval, request->is_tls ? "Secure; " : "");
-	}
-	return cookie;
-}
-
-static void _login_release(login_request_t* login)
-{
-	int ref_count = --login->pending;
-	if (ref_count == 0)
-	{
-		tf_free((void*)login->name);
-		tf_free((void*)login->code_of_conduct);
-		tf_free((void*)login->set_cookie_header);
-		tf_free(login);
-	}
-}
-
-static void _httpd_endpoint_login_file_read_callback(tf_task_t* task, const char* path, int result, const void* data, void* user_data)
-{
-	login_request_t* login = user_data;
-	tf_http_request_t* request = login->request;
-	if (result >= 0)
-	{
-		const char* headers[] = {
-			"Content-Type",
-			"text/html; charset=utf-8",
-			"Set-Cookie",
-			login->set_cookie_header ? login->set_cookie_header : "",
-		};
-		const char* replace_me = "$AUTH_DATA";
-		const char* auth = strstr(data, replace_me);
-		if (auth)
-		{
-			JSContext* context = tf_task_get_context(task);
-			JSValue object = JS_NewObject(context);
-			JS_SetPropertyStr(context, object, "session_is_new", JS_NewBool(context, login->session_is_new));
-			JS_SetPropertyStr(context, object, "name", login->name ? JS_NewString(context, login->name) : JS_UNDEFINED);
-			JS_SetPropertyStr(context, object, "error", login->error ? JS_NewString(context, login->error) : JS_UNDEFINED);
-			JS_SetPropertyStr(context, object, "code_of_conduct", login->code_of_conduct ? JS_NewString(context, login->code_of_conduct) : JS_UNDEFINED);
-			JS_SetPropertyStr(context, object, "have_administrator", JS_NewBool(context, login->have_administrator));
-			JSValue object_json = JS_JSONStringify(context, object, JS_NULL, JS_NULL);
-			size_t json_length = 0;
-			const char* json = JS_ToCStringLen(context, &json_length, object_json);
-
-			char* copy = tf_malloc(result + json_length);
-			int replace_start = (auth - (const char*)data);
-			int replace_end = (auth - (const char*)data) + (int)strlen(replace_me);
-			memcpy(copy, data, replace_start);
-			memcpy(copy + replace_start, json, json_length);
-			memcpy(copy + replace_start + json_length, ((const char*)data) + replace_end, result - replace_end);
-			tf_http_respond(request, 200, headers, tf_countof(headers) / 2, copy, replace_start + json_length + (result - replace_end));
-			tf_free(copy);
-
-			JS_FreeCString(context, json);
-			JS_FreeValue(context, object_json);
-			JS_FreeValue(context, object);
-		}
-		else
-		{
-			tf_http_respond(request, 200, headers, tf_countof(headers) / 2, data, result);
-		}
-	}
-	else
-	{
-		const char* k_payload = tf_http_status_text(404);
-		tf_http_respond(request, 404, NULL, 0, k_payload, strlen(k_payload));
-	}
-	tf_http_request_unref(request);
-	_login_release(login);
-}
-
 static bool _string_property_equals(JSContext* context, JSValue object, const char* name, const char* value)
 {
 	JSValue object_value = JS_GetPropertyStr(context, object, name);
@@ -1871,7 +785,7 @@ static bool _string_property_equals(JSContext* context, JSValue object, const ch
 	return equals;
 }
 
-static JSValue _authenticate_jwt(tf_ssb_t* ssb, JSContext* context, const char* jwt)
+JSValue tf_httpd_authenticate_jwt(tf_ssb_t* ssb, JSContext* context, const char* jwt)
 {
 	if (!jwt)
 	{
@@ -1944,18 +858,7 @@ static JSValue _authenticate_jwt(tf_ssb_t* ssb, JSContext* context, const char*
 	return parsed;
 }
 
-static bool _session_is_authenticated_as_user(JSContext* context, JSValue session)
-{
-	bool result = false;
-	JSValue user = JS_GetPropertyStr(context, session, "name");
-	const char* user_string = JS_ToCString(context, user);
-	result = user_string && strcmp(user_string, "guest") != 0;
-	JS_FreeCString(context, user_string);
-	JS_FreeValue(context, user);
-	return result;
-}
-
-static bool _is_name_valid(const char* name)
+bool tf_httpd_is_name_valid(const char* name)
 {
 	if (!name || !((*name >= 'a' && *name <= 'z') || (*name >= 'A' && *name <= 'Z')))
 	{
@@ -1972,465 +875,6 @@ static bool _is_name_valid(const char* name)
 	return true;
 }
 
-static const char* _make_session_jwt(JSContext* context, tf_ssb_t* ssb, const char* name)
-{
-	if (!name || !*name)
-	{
-		return NULL;
-	}
-
-	uv_timespec64_t now = { 0 };
-	uv_clock_gettime(UV_CLOCK_REALTIME, &now);
-
-	const char* header_json = "{\"alg\":\"HS256\",\"typ\":\"JWT\"}";
-	char header_base64[256];
-	sodium_bin2base64(header_base64, sizeof(header_base64), (uint8_t*)header_json, strlen(header_json), sodium_base64_VARIANT_URLSAFE_NO_PADDING);
-
-	JSValue payload = JS_NewObject(context);
-	JS_SetPropertyStr(context, payload, "name", JS_NewString(context, name));
-	JS_SetPropertyStr(context, payload, "exp", JS_NewInt64(context, now.tv_sec * 1000 + now.tv_nsec / 1000000LL + k_refresh_interval));
-	JSValue payload_json = JS_JSONStringify(context, payload, JS_NULL, JS_NULL);
-	size_t payload_length = 0;
-	const char* payload_string = JS_ToCStringLen(context, &payload_length, payload_json);
-	char payload_base64[256];
-	sodium_bin2base64(payload_base64, sizeof(payload_base64), (uint8_t*)payload_string, payload_length, sodium_base64_VARIANT_URLSAFE_NO_PADDING);
-
-	char* result = NULL;
-	uint8_t signature[crypto_sign_BYTES];
-	unsigned long long signature_length = 0;
-	char signature_base64[256] = { 0 };
-
-	uint8_t private_key[crypto_sign_SECRETKEYBYTES] = { 0 };
-	tf_ssb_get_private_key(ssb, private_key, sizeof(private_key));
-
-	if (crypto_sign_detached(signature, &signature_length, (const uint8_t*)payload_base64, strlen(payload_base64), private_key) == 0)
-	{
-		sodium_bin2base64(signature_base64, sizeof(signature_base64), signature, sizeof(signature), sodium_base64_VARIANT_URLSAFE_NO_PADDING);
-		size_t size = strlen(header_base64) + 1 + strlen(payload_base64) + 1 + strlen(signature_base64) + 1;
-		result = tf_malloc(size);
-		snprintf(result, size, "%s.%s.%s", header_base64, payload_base64, signature_base64);
-	}
-	sodium_memzero(private_key, sizeof(private_key));
-
-	JS_FreeCString(context, payload_string);
-	JS_FreeValue(context, payload_json);
-	JS_FreeValue(context, payload);
-
-	return result;
-}
-
-static bool _verify_password(const char* password, const char* hash)
-{
-	char buffer[7 + 22 + 31 + 1];
-	const char* out_hash = crypt_rn(password, hash, buffer, sizeof(buffer));
-	return out_hash && strcmp(hash, out_hash) == 0;
-}
-
-static bool _make_administrator_if_first(tf_ssb_t* ssb, JSContext* context, const char* account_name_copy, bool may_become_first_admin)
-{
-	const char* settings = tf_ssb_db_get_property(ssb, "core", "settings");
-	JSValue settings_value = settings && *settings ? JS_ParseJSON(context, settings, strlen(settings), NULL) : JS_UNDEFINED;
-	if (JS_IsUndefined(settings_value))
-	{
-		settings_value = JS_NewObject(context);
-	}
-
-	bool have_administrator = false;
-	JSValue permissions = JS_GetPropertyStr(context, settings_value, "permissions");
-
-	JSPropertyEnum* ptab = NULL;
-	uint32_t plen = 0;
-	JS_GetOwnPropertyNames(context, &ptab, &plen, permissions, JS_GPN_STRING_MASK);
-	for (int i = 0; i < (int)plen; i++)
-	{
-		JSPropertyDescriptor desc = { 0 };
-		if (JS_GetOwnProperty(context, &desc, permissions, ptab[i].atom) == 1)
-		{
-			int permission_length = tf_util_get_length(context, desc.value);
-			for (int i = 0; i < permission_length; i++)
-			{
-				JSValue entry = JS_GetPropertyUint32(context, desc.value, i);
-				const char* permission = JS_ToCString(context, entry);
-				if (permission && strcmp(permission, "administration") == 0)
-				{
-					have_administrator = true;
-				}
-				JS_FreeCString(context, permission);
-				JS_FreeValue(context, entry);
-			}
-			JS_FreeValue(context, desc.setter);
-			JS_FreeValue(context, desc.getter);
-			JS_FreeValue(context, desc.value);
-		}
-	}
-	for (uint32_t i = 0; i < plen; ++i)
-	{
-		JS_FreeAtom(context, ptab[i].atom);
-	}
-	js_free(context, ptab);
-
-	if (!have_administrator && may_become_first_admin)
-	{
-		if (JS_IsUndefined(permissions))
-		{
-			permissions = JS_NewObject(context);
-			JS_SetPropertyStr(context, settings_value, "permissions", JS_DupValue(context, permissions));
-		}
-		JSValue user = JS_GetPropertyStr(context, permissions, account_name_copy);
-		if (JS_IsUndefined(user))
-		{
-			user = JS_NewArray(context);
-			JS_SetPropertyStr(context, permissions, account_name_copy, JS_DupValue(context, user));
-		}
-		JS_SetPropertyUint32(context, user, tf_util_get_length(context, user), JS_NewString(context, "administration"));
-		JS_FreeValue(context, user);
-
-		JSValue settings_json = JS_JSONStringify(context, settings_value, JS_NULL, JS_NULL);
-		const char* settings_string = JS_ToCString(context, settings_json);
-		tf_ssb_db_set_property(ssb, "core", "settings", settings_string);
-		JS_FreeCString(context, settings_string);
-		JS_FreeValue(context, settings_json);
-	}
-
-	JS_FreeValue(context, permissions);
-	JS_FreeValue(context, settings_value);
-	tf_free((void*)settings);
-	return have_administrator;
-}
-
-static void _httpd_endpoint_login_work(tf_ssb_t* ssb, void* user_data)
-{
-	login_request_t* login = user_data;
-	tf_http_request_t* request = login->request;
-
-	JSMallocFunctions funcs = { 0 };
-	tf_get_js_malloc_functions(&funcs);
-	JSRuntime* runtime = JS_NewRuntime2(&funcs, NULL);
-	JSContext* context = JS_NewContext(runtime);
-
-	const char* session = tf_http_get_cookie(tf_http_request_get_header(request, "cookie"), "session");
-	const char** form_data = _form_data_decode(request->query, request->query ? strlen(request->query) : 0);
-	const char* account_name_copy = NULL;
-	JSValue jwt = _authenticate_jwt(ssb, context, session);
-
-	if (_session_is_authenticated_as_user(context, jwt))
-	{
-		const char* return_url = _form_data_get(form_data, "return");
-		if (return_url)
-		{
-			tf_string_set(login->location_header, sizeof(login->location_header), return_url);
-		}
-		else
-		{
-			snprintf(login->location_header, sizeof(login->location_header), "%s%s/", request->is_tls ? "https://" : "http://", tf_http_request_get_header(request, "host"));
-		}
-		goto done;
-	}
-
-	const char* send_session = tf_strdup(session);
-	bool session_is_new = false;
-	const char* login_error = NULL;
-	bool may_become_first_admin = false;
-	if (strcmp(request->method, "POST") == 0)
-	{
-		session_is_new = true;
-		const char** post_form_data = _form_data_decode(request->body, request->content_length);
-		const char* submit = _form_data_get(post_form_data, "submit");
-		if (submit && strcmp(submit, "Login") == 0)
-		{
-			const char* account_name = _form_data_get(post_form_data, "name");
-			account_name_copy = tf_strdup(account_name);
-			const char* password = _form_data_get(post_form_data, "password");
-			const char* new_password = _form_data_get(post_form_data, "new_password");
-			const char* confirm = _form_data_get(post_form_data, "confirm");
-			const char* change = _form_data_get(post_form_data, "change");
-			const char* form_register = _form_data_get(post_form_data, "register");
-			char account_passwd[256] = { 0 };
-			bool have_account = tf_ssb_db_get_account_password_hash(ssb, _form_data_get(post_form_data, "name"), account_passwd, sizeof(account_passwd));
-
-			if (form_register && strcmp(form_register, "1") == 0)
-			{
-				bool registered = false;
-				if (!_is_name_valid(account_name))
-				{
-					login_error = "Invalid username.  Usernames must contain only letters from the English alphabet and digits and must start with a letter.";
-				}
-				else
-				{
-					if (!have_account && _is_name_valid(account_name) && password && confirm && strcmp(password, confirm) == 0)
-					{
-						sqlite3* db = tf_ssb_acquire_db_writer(ssb);
-						registered = tf_ssb_db_register_account(tf_ssb_get_loop(ssb), db, context, account_name, password);
-						tf_ssb_release_db_writer(ssb, db);
-						if (registered)
-						{
-							tf_free((void*)send_session);
-							send_session = _make_session_jwt(context, ssb, account_name);
-							may_become_first_admin = true;
-						}
-					}
-				}
-				if (!registered && !login_error)
-				{
-					login_error = "Error registering account.";
-				}
-			}
-			else if (change && strcmp(change, "1") == 0)
-			{
-				bool set = false;
-				if (have_account && _is_name_valid(account_name) && new_password && confirm && strcmp(new_password, confirm) == 0 && _verify_password(password, account_passwd))
-				{
-					sqlite3* db = tf_ssb_acquire_db_writer(ssb);
-					set = tf_ssb_db_set_account_password(tf_ssb_get_loop(ssb), db, context, account_name, new_password);
-					tf_ssb_release_db_writer(ssb, db);
-					if (set)
-					{
-						tf_free((void*)send_session);
-						send_session = _make_session_jwt(context, ssb, account_name);
-					}
-				}
-				if (!set)
-				{
-					login_error = "Error changing password.";
-				}
-			}
-			else
-			{
-				if (have_account && *account_passwd && _verify_password(password, account_passwd))
-				{
-					tf_free((void*)send_session);
-					send_session = _make_session_jwt(context, ssb, account_name);
-					may_become_first_admin = true;
-				}
-				else
-				{
-					login_error = "Invalid username or password.";
-				}
-			}
-		}
-		else
-		{
-			tf_free((void*)send_session);
-			send_session = _make_session_jwt(context, ssb, "guest");
-		}
-		tf_free(post_form_data);
-	}
-
-	bool have_administrator = _make_administrator_if_first(ssb, context, account_name_copy, may_become_first_admin);
-
-	if (session_is_new && _form_data_get(form_data, "return") && !login_error)
-	{
-		const char* return_url = _form_data_get(form_data, "return");
-		if (return_url)
-		{
-			tf_string_set(login->location_header, sizeof(login->location_header), return_url);
-		}
-		else
-		{
-			snprintf(login->location_header, sizeof(login->location_header), "%s%s/", request->is_tls ? "https://" : "http://", tf_http_request_get_header(request, "host"));
-		}
-		login->set_cookie_header = _make_set_session_cookie_header(request, send_session);
-		tf_free((void*)send_session);
-	}
-	else
-	{
-
-		login->name = account_name_copy;
-		login->error = login_error;
-		login->set_cookie_header = _make_set_session_cookie_header(request, send_session);
-		tf_free((void*)send_session);
-		login->session_is_new = session_is_new;
-		login->have_administrator = have_administrator;
-		login->settings = tf_ssb_db_get_property(ssb, "core", "settings");
-
-		if (login->settings)
-		{
-			JSValue settings_value = JS_ParseJSON(context, login->settings, strlen(login->settings), NULL);
-			JSValue code_of_conduct_value = JS_GetPropertyStr(context, settings_value, "code_of_conduct");
-			const char* code_of_conduct = JS_ToCString(context, code_of_conduct_value);
-			const char* result = tf_strdup(code_of_conduct);
-			JS_FreeCString(context, code_of_conduct);
-			JS_FreeValue(context, code_of_conduct_value);
-			JS_FreeValue(context, settings_value);
-			tf_free((void*)login->settings);
-			login->settings = NULL;
-			login->code_of_conduct = result;
-		}
-
-		login->pending++;
-		tf_http_request_ref(request);
-		tf_file_read(login->request->user_data, "core/auth.html", _httpd_endpoint_login_file_read_callback, login);
-
-		account_name_copy = NULL;
-	}
-
-done:
-	tf_free((void*)session);
-	tf_free(form_data);
-	tf_free((void*)account_name_copy);
-	JS_FreeValue(context, jwt);
-
-	JS_FreeContext(context);
-	JS_FreeRuntime(runtime);
-}
-
-static void _httpd_endpoint_login_after_work(tf_ssb_t* ssb, int status, void* user_data)
-{
-	login_request_t* login = user_data;
-	tf_http_request_t* request = login->request;
-	if (login->pending == 1)
-	{
-		if (*login->location_header)
-		{
-			const char* headers[] = {
-				"Location",
-				login->location_header,
-				"Set-Cookie",
-				login->set_cookie_header ? login->set_cookie_header : "",
-			};
-			tf_http_respond(request, 303, headers, tf_countof(headers) / 2, NULL, 0);
-		}
-	}
-	tf_http_request_unref(request);
-	_login_release(login);
-}
-
-static void _httpd_endpoint_login(tf_http_request_t* request)
-{
-	tf_task_t* task = request->user_data;
-	tf_http_request_ref(request);
-
-	tf_ssb_t* ssb = tf_task_get_ssb(task);
-	login_request_t* login = tf_malloc(sizeof(login_request_t));
-	*login = (login_request_t) {
-		.request = request,
-	};
-	login->pending++;
-	tf_ssb_run_work(ssb, _httpd_endpoint_login_work, _httpd_endpoint_login_after_work, login);
-}
-
-static void _httpd_endpoint_logout(tf_http_request_t* request)
-{
-	const char* k_set_cookie = request->is_tls ? "session=; path=/; Secure; SameSite=Strict; expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly"
-											   : "session=; path=/; SameSite=Strict; expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly";
-	const char* k_location_format = "/login%s%s";
-	int length = snprintf(NULL, 0, k_location_format, request->query ? "?" : "", request->query);
-	char* location = alloca(length + 1);
-	snprintf(location, length + 1, k_location_format, request->query ? "?" : "", request->query ? request->query : "");
-	const char* headers[] = {
-		"Set-Cookie",
-		k_set_cookie,
-		"Location",
-		location,
-	};
-	tf_http_respond(request, 303, headers, tf_countof(headers) / 2, NULL, 0);
-}
-
-typedef struct _auto_login_t
-{
-	tf_http_request_t* request;
-	bool autologin;
-	const char* users;
-} auto_login_t;
-
-static void _httpd_auto_login_work(tf_ssb_t* ssb, void* user_data)
-{
-	auto_login_t* request = user_data;
-	sqlite3* db = tf_ssb_acquire_db_reader(ssb);
-	tf_ssb_db_get_global_setting_bool(db, "autologin", &request->autologin);
-	tf_ssb_release_db_reader(ssb, db);
-
-	if (request->autologin)
-	{
-		request->users = tf_ssb_db_get_property(ssb, "auth", "users");
-		if (request->users && strcmp(request->users, "[]") == 0)
-		{
-			tf_free((void*)request->users);
-			request->users = NULL;
-		}
-
-		if (!request->users)
-		{
-			JSMallocFunctions funcs = { 0 };
-			tf_get_js_malloc_functions(&funcs);
-			JSRuntime* runtime = JS_NewRuntime2(&funcs, NULL);
-			JSContext* context = JS_NewContext(runtime);
-			static const char* k_account_name = "mobile";
-			sqlite3* db = tf_ssb_acquire_db_writer(ssb);
-			bool registered = tf_ssb_db_register_account(tf_ssb_get_loop(ssb), db, context, k_account_name, k_account_name);
-			tf_ssb_release_db_writer(ssb, db);
-			if (registered)
-			{
-				_make_administrator_if_first(ssb, context, k_account_name, true);
-			}
-			JS_FreeContext(context);
-			JS_FreeRuntime(runtime);
-
-			request->users = tf_ssb_db_get_property(ssb, "auth", "users");
-		}
-	}
-}
-
-static void _httpd_auto_login_after_work(tf_ssb_t* ssb, int status, void* user_data)
-{
-	auto_login_t* work = user_data;
-	JSContext* context = tf_ssb_get_context(ssb);
-	const char* session_token = NULL;
-	if (!work->autologin)
-	{
-		const char* k_payload = tf_http_status_text(404);
-		tf_http_respond(work->request, 404, NULL, 0, k_payload, strlen(k_payload));
-	}
-	else
-	{
-		if (work->users)
-		{
-			JSValue json = JS_ParseJSON(context, work->users, strlen(work->users), NULL);
-			JSValue user = JS_GetPropertyUint32(context, json, 0);
-			const char* user_string = JS_ToCString(context, user);
-			session_token = _make_session_jwt(context, ssb, user_string);
-			JS_FreeCString(context, user_string);
-			JS_FreeValue(context, user);
-			JS_FreeValue(context, json);
-		}
-		if (session_token)
-		{
-			const char* cookie = _make_set_session_cookie_header(work->request, session_token);
-			tf_free((void*)session_token);
-			const char* headers[] = {
-				"Set-Cookie",
-				cookie,
-				"Location",
-				"/",
-			};
-			tf_http_respond(work->request, 303, headers, tf_countof(headers) / 2, NULL, 0);
-			tf_free((void*)cookie);
-		}
-		else
-		{
-			const char* headers[] = {
-				"Location",
-				"/",
-			};
-			tf_http_respond(work->request, 303, headers, tf_countof(headers) / 2, NULL, 0);
-		}
-	}
-	tf_http_request_unref(work->request);
-	tf_free((void*)work->users);
-	tf_free(work);
-}
-
-static void _httpd_endpoint_login_auto(tf_http_request_t* request)
-{
-	tf_task_t* task = request->user_data;
-	tf_http_request_ref(request);
-	tf_ssb_t* ssb = tf_task_get_ssb(task);
-
-	auto_login_t* work = tf_malloc(sizeof(auto_login_t));
-	*work = (auto_login_t) { .request = request };
-	tf_ssb_run_work(ssb, _httpd_auto_login_work, _httpd_auto_login_after_work, work);
-}
-
 static void _httpd_endpoint_app_socket(tf_http_request_t* request)
 {
 	tf_task_t* task = request->user_data;
@@ -2449,7 +893,7 @@ static void _httpd_endpoint_app_socket(tf_http_request_t* request)
 	}
 	JS_SetPropertyStr(context, request_object, "headers", headers);
 
-	JSValue response = _httpd_make_response_object(context, request);
+	JSValue response = tf_httpd_make_response_object(context, request);
 	tf_http_request_ref(request);
 
 	JSValue args[] = {
@@ -2555,32 +999,32 @@ tf_http_t* tf_httpd_create(JSContext* context)
 	}
 
 	tf_http_add_handler(http, "/", _httpd_endpoint_root, NULL, task);
-	tf_http_add_handler(http, "/codemirror/*", _httpd_endpoint_static, NULL, task);
-	tf_http_add_handler(http, "/lit/*", _httpd_endpoint_static, NULL, task);
-	tf_http_add_handler(http, "/prettier/*", _httpd_endpoint_static, NULL, task);
-	tf_http_add_handler(http, "/speedscope/*", _httpd_endpoint_static, NULL, task);
-	tf_http_add_handler(http, "/static/*", _httpd_endpoint_static, NULL, task);
-	tf_http_add_handler(http, "/.well-known/*", _httpd_endpoint_static, NULL, task);
+	tf_http_add_handler(http, "/codemirror/*", tf_httpd_endpoint_static, NULL, task);
+	tf_http_add_handler(http, "/lit/*", tf_httpd_endpoint_static, NULL, task);
+	tf_http_add_handler(http, "/prettier/*", tf_httpd_endpoint_static, NULL, task);
+	tf_http_add_handler(http, "/speedscope/*", tf_httpd_endpoint_static, NULL, task);
+	tf_http_add_handler(http, "/static/*", tf_httpd_endpoint_static, NULL, task);
+	tf_http_add_handler(http, "/.well-known/*", tf_httpd_endpoint_static, NULL, task);
 	tf_http_add_handler(http, "/&*.sha256", _httpd_endpoint_add_slash, NULL, task);
-	tf_http_add_handler(http, "/&*.sha256/", _httpd_endpoint_static, NULL, task);
-	tf_http_add_handler(http, "/&*.sha256/view", _httpd_endpoint_view, NULL, task);
-	tf_http_add_handler(http, "/&*.sha256/*", _httpd_endpoint_app_blob, NULL, task);
+	tf_http_add_handler(http, "/&*.sha256/", tf_httpd_endpoint_static, NULL, task);
+	tf_http_add_handler(http, "/&*.sha256/view", tf_httpd_endpoint_view, NULL, task);
+	tf_http_add_handler(http, "/&*.sha256/*", tf_httpd_endpoint_app, NULL, task);
 	tf_http_add_handler(http, "/~{word}/{word}", _httpd_endpoint_add_slash, NULL, task);
-	tf_http_add_handler(http, "/~{word}/{word}/", _httpd_endpoint_app_index, NULL, task);
-	tf_http_add_handler(http, "/~{word}/{word}/save", _httpd_endpoint_save, NULL, task);
-	tf_http_add_handler(http, "/~{word}/{word}/delete", _httpd_endpoint_delete, NULL, task);
-	tf_http_add_handler(http, "/~{word}/{word}/view", _httpd_endpoint_view, NULL, task);
-	tf_http_add_handler(http, "/~{word}/{word}/*", _httpd_endpoint_app_blob, NULL, task);
-	tf_http_add_handler(http, "/save", _httpd_endpoint_save, NULL, task);
+	tf_http_add_handler(http, "/~{word}/{word}/", tf_httpd_endpoint_app_index, NULL, task);
+	tf_http_add_handler(http, "/~{word}/{word}/save", tf_httpd_endpoint_save, NULL, task);
+	tf_http_add_handler(http, "/~{word}/{word}/delete", tf_httpd_endpoint_delete, NULL, task);
+	tf_http_add_handler(http, "/~{word}/{word}/view", tf_httpd_endpoint_view, NULL, task);
+	tf_http_add_handler(http, "/~{word}/{word}/*", tf_httpd_endpoint_app, NULL, task);
+	tf_http_add_handler(http, "/save", tf_httpd_endpoint_save, NULL, task);
 
 	tf_http_add_handler(http, "/robots.txt", _httpd_endpoint_robots_txt, NULL, NULL);
 	tf_http_add_handler(http, "/debug", _httpd_endpoint_debug, NULL, task);
 	tf_http_add_handler(http, "/mem", _httpd_endpoint_mem, NULL, task);
 	tf_http_add_handler(http, "/trace", _httpd_endpoint_trace, NULL, task);
 
-	tf_http_add_handler(http, "/login/logout", _httpd_endpoint_logout, NULL, task);
-	tf_http_add_handler(http, "/login/auto", _httpd_endpoint_login_auto, NULL, task);
-	tf_http_add_handler(http, "/login", _httpd_endpoint_login, NULL, task);
+	tf_http_add_handler(http, "/login/logout", tf_httpd_endpoint_logout, NULL, task);
+	tf_http_add_handler(http, "/login/auto", tf_httpd_endpoint_login_auto, NULL, task);
+	tf_http_add_handler(http, "/login", tf_httpd_endpoint_login, NULL, task);
 
 	tf_http_add_handler(http, "/app/socket", _httpd_endpoint_app_socket, NULL, task);
 
@@ -2635,3 +1079,50 @@ void tf_httpd_destroy(tf_http_t* http)
 {
 	tf_http_destroy(http);
 }
+
+const char* tf_httpd_make_session_jwt(JSContext* context, tf_ssb_t* ssb, const char* name)
+{
+	if (!name || !*name)
+	{
+		return NULL;
+	}
+
+	uv_timespec64_t now = { 0 };
+	uv_clock_gettime(UV_CLOCK_REALTIME, &now);
+
+	const char* header_json = "{\"alg\":\"HS256\",\"typ\":\"JWT\"}";
+	char header_base64[256];
+	sodium_bin2base64(header_base64, sizeof(header_base64), (uint8_t*)header_json, strlen(header_json), sodium_base64_VARIANT_URLSAFE_NO_PADDING);
+
+	JSValue payload = JS_NewObject(context);
+	JS_SetPropertyStr(context, payload, "name", JS_NewString(context, name));
+	JS_SetPropertyStr(context, payload, "exp", JS_NewInt64(context, now.tv_sec * 1000 + now.tv_nsec / 1000000LL + k_httpd_auth_refresh_interval));
+	JSValue payload_json = JS_JSONStringify(context, payload, JS_NULL, JS_NULL);
+	size_t payload_length = 0;
+	const char* payload_string = JS_ToCStringLen(context, &payload_length, payload_json);
+	char payload_base64[256];
+	sodium_bin2base64(payload_base64, sizeof(payload_base64), (uint8_t*)payload_string, payload_length, sodium_base64_VARIANT_URLSAFE_NO_PADDING);
+
+	char* result = NULL;
+	uint8_t signature[crypto_sign_BYTES];
+	unsigned long long signature_length = 0;
+	char signature_base64[256] = { 0 };
+
+	uint8_t private_key[crypto_sign_SECRETKEYBYTES] = { 0 };
+	tf_ssb_get_private_key(ssb, private_key, sizeof(private_key));
+
+	if (crypto_sign_detached(signature, &signature_length, (const uint8_t*)payload_base64, strlen(payload_base64), private_key) == 0)
+	{
+		sodium_bin2base64(signature_base64, sizeof(signature_base64), signature, sizeof(signature), sodium_base64_VARIANT_URLSAFE_NO_PADDING);
+		size_t size = strlen(header_base64) + 1 + strlen(payload_base64) + 1 + strlen(signature_base64) + 1;
+		result = tf_malloc(size);
+		snprintf(result, size, "%s.%s.%s", header_base64, payload_base64, signature_base64);
+	}
+	sodium_memzero(private_key, sizeof(private_key));
+
+	JS_FreeCString(context, payload_string);
+	JS_FreeValue(context, payload_json);
+	JS_FreeValue(context, payload);
+
+	return result;
+}
diff --git a/src/httpd.js.h b/src/httpd.js.h
index 2ceba4606..d80d88403 100644
--- a/src/httpd.js.h
+++ b/src/httpd.js.h
@@ -11,6 +11,14 @@
 ** @{
 */
 
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdint.h>
+
+#include "quickjs.h"
+
+static const int64_t k_httpd_auth_refresh_interval = 1ULL * 7 * 24 * 60 * 60 * 1000;
+
 /** A JS context. */
 typedef struct JSContext JSContext;
 
@@ -19,6 +27,27 @@ typedef struct JSContext JSContext;
 */
 typedef struct _tf_http_t tf_http_t;
 
+/**
+** An HTTP request.
+*/
+typedef struct _tf_http_request_t tf_http_request_t;
+
+/**
+** An SSB instance.
+*/
+typedef struct _tf_ssb_t tf_ssb_t;
+
+/**
+** A user and app name.
+*/
+typedef struct _tf_httpd_user_app_t
+{
+	/** The username. */
+	const char* user;
+	/** The app name. */
+	const char* app;
+} tf_httpd_user_app_t;
+
 /**
 ** Register the HTTP script interface.  Also registers a number of built-in
 ** request handlers.  An ongoing project is to move the JS request handlers
@@ -39,4 +68,147 @@ tf_http_t* tf_httpd_create(JSContext* context);
 */
 void tf_httpd_destroy(tf_http_t* http);
 
+/**
+** Determine a content-type from a file extension.
+** @param ext The file extension.
+** @param use_fallback If not found, fallback to application/binary.
+** @return A MIME type or NULL.
+*/
+const char* tf_httpd_ext_to_content_type(const char* ext, bool use_fallback);
+
+/**
+** Determine a content type from magic bytes.
+** @param bytes The first bytes of a file.
+** @param size The length of the bytes.
+** @return A MIME type or NULL.
+*/
+const char* tf_httpd_magic_bytes_to_content_type(const uint8_t* bytes, size_t size);
+
+/**
+** Respond with a redirect.
+** @param request The HTTP request.
+** @return true if redirected.
+*/
+bool tf_httpd_redirect(tf_http_request_t* request);
+
+/**
+** Parse a username and app from a path like /~user/app/.
+** @param path The path.
+** @param expected_suffix A suffix that is required to be on the path, and removed.
+** @return The user and app.  Free with tf_free().
+*/
+tf_httpd_user_app_t* tf_httpd_parse_user_app_from_path(const char* path, const char* expected_suffix);
+
+/**
+** Decode form data into key value pairs.
+** @param data The form data string.
+** @param length The length of the form data string.
+** @return Key values pairs terminated by NULL.
+*/
+const char** tf_httpd_form_data_decode(const char* data, int length);
+
+/**
+** Get a form data value from an array of key value pairs produced by tf_httpd_form_data_decode().
+** @param form_data The form data.
+** @param key The key for which to fetch the value.
+** @return the value for the case-insensitive key or NULL.
+*/
+const char* tf_httpd_form_data_get(const char** form_data, const char* key);
+
+/**
+** Validate a JWT.
+** @param ssb The SSB instance.
+** @param context A JS context.
+** @param jwt The JWT.
+** @return The JWT contents if valid.
+*/
+JSValue tf_httpd_authenticate_jwt(tf_ssb_t* ssb, JSContext* context, const char* jwt);
+;
+
+/**
+** Make a JS response object for a request.
+** @param context The JS context.
+** @param request The HTTP request.
+** @return The respone object.
+*/
+JSValue tf_httpd_make_response_object(JSContext* context, tf_http_request_t* request);
+
+/**
+** Check if a name meets requirements.
+** @param name The name.
+** @return true if the name is valid.
+*/
+bool tf_httpd_is_name_valid(const char* name);
+
+/**
+** Make a header for the session cookie.
+** @param request The HTTP request.
+** @param session_cookie The session cookie.
+** @return The header.
+*/
+const char* tf_httpd_make_set_session_cookie_header(tf_http_request_t* request, const char* session_cookie);
+
+/**
+** Make a JWT for the session.
+** @param context A JS context.
+** @param ssb The SSB instance.
+** @param name The username.
+** @return The JWT.
+*/
+const char* tf_httpd_make_session_jwt(JSContext* context, tf_ssb_t* ssb, const char* name);
+
+/**
+** Serve a static file.
+** @param request The HTTP request.
+*/
+void tf_httpd_endpoint_static(tf_http_request_t* request);
+
+/**
+** View a blob.
+** @param request The HTTP request.
+*/
+void tf_httpd_endpoint_view(tf_http_request_t* request);
+
+/**
+** Save a blob or app.
+** @param request The HTTP request.
+*/
+void tf_httpd_endpoint_save(tf_http_request_t* request);
+
+/**
+** Delete a blob or app.
+** @param request The HTTP request.
+*/
+void tf_httpd_endpoint_delete(tf_http_request_t* request);
+
+/**
+** App endpoint.
+** @param request The HTTP request.
+*/
+void tf_httpd_endpoint_app(tf_http_request_t* request);
+
+/**
+** App index endpoint.
+** @param request The HTTP request.
+*/
+void tf_httpd_endpoint_app_index(tf_http_request_t* request);
+
+/**
+** Login endpoint.
+** @param request The HTTP request.
+*/
+void tf_httpd_endpoint_login(tf_http_request_t* request);
+
+/**
+** Auto-login endpoint.
+** @param request The HTTP request.
+*/
+void tf_httpd_endpoint_login_auto(tf_http_request_t* request);
+
+/**
+** Logout endpoint.
+** @param request The HTTP request.
+*/
+void tf_httpd_endpoint_logout(tf_http_request_t* request);
+
 /** @} */
diff --git a/src/httpd.login.c b/src/httpd.login.c
new file mode 100644
index 000000000..fd285260c
--- /dev/null
+++ b/src/httpd.login.c
@@ -0,0 +1,537 @@
+#include "httpd.js.h"
+
+#include "file.js.h"
+#include "http.h"
+#include "mem.h"
+#include "ssb.db.h"
+#include "ssb.h"
+#include "task.h"
+#include "util.js.h"
+
+#include "ow-crypt.h"
+#include "sodium/utils.h"
+
+#include <inttypes.h>
+#include <stdlib.h>
+
+#if !defined(__APPLE__) && !defined(__OpenBSD__) && !defined(_WIN32)
+#include <alloca.h>
+#endif
+
+typedef struct _login_request_t
+{
+	tf_http_request_t* request;
+	const char* name;
+	const char* error;
+	const char* settings;
+	const char* code_of_conduct;
+	bool have_administrator;
+	bool session_is_new;
+
+	char location_header[1024];
+	const char* set_cookie_header;
+
+	int pending;
+} login_request_t;
+
+const char* tf_httpd_make_set_session_cookie_header(tf_http_request_t* request, const char* session_cookie)
+{
+	const char* k_pattern = "session=%s; path=/; Max-Age=%" PRId64 "; %sSameSite=Strict; HttpOnly";
+	int length = session_cookie ? snprintf(NULL, 0, k_pattern, session_cookie, k_httpd_auth_refresh_interval, request->is_tls ? "Secure; " : "") : 0;
+	char* cookie = length ? tf_malloc(length + 1) : NULL;
+	if (cookie)
+	{
+		snprintf(cookie, length + 1, k_pattern, session_cookie, k_httpd_auth_refresh_interval, request->is_tls ? "Secure; " : "");
+	}
+	return cookie;
+}
+
+static void _login_release(login_request_t* login)
+{
+	int ref_count = --login->pending;
+	if (ref_count == 0)
+	{
+		tf_free((void*)login->name);
+		tf_free((void*)login->code_of_conduct);
+		tf_free((void*)login->set_cookie_header);
+		tf_free(login);
+	}
+}
+
+static void _httpd_endpoint_login_file_read_callback(tf_task_t* task, const char* path, int result, const void* data, void* user_data)
+{
+	login_request_t* login = user_data;
+	tf_http_request_t* request = login->request;
+	if (result >= 0)
+	{
+		const char* headers[] = {
+			"Content-Type",
+			"text/html; charset=utf-8",
+			"Set-Cookie",
+			login->set_cookie_header ? login->set_cookie_header : "",
+		};
+		const char* replace_me = "$AUTH_DATA";
+		const char* auth = strstr(data, replace_me);
+		if (auth)
+		{
+			JSContext* context = tf_task_get_context(task);
+			JSValue object = JS_NewObject(context);
+			JS_SetPropertyStr(context, object, "session_is_new", JS_NewBool(context, login->session_is_new));
+			JS_SetPropertyStr(context, object, "name", login->name ? JS_NewString(context, login->name) : JS_UNDEFINED);
+			JS_SetPropertyStr(context, object, "error", login->error ? JS_NewString(context, login->error) : JS_UNDEFINED);
+			JS_SetPropertyStr(context, object, "code_of_conduct", login->code_of_conduct ? JS_NewString(context, login->code_of_conduct) : JS_UNDEFINED);
+			JS_SetPropertyStr(context, object, "have_administrator", JS_NewBool(context, login->have_administrator));
+			JSValue object_json = JS_JSONStringify(context, object, JS_NULL, JS_NULL);
+			size_t json_length = 0;
+			const char* json = JS_ToCStringLen(context, &json_length, object_json);
+
+			char* copy = tf_malloc(result + json_length);
+			int replace_start = (auth - (const char*)data);
+			int replace_end = (auth - (const char*)data) + (int)strlen(replace_me);
+			memcpy(copy, data, replace_start);
+			memcpy(copy + replace_start, json, json_length);
+			memcpy(copy + replace_start + json_length, ((const char*)data) + replace_end, result - replace_end);
+			tf_http_respond(request, 200, headers, tf_countof(headers) / 2, copy, replace_start + json_length + (result - replace_end));
+			tf_free(copy);
+
+			JS_FreeCString(context, json);
+			JS_FreeValue(context, object_json);
+			JS_FreeValue(context, object);
+		}
+		else
+		{
+			tf_http_respond(request, 200, headers, tf_countof(headers) / 2, data, result);
+		}
+	}
+	else
+	{
+		const char* k_payload = tf_http_status_text(404);
+		tf_http_respond(request, 404, NULL, 0, k_payload, strlen(k_payload));
+	}
+	tf_http_request_unref(request);
+	_login_release(login);
+}
+
+static bool _session_is_authenticated_as_user(JSContext* context, JSValue session)
+{
+	bool result = false;
+	JSValue user = JS_GetPropertyStr(context, session, "name");
+	const char* user_string = JS_ToCString(context, user);
+	result = user_string && strcmp(user_string, "guest") != 0;
+	JS_FreeCString(context, user_string);
+	JS_FreeValue(context, user);
+	return result;
+}
+
+static bool _make_administrator_if_first(tf_ssb_t* ssb, JSContext* context, const char* account_name_copy, bool may_become_first_admin)
+{
+	const char* settings = tf_ssb_db_get_property(ssb, "core", "settings");
+	JSValue settings_value = settings && *settings ? JS_ParseJSON(context, settings, strlen(settings), NULL) : JS_UNDEFINED;
+	if (JS_IsUndefined(settings_value))
+	{
+		settings_value = JS_NewObject(context);
+	}
+
+	bool have_administrator = false;
+	JSValue permissions = JS_GetPropertyStr(context, settings_value, "permissions");
+
+	JSPropertyEnum* ptab = NULL;
+	uint32_t plen = 0;
+	JS_GetOwnPropertyNames(context, &ptab, &plen, permissions, JS_GPN_STRING_MASK);
+	for (int i = 0; i < (int)plen; i++)
+	{
+		JSPropertyDescriptor desc = { 0 };
+		if (JS_GetOwnProperty(context, &desc, permissions, ptab[i].atom) == 1)
+		{
+			int permission_length = tf_util_get_length(context, desc.value);
+			for (int i = 0; i < permission_length; i++)
+			{
+				JSValue entry = JS_GetPropertyUint32(context, desc.value, i);
+				const char* permission = JS_ToCString(context, entry);
+				if (permission && strcmp(permission, "administration") == 0)
+				{
+					have_administrator = true;
+				}
+				JS_FreeCString(context, permission);
+				JS_FreeValue(context, entry);
+			}
+			JS_FreeValue(context, desc.setter);
+			JS_FreeValue(context, desc.getter);
+			JS_FreeValue(context, desc.value);
+		}
+	}
+	for (uint32_t i = 0; i < plen; ++i)
+	{
+		JS_FreeAtom(context, ptab[i].atom);
+	}
+	js_free(context, ptab);
+
+	if (!have_administrator && may_become_first_admin)
+	{
+		if (JS_IsUndefined(permissions))
+		{
+			permissions = JS_NewObject(context);
+			JS_SetPropertyStr(context, settings_value, "permissions", JS_DupValue(context, permissions));
+		}
+		JSValue user = JS_GetPropertyStr(context, permissions, account_name_copy);
+		if (JS_IsUndefined(user))
+		{
+			user = JS_NewArray(context);
+			JS_SetPropertyStr(context, permissions, account_name_copy, JS_DupValue(context, user));
+		}
+		JS_SetPropertyUint32(context, user, tf_util_get_length(context, user), JS_NewString(context, "administration"));
+		JS_FreeValue(context, user);
+
+		JSValue settings_json = JS_JSONStringify(context, settings_value, JS_NULL, JS_NULL);
+		const char* settings_string = JS_ToCString(context, settings_json);
+		tf_ssb_db_set_property(ssb, "core", "settings", settings_string);
+		JS_FreeCString(context, settings_string);
+		JS_FreeValue(context, settings_json);
+	}
+
+	JS_FreeValue(context, permissions);
+	JS_FreeValue(context, settings_value);
+	tf_free((void*)settings);
+	return have_administrator;
+}
+
+static bool _verify_password(const char* password, const char* hash)
+{
+	char buffer[7 + 22 + 31 + 1];
+	const char* out_hash = crypt_rn(password, hash, buffer, sizeof(buffer));
+	return out_hash && strcmp(hash, out_hash) == 0;
+}
+
+static void _httpd_endpoint_login_work(tf_ssb_t* ssb, void* user_data)
+{
+	login_request_t* login = user_data;
+	tf_http_request_t* request = login->request;
+
+	JSMallocFunctions funcs = { 0 };
+	tf_get_js_malloc_functions(&funcs);
+	JSRuntime* runtime = JS_NewRuntime2(&funcs, NULL);
+	JSContext* context = JS_NewContext(runtime);
+
+	const char* session = tf_http_get_cookie(tf_http_request_get_header(request, "cookie"), "session");
+	const char** form_data = tf_httpd_form_data_decode(request->query, request->query ? strlen(request->query) : 0);
+	const char* account_name_copy = NULL;
+	JSValue jwt = tf_httpd_authenticate_jwt(ssb, context, session);
+
+	if (_session_is_authenticated_as_user(context, jwt))
+	{
+		const char* return_url = tf_httpd_form_data_get(form_data, "return");
+		if (return_url)
+		{
+			tf_string_set(login->location_header, sizeof(login->location_header), return_url);
+		}
+		else
+		{
+			snprintf(login->location_header, sizeof(login->location_header), "%s%s/", request->is_tls ? "https://" : "http://", tf_http_request_get_header(request, "host"));
+		}
+		goto done;
+	}
+
+	const char* send_session = tf_strdup(session);
+	bool session_is_new = false;
+	const char* login_error = NULL;
+	bool may_become_first_admin = false;
+	if (strcmp(request->method, "POST") == 0)
+	{
+		session_is_new = true;
+		const char** post_form_data = tf_httpd_form_data_decode(request->body, request->content_length);
+		const char* submit = tf_httpd_form_data_get(post_form_data, "submit");
+		if (submit && strcmp(submit, "Login") == 0)
+		{
+			const char* account_name = tf_httpd_form_data_get(post_form_data, "name");
+			account_name_copy = tf_strdup(account_name);
+			const char* password = tf_httpd_form_data_get(post_form_data, "password");
+			const char* new_password = tf_httpd_form_data_get(post_form_data, "new_password");
+			const char* confirm = tf_httpd_form_data_get(post_form_data, "confirm");
+			const char* change = tf_httpd_form_data_get(post_form_data, "change");
+			const char* form_register = tf_httpd_form_data_get(post_form_data, "register");
+			char account_passwd[256] = { 0 };
+			bool have_account = tf_ssb_db_get_account_password_hash(ssb, tf_httpd_form_data_get(post_form_data, "name"), account_passwd, sizeof(account_passwd));
+
+			if (form_register && strcmp(form_register, "1") == 0)
+			{
+				bool registered = false;
+				if (!tf_httpd_is_name_valid(account_name))
+				{
+					login_error = "Invalid username.  Usernames must contain only letters from the English alphabet and digits and must start with a letter.";
+				}
+				else
+				{
+					if (!have_account && tf_httpd_is_name_valid(account_name) && password && confirm && strcmp(password, confirm) == 0)
+					{
+						sqlite3* db = tf_ssb_acquire_db_writer(ssb);
+						registered = tf_ssb_db_register_account(tf_ssb_get_loop(ssb), db, context, account_name, password);
+						tf_ssb_release_db_writer(ssb, db);
+						if (registered)
+						{
+							tf_free((void*)send_session);
+							send_session = tf_httpd_make_session_jwt(context, ssb, account_name);
+							may_become_first_admin = true;
+						}
+					}
+				}
+				if (!registered && !login_error)
+				{
+					login_error = "Error registering account.";
+				}
+			}
+			else if (change && strcmp(change, "1") == 0)
+			{
+				bool set = false;
+				if (have_account && tf_httpd_is_name_valid(account_name) && new_password && confirm && strcmp(new_password, confirm) == 0 &&
+					_verify_password(password, account_passwd))
+				{
+					sqlite3* db = tf_ssb_acquire_db_writer(ssb);
+					set = tf_ssb_db_set_account_password(tf_ssb_get_loop(ssb), db, context, account_name, new_password);
+					tf_ssb_release_db_writer(ssb, db);
+					if (set)
+					{
+						tf_free((void*)send_session);
+						send_session = tf_httpd_make_session_jwt(context, ssb, account_name);
+					}
+				}
+				if (!set)
+				{
+					login_error = "Error changing password.";
+				}
+			}
+			else
+			{
+				if (have_account && *account_passwd && _verify_password(password, account_passwd))
+				{
+					tf_free((void*)send_session);
+					send_session = tf_httpd_make_session_jwt(context, ssb, account_name);
+					may_become_first_admin = true;
+				}
+				else
+				{
+					login_error = "Invalid username or password.";
+				}
+			}
+		}
+		else
+		{
+			tf_free((void*)send_session);
+			send_session = tf_httpd_make_session_jwt(context, ssb, "guest");
+		}
+		tf_free(post_form_data);
+	}
+
+	bool have_administrator = _make_administrator_if_first(ssb, context, account_name_copy, may_become_first_admin);
+
+	if (session_is_new && tf_httpd_form_data_get(form_data, "return") && !login_error)
+	{
+		const char* return_url = tf_httpd_form_data_get(form_data, "return");
+		if (return_url)
+		{
+			tf_string_set(login->location_header, sizeof(login->location_header), return_url);
+		}
+		else
+		{
+			snprintf(login->location_header, sizeof(login->location_header), "%s%s/", request->is_tls ? "https://" : "http://", tf_http_request_get_header(request, "host"));
+		}
+		login->set_cookie_header = tf_httpd_make_set_session_cookie_header(request, send_session);
+		tf_free((void*)send_session);
+	}
+	else
+	{
+
+		login->name = account_name_copy;
+		login->error = login_error;
+		login->set_cookie_header = tf_httpd_make_set_session_cookie_header(request, send_session);
+		tf_free((void*)send_session);
+		login->session_is_new = session_is_new;
+		login->have_administrator = have_administrator;
+		login->settings = tf_ssb_db_get_property(ssb, "core", "settings");
+
+		if (login->settings)
+		{
+			JSValue settings_value = JS_ParseJSON(context, login->settings, strlen(login->settings), NULL);
+			JSValue code_of_conduct_value = JS_GetPropertyStr(context, settings_value, "code_of_conduct");
+			const char* code_of_conduct = JS_ToCString(context, code_of_conduct_value);
+			const char* result = tf_strdup(code_of_conduct);
+			JS_FreeCString(context, code_of_conduct);
+			JS_FreeValue(context, code_of_conduct_value);
+			JS_FreeValue(context, settings_value);
+			tf_free((void*)login->settings);
+			login->settings = NULL;
+			login->code_of_conduct = result;
+		}
+
+		login->pending++;
+		tf_http_request_ref(request);
+		tf_file_read(login->request->user_data, "core/auth.html", _httpd_endpoint_login_file_read_callback, login);
+
+		account_name_copy = NULL;
+	}
+
+done:
+	tf_free((void*)session);
+	tf_free(form_data);
+	tf_free((void*)account_name_copy);
+	JS_FreeValue(context, jwt);
+
+	JS_FreeContext(context);
+	JS_FreeRuntime(runtime);
+}
+
+static void _httpd_endpoint_login_after_work(tf_ssb_t* ssb, int status, void* user_data)
+{
+	login_request_t* login = user_data;
+	tf_http_request_t* request = login->request;
+	if (login->pending == 1)
+	{
+		if (*login->location_header)
+		{
+			const char* headers[] = {
+				"Location",
+				login->location_header,
+				"Set-Cookie",
+				login->set_cookie_header ? login->set_cookie_header : "",
+			};
+			tf_http_respond(request, 303, headers, tf_countof(headers) / 2, NULL, 0);
+		}
+	}
+	tf_http_request_unref(request);
+	_login_release(login);
+}
+
+void tf_httpd_endpoint_login(tf_http_request_t* request)
+{
+	tf_task_t* task = request->user_data;
+	tf_http_request_ref(request);
+
+	tf_ssb_t* ssb = tf_task_get_ssb(task);
+	login_request_t* login = tf_malloc(sizeof(login_request_t));
+	*login = (login_request_t) {
+		.request = request,
+	};
+	login->pending++;
+	tf_ssb_run_work(ssb, _httpd_endpoint_login_work, _httpd_endpoint_login_after_work, login);
+}
+
+void tf_httpd_endpoint_logout(tf_http_request_t* request)
+{
+	const char* k_set_cookie = request->is_tls ? "session=; path=/; Secure; SameSite=Strict; expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly"
+											   : "session=; path=/; SameSite=Strict; expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly";
+	const char* k_location_format = "/login%s%s";
+	int length = snprintf(NULL, 0, k_location_format, request->query ? "?" : "", request->query);
+	char* location = alloca(length + 1);
+	snprintf(location, length + 1, k_location_format, request->query ? "?" : "", request->query ? request->query : "");
+	const char* headers[] = {
+		"Set-Cookie",
+		k_set_cookie,
+		"Location",
+		location,
+	};
+	tf_http_respond(request, 303, headers, tf_countof(headers) / 2, NULL, 0);
+}
+
+typedef struct _auto_login_t
+{
+	tf_http_request_t* request;
+	bool autologin;
+	const char* users;
+} auto_login_t;
+
+static void _httpd_auto_login_work(tf_ssb_t* ssb, void* user_data)
+{
+	auto_login_t* request = user_data;
+	sqlite3* db = tf_ssb_acquire_db_reader(ssb);
+	tf_ssb_db_get_global_setting_bool(db, "autologin", &request->autologin);
+	tf_ssb_release_db_reader(ssb, db);
+
+	if (request->autologin)
+	{
+		request->users = tf_ssb_db_get_property(ssb, "auth", "users");
+		if (request->users && strcmp(request->users, "[]") == 0)
+		{
+			tf_free((void*)request->users);
+			request->users = NULL;
+		}
+
+		if (!request->users)
+		{
+			JSMallocFunctions funcs = { 0 };
+			tf_get_js_malloc_functions(&funcs);
+			JSRuntime* runtime = JS_NewRuntime2(&funcs, NULL);
+			JSContext* context = JS_NewContext(runtime);
+			static const char* k_account_name = "mobile";
+			sqlite3* db = tf_ssb_acquire_db_writer(ssb);
+			bool registered = tf_ssb_db_register_account(tf_ssb_get_loop(ssb), db, context, k_account_name, k_account_name);
+			tf_ssb_release_db_writer(ssb, db);
+			if (registered)
+			{
+				_make_administrator_if_first(ssb, context, k_account_name, true);
+			}
+			JS_FreeContext(context);
+			JS_FreeRuntime(runtime);
+
+			request->users = tf_ssb_db_get_property(ssb, "auth", "users");
+		}
+	}
+}
+
+static void _httpd_auto_login_after_work(tf_ssb_t* ssb, int status, void* user_data)
+{
+	auto_login_t* work = user_data;
+	JSContext* context = tf_ssb_get_context(ssb);
+	const char* session_token = NULL;
+	if (!work->autologin)
+	{
+		const char* k_payload = tf_http_status_text(404);
+		tf_http_respond(work->request, 404, NULL, 0, k_payload, strlen(k_payload));
+	}
+	else
+	{
+		if (work->users)
+		{
+			JSValue json = JS_ParseJSON(context, work->users, strlen(work->users), NULL);
+			JSValue user = JS_GetPropertyUint32(context, json, 0);
+			const char* user_string = JS_ToCString(context, user);
+			session_token = tf_httpd_make_session_jwt(context, ssb, user_string);
+			JS_FreeCString(context, user_string);
+			JS_FreeValue(context, user);
+			JS_FreeValue(context, json);
+		}
+		if (session_token)
+		{
+			const char* cookie = tf_httpd_make_set_session_cookie_header(work->request, session_token);
+			tf_free((void*)session_token);
+			const char* headers[] = {
+				"Set-Cookie",
+				cookie,
+				"Location",
+				"/",
+			};
+			tf_http_respond(work->request, 303, headers, tf_countof(headers) / 2, NULL, 0);
+			tf_free((void*)cookie);
+		}
+		else
+		{
+			const char* headers[] = {
+				"Location",
+				"/",
+			};
+			tf_http_respond(work->request, 303, headers, tf_countof(headers) / 2, NULL, 0);
+		}
+	}
+	tf_http_request_unref(work->request);
+	tf_free((void*)work->users);
+	tf_free(work);
+}
+
+void tf_httpd_endpoint_login_auto(tf_http_request_t* request)
+{
+	tf_task_t* task = request->user_data;
+	tf_http_request_ref(request);
+	tf_ssb_t* ssb = tf_task_get_ssb(task);
+
+	auto_login_t* work = tf_malloc(sizeof(auto_login_t));
+	*work = (auto_login_t) { .request = request };
+	tf_ssb_run_work(ssb, _httpd_auto_login_work, _httpd_auto_login_after_work, work);
+}
diff --git a/src/httpd.save.c b/src/httpd.save.c
new file mode 100644
index 000000000..f3de2c876
--- /dev/null
+++ b/src/httpd.save.c
@@ -0,0 +1,181 @@
+#include "httpd.js.h"
+
+#include "http.h"
+#include "log.h"
+#include "mem.h"
+#include "ssb.db.h"
+#include "ssb.h"
+#include "task.h"
+#include "util.js.h"
+
+typedef struct _save_t
+{
+	tf_http_request_t* request;
+	int response;
+	char blob_id[k_blob_id_len];
+} save_t;
+
+static void _httpd_endpoint_save_work(tf_ssb_t* ssb, void* user_data)
+{
+	save_t* save = user_data;
+	tf_http_request_t* request = save->request;
+	const char* session = tf_http_get_cookie(tf_http_request_get_header(request, "cookie"), "session");
+
+	JSMallocFunctions funcs = { 0 };
+	tf_get_js_malloc_functions(&funcs);
+	JSRuntime* runtime = JS_NewRuntime2(&funcs, NULL);
+	JSContext* context = JS_NewContext(runtime);
+
+	JSValue jwt = tf_httpd_authenticate_jwt(ssb, context, session);
+	JSValue user = JS_GetPropertyStr(context, jwt, "name");
+	const char* user_string = JS_ToCString(context, user);
+
+	if (user_string && tf_httpd_is_name_valid(user_string))
+	{
+		tf_httpd_user_app_t* user_app = tf_httpd_parse_user_app_from_path(request->path, "/save");
+		if (user_app)
+		{
+			if (strcmp(user_string, user_app->user) == 0 || (strcmp(user_app->user, "core") == 0 && tf_ssb_db_user_has_permission(ssb, NULL, user_string, "administration")))
+			{
+				size_t path_length = strlen("path:") + strlen(user_app->app) + 1;
+				char* app_path = tf_malloc(path_length);
+				snprintf(app_path, path_length, "path:%s", user_app->app);
+
+				const char* old_blob_id = tf_ssb_db_get_property(ssb, user_app->user, app_path);
+
+				JSValue new_app = JS_ParseJSON(context, request->body, request->content_length, NULL);
+				tf_util_report_error(context, new_app);
+				if (JS_IsObject(new_app))
+				{
+					uint8_t* old_blob = NULL;
+					size_t old_blob_size = 0;
+					if (tf_ssb_db_blob_get(ssb, old_blob_id, &old_blob, &old_blob_size))
+					{
+						JSValue old_app = JS_ParseJSON(context, (const char*)old_blob, old_blob_size, NULL);
+						if (JS_IsObject(old_app))
+						{
+							JSAtom previous = JS_NewAtom(context, "previous");
+							JS_DeleteProperty(context, old_app, previous, 0);
+							JS_DeleteProperty(context, new_app, previous, 0);
+
+							JSValue old_app_json = JS_JSONStringify(context, old_app, JS_NULL, JS_NULL);
+							JSValue new_app_json = JS_JSONStringify(context, new_app, JS_NULL, JS_NULL);
+							const char* old_app_str = JS_ToCString(context, old_app_json);
+							const char* new_app_str = JS_ToCString(context, new_app_json);
+
+							if (old_app_str && new_app_str && strcmp(old_app_str, new_app_str) == 0)
+							{
+								snprintf(save->blob_id, sizeof(save->blob_id), "/%s", old_blob_id);
+								save->response = 200;
+							}
+
+							JS_FreeCString(context, old_app_str);
+							JS_FreeCString(context, new_app_str);
+							JS_FreeValue(context, old_app_json);
+							JS_FreeValue(context, new_app_json);
+							JS_FreeAtom(context, previous);
+						}
+						JS_FreeValue(context, old_app);
+						tf_free(old_blob);
+					}
+
+					if (!save->response)
+					{
+						if (old_blob_id)
+						{
+							JS_SetPropertyStr(context, new_app, "previous", JS_NewString(context, old_blob_id));
+						}
+						JSValue new_app_json = JS_JSONStringify(context, new_app, JS_NULL, JS_NULL);
+						size_t new_app_length = 0;
+						const char* new_app_str = JS_ToCStringLen(context, &new_app_length, new_app_json);
+
+						char blob_id[k_blob_id_len] = { 0 };
+						if (tf_ssb_db_blob_store(ssb, (const uint8_t*)new_app_str, new_app_length, blob_id, sizeof(blob_id), NULL) &&
+							tf_ssb_db_set_property(ssb, user_app->user, app_path, blob_id))
+						{
+							tf_ssb_db_add_value_to_array_property(ssb, user_app->user, "apps", user_app->app);
+							tf_string_set(save->blob_id, sizeof(save->blob_id), blob_id);
+							save->response = 200;
+						}
+						else
+						{
+							tf_printf("Blob store or property set failed.\n");
+							save->response = 500;
+						}
+
+						JS_FreeCString(context, new_app_str);
+						JS_FreeValue(context, new_app_json);
+					}
+				}
+				else
+				{
+					save->response = 400;
+				}
+				JS_FreeValue(context, new_app);
+
+				tf_free(app_path);
+				tf_free((void*)old_blob_id);
+			}
+			else
+			{
+				save->response = 403;
+			}
+			tf_free(user_app);
+		}
+		else if (strcmp(request->path, "/save") == 0)
+		{
+			char blob_id[k_blob_id_len] = { 0 };
+			if (tf_ssb_db_blob_store(ssb, request->body, request->content_length, blob_id, sizeof(blob_id), NULL))
+			{
+				tf_string_set(save->blob_id, sizeof(save->blob_id), blob_id);
+				save->response = 200;
+			}
+			else
+			{
+				tf_printf("Blob store failed.\n");
+				save->response = 500;
+			}
+		}
+		else
+		{
+			save->response = 400;
+		}
+	}
+	else
+	{
+		save->response = 401;
+	}
+
+	tf_free((void*)session);
+	JS_FreeCString(context, user_string);
+	JS_FreeValue(context, user);
+	JS_FreeValue(context, jwt);
+	JS_FreeContext(context);
+	JS_FreeRuntime(runtime);
+}
+
+static void _httpd_endpoint_save_after_work(tf_ssb_t* ssb, int status, void* user_data)
+{
+	save_t* save = user_data;
+	tf_http_request_t* request = save->request;
+	if (*save->blob_id)
+	{
+		char body[256] = "";
+		int length = snprintf(body, sizeof(body), "/%s", save->blob_id);
+		tf_http_respond(request, 200, NULL, 0, body, length);
+	}
+	tf_http_request_unref(request);
+	tf_free(save);
+}
+
+void tf_httpd_endpoint_save(tf_http_request_t* request)
+{
+	tf_http_request_ref(request);
+	tf_task_t* task = request->user_data;
+	tf_ssb_t* ssb = tf_task_get_ssb(task);
+	save_t* save = tf_malloc(sizeof(save_t));
+	*save = (save_t) {
+		.request = request,
+	};
+	tf_ssb_run_work(ssb, _httpd_endpoint_save_work, _httpd_endpoint_save_after_work, save);
+}
diff --git a/src/httpd.static.c b/src/httpd.static.c
new file mode 100644
index 000000000..87e5a051e
--- /dev/null
+++ b/src/httpd.static.c
@@ -0,0 +1,202 @@
+#include "httpd.js.h"
+
+#include "file.js.h"
+#include "http.h"
+#include "mem.h"
+#include "task.h"
+#include "util.js.h"
+
+#include <assert.h>
+#include <stdlib.h>
+
+#if !defined(__APPLE__) && !defined(__OpenBSD__) && !defined(_WIN32)
+#include <alloca.h>
+#endif
+
+typedef struct _http_file_t
+{
+	tf_http_request_t* request;
+	char etag[512];
+} http_file_t;
+
+static bool _ends_with(const char* a, const char* suffix)
+{
+	if (!a || !suffix)
+	{
+		return false;
+	}
+	size_t alen = strlen(a);
+	size_t suffixlen = strlen(suffix);
+	return alen >= suffixlen && strcmp(a + alen - suffixlen, suffix) == 0;
+}
+
+static const char* _after(const char* text, const char* prefix)
+{
+	size_t prefix_length = strlen(prefix);
+	if (text && strncmp(text, prefix, prefix_length) == 0)
+	{
+		return text + prefix_length;
+	}
+	return NULL;
+}
+
+static double _time_spec_to_double(const uv_timespec_t* time_spec)
+{
+	return (double)time_spec->tv_sec + (double)(time_spec->tv_nsec) / 1e9;
+}
+
+static void _httpd_endpoint_static_read(tf_task_t* task, const char* path, int result, const void* data, void* user_data)
+{
+	http_file_t* file = user_data;
+	tf_http_request_t* request = file->request;
+	if (result >= 0)
+	{
+		if (strcmp(path, "core/tfrpc.js") == 0 || _ends_with(path, "core/tfrpc.js"))
+		{
+			const char* content_type = tf_httpd_ext_to_content_type(strrchr(path, '.'), true);
+			const char* headers[] = {
+				"Content-Type",
+				content_type,
+				"etag",
+				file->etag,
+				"Access-Control-Allow-Origin",
+				"null",
+			};
+			tf_http_respond(request, 200, headers, tf_countof(headers) / 2, data, result);
+		}
+		else
+		{
+			const char* content_type = tf_httpd_ext_to_content_type(strrchr(path, '.'), true);
+			const char* headers[] = {
+				"Content-Type",
+				content_type,
+				"etag",
+				file->etag,
+			};
+			tf_http_respond(request, 200, headers, tf_countof(headers) / 2, data, result);
+		}
+	}
+	else
+	{
+		const char* k_payload = tf_http_status_text(404);
+		tf_http_respond(request, 404, NULL, 0, k_payload, strlen(k_payload));
+	}
+	tf_http_request_unref(request);
+	tf_free(file);
+}
+
+static void _httpd_endpoint_static_stat(tf_task_t* task, const char* path, int result, const uv_stat_t* stat, void* user_data)
+{
+	tf_http_request_t* request = user_data;
+	const char* match = tf_http_request_get_header(request, "if-none-match");
+	if (result != 0)
+	{
+		const char* k_payload = tf_http_status_text(404);
+		tf_http_respond(request, 404, NULL, 0, k_payload, strlen(k_payload));
+		tf_http_request_unref(request);
+	}
+	else
+	{
+		char etag[512];
+		snprintf(etag, sizeof(etag), "\"%f_%zd\"", _time_spec_to_double(&stat->st_mtim), (size_t)stat->st_size);
+		if (match && strcmp(match, etag) == 0)
+		{
+			tf_http_respond(request, 304, NULL, 0, NULL, 0);
+			tf_http_request_unref(request);
+		}
+		else
+		{
+			http_file_t* file = tf_malloc(sizeof(http_file_t));
+			*file = (http_file_t) { .request = request };
+			static_assert(sizeof(file->etag) == sizeof(etag), "Size mismatch");
+			memcpy(file->etag, etag, sizeof(etag));
+			tf_file_read(task, path, _httpd_endpoint_static_read, file);
+		}
+	}
+}
+
+void tf_httpd_endpoint_static(tf_http_request_t* request)
+{
+	if (request->path && strncmp(request->path, "/.well-known/", strlen("/.well-known/")) && tf_httpd_redirect(request))
+	{
+		return;
+	}
+
+	const char* k_static_files[] = {
+		"index.html",
+		"client.js",
+		"tildefriends.svg",
+		"jszip.min.js",
+		"style.css",
+		"tfrpc.js",
+		"w3.css",
+	};
+
+	const char* k_map[][2] = {
+		{ "/static/", "core/" },
+		{ "/lit/", "deps/lit/" },
+		{ "/codemirror/", "deps/codemirror/" },
+		{ "/prettier/", "deps/prettier/" },
+		{ "/speedscope/", "deps/speedscope/" },
+		{ "/.well-known/", "data/global/.well-known/" },
+	};
+
+	bool is_core = false;
+	const char* after = NULL;
+	const char* file_path = NULL;
+	for (int i = 0; i < tf_countof(k_map) && !after; i++)
+	{
+		const char* next_after = _after(request->path, k_map[i][0]);
+		if (next_after)
+		{
+			after = next_after;
+			file_path = k_map[i][1];
+			is_core = after && i == 0;
+		}
+	}
+
+	if ((!after || !*after) && request->path[strlen(request->path) - 1] == '/')
+	{
+		after = "index.html";
+		if (!file_path)
+		{
+			file_path = "core/";
+			is_core = true;
+		}
+	}
+
+	if (!after || strstr(after, ".."))
+	{
+		const char* k_payload = tf_http_status_text(404);
+		tf_http_respond(request, 404, NULL, 0, k_payload, strlen(k_payload));
+		return;
+	}
+
+	if (is_core)
+	{
+		bool found = false;
+		for (int i = 0; i < tf_countof(k_static_files); i++)
+		{
+			if (strcmp(after, k_static_files[i]) == 0)
+			{
+				found = true;
+				break;
+			}
+		}
+
+		if (!found)
+		{
+			const char* k_payload = tf_http_status_text(404);
+			tf_http_respond(request, 404, NULL, 0, k_payload, strlen(k_payload));
+			return;
+		}
+	}
+
+	tf_task_t* task = request->user_data;
+	const char* root_path = tf_task_get_root_path(task);
+	size_t size = (root_path ? strlen(root_path) + 1 : 0) + strlen(file_path) + strlen(after) + 1;
+	char* path = alloca(size);
+	snprintf(path, size, "%s%s%s%s", root_path ? root_path : "", root_path ? "/" : "", file_path, after);
+	tf_http_request_ref(request);
+	tf_file_stat(task, path, _httpd_endpoint_static_stat, request);
+}
diff --git a/src/httpd.view.c b/src/httpd.view.c
new file mode 100644
index 000000000..4a4ab0ae6
--- /dev/null
+++ b/src/httpd.view.c
@@ -0,0 +1,140 @@
+#include "httpd.js.h"
+
+#include "http.h"
+#include "mem.h"
+#include "ssb.db.h"
+#include "ssb.h"
+#include "task.h"
+#include "util.js.h"
+
+typedef struct _view_t
+{
+	tf_http_request_t* request;
+	const char** form_data;
+	void* data;
+	size_t size;
+	char etag[256];
+	char notify_want_blob_id[k_blob_id_len];
+	bool not_modified;
+} view_t;
+
+static bool _is_filename_safe(const char* filename)
+{
+	if (!filename)
+	{
+		return NULL;
+	}
+	for (const char* p = filename; *p; p++)
+	{
+		if ((*p <= 'a' && *p >= 'z') && (*p <= 'A' && *p >= 'Z') && (*p <= '0' && *p >= '9') && *p != '.' && *p != '-' && *p != '_')
+		{
+			return false;
+		}
+	}
+	return strlen(filename) < 256;
+}
+
+static void _httpd_endpoint_view_work(tf_ssb_t* ssb, void* user_data)
+{
+	view_t* view = user_data;
+	tf_http_request_t* request = view->request;
+	char blob_id[k_blob_id_len] = "";
+
+	tf_httpd_user_app_t* user_app = tf_httpd_parse_user_app_from_path(request->path, "/view");
+	if (user_app)
+	{
+		size_t app_path_length = strlen("path:") + strlen(user_app->app) + 1;
+		char* app_path = tf_malloc(app_path_length);
+		snprintf(app_path, app_path_length, "path:%s", user_app->app);
+		const char* value = tf_ssb_db_get_property(ssb, user_app->user, app_path);
+		tf_string_set(blob_id, sizeof(blob_id), value);
+		tf_free(app_path);
+		tf_free((void*)value);
+	}
+	else if (request->path[0] == '/' && request->path[1] == '&')
+	{
+		snprintf(blob_id, sizeof(blob_id), "%.*s", (int)(strlen(request->path) - strlen("/view") - 1), request->path + 1);
+	}
+	tf_free(user_app);
+
+	if (*blob_id)
+	{
+		snprintf(view->etag, sizeof(view->etag), "\"%s\"", blob_id);
+		const char* if_none_match = tf_http_request_get_header(request, "if-none-match");
+		char match[258];
+		snprintf(match, sizeof(match), "\"%s\"", blob_id);
+		if (if_none_match && strcmp(if_none_match, match) == 0)
+		{
+			view->not_modified = true;
+		}
+		else
+		{
+			if (!tf_ssb_db_blob_get(ssb, blob_id, (uint8_t**)&view->data, &view->size))
+			{
+				sqlite3* db = tf_ssb_acquire_db_writer(ssb);
+				tf_ssb_db_add_blob_wants(db, blob_id);
+				tf_ssb_release_db_writer(ssb, db);
+				tf_string_set(view->notify_want_blob_id, sizeof(view->notify_want_blob_id), blob_id);
+			}
+		}
+	}
+}
+
+static void _httpd_endpoint_view_after_work(tf_ssb_t* ssb, int status, void* user_data)
+{
+	view_t* view = user_data;
+	const char* filename = tf_httpd_form_data_get(view->form_data, "filename");
+	if (!_is_filename_safe(filename))
+	{
+		filename = NULL;
+	}
+	char content_disposition[512] = "";
+	if (filename)
+	{
+		snprintf(content_disposition, sizeof(content_disposition), "attachment; filename=%s", filename);
+	}
+	const char* headers[] = {
+		"Content-Security-Policy",
+		"sandbox allow-downloads allow-top-navigation-by-user-activation",
+		"Content-Type",
+		view->data ? tf_httpd_magic_bytes_to_content_type(view->data, view->size) : "text/plain",
+		"etag",
+		view->etag,
+		filename ? "Content-Disposition" : NULL,
+		filename ? content_disposition : NULL,
+	};
+	int count = filename ? tf_countof(headers) / 2 : (tf_countof(headers) / 2 - 1);
+	if (view->not_modified)
+	{
+		tf_http_respond(view->request, 304, headers, count, NULL, 0);
+	}
+	else if (view->data)
+	{
+		tf_http_respond(view->request, 200, headers, count, view->data, view->size);
+		tf_free(view->data);
+	}
+	else
+	{
+		const char* k_payload = tf_http_status_text(404);
+		tf_http_respond(view->request, 404, NULL, 0, k_payload, strlen(k_payload));
+	}
+
+	if (*view->notify_want_blob_id)
+	{
+		tf_ssb_notify_blob_want_added(ssb, view->notify_want_blob_id);
+	}
+
+	tf_free(view->form_data);
+	tf_http_request_unref(view->request);
+	tf_free(view);
+}
+
+void tf_httpd_endpoint_view(tf_http_request_t* request)
+{
+	tf_http_request_ref(request);
+	tf_task_t* task = request->user_data;
+	tf_ssb_t* ssb = tf_task_get_ssb(task);
+	view_t* view = tf_malloc(sizeof(view_t));
+	*view = (view_t) { .request = request, .form_data = tf_httpd_form_data_decode(request->query, request->query ? strlen(request->query) : 0) };
+	tf_ssb_run_work(ssb, _httpd_endpoint_view_work, _httpd_endpoint_view_after_work, view);
+}