Skip to Content
ConfigurationAccount Recovery

Account Recovery

If you’re locked out of your Tracearr instance, you can recover access with the built-in admin CLI. It runs directly against the database, so no working web login is required. You only need shell access to wherever Tracearr runs.

Common Lockout Scenarios

You upgraded and used to sign in with Jellyfin credentials. Signing in to Tracearr with Jellyfin credentials was removed. Jellyfin and Emby servers are still fully supported for monitoring; only the login method is gone. Run reset-password to set a password for your account, then sign in with it. If your account has a linked Plex account, Sign in with Plex also works with no CLI needed.

You forgot your password. Run reset-password. It works even when the account only ever signed in with Plex and has no password at all.

Local login is disabled and SSO is broken. If a misconfigured OIDC provider (or a disabled local login setting) leaves the login page unusable, run enable-local-login, then sign in with username and password.

You’re not sure which account is which. Run list-users to see every user with their email, role, and available login methods.

If your account has a linked Plex account, Sign in with Plex keeps working through all of these scenarios. Try it before reaching for the CLI.

Running the CLI

docker exec -it tracearr node apps/server/dist/scripts/cli.js <command> [args]

Running it without a command prints the usage summary.

Commands

reset-password

docker exec -it tracearr node apps/server/dist/scripts/cli.js reset-password [username] [--generate]

Resets a user’s password. Without a username it targets the owner account. By default it prompts you to enter a new password; pass --generate to have it generate and print a random one instead.

Key behaviors:

  • Works even when the account has no existing password (for example, an owner who only ever signed in with Plex or Jellyfin). In that case, local username/password login is created for the account.
  • Signs out all of the user’s existing sessions as a security measure.
  • If Redis is unreachable, the command fails without changing the password. Fix Redis connectivity and re-run it.
# Reset the owner's password interactively docker exec -it tracearr node apps/server/dist/scripts/cli.js reset-password # Reset a specific user's password to a generated value docker exec -it tracearr node apps/server/dist/scripts/cli.js reset-password alice --generate

set-username

docker exec -it tracearr node apps/server/dist/scripts/cli.js set-username <current-username> <new-username>

Renames a user’s login username. Usernames are stored lowercase; the command fails cleanly if the new name is already taken by another login-enabled account.

set-email

docker exec -it tracearr node apps/server/dist/scripts/cli.js set-email <username> <new-email>

Changes a user’s email address. The command fails cleanly if the email is already in use by another account.

list-users

docker exec tracearr node apps/server/dist/scripts/cli.js list-users

Lists every user with their username, email, role, and login methods (for example credential, plex).

enable-local-login

docker exec tracearr node apps/server/dist/scripts/cli.js enable-local-login

Re-enables local username/password login. Use this when an OIDC misconfiguration or a disabled local login setting has made the login page unusable. Combine with reset-password if you also need a working password.

Last updated on