I don't understand.

Remove update step from release make target
Bump
2023-03-18 13:34:52 -04:00 · 2023-03-18 13:22:58 -04:00 · 2023-03-18 13:18:59 -04:00 · 2023-03-17 22:27:10 -04:00 · 2023-03-17 22:05:07 -04:00 · 2023-03-17 21:52:36 -04:00
115 changed files with 6989 additions and 1695 deletions
--- a/.github/ISSUE_TEMPLATE/1_bug_report.md
+++ b/.github/ISSUE_TEMPLATE/1_bug_report.md
@@ -0,0 +1,26 @@
+---
+name: 🐛 Bug Report
+about: Report any errors and problems
+title: ''
+labels: '🪲 bug'
+assignees: ''
+
+---
+
+:lady_beetle: **Describe the bug**
+<!-- A clear and concise description of the problem. -->
+
+:computer: **Components impacted**
+<!-- ntfy server, Android app, iOS app, web app  -->
+
+:bulb: **Screenshots and/or logs**
+<!-- 
+If applicable, add screenshots or share logs help explain your problem.
+To get logs from the ...
+- ntfy server: Enable "log-level: trace" in your server.yml file
+- Android app: Go to "Settings" -> "Record logs", then eventually "Copy/upload logs"
+- web app: Press "F12" and find the "Console" window 
+-->
+
+:crystal_ball: **Additional context**
+<!-- Add any other context about the problem here. -->
--- a/.github/ISSUE_TEMPLATE/2_enhancement_request.md
+++ b/.github/ISSUE_TEMPLATE/2_enhancement_request.md
@@ -0,0 +1,26 @@
+---
+name: 💡 Feature/Enhancement Request
+about: Got a great idea? Let us know!
+title: ''
+labels: 'enhancement'
+assignees: ''
+
+---
+
+<!--
+
+Before you submit, consider asking on Discord/Matrix instead. You'll usually get an answer
+sooner, and there are more people there to help!
+
+- Discord: https://discord.gg/cT7ECsZj9w
+- Matrix: https://matrix.to/#/#ntfy:matrix.org / https://matrix.to/#/#ntfy-space:matrix.org
+
+-->
+
+:bulb: **Idea**
+<!-- Share your thoughts; try to be detailed if you can -->
+
+:computer: **Target components**
+<!-- Where should this feature/enhancement be added? -->
+<!-- e.g. ntfy server, Android app, iOS app, web app -->
+
--- a/.github/ISSUE_TEMPLATE/3_tech_support.md
+++ b/.github/ISSUE_TEMPLATE/3_tech_support.md
@@ -0,0 +1,21 @@
+---
+name: 🆘 I need help with ...
+about: Installing ntfy, configuring the app, etc.
+title: ''
+labels: 'tech-support'
+assignees: ''
+
+---
+
+
+<!--
+
+STOP! 
+
+This is not the right place to ask for help. Consider asking on Discord/Matrix instead. 
+You'll usually get an answer sooner, and there are more people there to help!
+
+- Discord: https://discord.gg/cT7ECsZj9w
+- Matrix: https://matrix.to/#/#ntfy:matrix.org / https://matrix.to/#/#ntfy-space:matrix.org
+
+-->
--- a/.github/ISSUE_TEMPLATE/4_question.md
+++ b/.github/ISSUE_TEMPLATE/4_question.md
@@ -0,0 +1,21 @@
+---
+name: ❓ Question
+about: Ask a question about ntfy
+title: ''
+labels: 'question'
+assignees: ''
+
+---
+
+<!--
+
+Before you submit, consider asking on Discord/Matrix instead. You'll usually get an answer
+sooner, and there are more people there to help!
+
+- Discord: https://discord.gg/cT7ECsZj9w
+- Matrix: https://matrix.to/#/#ntfy:matrix.org / https://matrix.to/#/#ntfy-space:matrix.org
+
+-->
+
+:question: **Question**
+<!-- Go ahead and ask your question here :) -->
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -13,7 +13,7 @@ jobs:
        name: Install node
        uses: actions/setup-node@v2
        with:
-          node-version: '17'
+          node-version: '18'
      -
        name: Checkout code
        uses: actions/checkout@v2
--- a/.github/workflows/release.yaml
+++ b/.github/workflows/release.yaml
@@ -16,7 +16,7 @@ jobs:
        name: Install node
        uses: actions/setup-node@v2
        with:
-          node-version: '17'
+          node-version: '18'
      -
        name: Checkout code
        uses: actions/checkout@v2
--- a/.github/workflows/test.yaml
+++ b/.github/workflows/test.yaml
@@ -13,7 +13,7 @@ jobs:
        name: Install node
        uses: actions/setup-node@v2
        with:
-          node-version: '17'
+          node-version: '18'
      -
        name: Checkout code
        uses: actions/checkout@v2
--- a/.gitignore
+++ b/.gitignore
@@ -11,3 +11,4 @@ secrets/
 *.iml
 node_modules/
 .DS_Store
+__pycache__
--- a/12
+++ b/12
@@ -1,9 +1,15 @@
 FROM alpine
-MAINTAINER Philipp C. Heckel <philipp.heckel@gmail.com>
+
+LABEL org.opencontainers.image.authors="philipp.heckel@gmail.com"
+LABEL org.opencontainers.image.url="https://ntfy.sh/"
+LABEL org.opencontainers.image.documentation="https://docs.ntfy.sh/"
+LABEL org.opencontainers.image.source="https://github.com/binwiederhier/ntfy"
+LABEL org.opencontainers.image.vendor="Philipp C. Heckel"
+LABEL org.opencontainers.image.licenses="Apache-2.0, GPL-2.0"
+LABEL org.opencontainers.image.title="ntfy"
+LABEL org.opencontainers.image.description="Send push notifications to your phone or desktop using PUT/POST"

 COPY ntfy /usr/bin

-HEALTHCHECK --interval=60s --timeout=10s CMD wget -q --tries=1 http://localhost/v1/health -O - | grep -Eo '"healthy"\s*:\s*true' || exit 1
-
 EXPOSE 80/tcp
 ENTRYPOINT ["ntfy"]
--- a/8
+++ b/8
@@ -277,11 +277,11 @@ staticcheck: .PHONY

 # Releasing targets

-release: clean update cli-deps release-checks docs web check
-	goreleaser release --rm-dist
+release: clean cli-deps release-checks docs web check
+	goreleaser release --clean

-release-snapshot: clean update cli-deps docs web check
-	goreleaser release --snapshot --skip-publish --rm-dist
+release-snapshot: clean cli-deps docs web check
+	goreleaser release --snapshot --skip-publish --clean

 release-checks:
 	$(eval LATEST_TAG := $(shell git describe --abbrev=0 --tags | cut -c2-))
--- a/README.md
+++ b/README.md
@@ -13,11 +13,14 @@
 [![Healthcheck](https://healthchecks.io/badge/68b65976-b3b0-4102-aec9-980921/kcoEgrLY.svg)](https://ntfy.statuspage.io/)
 [![Gitpod](https://img.shields.io/badge/Contribute%20with-Gitpod-908a85?logo=gitpod)](https://gitpod.io/#https://github.com/binwiederhier/ntfy)

-**ntfy** (pronounce: *notify*) is a simple HTTP-based [pub-sub](https://en.wikipedia.org/wiki/Publish%E2%80%93subscribe_pattern) notification service.
-It allows you to **send notifications to your phone or desktop via scripts** from any computer, entirely **without signup or cost**.
-It's also open source (as you can plainly see) if you want to run your own.
+**ntfy** (pronounced "*notify*") is a simple HTTP-based [pub-sub](https://en.wikipedia.org/wiki/Publish%E2%80%93subscribe_pattern) 
+notification service. With ntfy, you can **send notifications to your phone or desktop via scripts** from any computer, 
+**without having to sign up or pay any fees**. If you'd like to run your own instance of the service, you can easily do 
+so since ntfy is open source.

-I run a free version of it at **[ntfy.sh](https://ntfy.sh)**. There's also an [open source Android app](https://github.com/binwiederhier/ntfy-android) (see [Google Play](https://play.google.com/store/apps/details?id=io.heckel.ntfy) or [F-Droid](https://f-droid.org/en/packages/io.heckel.ntfy/)), and an [open source iOS app](https://github.com/binwiederhier/ntfy-ios) (see [App Store](https://apps.apple.com/us/app/ntfy/id1625396347)).
+You can access the free version of ntfy at **[ntfy.sh](https://ntfy.sh)**. There is also an [open source Android app](https://github.com/binwiederhier/ntfy-android)
+available on [Google Play](https://play.google.com/store/apps/details?id=io.heckel.ntfy) or [F-Droid](https://f-droid.org/en/packages/io.heckel.ntfy/),
+as well as an [open source iOS app](https://github.com/binwiederhier/ntfy-ios) available on the [App Store](https://apps.apple.com/us/app/ntfy/id1625396347).

 <p>
  <img src="web/public/static/img/screenshot-curl.png" height="180">
@@ -117,6 +120,13 @@ account costs. Even small donations are very much appreciated. A big fat **Thank
 <a href="https://github.com/IanKulin"><img src="https://github.com/IanKulin.png" width="40px" /></a>
 <a href="https://github.com/Joachim256"><img src="https://github.com/Joachim256.png" width="40px" /></a>
 <a href="https://github.com/overtone1000"><img src="https://github.com/overtone1000.png" width="40px" /></a>
+<a href="https://github.com/oakd"><img src="https://github.com/oakd.png" width="40px" /></a>
+<a href="https://github.com/KucharczykL"><img src="https://github.com/KucharczykL.png" width="40px" /></a>
+<a href="https://github.com/hansbickhofe"><img src="https://github.com/hansbickhofe.png" width="40px" /></a>
+<a href="https://github.com/caseodilla"><img src="https://github.com/caseodilla.png" width="40px" /></a>
+<a href="https://github.com/0xAF"><img src="https://github.com/0xAF.png" width="40px" /></a>
+<a href="https://github.com/soonoo"><img src="https://github.com/soonoo.png" width="40px" /></a>
+<a href="https://github.com/nichu42"><img src="https://github.com/soonoo.png" width="40px" /></a>

 I'd also like to thank JetBrains for providing their awesome [IntelliJ IDEA](https://www.jetbrains.com/idea/) to me for free,
 and [DigitalOcean](https://m.do.co/c/442b929528db) (*referral link*) for supporting the project:
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -0,0 +1,10 @@
+# Security Policy
+
+## Supported Versions
+
+As of today, I only support the latest version of ntfy. Please make sure you stay up-to-date.
+
+## Reporting a Vulnerability
+
+Please report severe security issues privately via ntfy@heckel.io, [Discord](https://discord.gg/cT7ECsZj9w),
+or [Matrix](https://matrix.to/#/#ntfy:matrix.org) (my username is `binwiederhier`).
--- a/client/client.yml
+++ b/client/client.yml
@@ -5,10 +5,12 @@
 #
 # default-host: https://ntfy.sh

-# Default username and password will be used with "ntfy publish" if no credentials are provided on command line
-# Default username and password will be used with "ntfy subscribe" if no credentials are provided in subscription below
-# For an empty password, use empty double-quotes ("")
-#
+# Default credentials will be used with "ntfy publish" and "ntfy subscribe" if no other credentials are provided.
+# You can set a default token to use or a default user:password combination, but not both. For an empty password,
+# use empty double-quotes ("")
+
+# default-token:
+
 # default-user:
 # default-password:

@@ -30,6 +32,8 @@
 #         command: 'notify-send "$m"'
 #         user: phill
 #         password: mypass
+#       - topic: token_topic
+#         token: tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2
 #
 # Variables:
 #     Variable        Aliases               Description
--- a/client/config.go
+++ b/client/config.go
@@ -12,17 +12,22 @@ const (

 // Config is the config struct for a Client
 type Config struct {
-	DefaultHost     string  `yaml:"default-host"`
-	DefaultUser     string  `yaml:"default-user"`
-	DefaultPassword *string `yaml:"default-password"`
-	DefaultCommand  string  `yaml:"default-command"`
-	Subscribe       []struct {
-		Topic    string            `yaml:"topic"`
-		User     string            `yaml:"user"`
-		Password *string           `yaml:"password"`
-		Command  string            `yaml:"command"`
-		If       map[string]string `yaml:"if"`
-	} `yaml:"subscribe"`
+	DefaultHost     string      `yaml:"default-host"`
+	DefaultUser     string      `yaml:"default-user"`
+	DefaultPassword *string     `yaml:"default-password"`
+	DefaultToken    string      `yaml:"default-token"`
+	DefaultCommand  string      `yaml:"default-command"`
+	Subscribe       []Subscribe `yaml:"subscribe"`
+}
+
+// Subscribe is the struct for a Subscription within Config
+type Subscribe struct {
+	Topic    string            `yaml:"topic"`
+	User     string            `yaml:"user"`
+	Password *string           `yaml:"password"`
+	Token    string            `yaml:"token"`
+	Command  string            `yaml:"command"`
+	If       map[string]string `yaml:"if"`
 }

 // NewConfig creates a new Config struct for a Client
@@ -31,6 +36,7 @@ func NewConfig() *Config {
 		DefaultHost:     DefaultBaseURL,
 		DefaultUser:     "",
 		DefaultPassword: nil,
+		DefaultToken:    "",
 		DefaultCommand:  "",
 		Subscribe:       nil,
 	}
--- a/client/config_test.go
+++ b/client/config_test.go
@@ -116,3 +116,25 @@ subscribe:
 	require.Equal(t, "phil", conf.Subscribe[0].User)
 	require.Nil(t, conf.Subscribe[0].Password)
 }
+
+func TestConfig_DefaultToken(t *testing.T) {
+	filename := filepath.Join(t.TempDir(), "client.yml")
+	require.Nil(t, os.WriteFile(filename, []byte(`
+default-host: http://localhost
+default-token: tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2
+subscribe:
+  - topic: mytopic
+`), 0600))
+
+	conf, err := client.LoadConfig(filename)
+	require.Nil(t, err)
+	require.Equal(t, "http://localhost", conf.DefaultHost)
+	require.Equal(t, "", conf.DefaultUser)
+	require.Nil(t, conf.DefaultPassword)
+	require.Equal(t, "tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2", conf.DefaultToken)
+	require.Equal(t, 1, len(conf.Subscribe))
+	require.Equal(t, "mytopic", conf.Subscribe[0].Topic)
+	require.Equal(t, "", conf.Subscribe[0].User)
+	require.Nil(t, conf.Subscribe[0].Password)
+	require.Equal(t, "", conf.Subscribe[0].Token)
+}
--- a/cmd/publish.go
+++ b/cmd/publish.go
@@ -40,7 +40,6 @@ var flagsPublish = append(
 	&cli.BoolFlag{Name: "wait-cmd", Aliases: []string{"wait_cmd", "cmd", "done"}, EnvVars: []string{"NTFY_WAIT_CMD"}, Usage: "run command and wait until it finishes before publishing"},
 	&cli.BoolFlag{Name: "no-cache", Aliases: []string{"no_cache", "C"}, EnvVars: []string{"NTFY_NO_CACHE"}, Usage: "do not cache message server-side"},
 	&cli.BoolFlag{Name: "no-firebase", Aliases: []string{"no_firebase", "F"}, EnvVars: []string{"NTFY_NO_FIREBASE"}, Usage: "do not forward message to Firebase"},
-	&cli.BoolFlag{Name: "env-topic", Aliases: []string{"env_topic", "P"}, EnvVars: []string{"NTFY_ENV_TOPIC"}, Usage: "use topic from NTFY_TOPIC env variable"},
 	&cli.BoolFlag{Name: "quiet", Aliases: []string{"q"}, EnvVars: []string{"NTFY_QUIET"}, Usage: "do not print message"},
 )

@@ -155,8 +154,7 @@ func execPublish(c *cli.Context) error {
 	}
 	if token != "" {
 		options = append(options, client.WithBearerAuth(token))
-	}
-	if user != "" {
+	} else if user != "" {
 		var pass string
 		parts := strings.SplitN(user, ":", 2)
 		if len(parts) == 2 {
@@ -172,6 +170,8 @@ func execPublish(c *cli.Context) error {
 			fmt.Fprintf(c.App.ErrWriter, "\r%s\r", strings.Repeat(" ", 20))
 		}
 		options = append(options, client.WithBasicAuth(user, pass))
+	} else if conf.DefaultToken != "" {
+		options = append(options, client.WithBearerAuth(conf.DefaultToken))
 	} else if conf.DefaultUser != "" && conf.DefaultPassword != nil {
 		options = append(options, client.WithBasicAuth(conf.DefaultUser, *conf.DefaultPassword))
 	}
--- a/cmd/publish_test.go
+++ b/cmd/publish_test.go
@@ -5,8 +5,11 @@ import (
 	"github.com/stretchr/testify/require"
 	"heckel.io/ntfy/test"
 	"heckel.io/ntfy/util"
+	"net/http"
+	"net/http/httptest"
 	"os"
 	"os/exec"
+	"path/filepath"
 	"strconv"
 	"strings"
 	"testing"
@@ -130,11 +133,11 @@ func TestCLI_Publish_Wait_PID_And_Cmd(t *testing.T) {
 	require.Equal(t, `command failed: does-not-exist-no-really "really though", error: exec: "does-not-exist-no-really": executable file not found in $PATH`, err.Error())

 	// Tests with NTFY_TOPIC set ////
-	require.Nil(t, os.Setenv("NTFY_TOPIC", topic))
+	t.Setenv("NTFY_TOPIC", topic)

 	// Test: Successful command with NTFY_TOPIC
 	app, _, stdout, _ = newTestApp()
-	require.Nil(t, app.Run([]string{"ntfy", "publish", "--env-topic", "--cmd", "echo", "hi there"}))
+	require.Nil(t, app.Run([]string{"ntfy", "publish", "--cmd", "echo", "hi there"}))
 	m = toMessage(t, stdout.String())
 	require.Equal(t, "mytopic", m.Topic)

@@ -143,7 +146,155 @@ func TestCLI_Publish_Wait_PID_And_Cmd(t *testing.T) {
 	require.Nil(t, sleep.Start())
 	go sleep.Wait() // Must be called to release resources
 	app, _, stdout, _ = newTestApp()
-	require.Nil(t, app.Run([]string{"ntfy", "publish", "--env-topic", "--wait-pid", strconv.Itoa(sleep.Process.Pid)}))
+	require.Nil(t, app.Run([]string{"ntfy", "publish", "--wait-pid", strconv.Itoa(sleep.Process.Pid)}))
 	m = toMessage(t, stdout.String())
 	require.Regexp(t, `Process with PID \d+ exited after .+ms`, m.Message)
 }
+
+func TestCLI_Publish_Default_UserPass(t *testing.T) {
+	message := `{"id":"RXIQBFaieLVr","time":124,"expires":1124,"event":"message","topic":"mytopic","message":"triggered"}`
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		require.Equal(t, "/mytopic", r.URL.Path)
+		require.Equal(t, "Basic cGhpbGlwcDpteXBhc3M=", r.Header.Get("Authorization"))
+
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte(message))
+	}))
+	defer server.Close()
+
+	filename := filepath.Join(t.TempDir(), "client.yml")
+	require.Nil(t, os.WriteFile(filename, []byte(fmt.Sprintf(`
+default-host: %s
+default-user: philipp
+default-password: mypass
+`, server.URL)), 0600))
+
+	app, _, stdout, _ := newTestApp()
+	require.Nil(t, app.Run([]string{"ntfy", "publish", "--config=" + filename, "mytopic", "triggered"}))
+	m := toMessage(t, stdout.String())
+	require.Equal(t, "triggered", m.Message)
+}
+
+func TestCLI_Publish_Default_Token(t *testing.T) {
+	message := `{"id":"RXIQBFaieLVr","time":124,"expires":1124,"event":"message","topic":"mytopic","message":"triggered"}`
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		require.Equal(t, "/mytopic", r.URL.Path)
+		require.Equal(t, "Bearer tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2", r.Header.Get("Authorization"))
+
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte(message))
+	}))
+	defer server.Close()
+
+	filename := filepath.Join(t.TempDir(), "client.yml")
+	require.Nil(t, os.WriteFile(filename, []byte(fmt.Sprintf(`
+default-host: %s
+default-token: tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2
+`, server.URL)), 0600))
+
+	app, _, stdout, _ := newTestApp()
+	require.Nil(t, app.Run([]string{"ntfy", "publish", "--config=" + filename, "mytopic", "triggered"}))
+	m := toMessage(t, stdout.String())
+	require.Equal(t, "triggered", m.Message)
+}
+
+func TestCLI_Publish_Default_UserPass_CLI_Token(t *testing.T) {
+	message := `{"id":"RXIQBFaieLVr","time":124,"expires":1124,"event":"message","topic":"mytopic","message":"triggered"}`
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		require.Equal(t, "/mytopic", r.URL.Path)
+		require.Equal(t, "Bearer tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2", r.Header.Get("Authorization"))
+
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte(message))
+	}))
+	defer server.Close()
+
+	filename := filepath.Join(t.TempDir(), "client.yml")
+	require.Nil(t, os.WriteFile(filename, []byte(fmt.Sprintf(`
+default-host: %s
+default-user: philipp
+default-password: mypass
+`, server.URL)), 0600))
+
+	app, _, stdout, _ := newTestApp()
+	require.Nil(t, app.Run([]string{"ntfy", "publish", "--config=" + filename, "--token", "tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2", "mytopic", "triggered"}))
+	m := toMessage(t, stdout.String())
+	require.Equal(t, "triggered", m.Message)
+}
+
+func TestCLI_Publish_Default_Token_CLI_UserPass(t *testing.T) {
+	message := `{"id":"RXIQBFaieLVr","time":124,"expires":1124,"event":"message","topic":"mytopic","message":"triggered"}`
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		require.Equal(t, "/mytopic", r.URL.Path)
+		require.Equal(t, "Basic cGhpbGlwcDpteXBhc3M=", r.Header.Get("Authorization"))
+
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte(message))
+	}))
+	defer server.Close()
+
+	filename := filepath.Join(t.TempDir(), "client.yml")
+	require.Nil(t, os.WriteFile(filename, []byte(fmt.Sprintf(`
+default-host: %s
+default-token: tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2
+`, server.URL)), 0600))
+
+	app, _, stdout, _ := newTestApp()
+	require.Nil(t, app.Run([]string{"ntfy", "publish", "--config=" + filename, "--user", "philipp:mypass", "mytopic", "triggered"}))
+	m := toMessage(t, stdout.String())
+	require.Equal(t, "triggered", m.Message)
+}
+
+func TestCLI_Publish_Default_Token_CLI_Token(t *testing.T) {
+	message := `{"id":"RXIQBFaieLVr","time":124,"expires":1124,"event":"message","topic":"mytopic","message":"triggered"}`
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		require.Equal(t, "/mytopic", r.URL.Path)
+		require.Equal(t, "Bearer tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2", r.Header.Get("Authorization"))
+
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte(message))
+	}))
+	defer server.Close()
+
+	filename := filepath.Join(t.TempDir(), "client.yml")
+	require.Nil(t, os.WriteFile(filename, []byte(fmt.Sprintf(`
+default-host: %s
+default-token: tk_FAKETOKEN01234567890FAKETOKEN
+`, server.URL)), 0600))
+
+	app, _, stdout, _ := newTestApp()
+	require.Nil(t, app.Run([]string{"ntfy", "publish", "--config=" + filename, "--token", "tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2", "mytopic", "triggered"}))
+	m := toMessage(t, stdout.String())
+	require.Equal(t, "triggered", m.Message)
+}
+
+func TestCLI_Publish_Default_UserPass_CLI_UserPass(t *testing.T) {
+	message := `{"id":"RXIQBFaieLVr","time":124,"expires":1124,"event":"message","topic":"mytopic","message":"triggered"}`
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		require.Equal(t, "/mytopic", r.URL.Path)
+		require.Equal(t, "Basic cGhpbGlwcDpteXBhc3M=", r.Header.Get("Authorization"))
+
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte(message))
+	}))
+	defer server.Close()
+
+	filename := filepath.Join(t.TempDir(), "client.yml")
+	require.Nil(t, os.WriteFile(filename, []byte(fmt.Sprintf(`
+default-host: %s
+default-user: philipp
+default-password: fakepass
+`, server.URL)), 0600))
+
+	app, _, stdout, _ := newTestApp()
+	require.Nil(t, app.Run([]string{"ntfy", "publish", "--config=" + filename, "--user", "philipp:mypass", "mytopic", "triggered"}))
+	m := toMessage(t, stdout.String())
+	require.Equal(t, "triggered", m.Message)
+}
+
+func TestCLI_Publish_Token_And_UserPass(t *testing.T) {
+	app, _, _, _ := newTestApp()
+	err := app.Run([]string{"ntfy", "publish", "--token", "tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2", "--user", "philipp:mypass", "mytopic", "triggered"})
+	require.Error(t, err)
+	require.Equal(t, "cannot set both --user and --token", err.Error())
+}
--- a/cmd/serve.go
+++ b/cmd/serve.go
@@ -37,8 +37,8 @@ var flagsServe = append(
 	append([]cli.Flag{}, flagsDefault...),
 	&cli.StringFlag{Name: "config", Aliases: []string{"c"}, EnvVars: []string{"NTFY_CONFIG_FILE"}, Value: defaultServerConfigFile, DefaultText: defaultServerConfigFile, Usage: "config file"},
 	altsrc.NewStringFlag(&cli.StringFlag{Name: "base-url", Aliases: []string{"base_url", "B"}, EnvVars: []string{"NTFY_BASE_URL"}, Usage: "externally visible base URL for this host (e.g. https://ntfy.sh)"}),
-	altsrc.NewStringFlag(&cli.StringFlag{Name: "listen-http", Aliases: []string{"listen_http", "l"}, EnvVars: []string{"NTFY_LISTEN_HTTP"}, Value: server.DefaultListenHTTP, Usage: "ip:port used to as HTTP listen address"}),
-	altsrc.NewStringFlag(&cli.StringFlag{Name: "listen-https", Aliases: []string{"listen_https", "L"}, EnvVars: []string{"NTFY_LISTEN_HTTPS"}, Usage: "ip:port used to as HTTPS listen address"}),
+	altsrc.NewStringFlag(&cli.StringFlag{Name: "listen-http", Aliases: []string{"listen_http", "l"}, EnvVars: []string{"NTFY_LISTEN_HTTP"}, Value: server.DefaultListenHTTP, Usage: "ip:port used as HTTP listen address"}),
+	altsrc.NewStringFlag(&cli.StringFlag{Name: "listen-https", Aliases: []string{"listen_https", "L"}, EnvVars: []string{"NTFY_LISTEN_HTTPS"}, Usage: "ip:port used as HTTPS listen address"}),
 	altsrc.NewStringFlag(&cli.StringFlag{Name: "listen-unix", Aliases: []string{"listen_unix", "U"}, EnvVars: []string{"NTFY_LISTEN_UNIX"}, Usage: "listen on unix socket path"}),
 	altsrc.NewIntFlag(&cli.IntFlag{Name: "listen-unix-mode", Aliases: []string{"listen_unix_mode"}, EnvVars: []string{"NTFY_LISTEN_UNIX_MODE"}, DefaultText: "system default", Usage: "file permissions of unix socket, e.g. 0700"}),
 	altsrc.NewStringFlag(&cli.StringFlag{Name: "key-file", Aliases: []string{"key_file", "K"}, EnvVars: []string{"NTFY_KEY_FILE"}, Usage: "private key file, if listen-https is set"}),
@@ -81,9 +81,13 @@ var flagsServe = append(
 	altsrc.NewIntFlag(&cli.IntFlag{Name: "visitor-message-daily-limit", Aliases: []string{"visitor_message_daily_limit"}, EnvVars: []string{"NTFY_VISITOR_MESSAGE_DAILY_LIMIT"}, Value: server.DefaultVisitorMessageDailyLimit, Usage: "max messages per visitor per day, derived from request limit if unset"}),
 	altsrc.NewIntFlag(&cli.IntFlag{Name: "visitor-email-limit-burst", Aliases: []string{"visitor_email_limit_burst"}, EnvVars: []string{"NTFY_VISITOR_EMAIL_LIMIT_BURST"}, Value: server.DefaultVisitorEmailLimitBurst, Usage: "initial limit of e-mails per visitor"}),
 	altsrc.NewDurationFlag(&cli.DurationFlag{Name: "visitor-email-limit-replenish", Aliases: []string{"visitor_email_limit_replenish"}, EnvVars: []string{"NTFY_VISITOR_EMAIL_LIMIT_REPLENISH"}, Value: server.DefaultVisitorEmailLimitReplenish, Usage: "interval at which burst limit is replenished (one per x)"}),
+	altsrc.NewBoolFlag(&cli.BoolFlag{Name: "visitor-subscriber-rate-limiting", Aliases: []string{"visitor_subscriber_rate_limiting"}, EnvVars: []string{"NTFY_VISITOR_SUBSCRIBER_RATE_LIMITING"}, Value: false, Usage: "enables subscriber-based rate limiting"}),
 	altsrc.NewBoolFlag(&cli.BoolFlag{Name: "behind-proxy", Aliases: []string{"behind_proxy", "P"}, EnvVars: []string{"NTFY_BEHIND_PROXY"}, Value: false, Usage: "if set, use X-Forwarded-For header to determine visitor IP address (for rate limiting)"}),
 	altsrc.NewStringFlag(&cli.StringFlag{Name: "stripe-secret-key", Aliases: []string{"stripe_secret_key"}, EnvVars: []string{"NTFY_STRIPE_SECRET_KEY"}, Value: "", Usage: "key used for the Stripe API communication, this enables payments"}),
 	altsrc.NewStringFlag(&cli.StringFlag{Name: "stripe-webhook-key", Aliases: []string{"stripe_webhook_key"}, EnvVars: []string{"NTFY_STRIPE_WEBHOOK_KEY"}, Value: "", Usage: "key required to validate the authenticity of incoming webhooks from Stripe"}),
+	altsrc.NewStringFlag(&cli.StringFlag{Name: "billing-contact", Aliases: []string{"billing_contact"}, EnvVars: []string{"NTFY_BILLING_CONTACT"}, Value: "", Usage: "e-mail or website to display in upgrade dialog (only if payments are enabled)"}),
+	altsrc.NewBoolFlag(&cli.BoolFlag{Name: "enable-metrics", Aliases: []string{"enable_metrics"}, EnvVars: []string{"NTFY_ENABLE_METRICS"}, Value: false, Usage: "if set, Prometheus metrics are exposed via the /metrics endpoint"}),
+	altsrc.NewStringFlag(&cli.StringFlag{Name: "metrics-listen-http", Aliases: []string{"metrics_listen_http"}, EnvVars: []string{"NTFY_METRICS_LISTEN_HTTP"}, Usage: "ip:port used to expose the metrics endpoint (implicitly enables metrics)"}),
 )

 var cmdServe = &cli.Command{
@@ -148,6 +152,7 @@ func execServe(c *cli.Context) error {
 	smtpServerAddrPrefix := c.String("smtp-server-addr-prefix")
 	totalTopicLimit := c.Int("global-topic-limit")
 	visitorSubscriptionLimit := c.Int("visitor-subscription-limit")
+	visitorSubscriberRateLimiting := c.Bool("visitor-subscriber-rate-limiting")
 	visitorAttachmentTotalSizeLimitStr := c.String("visitor-attachment-total-size-limit")
 	visitorAttachmentDailyBandwidthLimitStr := c.String("visitor-attachment-daily-bandwidth-limit")
 	visitorRequestLimitBurst := c.Int("visitor-request-limit-burst")
@@ -159,6 +164,9 @@ func execServe(c *cli.Context) error {
 	behindProxy := c.Bool("behind-proxy")
 	stripeSecretKey := c.String("stripe-secret-key")
 	stripeWebhookKey := c.String("stripe-webhook-key")
+	billingContact := c.String("billing-contact")
+	metricsListenHTTP := c.String("metrics-listen-http")
+	enableMetrics := c.Bool("enable-metrics") || metricsListenHTTP != ""

 	// Check values
 	if firebaseKeyFile != "" && !util.FileExists(firebaseKeyFile) {
@@ -175,8 +183,8 @@ func execServe(c *cli.Context) error {
 		return errors.New("if set, certificate file must exist")
 	} else if listenHTTPS != "" && (keyFile == "" || certFile == "") {
 		return errors.New("if listen-https is set, both key-file and cert-file must be set")
-	} else if smtpSenderAddr != "" && (baseURL == "" || smtpSenderUser == "" || smtpSenderPass == "" || smtpSenderFrom == "") {
-		return errors.New("if smtp-sender-addr is set, base-url, smtp-sender-user, smtp-sender-pass and smtp-sender-from must also be set")
+	} else if smtpSenderAddr != "" && (baseURL == "" || smtpSenderFrom == "") {
+		return errors.New("if smtp-sender-addr is set, base-url, and smtp-sender-from must also be set")
 	} else if smtpServerListen != "" && smtpServerDomain == "" {
 		return errors.New("if smtp-server-listen is set, smtp-server-domain must also be set")
 	} else if attachmentCacheDir != "" && baseURL == "" {
@@ -250,6 +258,7 @@ func execServe(c *cli.Context) error {

 	// Stripe things
 	if stripeSecretKey != "" {
+		stripe.EnableTelemetry = false // Whoa!
 		stripe.Key = stripeSecretKey
 	}

@@ -301,13 +310,17 @@ func execServe(c *cli.Context) error {
 	conf.VisitorMessageDailyLimit = visitorMessageDailyLimit
 	conf.VisitorEmailLimitBurst = visitorEmailLimitBurst
 	conf.VisitorEmailLimitReplenish = visitorEmailLimitReplenish
+	conf.VisitorSubscriberRateLimiting = visitorSubscriberRateLimiting
 	conf.BehindProxy = behindProxy
 	conf.StripeSecretKey = stripeSecretKey
 	conf.StripeWebhookKey = stripeWebhookKey
+	conf.BillingContact = billingContact
 	conf.EnableWeb = enableWeb
 	conf.EnableSignup = enableSignup
 	conf.EnableLogin = enableLogin
 	conf.EnableReservations = enableReservations
+	conf.EnableMetrics = enableMetrics
+	conf.MetricsListenHTTP = metricsListenHTTP
 	conf.Version = c.App.Version

 	// Set up hot-reloading of config
--- a/cmd/subscribe.go
+++ b/cmd/subscribe.go
@@ -30,6 +30,7 @@ var flagsSubscribe = append(
 	&cli.StringFlag{Name: "config", Aliases: []string{"c"}, Usage: "client config file"},
 	&cli.StringFlag{Name: "since", Aliases: []string{"s"}, Usage: "return events since `SINCE` (Unix timestamp, or all)"},
 	&cli.StringFlag{Name: "user", Aliases: []string{"u"}, EnvVars: []string{"NTFY_USER"}, Usage: "username[:password] used to auth against the server"},
+	&cli.StringFlag{Name: "token", Aliases: []string{"k"}, EnvVars: []string{"NTFY_TOKEN"}, Usage: "access token used to auth against the server"},
 	&cli.BoolFlag{Name: "from-config", Aliases: []string{"from_config", "C"}, Usage: "read subscriptions from config file (service mode)"},
 	&cli.BoolFlag{Name: "poll", Aliases: []string{"p"}, Usage: "return events and exit, do not listen for new events"},
 	&cli.BoolFlag{Name: "scheduled", Aliases: []string{"sched", "S"}, Usage: "also return scheduled/delayed events"},
@@ -97,11 +98,18 @@ func execSubscribe(c *cli.Context) error {
 	cl := client.New(conf)
 	since := c.String("since")
 	user := c.String("user")
+	token := c.String("token")
 	poll := c.Bool("poll")
 	scheduled := c.Bool("scheduled")
 	fromConfig := c.Bool("from-config")
 	topic := c.Args().Get(0)
 	command := c.Args().Get(1)
+
+	// Checks
+	if user != "" && token != "" {
+		return errors.New("cannot set both --user and --token")
+	}
+
 	if !fromConfig {
 		conf.Subscribe = nil // wipe if --from-config not passed
 	}
@@ -109,6 +117,9 @@ func execSubscribe(c *cli.Context) error {
 	if since != "" {
 		options = append(options, client.WithSince(since))
 	}
+	if token != "" {
+		options = append(options, client.WithBearerAuth(token))
+	}
 	if user != "" {
 		var pass string
 		parts := strings.SplitN(user, ":", 2)
@@ -126,9 +137,6 @@ func execSubscribe(c *cli.Context) error {
 		}
 		options = append(options, client.WithBasicAuth(user, pass))
 	}
-	if poll {
-		options = append(options, client.WithPoll())
-	}
 	if scheduled {
 		options = append(options, client.WithScheduled())
 	}
@@ -145,6 +153,9 @@ func execSubscribe(c *cli.Context) error {

 func doPoll(c *cli.Context, cl *client.Client, conf *client.Config, topic, command string, options ...client.SubscribeOption) error {
 	for _, s := range conf.Subscribe { // may be nil
+		if auth := maybeAddAuthHeader(s, conf); auth != nil {
+			options = append(options, auth)
+		}
 		if err := doPollSingle(c, cl, s.Topic, s.Command, options...); err != nil {
 			return err
 		}
@@ -175,21 +186,11 @@ func doSubscribe(c *cli.Context, cl *client.Client, conf *client.Config, topic,
 		for filter, value := range s.If {
 			topicOptions = append(topicOptions, client.WithFilter(filter, value))
 		}
-		var user string
-		var password *string
-		if s.User != "" {
-			user = s.User
-		} else if conf.DefaultUser != "" {
-			user = conf.DefaultUser
-		}
-		if s.Password != nil {
-			password = s.Password
-		} else if conf.DefaultPassword != nil {
-			password = conf.DefaultPassword
-		}
-		if user != "" && password != nil {
-			topicOptions = append(topicOptions, client.WithBasicAuth(user, *password))
+
+		if auth := maybeAddAuthHeader(s, conf); auth != nil {
+			topicOptions = append(topicOptions, auth)
 		}
+
 		subscriptionID := cl.Subscribe(s.Topic, topicOptions...)
 		if s.Command != "" {
 			cmds[subscriptionID] = s.Command
@@ -214,6 +215,25 @@ func doSubscribe(c *cli.Context, cl *client.Client, conf *client.Config, topic,
 	return nil
 }

+func maybeAddAuthHeader(s client.Subscribe, conf *client.Config) client.SubscribeOption {
+	// check for subscription token then subscription user:pass
+	if s.Token != "" {
+		return client.WithBearerAuth(s.Token)
+	}
+	if s.User != "" && s.Password != nil {
+		return client.WithBasicAuth(s.User, *s.Password)
+	}
+
+	// if no subscription token nor subscription user:pass, check for default token then default user:pass
+	if conf.DefaultToken != "" {
+		return client.WithBearerAuth(conf.DefaultToken)
+	}
+	if conf.DefaultUser != "" && conf.DefaultPassword != nil {
+		return client.WithBasicAuth(conf.DefaultUser, *conf.DefaultPassword)
+	}
+	return nil
+}
+
 func printMessageOrRunCommand(c *cli.Context, m *client.Message, command string) {
 	if command != "" {
 		runCommand(c, command, m)
--- a/cmd/subscribe_test.go
+++ b/cmd/subscribe_test.go
@@ -0,0 +1,312 @@
+package cmd
+
+import (
+	"fmt"
+	"github.com/stretchr/testify/require"
+	"net/http"
+	"net/http/httptest"
+	"os"
+	"path/filepath"
+	"strings"
+	"testing"
+)
+
+func TestCLI_Subscribe_Default_UserPass_Subscription_Token(t *testing.T) {
+	message := `{"id":"RXIQBFaieLVr","time":124,"expires":1124,"event":"message","topic":"mytopic","message":"triggered"}`
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		require.Equal(t, "/mytopic/json", r.URL.Path)
+		require.Equal(t, "Bearer tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2", r.Header.Get("Authorization"))
+
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte(message))
+	}))
+	defer server.Close()
+
+	filename := filepath.Join(t.TempDir(), "client.yml")
+	require.Nil(t, os.WriteFile(filename, []byte(fmt.Sprintf(`
+default-host: %s
+default-user: philipp
+default-password: mypass
+subscribe:
+  - topic: mytopic
+    token: tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2
+`, server.URL)), 0600))
+
+	app, _, stdout, _ := newTestApp()
+
+	require.Nil(t, app.Run([]string{"ntfy", "subscribe", "--poll", "--from-config", "--config=" + filename}))
+
+	require.Equal(t, message, strings.TrimSpace(stdout.String()))
+}
+
+func TestCLI_Subscribe_Default_Token_Subscription_UserPass(t *testing.T) {
+	message := `{"id":"RXIQBFaieLVr","time":124,"expires":1124,"event":"message","topic":"mytopic","message":"triggered"}`
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		require.Equal(t, "/mytopic/json", r.URL.Path)
+		require.Equal(t, "Basic cGhpbGlwcDpteXBhc3M=", r.Header.Get("Authorization"))
+
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte(message))
+	}))
+	defer server.Close()
+
+	filename := filepath.Join(t.TempDir(), "client.yml")
+	require.Nil(t, os.WriteFile(filename, []byte(fmt.Sprintf(`
+default-host: %s
+default-token: tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2
+subscribe:
+  - topic: mytopic
+    user: philipp
+    password: mypass
+`, server.URL)), 0600))
+
+	app, _, stdout, _ := newTestApp()
+
+	require.Nil(t, app.Run([]string{"ntfy", "subscribe", "--poll", "--from-config", "--config=" + filename}))
+
+	require.Equal(t, message, strings.TrimSpace(stdout.String()))
+}
+
+func TestCLI_Subscribe_Default_Token_Subscription_Token(t *testing.T) {
+	message := `{"id":"RXIQBFaieLVr","time":124,"expires":1124,"event":"message","topic":"mytopic","message":"triggered"}`
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		require.Equal(t, "/mytopic/json", r.URL.Path)
+		require.Equal(t, "Bearer tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2", r.Header.Get("Authorization"))
+
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte(message))
+	}))
+	defer server.Close()
+
+	filename := filepath.Join(t.TempDir(), "client.yml")
+	require.Nil(t, os.WriteFile(filename, []byte(fmt.Sprintf(`
+default-host: %s
+default-token: tk_FAKETOKEN01234567890FAKETOKEN
+subscribe:
+  - topic: mytopic
+    token: tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2
+`, server.URL)), 0600))
+
+	app, _, stdout, _ := newTestApp()
+
+	require.Nil(t, app.Run([]string{"ntfy", "subscribe", "--poll", "--from-config", "--config=" + filename}))
+
+	require.Equal(t, message, strings.TrimSpace(stdout.String()))
+}
+
+func TestCLI_Subscribe_Default_UserPass_Subscription_UserPass(t *testing.T) {
+	message := `{"id":"RXIQBFaieLVr","time":124,"expires":1124,"event":"message","topic":"mytopic","message":"triggered"}`
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		require.Equal(t, "/mytopic/json", r.URL.Path)
+		require.Equal(t, "Basic cGhpbGlwcDpteXBhc3M=", r.Header.Get("Authorization"))
+
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte(message))
+	}))
+	defer server.Close()
+
+	filename := filepath.Join(t.TempDir(), "client.yml")
+	require.Nil(t, os.WriteFile(filename, []byte(fmt.Sprintf(`
+default-host: %s
+default-user: fake
+default-password: password
+subscribe:
+  - topic: mytopic
+    user: philipp
+    password: mypass
+`, server.URL)), 0600))
+
+	app, _, stdout, _ := newTestApp()
+
+	require.Nil(t, app.Run([]string{"ntfy", "subscribe", "--poll", "--from-config", "--config=" + filename}))
+
+	require.Equal(t, message, strings.TrimSpace(stdout.String()))
+}
+
+func TestCLI_Subscribe_Default_Token_Subscription_Empty(t *testing.T) {
+	message := `{"id":"RXIQBFaieLVr","time":124,"expires":1124,"event":"message","topic":"mytopic","message":"triggered"}`
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		require.Equal(t, "/mytopic/json", r.URL.Path)
+		require.Equal(t, "Bearer tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2", r.Header.Get("Authorization"))
+
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte(message))
+	}))
+	defer server.Close()
+
+	filename := filepath.Join(t.TempDir(), "client.yml")
+	require.Nil(t, os.WriteFile(filename, []byte(fmt.Sprintf(`
+default-host: %s
+default-token: tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2
+subscribe:
+  - topic: mytopic
+`, server.URL)), 0600))
+
+	app, _, stdout, _ := newTestApp()
+
+	require.Nil(t, app.Run([]string{"ntfy", "subscribe", "--poll", "--from-config", "--config=" + filename}))
+
+	require.Equal(t, message, strings.TrimSpace(stdout.String()))
+}
+
+func TestCLI_Subscribe_Default_UserPass_Subscription_Empty(t *testing.T) {
+	message := `{"id":"RXIQBFaieLVr","time":124,"expires":1124,"event":"message","topic":"mytopic","message":"triggered"}`
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		require.Equal(t, "/mytopic/json", r.URL.Path)
+		require.Equal(t, "Basic cGhpbGlwcDpteXBhc3M=", r.Header.Get("Authorization"))
+
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte(message))
+	}))
+	defer server.Close()
+
+	filename := filepath.Join(t.TempDir(), "client.yml")
+	require.Nil(t, os.WriteFile(filename, []byte(fmt.Sprintf(`
+default-host: %s
+default-user: philipp
+default-password: mypass
+subscribe:
+  - topic: mytopic
+`, server.URL)), 0600))
+
+	app, _, stdout, _ := newTestApp()
+
+	require.Nil(t, app.Run([]string{"ntfy", "subscribe", "--poll", "--from-config", "--config=" + filename}))
+
+	require.Equal(t, message, strings.TrimSpace(stdout.String()))
+}
+
+func TestCLI_Subscribe_Default_Empty_Subscription_Token(t *testing.T) {
+	message := `{"id":"RXIQBFaieLVr","time":124,"expires":1124,"event":"message","topic":"mytopic","message":"triggered"}`
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		require.Equal(t, "/mytopic/json", r.URL.Path)
+		require.Equal(t, "Bearer tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2", r.Header.Get("Authorization"))
+
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte(message))
+	}))
+	defer server.Close()
+
+	filename := filepath.Join(t.TempDir(), "client.yml")
+	require.Nil(t, os.WriteFile(filename, []byte(fmt.Sprintf(`
+default-host: %s
+subscribe:
+  - topic: mytopic
+    token: tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2
+`, server.URL)), 0600))
+
+	app, _, stdout, _ := newTestApp()
+
+	require.Nil(t, app.Run([]string{"ntfy", "subscribe", "--poll", "--from-config", "--config=" + filename}))
+
+	require.Equal(t, message, strings.TrimSpace(stdout.String()))
+}
+
+func TestCLI_Subscribe_Default_Empty_Subscription_UserPass(t *testing.T) {
+	message := `{"id":"RXIQBFaieLVr","time":124,"expires":1124,"event":"message","topic":"mytopic","message":"triggered"}`
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		require.Equal(t, "/mytopic/json", r.URL.Path)
+		require.Equal(t, "Basic cGhpbGlwcDpteXBhc3M=", r.Header.Get("Authorization"))
+
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte(message))
+	}))
+	defer server.Close()
+
+	filename := filepath.Join(t.TempDir(), "client.yml")
+	require.Nil(t, os.WriteFile(filename, []byte(fmt.Sprintf(`
+default-host: %s
+subscribe:
+  - topic: mytopic
+    user: philipp
+    password: mypass
+`, server.URL)), 0600))
+
+	app, _, stdout, _ := newTestApp()
+
+	require.Nil(t, app.Run([]string{"ntfy", "subscribe", "--poll", "--from-config", "--config=" + filename}))
+
+	require.Equal(t, message, strings.TrimSpace(stdout.String()))
+}
+
+func TestCLI_Subscribe_Default_Token_CLI_Token(t *testing.T) {
+	message := `{"id":"RXIQBFaieLVr","time":124,"expires":1124,"event":"message","topic":"mytopic","message":"triggered"}`
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		require.Equal(t, "/mytopic/json", r.URL.Path)
+		require.Equal(t, "Bearer tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2", r.Header.Get("Authorization"))
+
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte(message))
+	}))
+	defer server.Close()
+
+	filename := filepath.Join(t.TempDir(), "client.yml")
+	require.Nil(t, os.WriteFile(filename, []byte(fmt.Sprintf(`
+default-host: %s
+default-token: tk_FAKETOKEN0123456789FAKETOKEN
+`, server.URL)), 0600))
+
+	app, _, stdout, _ := newTestApp()
+
+	require.Nil(t, app.Run([]string{"ntfy", "subscribe", "--poll", "--from-config", "--config=" + filename, "--token", "tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2", "mytopic"}))
+
+	require.Equal(t, message, strings.TrimSpace(stdout.String()))
+}
+
+func TestCLI_Subscribe_Default_Token_CLI_UserPass(t *testing.T) {
+	message := `{"id":"RXIQBFaieLVr","time":124,"expires":1124,"event":"message","topic":"mytopic","message":"triggered"}`
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		require.Equal(t, "/mytopic/json", r.URL.Path)
+		require.Equal(t, "Basic cGhpbGlwcDpteXBhc3M=", r.Header.Get("Authorization"))
+
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte(message))
+	}))
+	defer server.Close()
+
+	filename := filepath.Join(t.TempDir(), "client.yml")
+	require.Nil(t, os.WriteFile(filename, []byte(fmt.Sprintf(`
+default-host: %s
+default-token: tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2
+`, server.URL)), 0600))
+
+	app, _, stdout, _ := newTestApp()
+
+	require.Nil(t, app.Run([]string{"ntfy", "subscribe", "--poll", "--from-config", "--config=" + filename, "--user", "philipp:mypass", "mytopic"}))
+
+	require.Equal(t, message, strings.TrimSpace(stdout.String()))
+}
+
+func TestCLI_Subscribe_Default_Token_Subscription_Token_CLI_UserPass(t *testing.T) {
+	message := `{"id":"RXIQBFaieLVr","time":124,"expires":1124,"event":"message","topic":"mytopic","message":"triggered"}`
+	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		require.Equal(t, "/mytopic/json", r.URL.Path)
+		require.Equal(t, "Bearer tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2", r.Header.Get("Authorization"))
+
+		w.WriteHeader(http.StatusOK)
+		w.Write([]byte(message))
+	}))
+	defer server.Close()
+
+	filename := filepath.Join(t.TempDir(), "client.yml")
+	require.Nil(t, os.WriteFile(filename, []byte(fmt.Sprintf(`
+default-host: %s
+default-token: tk_FAKETOKEN01234567890FAKETOKEN
+subscribe:
+  - topic: mytopic
+    token: tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2
+`, server.URL)), 0600))
+
+	app, _, stdout, _ := newTestApp()
+
+	require.Nil(t, app.Run([]string{"ntfy", "subscribe", "--poll", "--from-config", "--config=" + filename, "--user", "philipp:mypass"}))
+
+	require.Equal(t, message, strings.TrimSpace(stdout.String()))
+}
+
+func TestCLI_Subscribe_Token_And_UserPass(t *testing.T) {
+	app, _, _, _ := newTestApp()
+	err := app.Run([]string{"ntfy", "subscribe", "--poll", "--token", "tk_AgQdq7mVBoFD37zQVN29RhuMzNIz2", "--user", "philipp:mypass", "mytopic", "triggered"})
+	require.Error(t, err)
+	require.Equal(t, "cannot set both --user and --token", err.Error())
+}
--- a/cmd/tier.go
+++ b/cmd/tier.go
@@ -8,7 +8,6 @@ import (
 	"github.com/urfave/cli/v2"
 	"heckel.io/ntfy/user"
 	"heckel.io/ntfy/util"
-	"time"
 )

 func init() {
@@ -17,12 +16,12 @@ func init() {

 const (
 	defaultMessageLimit             = 5000
-	defaultMessageExpiryDuration    = 12 * time.Hour
+	defaultMessageExpiryDuration    = "12h"
 	defaultEmailLimit               = 20
 	defaultReservationLimit         = 3
 	defaultAttachmentFileSizeLimit  = "15M"
 	defaultAttachmentTotalSizeLimit = "100M"
-	defaultAttachmentExpiryDuration = 6 * time.Hour
+	defaultAttachmentExpiryDuration = "6h"
 	defaultAttachmentBandwidthLimit = "1G"
 )

@@ -47,14 +46,15 @@ var cmdTier = &cli.Command{
 			Flags: []cli.Flag{
 				&cli.StringFlag{Name: "name", Usage: "tier name"},
 				&cli.Int64Flag{Name: "message-limit", Value: defaultMessageLimit, Usage: "daily message limit"},
-				&cli.DurationFlag{Name: "message-expiry-duration", Value: defaultMessageExpiryDuration, Usage: "duration after which messages are deleted"},
+				&cli.StringFlag{Name: "message-expiry-duration", Value: defaultMessageExpiryDuration, Usage: "duration after which messages are deleted"},
 				&cli.Int64Flag{Name: "email-limit", Value: defaultEmailLimit, Usage: "daily email limit"},
 				&cli.Int64Flag{Name: "reservation-limit", Value: defaultReservationLimit, Usage: "topic reservation limit"},
 				&cli.StringFlag{Name: "attachment-file-size-limit", Value: defaultAttachmentFileSizeLimit, Usage: "per-attachment file size limit"},
 				&cli.StringFlag{Name: "attachment-total-size-limit", Value: defaultAttachmentTotalSizeLimit, Usage: "total size limit of attachments for the user"},
-				&cli.DurationFlag{Name: "attachment-expiry-duration", Value: defaultAttachmentExpiryDuration, Usage: "duration after which attachments are deleted"},
+				&cli.StringFlag{Name: "attachment-expiry-duration", Value: defaultAttachmentExpiryDuration, Usage: "duration after which attachments are deleted"},
 				&cli.StringFlag{Name: "attachment-bandwidth-limit", Value: defaultAttachmentBandwidthLimit, Usage: "daily bandwidth limit for attachment uploads/downloads"},
-				&cli.StringFlag{Name: "stripe-price-id", Usage: "Stripe price ID for paid tiers (e.g. price_12345)"},
+				&cli.StringFlag{Name: "stripe-monthly-price-id", Usage: "Monthly Stripe price ID for paid tiers (e.g. price_12345)"},
+				&cli.StringFlag{Name: "stripe-yearly-price-id", Usage: "Yearly Stripe price ID for paid tiers (e.g. price_12345)"},
 				&cli.BoolFlag{Name: "ignore-exists", Usage: "if the tier already exists, perform no action and exit"},
 			},
 			Description: `Add a new tier to the ntfy user database.
@@ -89,14 +89,15 @@ Examples:
 			Flags: []cli.Flag{
 				&cli.StringFlag{Name: "name", Usage: "tier name"},
 				&cli.Int64Flag{Name: "message-limit", Usage: "daily message limit"},
-				&cli.DurationFlag{Name: "message-expiry-duration", Usage: "duration after which messages are deleted"},
+				&cli.StringFlag{Name: "message-expiry-duration", Usage: "duration after which messages are deleted"},
 				&cli.Int64Flag{Name: "email-limit", Usage: "daily email limit"},
 				&cli.Int64Flag{Name: "reservation-limit", Usage: "topic reservation limit"},
 				&cli.StringFlag{Name: "attachment-file-size-limit", Usage: "per-attachment file size limit"},
 				&cli.StringFlag{Name: "attachment-total-size-limit", Usage: "total size limit of attachments for the user"},
-				&cli.DurationFlag{Name: "attachment-expiry-duration", Usage: "duration after which attachments are deleted"},
+				&cli.StringFlag{Name: "attachment-expiry-duration", Usage: "duration after which attachments are deleted"},
 				&cli.StringFlag{Name: "attachment-bandwidth-limit", Usage: "daily bandwidth limit for attachment uploads/downloads"},
-				&cli.StringFlag{Name: "stripe-price-id", Usage: "Stripe price ID for paid tiers (e.g. price_12345)"},
+				&cli.StringFlag{Name: "stripe-monthly-price-id", Usage: "Monthly Stripe price ID for paid tiers (e.g. price_12345)"},
+				&cli.StringFlag{Name: "stripe-yearly-price-id", Usage: "Yearly Stripe price ID for paid tiers (e.g. price_12345)"},
 			},
 			Description: `Updates a tier to change the limits.

@@ -110,7 +111,8 @@ Examples:
  ntfy tier change --name="Pro" pro        # Update the name of an existing tier
  ntfy tier change \                       # Update multiple limits and fields
    --message-expiry-duration=24h \
-    --stripe-price-id=price_1234 \
+    --stripe-monthly-price-id=price_1234 \
+    --stripe-monthly-price-id=price_5678 \
    pro
 `,
 		},
@@ -166,6 +168,10 @@ func execTierAdd(c *cli.Context) error {
 		return errors.New("tier code expected, type 'ntfy tier add --help' for help")
 	} else if !user.AllowedTier(code) {
 		return errors.New("tier code must consist only of numbers and letters")
+	} else if c.String("stripe-monthly-price-id") != "" && c.String("stripe-yearly-price-id") == "" {
+		return errors.New("if stripe-monthly-price-id is set, stripe-yearly-price-id must also be set")
+	} else if c.String("stripe-monthly-price-id") == "" && c.String("stripe-yearly-price-id") != "" {
+		return errors.New("if stripe-yearly-price-id is set, stripe-monthly-price-id must also be set")
 	}
 	manager, err := createUserManager(c)
 	if err != nil {
@@ -182,6 +188,10 @@ func execTierAdd(c *cli.Context) error {
 	if name == "" {
 		name = code
 	}
+	messageExpiryDuration, err := util.ParseDuration(c.String("message-expiry-duration"))
+	if err != nil {
+		return err
+	}
 	attachmentFileSizeLimit, err := util.ParseSize(c.String("attachment-file-size-limit"))
 	if err != nil {
 		return err
@@ -194,19 +204,24 @@ func execTierAdd(c *cli.Context) error {
 	if err != nil {
 		return err
 	}
+	attachmentExpiryDuration, err := util.ParseDuration(c.String("attachment-expiry-duration"))
+	if err != nil {
+		return err
+	}
 	tier := &user.Tier{
 		ID:                       "", // Generated
 		Code:                     code,
 		Name:                     name,
 		MessageLimit:             c.Int64("message-limit"),
-		MessageExpiryDuration:    c.Duration("message-expiry-duration"),
+		MessageExpiryDuration:    messageExpiryDuration,
 		EmailLimit:               c.Int64("email-limit"),
 		ReservationLimit:         c.Int64("reservation-limit"),
 		AttachmentFileSizeLimit:  attachmentFileSizeLimit,
 		AttachmentTotalSizeLimit: attachmentTotalSizeLimit,
-		AttachmentExpiryDuration: c.Duration("attachment-expiry-duration"),
+		AttachmentExpiryDuration: attachmentExpiryDuration,
 		AttachmentBandwidthLimit: attachmentBandwidthLimit,
-		StripePriceID:            c.String("stripe-price-id"),
+		StripeMonthlyPriceID:     c.String("stripe-monthly-price-id"),
+		StripeYearlyPriceID:      c.String("stripe-yearly-price-id"),
 	}
 	if err := manager.AddTier(tier); err != nil {
 		return err
@@ -244,7 +259,10 @@ func execTierChange(c *cli.Context) error {
 		tier.MessageLimit = c.Int64("message-limit")
 	}
 	if c.IsSet("message-expiry-duration") {
-		tier.MessageExpiryDuration = c.Duration("message-expiry-duration")
+		tier.MessageExpiryDuration, err = util.ParseDuration(c.String("message-expiry-duration"))
+		if err != nil {
+			return err
+		}
 	}
 	if c.IsSet("email-limit") {
 		tier.EmailLimit = c.Int64("email-limit")
@@ -265,7 +283,10 @@ func execTierChange(c *cli.Context) error {
 		}
 	}
 	if c.IsSet("attachment-expiry-duration") {
-		tier.AttachmentExpiryDuration = c.Duration("attachment-expiry-duration")
+		tier.AttachmentExpiryDuration, err = util.ParseDuration(c.String("attachment-expiry-duration"))
+		if err != nil {
+			return err
+		}
 	}
 	if c.IsSet("attachment-bandwidth-limit") {
 		tier.AttachmentBandwidthLimit, err = util.ParseSize(c.String("attachment-bandwidth-limit"))
@@ -273,8 +294,16 @@ func execTierChange(c *cli.Context) error {
 			return err
 		}
 	}
-	if c.IsSet("stripe-price-id") {
-		tier.StripePriceID = c.String("stripe-price-id")
+	if c.IsSet("stripe-monthly-price-id") {
+		tier.StripeMonthlyPriceID = c.String("stripe-monthly-price-id")
+	}
+	if c.IsSet("stripe-yearly-price-id") {
+		tier.StripeYearlyPriceID = c.String("stripe-yearly-price-id")
+	}
+	if tier.StripeMonthlyPriceID != "" && tier.StripeYearlyPriceID == "" {
+		return errors.New("if stripe-monthly-price-id is set, stripe-yearly-price-id must also be set")
+	} else if tier.StripeMonthlyPriceID == "" && tier.StripeYearlyPriceID != "" {
+		return errors.New("if stripe-yearly-price-id is set, stripe-monthly-price-id must also be set")
 	}
 	if err := manager.UpdateTier(tier); err != nil {
 		return err
@@ -319,9 +348,9 @@ func execTierList(c *cli.Context) error {
 }

 func printTier(c *cli.Context, tier *user.Tier) {
-	stripePriceID := tier.StripePriceID
-	if stripePriceID == "" {
-		stripePriceID = "(none)"
+	prices := "(none)"
+	if tier.StripeMonthlyPriceID != "" && tier.StripeYearlyPriceID != "" {
+		prices = fmt.Sprintf("%s / %s", tier.StripeMonthlyPriceID, tier.StripeYearlyPriceID)
 	}
 	fmt.Fprintf(c.App.ErrWriter, "tier %s (id: %s)\n", tier.Code, tier.ID)
 	fmt.Fprintf(c.App.ErrWriter, "- Name: %s\n", tier.Name)
@@ -333,5 +362,5 @@ func printTier(c *cli.Context, tier *user.Tier) {
 	fmt.Fprintf(c.App.ErrWriter, "- Attachment total size limit: %s\n", util.FormatSize(tier.AttachmentTotalSizeLimit))
 	fmt.Fprintf(c.App.ErrWriter, "- Attachment expiry duration: %s (%d seconds)\n", tier.AttachmentExpiryDuration.String(), int64(tier.AttachmentExpiryDuration.Seconds()))
 	fmt.Fprintf(c.App.ErrWriter, "- Attachment daily bandwidth limit: %s\n", util.FormatSize(tier.AttachmentBandwidthLimit))
-	fmt.Fprintf(c.App.ErrWriter, "- Stripe price: %s\n", stripePriceID)
+	fmt.Fprintf(c.App.ErrWriter, "- Stripe prices (monthly/yearly): %s\n", prices)
 }
--- a/cmd/tier_test.go
+++ b/cmd/tier_test.go
@@ -29,24 +29,25 @@ func TestCLI_Tier_AddListChangeDelete(t *testing.T) {
 	app, _, _, stderr = newTestApp()
 	require.Nil(t, runTierCommand(app, conf, "change",
 		"--message-limit=999",
-		"--message-expiry-duration=99h",
+		"--message-expiry-duration=2d",
 		"--email-limit=91",
 		"--reservation-limit=98",
 		"--attachment-file-size-limit=100m",
-		"--attachment-expiry-duration=7h",
+		"--attachment-expiry-duration=1d",
 		"--attachment-total-size-limit=10G",
 		"--attachment-bandwidth-limit=100G",
-		"--stripe-price-id=price_991",
+		"--stripe-monthly-price-id=price_991",
+		"--stripe-yearly-price-id=price_992",
 		"pro",
 	))
 	require.Contains(t, stderr.String(), "- Message limit: 999")
-	require.Contains(t, stderr.String(), "- Message expiry duration: 99h")
+	require.Contains(t, stderr.String(), "- Message expiry duration: 48h")
 	require.Contains(t, stderr.String(), "- Email limit: 91")
 	require.Contains(t, stderr.String(), "- Reservation limit: 98")
 	require.Contains(t, stderr.String(), "- Attachment file size limit: 100.0 MB")
-	require.Contains(t, stderr.String(), "- Attachment expiry duration: 7h")
+	require.Contains(t, stderr.String(), "- Attachment expiry duration: 24h")
 	require.Contains(t, stderr.String(), "- Attachment total size limit: 10.0 GB")
-	require.Contains(t, stderr.String(), "- Stripe price: price_991")
+	require.Contains(t, stderr.String(), "- Stripe prices (monthly/yearly): price_991 / price_992")

 	app, _, _, stderr = newTestApp()
 	require.Nil(t, runTierCommand(app, conf, "remove", "pro"))
--- a/docs/_overrides/main.html
+++ b/docs/_overrides/main.html
@@ -0,0 +1,50 @@
+{% extends "base.html" %}
+
+{% block announce %}
+<style>
+    div[data-md-component="announce"] {
+        z-index: 10;
+    }
+
+    div[data-md-component="announce"] a {
+        color: white;
+    }
+
+    div[data-md-component="announce"] a:hover, div[data-md-component="announce"] a:focus {
+        transition: ease-in 150ms;
+        color: #ccc;
+    }
+
+    div[data-md-component="announce"] .md-banner__button {
+        color: #ccc;
+    }
+
+    div[data-md-component="announce"] .md-banner.hidden {
+        display: none;
+    }
+
+    div[data-md-component="announce"] .twemoji {
+        margin-top: 2px;
+    }
+</style>
+<button id="announce-bar-close" class="md-banner__button md-icon" aria-label="Don't show this again">
+    <svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">
+        <path d="M19 6.41 17.59 5 12 10.59 6.41 5 5 6.41 10.59 12 5 17.59 6.41 19 12 13.41 17.59 19 19 17.59 13.41 12 19 6.41Z"></path>
+    </svg>
+</button>
+If you like ntfy, please consider sponsoring it via <a target="_blank" href="https://github.com/sponsors/binwiederhier"><strong>GitHub Sponsors</strong></a>
+or <a target="_blank" href="https://en.liberapay.com/ntfy/"><strong>Liberapay</strong></a>
+<svg xmlns="http://www.w3.org/2000/svg" role="img" viewBox="0 0 36 36" class="twemoji md-footer-custom-text">
+    <path fill="#DD2E44" d="M35.885 11.833c0-5.45-4.418-9.868-9.867-9.868-3.308 0-6.227 1.633-8.018 4.129-1.791-2.496-4.71-4.129-8.017-4.129-5.45 0-9.868 4.417-9.868 9.868 0 .772.098 1.52.266 2.241C1.751 22.587 11.216 31.568 18 34.034c6.783-2.466 16.249-11.447 17.617-19.959.17-.721.268-1.469.268-2.242z"/>
+</svg>
+<script>
+    announceBarKey = 'announce-bar-closed-sponsor';
+    document.getElementById('announce-bar-close').addEventListener('click', (e) => {
+        localStorage.setItem(announceBarKey, 'true');
+        document.querySelector('div[data-md-component="announce"] .md-banner').style.display = 'none';
+    });
+    if (localStorage.getItem(announceBarKey) === 'true') {
+        document.querySelector('div[data-md-component="announce"] .md-banner').style.display = 'none';
+    }
+</script>
+{% endblock %}
--- a/docs/config.md
+++ b/docs/config.md
@@ -839,6 +839,8 @@ config options:
   enables payments in the ntfy web app (e.g. Upgrade dialog). See [API keys](https://dashboard.stripe.com/apikeys).
 * `stripe-webhook-key` is the key required to validate the authenticity of incoming webhooks from Stripe.
   Webhooks are essential to keep the local database in sync with the payment provider. See [Webhooks](https://dashboard.stripe.com/webhooks).
+* `billing-contact` is an email address or website displayed in the "Upgrade tier" dialog to let people reach
+   out with billing questions. If unset, nothing will be displayed.

 In addition to setting these two options, you also need to define a [Stripe webhook](https://dashboard.stripe.com/webhooks)
 for the `customer.subscription.updated` and `customer.subscription.deleted` event, which points 
@@ -849,6 +851,7 @@ Here's an example:
 ``` yaml
 stripe-secret-key: "sk_test_ZmhzZGtmbGhkc2tqZmhzYcO2a2hmbGtnaHNkbGtnaGRsc2hnbG"
 stripe-webhook-key: "whsec_ZnNkZnNIRExBSFNES0hBRFNmaHNka2ZsaGR"
+billing-contact: "phil@example.com"
 ```

 ## Rate limiting
@@ -929,6 +932,25 @@ If this ever happens, there will be a log message that looks something like this
 WARN Firebase quota exceeded (likely for topic), temporarily denying Firebase access to visitor
 ```

+### Subscriber-based rate limiting
+By default, ntfy puts almost all rate limits on the message publisher, e.g. number of messages, requests, and attachment
+size are all based on the visitor who publishes a message. **Subscriber-based rate limiting is a way to use the rate limits
+of a topic's subscriber, instead of the limits of the publisher.**
+
+If enabled, subscribers may opt to have published messages counted against their own rate limits, as opposed
+to the publisher's rate limits. This is especially useful to increase the amount of messages that high-volume
+publishers (e.g. Matrix/Mastodon servers) are allowed to send.
+
+Once enabled, a client may send a `Rate-Topics: <topic1>,<topic2>,...` header when subscribing to topics via
+HTTP stream, or websockets, thereby registering itself as the "rate visitor", i.e. the visitor whose rate limits
+to use when publishing on this topic. Note that setting the rate visitor requires **read-write permission** on the topic.
+
+UnifiedPush only: If this setting is enabled, publishing to UnifiedPush topics will lead to an `HTTP 507 Insufficient Storage`
+response if no "rate visitor" has been previously registered. This is to avoid burning the publisher's 
+`visitor-message-daily-limit`.
+
+To enable subscriber-based rate limiting, set `visitor-subscriber-rate-limiting: true`.
+
 ## Tuning for scale
 If you're running ntfy for your home server, you probably don't need to worry about scale at all. In its default config,
 if it's not behind a proxy, the ntfy server can keep about **as many connections as the open file limit allows**.
@@ -1067,6 +1089,38 @@ and [here](https://easyengine.io/tutorials/nginx/block-wp-login-php-bruteforce-a
    maxretry = 10
    ```

+## Health checks
+A preliminary health check API endpoint is exposed at `/v1/health`. The endpoint returns a `json` response in the format shown below.
+If a non-200 HTTP status code is returned or if the returned `health` field is `false` the ntfy service should be considered as unhealthy.
+
+```json
+{"health":true}
+```
+
+See [Installation for Docker](install.md#docker) for an example of how this could be used in a `docker-compose` environment.
+
+## Monitoring
+If configured, ntfy can expose a `/metrics` endpoint for [Prometheus](https://prometheus.io/), which can then be used to
+create dashboards and alerts (e.g. via [Grafana](https://grafana.com/)).
+
+To configure the metrics endpoint, either set `enable-metrics` and/or set the `listen-metrics-http` option to a dedicated
+listen address. Metrics may be considered sensitive information, so before you enable them, be sure you know what you are
+doing, and/or secure access to the endpoint in your reverse proxy.
+
+- `enable-metrics` enables the /metrics endpoint for the default ntfy server (i.e. HTTP, HTTPS and/or Unix socket)
+- `metrics-listen-http` exposes the metrics endpoint via a dedicated `[IP]:port`. If set, this option implicitly
+  enables metrics as well, e.g. "10.0.1.1:9090" or ":9090"
+
+=== "Using default port"
+    ```yaml
+    enable-metrics: true
+    ```
+
+=== "Using dedicated IP/port"
+    ```yaml
+    metrics-listen-http: "10.0.1.1:9090"
+    ```
+
 ## Logging & debugging
 By default, ntfy logs to the console (stderr), with an `info` log level, and in a human-readable text format.

@@ -1178,12 +1232,14 @@ variable before running the `ntfy` command (e.g. `export NTFY_LISTEN_HTTP=:80`).
 | `visitor-request-limit-replenish`          | `NTFY_VISITOR_REQUEST_LIMIT_REPLENISH`          | *duration*                                          | 5s                | Rate limiting: Strongly related to `visitor-request-limit-burst`: The rate at which the bucket is refilled                                                                                                                      |
 | `visitor-request-limit-exempt-hosts`       | `NTFY_VISITOR_REQUEST_LIMIT_EXEMPT_HOSTS`       | *comma-separated host/IP list*                      | -                 | Rate limiting: List of hostnames and IPs to be exempt from request rate limiting                                                                                                                                                |
 | `visitor-subscription-limit`               | `NTFY_VISITOR_SUBSCRIPTION_LIMIT`               | *number*                                            | 30                | Rate limiting: Number of subscriptions per visitor (IP address)                                                                                                                                                                 |
+| `visitor-subscriber-rate-limiting`         | `NTFY_VISITOR_SUBSCRIBER_RATE_LIMITING`         | *bool*                                              | `false`           | Rate limiting: Enables subscriber-based rate limiting                                                                                                                                                                           |
 | `web-root`                                 | `NTFY_WEB_ROOT`                                 | `app`, `home` or `disable`                          | `app`             | Sets web root to landing page (home), web app (app) or disables the web app entirely (disable)                                                                                                                                  |
-| `enable-signup`                            | `NTFY_SIGNUP`                                   | *boolean* (`true` or `false`)                       | `false`           | Allows users to sign up via the web app, or API                                                                                                                                                                                 |
-| `enable-login`                             | `NTFY_LOGIN`                                    | *boolean* (`true` or `false`)                       | `false`           | Allows users to log in via the web app, or API                                                                                                                                                                                  |
-| `enable-reservations`                      | `NTFY_RESERVATIONS`                             | *boolean* (`true` or `false`)                       | `false`           | Allows users to reserve topics (if their tier allows it)                                                                                                                                                                        |
+| `enable-signup`                            | `NTFY_ENABLE_SIGNUP`                            | *boolean* (`true` or `false`)                       | `false`           | Allows users to sign up via the web app, or API                                                                                                                                                                                 |
+| `enable-login`                             | `NTFY_ENABLE_LOGIN`                             | *boolean* (`true` or `false`)                       | `false`           | Allows users to log in via the web app, or API                                                                                                                                                                                  |
+| `enable-reservations`                      | `NTFY_ENABLE_RESERVATIONS`                      | *boolean* (`true` or `false`)                       | `false`           | Allows users to reserve topics (if their tier allows it)                                                                                                                                                                        |
 | `stripe-secret-key`                        | `NTFY_STRIPE_SECRET_KEY`                        | *string*                                            | -                 | Payments: Key used for the Stripe API communication, this enables payments                                                                                                                                                      |
 | `stripe-webhook-key`                       | `NTFY_STRIPE_WEBHOOK_KEY`                       | *string*                                            | -                 | Payments: Key required to validate the authenticity of incoming webhooks from Stripe                                                                                                                                            |
+| `billing-contact`                          | `NTFY_BILLING_CONTACT`                          | *email address* or *website*                        | -                 | Payments: Email or website displayed in Upgrade dialog as a billing contact                                                                                                                                                     |

 The format for a *duration* is: `<number>(smh)`, e.g. 30s, 20m or 1h.   
 The format for a *size* is: `<number>(GMK)`, e.g. 1G, 200M or 4000k.
@@ -1267,6 +1323,7 @@ OPTIONS:
   --behind-proxy, --behind_proxy, -P                                                                                     if set, use X-Forwarded-For header to determine visitor IP address (for rate limiting) (default: false) [$NTFY_BEHIND_PROXY]
   --stripe-secret-key value, --stripe_secret_key value                                                                   key used for the Stripe API communication, this enables payments [$NTFY_STRIPE_SECRET_KEY]
   --stripe-webhook-key value, --stripe_webhook_key value                                                                 key required to validate the authenticity of incoming webhooks from Stripe [$NTFY_STRIPE_WEBHOOK_KEY]
+   --billing-contact value, --billing_contact value                                                                       e-mail or website to display in upgrade dialog (only if payments are enabled) [$NTFY_BILLING_CONTACT]   
   --help, -h                                                                                                             show help (default: false)
 ```

--- a/docs/examples.md
+++ b/docs/examples.md
@@ -572,4 +572,27 @@ Example `template.html`:
 Add notification on Rundeck (attachment type must be: `Attached as file to email`):
 ![Rundeck](static/img/rundeck.png)

+## Traccar
+This will only work on selfhosted [traccar](https://www.traccar.org/) ([Github](https://github.com/traccar/traccar)) instances, as you need to be able to set `sms.http.*` keys, which is not possible through the UI attributes

+The easiest way to integrate traccar with ntfy, is to configure ntfy as the SMS provider for your instance. You then can set your ntfy topic as your account's phone number in traccar. Sending the email notifications to ntfy will not work, as ntfy does not support HTML emails.
+
+**Caution:** JSON publishing is only possible, when POST-ing to the root URL of the ntfy instance. (see [documentation](publish.md#publish-as-json))
+```xml
+        <entry key='sms.http.url'>https://ntfy.sh</entry>
+        <entry key='sms.http.template'>
+            {
+                "topic": "{phone}",
+                "message": "{message}"
+            }
+        </entry>
+```
+If [access control](config.md#access-control) is enabled, and the target topic does not support anonymous writes, you'll also have to provide an authorization header, for example in form of a privileged token
+```xml
+        <entry key='sms.http.authorization'>Bearer tk_JhbsnoMrgy2FcfHeofv97Pi5uXaZZ</entry>
+```
+or by simply providing traccar with a valid username/password combination.
+```xml
+        <entry key='sms.http.user'>phil</entry>
+        <entry key='sms.http.password'>mypass</entry>
+```
--- a/docs/hooks.py
+++ b/docs/hooks.py
@@ -0,0 +1,6 @@
+import os
+import shutil
+
+def copy_fonts(config, **kwargs):
+    site_dir = config['site_dir']
+    shutil.copytree('docs/static/fonts', os.path.join(site_dir, 'get'))
--- a/docs/install.md
+++ b/docs/install.md
@@ -26,37 +26,37 @@ deb/rpm packages.

 === "x86_64/amd64"
    ```bash
-    wget https://github.com/binwiederhier/ntfy/releases/download/v2.0.0/ntfy_2.0.0_linux_x86_64.tar.gz
-    tar zxvf ntfy_2.0.0_linux_x86_64.tar.gz
-    sudo cp -a ntfy_2.0.0_linux_x86_64/ntfy /usr/bin/ntfy
-    sudo mkdir /etc/ntfy && sudo cp ntfy_2.0.0_linux_x86_64/{client,server}/*.yml /etc/ntfy
+    wget https://github.com/binwiederhier/ntfy/releases/download/v2.2.0/ntfy_2.2.0_linux_x86_64.tar.gz
+    tar zxvf ntfy_2.2.0_linux_x86_64.tar.gz
+    sudo cp -a ntfy_2.2.0_linux_x86_64/ntfy /usr/bin/ntfy
+    sudo mkdir /etc/ntfy && sudo cp ntfy_2.2.0_linux_x86_64/{client,server}/*.yml /etc/ntfy
    sudo ntfy serve
    ```

 === "armv6"
    ```bash
-    wget https://github.com/binwiederhier/ntfy/releases/download/v2.0.0/ntfy_2.0.0_linux_armv6.tar.gz
-    tar zxvf ntfy_2.0.0_linux_armv6.tar.gz
-    sudo cp -a ntfy_2.0.0_linux_armv6/ntfy /usr/bin/ntfy
-    sudo mkdir /etc/ntfy && sudo cp ntfy_2.0.0_linux_armv6/{client,server}/*.yml /etc/ntfy
+    wget https://github.com/binwiederhier/ntfy/releases/download/v2.2.0/ntfy_2.2.0_linux_armv6.tar.gz
+    tar zxvf ntfy_2.2.0_linux_armv6.tar.gz
+    sudo cp -a ntfy_2.2.0_linux_armv6/ntfy /usr/bin/ntfy
+    sudo mkdir /etc/ntfy && sudo cp ntfy_2.2.0_linux_armv6/{client,server}/*.yml /etc/ntfy
    sudo ntfy serve
    ```

 === "armv7/armhf"
    ```bash
-    wget https://github.com/binwiederhier/ntfy/releases/download/v2.0.0/ntfy_2.0.0_linux_armv7.tar.gz
-    tar zxvf ntfy_2.0.0_linux_armv7.tar.gz
-    sudo cp -a ntfy_2.0.0_linux_armv7/ntfy /usr/bin/ntfy
-    sudo mkdir /etc/ntfy && sudo cp ntfy_2.0.0_linux_armv7/{client,server}/*.yml /etc/ntfy
+    wget https://github.com/binwiederhier/ntfy/releases/download/v2.2.0/ntfy_2.2.0_linux_armv7.tar.gz
+    tar zxvf ntfy_2.2.0_linux_armv7.tar.gz
+    sudo cp -a ntfy_2.2.0_linux_armv7/ntfy /usr/bin/ntfy
+    sudo mkdir /etc/ntfy && sudo cp ntfy_2.2.0_linux_armv7/{client,server}/*.yml /etc/ntfy
    sudo ntfy serve
    ```

 === "arm64"
    ```bash
-    wget https://github.com/binwiederhier/ntfy/releases/download/v2.0.0/ntfy_2.0.0_linux_arm64.tar.gz
-    tar zxvf ntfy_2.0.0_linux_arm64.tar.gz
-    sudo cp -a ntfy_2.0.0_linux_arm64/ntfy /usr/bin/ntfy
-    sudo mkdir /etc/ntfy && sudo cp ntfy_2.0.0_linux_arm64/{client,server}/*.yml /etc/ntfy
+    wget https://github.com/binwiederhier/ntfy/releases/download/v2.2.0/ntfy_2.2.0_linux_arm64.tar.gz
+    tar zxvf ntfy_2.2.0_linux_arm64.tar.gz
+    sudo cp -a ntfy_2.2.0_linux_arm64/ntfy /usr/bin/ntfy
+    sudo mkdir /etc/ntfy && sudo cp ntfy_2.2.0_linux_arm64/{client,server}/*.yml /etc/ntfy
    sudo ntfy serve
    ```

@@ -106,7 +106,7 @@ Manually installing the .deb file:

 === "x86_64/amd64"
    ```bash
-    wget https://github.com/binwiederhier/ntfy/releases/download/v2.0.0/ntfy_2.0.0_linux_amd64.deb
+    wget https://github.com/binwiederhier/ntfy/releases/download/v2.2.0/ntfy_2.2.0_linux_amd64.deb
    sudo dpkg -i ntfy_*.deb
    sudo systemctl enable ntfy
    sudo systemctl start ntfy
@@ -114,7 +114,7 @@ Manually installing the .deb file:

 === "armv6"
    ```bash
-    wget https://github.com/binwiederhier/ntfy/releases/download/v2.0.0/ntfy_2.0.0_linux_armv6.deb
+    wget https://github.com/binwiederhier/ntfy/releases/download/v2.2.0/ntfy_2.2.0_linux_armv6.deb
    sudo dpkg -i ntfy_*.deb
    sudo systemctl enable ntfy
    sudo systemctl start ntfy
@@ -122,7 +122,7 @@ Manually installing the .deb file:

 === "armv7/armhf"
    ```bash
-    wget https://github.com/binwiederhier/ntfy/releases/download/v2.0.0/ntfy_2.0.0_linux_armv7.deb
+    wget https://github.com/binwiederhier/ntfy/releases/download/v2.2.0/ntfy_2.2.0_linux_armv7.deb
    sudo dpkg -i ntfy_*.deb
    sudo systemctl enable ntfy
    sudo systemctl start ntfy
@@ -130,7 +130,7 @@ Manually installing the .deb file:

 === "arm64"
    ```bash
-    wget https://github.com/binwiederhier/ntfy/releases/download/v2.0.0/ntfy_2.0.0_linux_arm64.deb
+    wget https://github.com/binwiederhier/ntfy/releases/download/v2.2.0/ntfy_2.2.0_linux_arm64.deb
    sudo dpkg -i ntfy_*.deb
    sudo systemctl enable ntfy
    sudo systemctl start ntfy
@@ -140,28 +140,28 @@ Manually installing the .deb file:

 === "x86_64/amd64"
    ```bash
-    sudo rpm -ivh https://github.com/binwiederhier/ntfy/releases/download/v2.0.0/ntfy_2.0.0_linux_amd64.rpm
+    sudo rpm -ivh https://github.com/binwiederhier/ntfy/releases/download/v2.2.0/ntfy_2.2.0_linux_amd64.rpm
    sudo systemctl enable ntfy 
    sudo systemctl start ntfy
    ```

 === "armv6"
    ```bash
-    sudo rpm -ivh https://github.com/binwiederhier/ntfy/releases/download/v2.0.0/ntfy_2.0.0_linux_armv6.rpm
+    sudo rpm -ivh https://github.com/binwiederhier/ntfy/releases/download/v2.2.0/ntfy_2.2.0_linux_armv6.rpm
    sudo systemctl enable ntfy
    sudo systemctl start ntfy
    ```

 === "armv7/armhf"
    ```bash
-    sudo rpm -ivh https://github.com/binwiederhier/ntfy/releases/download/v2.0.0/ntfy_2.0.0_linux_armv7.rpm
+    sudo rpm -ivh https://github.com/binwiederhier/ntfy/releases/download/v2.2.0/ntfy_2.2.0_linux_armv7.rpm
    sudo systemctl enable ntfy 
    sudo systemctl start ntfy
    ```

 === "arm64"
    ```bash
-    sudo rpm -ivh https://github.com/binwiederhier/ntfy/releases/download/v2.0.0/ntfy_2.0.0_linux_arm64.rpm
+    sudo rpm -ivh https://github.com/binwiederhier/ntfy/releases/download/v2.2.0/ntfy_2.2.0_linux_arm64.rpm
    sudo systemctl enable ntfy 
    sudo systemctl start ntfy
    ```
@@ -189,18 +189,18 @@ NixOS also supports [declarative setup of the ntfy server](https://search.nixos.

 ## macOS
 The [ntfy CLI](subscribe/cli.md) (`ntfy publish` and `ntfy subscribe` only) is supported on macOS as well. 
-To install, please [download the tarball](https://github.com/binwiederhier/ntfy/releases/download/v2.0.0/ntfy_2.0.0_macOS_all.tar.gz), 
+To install, please [download the tarball](https://github.com/binwiederhier/ntfy/releases/download/v2.2.0/ntfy_2.2.0_macOS_all.tar.gz), 
 extract it and place it somewhere in your `PATH` (e.g. `/usr/local/bin/ntfy`). 

 If run as `root`, ntfy will look for its config at `/etc/ntfy/client.yml`. For all other users, it'll look for it at 
 `~/Library/Application Support/ntfy/client.yml` (sample included in the tarball).

 ```bash
-curl -L https://github.com/binwiederhier/ntfy/releases/download/v2.0.0/ntfy_2.0.0_macOS_all.tar.gz > ntfy_2.0.0_macOS_all.tar.gz
-tar zxvf ntfy_2.0.0_macOS_all.tar.gz
-sudo cp -a ntfy_2.0.0_macOS_all/ntfy /usr/local/bin/ntfy
+curl -L https://github.com/binwiederhier/ntfy/releases/download/v2.2.0/ntfy_2.2.0_macOS_all.tar.gz > ntfy_2.2.0_macOS_all.tar.gz
+tar zxvf ntfy_2.2.0_macOS_all.tar.gz
+sudo cp -a ntfy_2.2.0_macOS_all/ntfy /usr/local/bin/ntfy
 mkdir ~/Library/Application\ Support/ntfy 
-cp ntfy_2.0.0_macOS_all/client/client.yml ~/Library/Application\ Support/ntfy/client.yml
+cp ntfy_2.2.0_macOS_all/client/client.yml ~/Library/Application\ Support/ntfy/client.yml
 ntfy --help
 ```

@@ -212,7 +212,7 @@ ntfy --help

 ## Windows
 The [ntfy CLI](subscribe/cli.md) (`ntfy publish` and `ntfy subscribe` only) is supported on Windows as well.
-To install, please [download the latest ZIP](https://github.com/binwiederhier/ntfy/releases/download/v2.0.0/ntfy_2.0.0_windows_x86_64.zip),
+To install, please [download the latest ZIP](https://github.com/binwiederhier/ntfy/releases/download/v2.2.0/ntfy_2.2.0_windows_x86_64.zip),
 extract it and place the `ntfy.exe` binary somewhere in your `%Path%`. 

 The default path for the client config file is at `%AppData%\ntfy\client.yml` (not created automatically, sample in the ZIP file).
@@ -266,7 +266,7 @@ docker run \
  serve
 ```

-Using docker-compose with non-root user:
+Using docker-compose with non-root user and healthchecks enabled:
 ```yaml
 version: "2.1"

@@ -284,6 +284,12 @@ services:
      - /etc/ntfy:/etc/ntfy
    ports:
      - 80:80
+    healthcheck: # optional: remember to adapt the host:port to your environment
+        test: ["CMD-SHELL", "wget -q --tries=1 http://localhost:80/v1/health -O - | grep -Eo '\"healthy\"\\s*:\\s*true' || exit 1"]
+        interval: 60s
+        timeout: 10s
+        retries: 3
+        start_period: 40s
    restart: unless-stopped
 ```

--- a/docs/integrations.md
+++ b/docs/integrations.md
@@ -16,6 +16,7 @@ ntfy community. Thanks to everyone running a public server. **You guys rock!**
 | [ntfy.jae.fi](https://ntfy.jae.fi/)               | 🇫🇮 Finland       |
 | [ntfy.adminforge.de](https://ntfy.adminforge.de/) | 🇩🇪 Germany       |
 | [ntfy.envs.net](https://ntfy.envs.net)            | 🇩🇪 Germany       |
+| [ntfy.mzte.de](https://ntfy.mzte.de/)             | 🇩🇪 Germany       |

 Please be aware that **server operators can log your messages**. The project also cannot guarantee the reliability
 and uptime of third party servers, so use of each server is **at your own discretion**.
@@ -35,6 +36,8 @@ and uptime of third party servers, so use of each server is **at your own discre
 - [Shoutrrr](https://containrrr.dev/shoutrrr/v0.7/services/ntfy/) ⭐ - Notification library for gophers and their furry friends.
 - [Scrt.link](https://scrt.link/) - Share a secret
 - [Platypush](https://docs.platypush.tech/platypush/plugins/ntfy.html) - Automation platform aimed to run on any device that can run Python
+- [diun](https://crazymax.dev/diun/) - Docker Image Update Notifier
+- [Cloudron](https://www.cloudron.io/store/sh.ntfy.cloudronapp.html) - Platform that makes it easy to manage web apps on your server

 ## [UnifiedPush](https://unifiedpush.org/users/apps/) integrations

@@ -72,6 +75,8 @@ and uptime of third party servers, so use of each server is **at your own discre
 ## Projects + scripts 

 - [Grafana-to-ntfy](https://github.com/kittyandrew/grafana-to-ntfy) - Grafana-to-ntfy alerts channel (Rust)
+- [Grafana-ntfy-webhook-integration](https://github.com/academo/grafana-alerting-ntfy-webhook-integration) - Integrates Grafana alerts webhooks (Go)
+- [Grafana-to-ntfy](https://gitlab.com/Saibe1111/grafana-to-ntfy) - Grafana-to-ntfy alerts channel (Node Js)
 - [ntfy-long-zsh-command](https://github.com/robfox92/ntfy-long-zsh-command) - Notifies you once a long-running command completes (zsh)
 - [ntfy-shellscripts](https://github.com/nickexyz/ntfy-shellscripts) - A few scripts for the ntfy project (Shell)
 - [QuickStatus](https://github.com/corneliusroot/QuickStatus) - A shell script to alert to any immediate problems upon login (Shell)
@@ -110,10 +115,16 @@ and uptime of third party servers, so use of each server is **at your own discre
 - [ntfy-wrapper](https://github.com/vict0rsch/ntfy-wrapper) - Wrapper around ntfy (Python)
 - [nodebb-plugin-ntfy](https://github.com/NodeBB/nodebb-plugin-ntfy) - Push notifications for NodeBB forums
 - [n8n-ntfy](https://github.com/raghavanand98/n8n-ntfy.sh) - n8n community node that lets you use ntfy in your workflows
+- [nlog-ntfy](https://github.com/MichelMichels/nlog-ntfy) - Send NLog messages over ntfy (C# / .NET / NLog)

 ## Blog + forum posts

+- [Start-Job,Variables, and ntfy.sh](https://klingele.dev/2023/03/01/start-jobvariables-and-ntfy-sh/) - klingele.dev - 3/2023 
+- [enviar notificaciones automáticas usando ntfy.sh](https://osiux.com/2023-02-15-send-automatic-notifications-using-ntfy.html) - osiux.com - 2/2023 
+- [Carnet IP动态解析以及通过ntfy推送IP信息](https://blog.wslll.cn/index.php/archives/201/) - blog.wslll.cn - 2/2023 
+- [Open-Source-Brieftaube: ntfy verschickt Push-Meldungen auf Smartphone und PC](https://www.heise.de/news/Open-Source-Brieftaube-ntfy-verschickt-Push-Meldungen-auf-Smartphone-und-PC-7521583.html) ⭐ - heise.de - 2/2023 
 - [Video: Simple Push Notifications ntfy](https://www.youtube.com/watch?v=u9EcWrsjE20) ⭐ - youtube.com - 2/2023
+- [Use ntfy.sh with Home Assistant](https://diecknet.de/en/2023/02/12/ntfy-sh-with-homeassistant/) - diecknet.de - 2/2023 
 - [On installe Ntfy sur Synology Docker](https://www.maison-et-domotique.com/140356-serveur-notification-jeedom-ntfy-synology-docker/) - maison-et-domotique.co - 1/2023 
 - [January 2023 Developer Update](https://community.nodebb.org/topic/16908/january-2023-developer-update) - nodebb.org - 1/2023
 - [Comment envoyer des notifications push sur votre téléphone facilement et gratuitement?](https://korben.info/notifications-push-telephone.html) - 1/2023
--- a/docs/publish.md
+++ b/docs/publish.md
@@ -1292,7 +1292,7 @@ Alternatively, the same actions can be defined as **JSON array**, if the notific
    ```

 The required/optional fields for each action depend on the type of the action itself. Please refer to 
-[`view` action](#open-websiteapp), [`broadcasst` action](#send-android-broadcast), and [`http` action](#send-http-request) 
+[`view` action](#open-websiteapp), [`broadcast` action](#send-android-broadcast), and [`http` action](#send-http-request) 
 for details.

 ### Open website/app
@@ -2582,6 +2582,11 @@ format is:
 ntfy-$topic@ntfy.sh
 ```

+If [access control](config.md#access-control) is enabled, and the target topic does not support anonymous writes, e-mail publishing won't work without providing an authorized access token. That will change the format of the e-mail's recipient address to
+```
+ntfy-$topic+$token@ntfy.sh
+```
+
 As of today, e-mail publishing only supports adding a [message title](#message-title) (the e-mail subject). Tags, priority,
 delay and other features are not supported (yet). Here's an example that will publish a message with the 
 title `You've Got Mail` to topic `sometopic` (see [ntfy.sh/sometopic](https://ntfy.sh/sometopic)):
@@ -2930,7 +2935,7 @@ Here's an example using the `auth` query parameter:
    ]));
    ```

-To generate the value of the `auth` parameter, encode the value of the `Authorization` header (see anove) using 
+To generate the value of the `auth` parameter, encode the value of the `Authorization` header (see above) using 
 **raw base64 encoding** (like base64, but strip any trailing `=`). Here's some pseudo-code that hopefully 
 explains it better:

@@ -3156,22 +3161,27 @@ There are a few limitations to the API to prevent abuse and to keep the server h
 are configurable via the server side [rate limiting settings](config.md#rate-limiting). Most of these limits you won't run into,
 but just in case, let's list them all:

-| Limit                      | Description                                                                                                                                                              |
-|----------------------------|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **Message length**         | Each message can be up to 4,096 bytes long. Longer messages are treated as [attachments](#attachments).                                                                  |
-| **Requests**               | By default, the server is configured to allow 60 requests per visitor at once, and then refills the your allowed requests bucket at a rate of one request per 5 seconds. |
-| **E-mails**                | By default, the server is configured to allow sending 16 e-mails per visitor at once, and then refills the your allowed e-mail bucket at a rate of one per hour.         |
-| **Subscription limit**     | By default, the server allows each visitor to keep 30 connections to the server open.                                                                                    |
-| **Attachment size limit**  | By default, the server allows attachments up to 15 MB in size, up to 100 MB in total per visitor and up to 5 GB across all visitors.                                     |
-| **Attachment expiry**      | By default, the server deletes attachments after 3 hours and thereby frees up space from the total visitor attachment limit.                                             |
-| **Attachment bandwidth**   | By default, the server allows 500 MB of GET/PUT/POST traffic for attachments per visitor in a 24 hour period. Traffic exceeding that is rejected.                        |
-| **Total number of topics** | By default, the server is configured to allow 15,000 topics. The ntfy.sh server has higher limits though.                                                                |
+| Limit                           | Description                                                                                                                                                                                                             |
+|---------------------------------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| **Message length**              | Each message can be up to 4,096 bytes long. Longer messages are treated as [attachments](#attachments).                                                                                                                 |
+| **Requests**                    | By default, the server is configured to allow 60 requests per visitor at once, and then refills the your allowed requests bucket at a rate of one request per 5 seconds.                                                |
+| **Daily messages**              | By default, the number of messages is governed by the request limits. This can be overridden. On ntfy.sh, the daily message limit is 1,000.                                                                             |
+| **E-mails**                     | By default, the server is configured to allow sending 16 e-mails per visitor at once, and then refills the your allowed e-mail bucket at a rate of one per hour. On ntfy.sh, the daily limit is 10.                     |
+| **Subscription limit**          | By default, the server allows each visitor to keep 30 connections to the server open.                                                                                                                                   |
+| **Attachment size limit**       | By default, the server allows attachments up to 15 MB in size, up to 100 MB in total per visitor and up to 5 GB across all visitors. On ntfy.sh, the attachment size limit is 5 MB, and the per-visitor total is 50 MB. |
+| **Attachment expiry**           | By default, the server deletes attachments after 3 hours and thereby frees up space from the total visitor attachment limit.                                                                                            |
+| **Attachment bandwidth**        | By default, the server allows 500 MB of GET/PUT/POST traffic for attachments per visitor in a 24 hour period. Traffic exceeding that is rejected. On ntfy.sh, the daily bandwidth limit is 200 MB.                      |
+| **Total number of topics**      | By default, the server is configured to allow 15,000 topics. The ntfy.sh server has higher limits though.                                                                                                               |
+
+These limits can be changed on a per-user basis using [tiers](config.md#tiers). If [payments](config.md#payments) are enabled, a user tier can be changed by purchasing
+a higher tier. ntfy.sh offers multiple paid tiers, which allows for much hier limits than the ones listed above. 

 ## List of all parameters
-The following is a list of all parameters that can be passed when publishing a message. Parameter names are **case-insensitive**,
-and can be passed as **HTTP headers** or **query parameters in the URL**. They are listed in the table in their canonical form.
+The following is a list of all parameters that can be passed when publishing a message. Parameter names are **case-insensitive**
+when used in **HTTP headers**, and must be **lowercase** when used as **query parameters in the URL**. They are listed in the 
+table in their canonical form.

-| Parameter       | Aliases (case-insensitive)                 | Description                                                                                   |
+| Parameter       | Aliases                                    | Description                                                                                   |
 |-----------------|--------------------------------------------|-----------------------------------------------------------------------------------------------|
 | `X-Message`     | `Message`, `m`                             | Main body of the message as shown in the notification                                         |
 | `X-Title`       | `Title`, `t`                               | [Message title](#message-title)                                                               |
--- a/docs/releases.md
+++ b/docs/releases.md
@@ -2,7 +2,134 @@
 Binaries for all releases can be found on the GitHub releases pages for the [ntfy server](https://github.com/binwiederhier/ntfy/releases)
 and the [ntfy Android app](https://github.com/binwiederhier/ntfy-android/releases).

-## ntfy server v2.0.0 (UNRELEASED)
+## ntfy server v2.2.0
+Released March 17, 2023
+
+With this release, ntfy is now able to expose metrics via a `/metrics` endpoint for [Prometheus](https://prometheus.io/), if enabled.
+The endpoint exposes about 20 different counters and gauges, from the number of published messages and emails, to active subscribers,
+visitors and topics. If you'd like more metrics, pop in the Discord/Matrix or file an issue on GitHub. 
+
+On top of this, you can now use access tokens in the ntfy CLI (defined in the `client.yml` file), fixed a bug in `ntfy subscribe`,
+removed the dependency on Google Fonts, and more.
+
+🔥 Reminder: Purchase one of three **ntfy Pro plans** for **50% off** for a limited time (if you use promo code `MYTOPIC`). 
+ntfy Pro gives you higher rate limits and lets you reserve topic names. [Buy through web app](https://ntfy.sh/app).
+
+❤️ If you don't need ntfy Pro, please consider sponsoring ntfy via [GitHub Sponsors](https://github.com/sponsors/binwiederhier)
+and [Liberapay](https://en.liberapay.com/ntfy/). ntfy will stay open source forever.
+
+**Features:**
+
+* Monitoring: ntfy now exposes a `/metrics` endpoint for [Prometheus](https://prometheus.io/) if [configured](config.md#monitoring) ([#210](https://github.com/binwiederhier/ntfy/issues/210), thanks to [@rogeliodh](https://github.com/rogeliodh) for reporting)
+* You can now use tokens in `client.yml` for publishing and subscribing ([#653](https://github.com/binwiederhier/ntfy/issues/653), thanks to [@wunter8](https://github.com/wunter8))
+
+**Bug fixes + maintenance:**
+
+* `ntfy sub --poll --from-config` will now include authentication headers from client.yml (if applicable) ([#658](https://github.com/binwiederhier/ntfy/issues/658), thanks to [@wunter8](https://github.com/wunter8))
+* Docs: Removed dependency on Google Fonts in docs ([#554](https://github.com/binwiederhier/ntfy/issues/554), thanks to [@bt90](https://github.com/bt90) for reporting, and [@ozskywalker](https://github.com/ozskywalker) for implementing)
+* Increase allowed auth failure attempts per IP address to 30 (no ticket)
+* Web app: Increase maximum incremental backoff retry interval to 2 minutes (no ticket)
+
+**Documentation:**
+
+* Make query parameter description more clear ([#630](https://github.com/binwiederhier/ntfy/issues/630), thanks to [@bbaa-bbaa](https://github.com/bbaa-bbaa) for reporting, and to [@wunter8](https://github.com/wunter8) for a fix)
+
+## ntfy server v2.1.2
+Released March 4, 2023
+
+This is a hotfix release, mostly to combat the ridiculous amount of Matrix requests with invalid/dead pushkeys, and the
+corresponding HTTP 507 responses the ntfy.sh server is sending out. We're up to >600k HTTP 507 responses per day 🤦. This 
+release solves this issue by rejecting Matrix pushkeys, if nobody has subscribed to the corresponding topic for 12 hours.
+
+The release furthermore reverts the default rate limiting behavior for UnifiedPush to be publisher-based, and introduces
+a flag to enable [subscriber-based rate limiting](config.md#subscriber-based-rate-limiting) for high volume servers.
+
+**Features:**
+
+* Support SMTP servers without auth ([#645](https://github.com/binwiederhier/ntfy/issues/645), thanks to [@Sharknoon](https://github.com/Sharknoon) for reporting)
+
+**Bug fixes + maintenance:**
+
+* Token auth doesn't work if default user credentials are defined in `client.yml` ([#650](https://github.com/binwiederhier/ntfy/issues/650), thanks to [@Xinayder](https://github.com/Xinayder))
+* Add `visitor-subscriber-rate-limiting` flag to allow enabling [subscriber-based rate limiting](config.md#subscriber-based-rate-limiting) (off by default now, [#649](https://github.com/binwiederhier/ntfy/issues/649)/[#655](https://github.com/binwiederhier/ntfy/pull/655), thanks to [@barathrm](https://github.com/barathrm) for reporting, and to [@karmanyaahm](https://github.com/karmanyaahm) and [@p1gp1g](https://github.com/p1gp1g) for help with the design)
+* Reject Matrix pushkey after 12 hours of inactivity on a topic, if `visitor-subscriber-rate-limiting` is enabled ([#643](https://github.com/binwiederhier/ntfy/pull/643), thanks to [@karmanyaahm](https://github.com/karmanyaahm) and [@p1gp1g](https://github.com/p1gp1g) for help with the design)  
+
+**Additional languages:**
+
+* Danish (thanks to [@Andersbiha](https://hosted.weblate.org/user/Andersbiha/))
+
+## ntfy server v2.1.1
+Released March 1, 2023
+
+This is a tiny release with a few bug fixes, but it's big for me personally. After almost three months of work, 
+**today I am finally launching the paid plans on ntfy.sh** 🥳 🎉. 
+
+You are now able to purchase one of three plans that'll give you **higher rate limits** (messages, emails, attachment sizes, ...), 
+as well as the ability to **reserve topic names** for your personal use, while at the same time supporting me and the
+ntfy open source project ❤️. You can check out the pricing, and [purchase plans through the web app](https://ntfy.sh/app) (use
+promo code `MYTOPIC` for a **50% discount**, limited time only).
+
+And as I've said many times: Do not worry. **ntfy will always stay open source**, and that includes all features. There
+are no closed-source features. So if you'd like to run your own server, you can!
+
+**Bug fixes + maintenance:**
+
+* Fix panic when using Firebase without users ([#641](https://github.com/binwiederhier/ntfy/issues/641), thanks to [u/heavybell](https://www.reddit.com/user/heavybell/) for reporting)
+* Remove health check from `Dockerfile` and [document it](config.md#health-checks) ([#635](https://github.com/binwiederhier/ntfy/issues/635), thanks to [@Andersbiha](https://github.com/Andersbiha)) 
+* Upgrade dialog: Disable submit button for free tier (no ticket)
+* Allow multiple `log-level-overrides` on the same field (no ticket)
+* Actually remove `ntfy publish --env-topic` flag (as per [deprecations](deprecations.md), no ticket)
+* Added `billing-contact` config option (no ticket)
+
+## ntfy server v2.1.0
+Released February 25, 2023
+
+This release changes the way UnifiedPush (UP) topics are rate limited from publisher-based rate limiting to subscriber-based
+rate limiting. This allows UP application servers to send higher volumes, since the subscribers carry the rate limits.
+However, it also means that UP clients have to subscribe to a topic first before they are allowed to publish. If they do
+no, clients will receive an HTTP 507 response from the server.
+
+We also fixed another issue with UnifiedPush: Some Mastodon servers were sending unsupported `Authorization` headers, 
+which ntfy rejected with an HTTP 401. We now ignore unsupported header values. 
+
+As of this release, ntfy also supports sending emails to protected topics, and it ships code to support annual billing
+cycles (not live yet).
+
+As part of this release, I also enabled sign-up and login (free accounts only), and I also started reducing the rate 
+limits for anonymous & free users a bit. With the next release and the launch of the paid plan, I'll reduce the limits
+a bit more. For 90% of users, you should not feel the difference.
+
+**Features:**
+
+* UnifiedPush: Subscriber-based rate limiting for `up*` topics ([#584](https://github.com/binwiederhier/ntfy/pull/584)/[#609](https://github.com/binwiederhier/ntfy/pull/609)/[#633](https://github.com/binwiederhier/ntfy/pull/633), thanks to [@karmanyaahm](https://github.com/karmanyaahm))
+* Support for publishing to protected topics via email with access tokens ([#612](https://github.com/binwiederhier/ntfy/pull/621), thanks to [@tamcore](https://github.com/tamcore))
+* Support for base64-encoded and nested multipart emails ([#610](https://github.com/binwiederhier/ntfy/issues/610), thanks to [@Robert-litts](https://github.com/Robert-litts))
+* Payments: Add support for annual billing intervals (no ticket)
+
+**Bug fixes + maintenance:**
+
+* Web: Do not disable "Reserve topic" checkbox for admins (no ticket, thanks to @xenrox for reporting)
+* UnifiedPush: Treat non-Basic/Bearer `Authorization` header like header was not sent ([#629](https://github.com/binwiederhier/ntfy/issues/629), thanks to [@Boebbele](https://github.com/Boebbele) and [@S1m](https://github.com/S1m) for reporting)
+
+**Documentation:**
+
+* Added example for [Traccar](https://ntfy.sh/docs/examples/#traccar) ([#631](https://github.com/binwiederhier/ntfy/pull/631), thanks to [tamcore](https://github.com/tamcore))
+
+**Additional languages:**
+
+* Arabic (thanks to [@ButterflyOfFire](https://hosted.weblate.org/user/ButterflyOfFire/))
+
+## ntfy server v2.0.1
+Released February 17, 2023
+
+This is a quick bugfix release to address a panic that happens when `attachment-cache-dir` is not set.
+
+**Bug fixes + maintenance:**
+
+* Avoid panic in manager when `attachment-cache-dir` is not set ([#617](https://github.com/binwiederhier/ntfy/issues/617), thanks to [@ksurl](https://github.com/ksurl))  
+* Ensure that calls to standard logger `log.Println` also output JSON (no ticket)
+
+## ntfy server v2.0.0
 Released February 16, 2023

 This is the biggest ntfy server release I've ever done 🥳 . Lots of new and exciting features. 
@@ -64,6 +191,11 @@ going. It'll only make ntfy better.
 * User account signup, login, topic reservations, access tokens, tiers etc. ([#522](https://github.com/binwiederhier/ntfy/issues/522))
 * `OPTIONS` method calls are not serviced when the UI is disabled ([#598](https://github.com/binwiederhier/ntfy/issues/598), thanks to [@enticedwanderer](https://github.com/enticedwanderer) for reporting)

+**Special thanks:**
+
+A big Thank-you goes to everyone who tested the user account and payments work. I very much appreciate all the feedback,
+suggestions, and bug reports. Thank you, @nwithan8, @deadcade, @xenrox, @cmeis, @wunter8 and the others who I forgot.
+
 ## ntfy server v1.31.0
 Released February 14, 2023

@@ -95,11 +227,6 @@ breaking-change upgrade, which required some work to get working again.

 * Portuguese (thanks to [@ssantos](https://hosted.weblate.org/user/ssantos/))

-**Special thanks:**
-
-A big Thank-you goes to everyone who tested the user account and payments work. I very much appreciate all the feedback,
-suggestions, and bug reports. Thank you, @nwithan8, @deadcade, and @xenrox.
-
 ## ntfy server v1.30.1
 Released December 23, 2022 🎅

@@ -991,3 +1118,20 @@ Released Dec 28, 2021
 ## Older releases
 For older releases, check out the GitHub releases pages for the [ntfy server](https://github.com/binwiederhier/ntfy/releases)
 and the [ntfy Android app](https://github.com/binwiederhier/ntfy-android/releases).
+
+## Not released yet
+
+### ntfy Android app v1.16.1 (UNRELEASED)
+
+**Features:**
+
+* You can now disable UnifiedPush so ntfy does not act as a UnifiedPush distributor ([#646](https://github.com/binwiederhier/ntfy/issues/646), thanks to [@ollien](https://github.com/ollien) for reporting and to [@wunter8](https://github.com/wunter8) for implementing)
+
+**Bug fixes + maintenance:**
+
+* UnifiedPush subscriptions now include the `Rate-Topics` header to facilitate subscriber-based billing ([#652](https://github.com/binwiederhier/ntfy/issues/652), thanks to [@wunter8](https://github.com/wunter8))
+* Subscriptions without icons no longer appear to use another subscription's icon ([#634](https://github.com/binwiederhier/ntfy/issues/634), thanks to [@topcaser](https://github.com/topcaser) for reporting and to [@wunter8](https://github.com/wunter8) for fixing)
+
+**Additional languages:**
+
+* Swedish (thanks to [@hellbown](https://hosted.weblate.org/user/hellbown/))
--- a/docs/static/css/extra.css
+++ b/docs/static/css/extra.css
@@ -2,13 +2,15 @@
    --md-primary-fg-color:        #338574;
    --md-primary-fg-color--light: #338574;
    --md-primary-fg-color--dark:  #338574;
+    --md-footer-bg-color:         #353744;
+    --md-text-font:               "Roboto";
+    --md-code-font:               "Roboto Mono";
 }

 .md-header__button.md-logo :is(img, svg) {
    width: unset !important;
 }

-
 .md-header__topic:first-child {
    font-weight: 400;
 }
@@ -147,3 +149,57 @@ figure video {
 .lightbox .close-lightbox:hover::before {
    background-color: #fff;
 }
+
+/* roboto-300 - latin */
+@font-face {
+    font-display: swap;
+    font-family: 'Roboto';
+    font-style: normal;
+    font-weight: 300;
+    src: url('../fonts/roboto-v30-latin-300.woff2') format('woff2');
+}
+
+/* roboto-regular - latin */
+@font-face {
+    font-display: swap;
+    font-family: 'Roboto';
+    font-style: normal;
+    font-weight: 400;
+    src: url('../fonts/roboto-v30-latin-regular.woff2') format('woff2');
+}
+
+/* roboto-italic - latin */
+@font-face {
+    font-display: swap;
+    font-family: 'Roboto';
+    font-style: italic;
+    font-weight: 400;
+    src: url('../fonts/roboto-v30-latin-italic.woff2') format('woff2');
+}
+
+/* roboto-500 - latin */
+@font-face {
+    font-display: swap;
+    font-family: 'Roboto';
+    font-style: normal;
+    font-weight: 500;
+    src: url('../fonts/roboto-v30-latin-500.woff2') format('woff2');
+}
+
+/* roboto-700 - latin */
+@font-face {
+    font-display: swap;
+    font-family: 'Roboto';
+    font-style: normal;
+    font-weight: 700;
+    src: url('../fonts/roboto-v30-latin-700.woff2') format('woff2');
+}
+
+/* roboto-mono - latin */
+@font-face {
+    font-display: swap;
+    font-family: 'Roboto Mono';
+    font-style: normal;
+    font-weight: 400;
+    src: url('../fonts/roboto-mono-v22-latin-regular.woff2') format('woff2');
+}
--- a/docs/static/fonts/roboto-mono-v22-latin-regular.woff2
+++ b/docs/static/fonts/roboto-mono-v22-latin-regular.woff2
--- a/docs/static/fonts/roboto-v30-latin-300.woff2
+++ b/docs/static/fonts/roboto-v30-latin-300.woff2
--- a/docs/static/fonts/roboto-v30-latin-500.woff2
+++ b/docs/static/fonts/roboto-v30-latin-500.woff2
--- a/docs/static/fonts/roboto-v30-latin-700.woff2
+++ b/docs/static/fonts/roboto-v30-latin-700.woff2
--- a/docs/static/fonts/roboto-v30-latin-italic.woff2
+++ b/docs/static/fonts/roboto-v30-latin-italic.woff2
--- a/docs/static/fonts/roboto-v30-latin-regular.woff2
+++ b/docs/static/fonts/roboto-v30-latin-regular.woff2
--- a/docs/subscribe/api.md
+++ b/docs/subscribe/api.md
@@ -319,7 +319,7 @@ format of the message. It's very straight forward:
 |--------------|----------|---------------------------------------------------|-------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------------------------|
 | `id`         | ✔️       | *string*                                          | `hwQ2YpKdmg`                                          | Randomly chosen message identifier                                                                                                   |
 | `time`       | ✔️       | *number*                                          | `1635528741`                                          | Message date time, as Unix time stamp                                                                                                |  
-| `expires`    | ✔️       | *number*                                          | `1673542291`                                          | Unix time stamp indicating when the message will be deleted                                                                          |  
+| `expires`    | (✔)️     | *number*                                          | `1673542291`                                          | Unix time stamp indicating when the message will be deleted, not set if `Cache: no` is sent                                          |  
 | `event`      | ✔️       | `open`, `keepalive`, `message`, or `poll_request` | `message`                                             | Message type, typically you'd be only interested in `message`                                                                        |
 | `topic`      | ✔️       | *string*                                          | `topic1,topic2`                                       | Comma-separated list of topics the message is associated with; only one for all `message` events, but may be a list in `open` events |
 | `message`    | -        | *string*                                          | `Some message`                                        | Message body; always present in `message` events                                                                                     |
--- a/docs/subscribe/cli.md
+++ b/docs/subscribe/cli.md
@@ -254,13 +254,13 @@ I hope this shows how powerful this command is. Here's a short video that demons
  <figcaption>Execute all the things</figcaption>
 </figure>

-If most (or all) of your subscription usernames, passwords, and commands are the same, you can specify a `default-user`, `default-password`, and `default-command` at the top of the
-`client.yml`. If a subscription does not specify a username/password to use or does not have a command, the defaults will be used, otherwise, the subscription settings will
-override the defaults.
+If most (or all) of your subscriptions use the same credentials, you can set defaults in `client.yml`. Use `default-user` and `default-password` or `default-token` (but not both).
+You can also specify a `default-command` that will run when a message is received. If a subscription does not include credentials to use or does not have a command, the defaults
+will be used, otherwise, the subscription settings will override the defaults.

 !!! warning
-    Because the `default-user` and `default-password` will be sent for each topic that does not have its own username/password (even if the topic does not require authentication),
-    be sure that the servers/topics you subscribe to use HTTPS to prevent leaking the username and password.
+    Because the `default-user`, `default-password`, and `default-token` will be sent for each topic that does not have its own username/password (even if the topic does not
+    require authentication), be sure that the servers/topics you subscribe to use HTTPS to prevent leaking the username and password.

 ### Using the systemd service
 You can use the `ntfy-client` systemd service (see [ntfy-client.service](https://github.com/binwiederhier/ntfy/blob/main/client/ntfy-client.service))
--- a/go.mod
+++ b/go.mod
@@ -4,22 +4,22 @@ go 1.18

 require (
 	cloud.google.com/go/firestore v1.9.0 // indirect
-	cloud.google.com/go/storage v1.29.0 // indirect
+	cloud.google.com/go/storage v1.30.0 // indirect
 	github.com/BurntSushi/toml v1.2.1 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
 	github.com/emersion/go-smtp v0.16.0
-	github.com/gabriel-vasile/mimetype v1.4.1
+	github.com/gabriel-vasile/mimetype v1.4.2
 	github.com/gorilla/websocket v1.5.0
 	github.com/mattn/go-sqlite3 v1.14.16
 	github.com/olebedev/when v0.0.0-20221205223600-4d190b02b8d8
 	github.com/stretchr/testify v1.8.1
-	github.com/urfave/cli/v2 v2.24.4
-	golang.org/x/crypto v0.6.0
-	golang.org/x/oauth2 v0.5.0 // indirect
+	github.com/urfave/cli/v2 v2.25.0
+	golang.org/x/crypto v0.7.0
+	golang.org/x/oauth2 v0.6.0 // indirect
 	golang.org/x/sync v0.1.0
-	golang.org/x/term v0.5.0
+	golang.org/x/term v0.6.0
 	golang.org/x/time v0.3.0
-	google.golang.org/api v0.110.0
+	google.golang.org/api v0.114.0
 	gopkg.in/yaml.v2 v2.4.0
 )

@@ -27,39 +27,47 @@ require github.com/pkg/errors v0.9.1 // indirect

 require (
 	firebase.google.com/go/v4 v4.10.0
-	github.com/stripe/stripe-go/v74 v74.7.0
+	github.com/prometheus/client_golang v1.14.0
+	github.com/stripe/stripe-go/v74 v74.12.0
 )

 require (
 	cloud.google.com/go v0.110.0 // indirect
 	cloud.google.com/go/compute v1.18.0 // indirect
 	cloud.google.com/go/compute/metadata v0.2.3 // indirect
-	cloud.google.com/go/iam v0.10.0 // indirect
+	cloud.google.com/go/iam v0.13.0 // indirect
 	cloud.google.com/go/longrunning v0.4.1 // indirect
 	github.com/AlekSi/pointer v1.2.0 // indirect
 	github.com/MicahParks/keyfunc v1.9.0 // indirect
+	github.com/beorn7/perks v1.0.1 // indirect
+	github.com/cespare/xxhash/v2 v2.2.0 // indirect
 	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/emersion/go-sasl v0.0.0-20220912192320-0145f2c60ead // indirect
-	github.com/golang-jwt/jwt/v4 v4.4.3 // indirect
+	github.com/golang-jwt/jwt/v4 v4.5.0 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
-	github.com/golang/protobuf v1.5.2 // indirect
+	github.com/golang/protobuf v1.5.3 // indirect
 	github.com/google/go-cmp v0.5.9 // indirect
 	github.com/google/uuid v1.3.0 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.2.3 // indirect
-	github.com/googleapis/gax-go/v2 v2.7.0 // indirect
+	github.com/googleapis/gax-go/v2 v2.8.0 // indirect
+	github.com/kr/pretty v0.3.1 // indirect
+	github.com/matttproud/golang_protobuf_extensions v1.0.4 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/prometheus/client_model v0.3.0 // indirect
+	github.com/prometheus/common v0.42.0 // indirect
+	github.com/prometheus/procfs v0.9.0 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
 	github.com/stretchr/objx v0.5.0 // indirect
 	github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 // indirect
 	go.opencensus.io v0.24.0 // indirect
-	golang.org/x/net v0.7.0 // indirect
-	golang.org/x/sys v0.5.0 // indirect
-	golang.org/x/text v0.7.0 // indirect
+	golang.org/x/net v0.8.0 // indirect
+	golang.org/x/sys v0.6.0 // indirect
+	golang.org/x/text v0.8.0 // indirect
 	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
 	google.golang.org/appengine/v2 v2.0.2 // indirect
-	google.golang.org/genproto v0.0.0-20230209215440-0dfe4f8abfcc // indirect
+	google.golang.org/genproto v0.0.0-20230306155012-7f2fa6fef1f4 // indirect
 	google.golang.org/grpc v1.53.0 // indirect
-	google.golang.org/protobuf v1.28.1 // indirect
+	google.golang.org/protobuf v1.30.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
--- a/go.sum
+++ b/go.sum
@@ -7,12 +7,12 @@ cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGB
 cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
 cloud.google.com/go/firestore v1.9.0 h1:IBlRyxgGySXu5VuW0RgGFlTtLukSnNkpDiEOMkQkmpA=
 cloud.google.com/go/firestore v1.9.0/go.mod h1:HMkjKHNTtRyZNiMzu7YAsLr9K3X2udY2AMwDaMEQiiE=
-cloud.google.com/go/iam v0.10.0 h1:fpP/gByFs6US1ma53v7VxhvbJpO2Aapng6wabJ99MuI=
-cloud.google.com/go/iam v0.10.0/go.mod h1:nXAECrMt2qHpF6RZUZseteD6QyanL68reN4OXPw0UWM=
+cloud.google.com/go/iam v0.13.0 h1:+CmB+K0J/33d0zSQ9SlFWUeCCEn5XJA0ZMZ3pHE9u8k=
+cloud.google.com/go/iam v0.13.0/go.mod h1:ljOg+rcNfzZ5d6f1nAUJ8ZIxOaZUVoS14bKCtaLZ/D0=
 cloud.google.com/go/longrunning v0.4.1 h1:v+yFJOfKC3yZdY6ZUI933pIYdhyhV8S3NpWrXWmg7jM=
 cloud.google.com/go/longrunning v0.4.1/go.mod h1:4iWDqhBZ70CvZ6BfETbvam3T8FMvLK+eFj0E6AaRQTo=
-cloud.google.com/go/storage v1.29.0 h1:6weCgzRvMg7lzuUurI4697AqIRPU1SvzHhynwpW31jI=
-cloud.google.com/go/storage v1.29.0/go.mod h1:4puEjyTKnku6gfKoTfNOU/W+a9JyuVNxjpS5GBrB8h4=
+cloud.google.com/go/storage v1.30.0 h1:g1yrbxAWOrvg/594228pETWkOi00MLTrOWfh56veU5o=
+cloud.google.com/go/storage v1.30.0/go.mod h1:xAVretHSROm1BQX4IIsoVgJqw0LqOyX+I/O2GzRAzdE=
 firebase.google.com/go/v4 v4.10.0 h1:dgK/8uwfJbzc5LZK/GyRRfIkZEDObN9q0kgEXsjlXN4=
 firebase.google.com/go/v4 v4.10.0/go.mod h1:m0gLwPY9fxKggizzglgCNWOGnFnVPifLpqZzo5u3e/A=
 github.com/AlekSi/pointer v1.2.0 h1:glcy/gc4h8HnG2Z3ZECSzZ1IX1x2JxRVuDzaJwQE0+w=
@@ -22,11 +22,16 @@ github.com/BurntSushi/toml v1.2.1 h1:9F2/+DoOYIOksmaJFPw1tGFy1eDnIJXg+UHjuD8lTak
 github.com/BurntSushi/toml v1.2.1/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ=
 github.com/MicahParks/keyfunc v1.9.0 h1:lhKd5xrFHLNOWrDc4Tyb/Q1AJ4LCzQ48GVJyVIID3+o=
 github.com/MicahParks/keyfunc v1.9.0/go.mod h1:IdnCilugA0O/99dW+/MkvlyrsX8+L8+x95xuVNtM5jw=
+github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
+github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/census-instrumentation/opencensus-proto v0.2.1/go.mod h1:f6KPmirojxKA12rnyqOA5BBL4O983OfeGPqjHWSTneU=
+github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44=
+github.com/cespare/xxhash/v2 v2.2.0/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=
 github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw=
 github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc=
 github.com/cpuguy83/go-md2man/v2 v2.0.2 h1:p1EgwI/C7NhT0JmVkwCD2ZBK8j4aeHQX2pMHHBfMQ6w=
 github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o=
+github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
@@ -39,11 +44,11 @@ github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymF
 github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
 github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98=
 github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c=
-github.com/gabriel-vasile/mimetype v1.4.1 h1:TRWk7se+TOjCYgRth7+1/OYLNiRNIotknkFtf/dnN7Q=
-github.com/gabriel-vasile/mimetype v1.4.1/go.mod h1:05Vi0w3Y9c/lNvJOdmIwvrrAhX3rYhfQQCaf9VJcv7M=
+github.com/gabriel-vasile/mimetype v1.4.2 h1:w5qFW6JKBz9Y393Y4q372O9A7cUSequkh1Q7OhCmWKU=
+github.com/gabriel-vasile/mimetype v1.4.2/go.mod h1:zApsH/mKG4w07erKIaJPFiX0Tsq9BFQgN3qGY5GnNgA=
 github.com/golang-jwt/jwt/v4 v4.4.2/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
-github.com/golang-jwt/jwt/v4 v4.4.3 h1:Hxl6lhQFj4AnOX6MLrsCb/+7tCj7DxP7VA+2rDIq5AU=
-github.com/golang-jwt/jwt/v4 v4.4.3/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
+github.com/golang-jwt/jwt/v4 v4.5.0 h1:7cYmW1XlMY7h7ii7UhUyChSgS5wUJEnm9uZVTGqOWzg=
+github.com/golang-jwt/jwt/v4 v4.5.0/go.mod h1:m21LjoU+eqJr34lmDMbreY2eSTRJ1cv77w39/MY0Ch0=
 github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
 github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
@@ -52,6 +57,7 @@ github.com/golang/mock v1.1.1/go.mod h1:oTYuIxOrZwtPieC+H1uAHpcLFnEyAGVDL/k47Jfb
 github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.3.5/go.mod h1:6O5/vntMXwX2lRkT1hjjk0nAC1IDOTvTlVgjlRvqsdk=
 github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
 github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
 github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
@@ -60,8 +66,8 @@ github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvq
 github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
 github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
-github.com/golang/protobuf v1.5.2 h1:ROPKBNFfQgOUMifHyP+KYbvpjbdoFNs+aK7DXlji0Tw=
-github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
+github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg=
+github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
@@ -77,19 +83,36 @@ github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
 github.com/googleapis/enterprise-certificate-proxy v0.2.3 h1:yk9/cqRKtT9wXZSsRH9aurXEpJX+U6FLtpYTdC3R06k=
 github.com/googleapis/enterprise-certificate-proxy v0.2.3/go.mod h1:AwSRAtLfXpU5Nm3pW+v7rGDHp09LsPtGY9MduiEsR9k=
-github.com/googleapis/gax-go/v2 v2.7.0 h1:IcsPKeInNvYi7eqSaDjiZqDDKu5rsmunY0Y1YupQSSQ=
-github.com/googleapis/gax-go/v2 v2.7.0/go.mod h1:TEop28CZZQ2y+c0VxMUmu1lV+fQx57QpBWsYpwqHJx8=
+github.com/googleapis/gax-go/v2 v2.8.0 h1:UBtEZqx1bjXtOQ5BVTkuYghXrr3N4V123VKJK67vJZc=
+github.com/googleapis/gax-go/v2 v2.8.0/go.mod h1:4orTrqY6hXxxaUL4LHIPl6lGo8vAE38/qKbhSAKP6QI=
 github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc=
 github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE=
+github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE=
+github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk=
+github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
+github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/mattn/go-sqlite3 v1.14.16 h1:yOQRA0RpS5PFz/oikGwBEqvAWhWg5ufRz4ETLjwpU1Y=
 github.com/mattn/go-sqlite3 v1.14.16/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg=
+github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo=
+github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
 github.com/olebedev/when v0.0.0-20221205223600-4d190b02b8d8 h1:0uFGkScHef2Xd8g74BMHU1jFcnKEm0PzrPn4CluQ9FI=
 github.com/olebedev/when v0.0.0-20221205223600-4d190b02b8d8/go.mod h1:T0THb4kP9D3NNqlvCwIG4GyUioTAzEhB4RNVzig/43E=
+github.com/pkg/diff v0.0.0-20210226163009-20ebb0f2a09e/go.mod h1:pJLUxLENpZxwdsKMEsNbx1VGcRFpLqf3715MtcvvzbA=
 github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/prometheus/client_golang v1.14.0 h1:nJdhIvne2eSX/XRAFV9PcvFFRbrjbcTUj0VP62TMhnw=
+github.com/prometheus/client_golang v1.14.0/go.mod h1:8vpkKitgIVNcqrRBWh1C4TIUQgYNtG/XQE4E/Zae36Y=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
+github.com/prometheus/client_model v0.3.0 h1:UBgGFHqYdG/TPFD1B1ogZywDqEkwp3fBMvqdiQ7Xew4=
+github.com/prometheus/client_model v0.3.0/go.mod h1:LDGWKZIo7rky3hgvBe+caln+Dr3dPggB5dvjtD7w9+w=
+github.com/prometheus/common v0.42.0 h1:EKsfXEYo4JpWMHH5cg+KOUWeuJSov1Id8zGR8eeI1YM=
+github.com/prometheus/common v0.42.0/go.mod h1:xBwqVerjNdUDjgODMpudtOMwlOwf2SaTr1yjz4b7Zbc=
+github.com/prometheus/procfs v0.9.0 h1:wzCHvIvM5SxWqYvwgVL7yJY8Lz3PKn49KQtpgMYJfhI=
+github.com/prometheus/procfs v0.9.0/go.mod h1:+pB4zwohETzFnmlpe6yd2lSc+0/46IYZRB/chUwxUZY=
+github.com/rogpeppe/go-internal v1.9.0 h1:73kH8U+JUqXU8lRuOHeVHaa/SZPifC7BkcraZVejAe8=
+github.com/rogpeppe/go-internal v1.9.0/go.mod h1:WtVeX8xhTBvf0smdhujwtBcq4Qrzq/fJaraNFVN+nFs=
 github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
@@ -101,18 +124,18 @@ github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
-github.com/stripe/stripe-go/v74 v74.7.0 h1:KHlyslQj9YOv62b1sycQ31LFj7KlqR+seHsSowAWrjc=
-github.com/stripe/stripe-go/v74 v74.7.0/go.mod h1:5PoXNp30AJ3tGq57ZcFuaMylzNi8KpwlrYAFmO1fHZw=
-github.com/urfave/cli/v2 v2.24.4 h1:0gyJJEBYtCV87zI/x2nZCPyDxD51K6xM8SkwjHFCNEU=
-github.com/urfave/cli/v2 v2.24.4/go.mod h1:GHupkWPMM0M/sj1a2b4wUrWBPzazNrIjouW6fmdJLxc=
+github.com/stripe/stripe-go/v74 v74.12.0 h1:uakz8Ubngok3G6Pcwc1ssqI3msONE4tdeyi84UooLQk=
+github.com/stripe/stripe-go/v74 v74.12.0/go.mod h1:f9L6LvaXa35ja7eyvP6GQswoaIPaBRvGAimAO+udbBw=
+github.com/urfave/cli/v2 v2.25.0 h1:ykdZKuQey2zq0yin/l7JOm9Mh+pg72ngYMeB0ABn6q8=
+github.com/urfave/cli/v2 v2.25.0/go.mod h1:GHupkWPMM0M/sj1a2b4wUrWBPzazNrIjouW6fmdJLxc=
 github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673 h1:bAn7/zixMGCfxrRTfdpNzjtPYqr8smhKouy9mxVdGPU=
 github.com/xrash/smetrics v0.0.0-20201216005158-039620a65673/go.mod h1:N3UwUGtsrSj3ccvlPHLoLsHnpR27oXr4ZE984MbSER8=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
 go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
-golang.org/x/crypto v0.6.0 h1:qfktjS5LUO+fFKeJXZ+ikTRijMmljikvG68fpMMruSc=
-golang.org/x/crypto v0.6.0/go.mod h1:OFC/31mSvZgRz0V1QTNCzfAI1aIRzbiufJtkMIlEp58=
+golang.org/x/crypto v0.7.0 h1:AvwMYaRytfdeVt3u6mLaxYtErKYjxA2OXjJ1HHq6t3A=
+golang.org/x/crypto v0.7.0/go.mod h1:pYwdfH91IfpZVANVyUOhSIPZaFoJGxTFbZhFTx+dXZU=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
 golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
@@ -123,38 +146,41 @@ golang.org/x/net v0.0.0-20190213061140-3a22650c66bd/go.mod h1:mL1N/T3taQHkDXs73r
 golang.org/x/net v0.0.0-20190311183353-d8887717615a/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
 golang.org/x/net v0.0.0-20190603091049-60506f45cf65/go.mod h1:HSz+uSET+XFnRR8LxR5pz3Of3rY3CfYBVs4xY44aLks=
-golang.org/x/net v0.0.0-20200324143707-d3edc9973b7e/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
 golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
-golang.org/x/net v0.0.0-20220624214902-1bab6f366d9e/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
+golang.org/x/net v0.0.0-20210520170846-37e1c6afe023/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220708220712-1185a9018129/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g=
-golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.8.0 h1:Zrh2ngAOFYneWTAIAPethzeaQLuHwhuBkuV6ZiRnUaQ=
+golang.org/x/net v0.8.0/go.mod h1:QVkue5JL9kW//ek3r6jTKnTFis1tRmNAW2P1shuFdJc=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
-golang.org/x/oauth2 v0.5.0 h1:HuArIo48skDwlrvM3sEdHXElYslAMsf3KwRkkW4MC4s=
-golang.org/x/oauth2 v0.5.0/go.mod h1:9/XBHVqLaWO3/BRHs5jbpYCnOZVjj5V0ndyaAM7KB4I=
+golang.org/x/oauth2 v0.6.0 h1:Lh8GPgSKBfWSwFvtuWOfeI3aAAnbXTSutYxJiOJFgIw=
+golang.org/x/oauth2 v0.6.0/go.mod h1:ycmewcwgD4Rpr3eZJLSB4Kyyljb3qDh40vJ8STE5HKw=
 golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
+golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.1.0 h1:wsuoTGHzEhffawBOhz5CYhcrV4IdKZbEyZjBMuTp12o=
 golang.org/x/sync v0.1.0/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.5.0 h1:MUK/U/4lj1t1oPg0HfuXDN/Z1wv31ZJ/YcPiGccS4DU=
-golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ=
+golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
-golang.org/x/term v0.5.0 h1:n2a8QNdAb0sZNpU9R1ALUXBbY+w51fCQDN+7EdxNBsY=
-golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
+golang.org/x/term v0.6.0 h1:clScbb1cHjoCkyRbWwBEUZ5H/tIFu5TAXIqaZD0Gcjw=
+golang.org/x/term v0.6.0/go.mod h1:m6U89DPEgQRMq3DNkDClhWw02AUbt2daBVO4cn4Hv9U=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
 golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
+golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ=
-golang.org/x/text v0.7.0 h1:4BRB4x83lYWy72KwLD/qYDuTu7q9PjSagHvijDw7cLo=
-golang.org/x/text v0.7.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8=
+golang.org/x/text v0.8.0 h1:57P1ETyNKtuIjB4SRd15iJxuhj8Gc416Y78H3qgMh68=
+golang.org/x/text v0.8.0/go.mod h1:e1OnstbJyHTd6l/uOt8jFFHp6TRDWZR/bV3emEE/zU8=
 golang.org/x/time v0.3.0 h1:rg5rLMjNzMS1RkNLzCG38eapWhnYLFYXDXj2gOlr8j4=
 golang.org/x/time v0.3.0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
@@ -165,8 +191,10 @@ golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBn
 golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 h1:H2TDz8ibqkAF6YGhCdN3jS9O0/s90v0rJh3X/OLHEUk=
 golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
-google.golang.org/api v0.110.0 h1:l+rh0KYUooe9JGbGVx71tbFo4SMbMTXK3I3ia2QSEeU=
-google.golang.org/api v0.110.0/go.mod h1:7FC4Vvx1Mooxh8C5HWjzZHcavuS2f6pmJpZx60ca7iI=
+google.golang.org/api v0.113.0 h1:3zLZyS9hgne8yoXUFy871yWdQcA2tA6wp59aaCT6Cp4=
+google.golang.org/api v0.113.0/go.mod h1:ifYI2ZsFK6/uGddGfAD5BMxlnkBqCmqHSDUVi45N5Yg=
+google.golang.org/api v0.114.0 h1:1xQPji6cO2E2vLiI+C/XiFAnsn1WV3mjaEwGLhi3grE=
+google.golang.org/api v0.114.0/go.mod h1:ifYI2ZsFK6/uGddGfAD5BMxlnkBqCmqHSDUVi45N5Yg=
 google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
 google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
 google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
@@ -176,8 +204,8 @@ google.golang.org/appengine/v2 v2.0.2/go.mod h1:PkgRUWz4o1XOvbqtWTkBtCitEJ5Tp4Ho
 google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
 google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
 google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
-google.golang.org/genproto v0.0.0-20230209215440-0dfe4f8abfcc h1:ijGwO+0vL2hJt5gaygqP2j6PfflOBrRot0IczKbmtio=
-google.golang.org/genproto v0.0.0-20230209215440-0dfe4f8abfcc/go.mod h1:RGgjbofJ8xD9Sq1VVhDM1Vok1vRONV+rg+CjzG4SZKM=
+google.golang.org/genproto v0.0.0-20230306155012-7f2fa6fef1f4 h1:DdoeryqhaXp1LtT/emMP1BRJPHHKFi5akj/nbx/zNTA=
+google.golang.org/genproto v0.0.0-20230306155012-7f2fa6fef1f4/go.mod h1:NWraEVixdDnqcqQ30jipen1STv2r/n24Wb7twVTGR4s=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.25.1/go.mod h1:c3i+UQWmh7LiEpx4sFZnkU36qjEYZ0imhYfXVyQciAY=
@@ -196,10 +224,10 @@ google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpAD
 google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
 google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=
-google.golang.org/protobuf v1.28.1 h1:d0NfwRgPtno5B1Wa6L2DAG+KivqkdutMf1UhdNx175w=
-google.golang.org/protobuf v1.28.1/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
-gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM=
+google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng=
+google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
+gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk=
 gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
 gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
--- a/log/event.go
+++ b/log/event.go
@@ -3,6 +3,7 @@ package log
 import (
 	"encoding/json"
 	"fmt"
+	"heckel.io/ntfy/util"
 	"log"
 	"os"
 	"sort"
@@ -11,11 +12,11 @@ import (
 )

 const (
-	tagField        = "tag"
-	errorField      = "error"
-	timeTakenField  = "time_taken_ms"
-	exitCodeField   = "exit_code"
-	timestampFormat = "2006-01-02T15:04:05.999Z07:00"
+	fieldTag       = "tag"
+	fieldError     = "error"
+	fieldTimeTaken = "time_taken_ms"
+	fieldExitCode  = "exit_code"
+	tagStdLog      = "stdlog"
 )

 // Event represents a single log event
@@ -40,7 +41,7 @@ func newEvent() *Event {

 // Fatal logs the event as FATAL, and exits the program with exit code 1
 func (e *Event) Fatal(message string, v ...any) {
-	e.Field(exitCodeField, 1).maybeLog(FatalLevel, message, v...)
+	e.Field(fieldExitCode, 1).maybeLog(FatalLevel, message, v...)
 	fmt.Fprintf(os.Stderr, message+"\n", v...) // Always output error to stderr
 	os.Exit(1)
 }
@@ -72,7 +73,7 @@ func (e *Event) Trace(message string, v ...any) {

 // Tag adds a "tag" field to the log event
 func (e *Event) Tag(tag string) *Event {
-	return e.Field(tagField, tag)
+	return e.Field(fieldTag, tag)
 }

 // Time sets the time field
@@ -85,7 +86,7 @@ func (e *Event) Time(t time.Time) *Event {
 func (e *Event) Timing(f func()) *Event {
 	start := time.Now()
 	f()
-	return e.Field(timeTakenField, time.Since(start).Milliseconds())
+	return e.Field(fieldTimeTaken, time.Since(start).Milliseconds())
 }

 // Err adds an "error" field to the log event
@@ -95,7 +96,7 @@ func (e *Event) Err(err error) *Event {
 	} else if c, ok := err.(Contexter); ok {
 		return e.With(c)
 	}
-	return e.Field(errorField, err.Error())
+	return e.Field(fieldError, err.Error())
 }

 // Field adds a custom field and value to the log event
@@ -118,38 +119,44 @@ func (e *Event) Fields(fields Context) *Event {
 	return e
 }

-// With adds the fields of the given Contexter structs to the log event by calling their With method
-func (e *Event) With(contexts ...Contexter) *Event {
+// With adds the fields of the given Contexter structs to the log event by calling their Context method
+func (e *Event) With(contexters ...Contexter) *Event {
 	if e.contexters == nil {
-		e.contexters = contexts
+		e.contexters = contexters
 	} else {
-		e.contexters = append(e.contexters, contexts...)
+		e.contexters = append(e.contexters, contexters...)
 	}
 	return e
 }

-// maybeLog logs the event to the defined output. The event is only logged, if
-// either the global log level is >= l, or if the log level in one of the overrides matches
+// Render returns the rendered log event as a string, or an empty string. The event is only rendered,
+// if either the global log level is >= l, or if the log level in one of the overrides matches
 // the level.
 //
 // If no overrides are defined (default), the Contexter array is not applied unless the event
 // is actually logged. If overrides are defined, then Contexters have to be applied in any case
 // to determine if they match. This is super complicated, but required for efficiency.
-func (e *Event) maybeLog(l Level, message string, v ...any) {
+func (e *Event) Render(l Level, message string, v ...any) string {
 	appliedContexters := e.maybeApplyContexters()
 	if !e.shouldLog(l) {
-		return
+		return ""
 	}
 	e.Message = fmt.Sprintf(message, v...)
 	e.Level = l
-	e.Timestamp = e.time.Format(timestampFormat)
+	e.Timestamp = util.FormatTime(e.time)
 	if !appliedContexters {
 		e.applyContexters()
 	}
 	if CurrentFormat() == JSONFormat {
-		log.Println(e.JSON())
-	} else {
-		log.Println(e.String())
+		return e.JSON()
+	}
+	return e.String()
+}
+
+// maybeLog logs the event to the defined output, or does nothing if Render returns an empty string
+func (e *Event) maybeLog(l Level, message string, v ...any) {
+	if m := e.Render(l, message, v...); m != "" {
+		log.Println(m)
 	}
 }

@@ -203,11 +210,13 @@ func (e *Event) globalLevelWithOverride() Level {
 	if e.fields == nil {
 		return l
 	}
-	for field, override := range ov {
+	for field, fieldOverrides := range ov {
 		value, exists := e.fields[field]
 		if exists {
-			if override.value == "" || override.value == value || override.value == fmt.Sprintf("%v", value) {
-				return override.level
+			for _, o := range fieldOverrides {
+				if o.value == "" || o.value == value || o.value == fmt.Sprintf("%v", value) {
+					return o.level
+				}
 			}
 		}
 	}
--- a/log/log.go
+++ b/log/log.go
@@ -4,6 +4,7 @@ import (
 	"io"
 	"log"
 	"os"
+	"strings"
 	"sync"
 	"time"
 )
@@ -12,17 +13,26 @@ import (
 var (
 	DefaultLevel  = InfoLevel
 	DefaultFormat = TextFormat
-	DefaultOutput = os.Stderr
+	DefaultOutput = &peekLogWriter{os.Stderr}
 )

 var (
 	level               = DefaultLevel
 	format              = DefaultFormat
-	overrides           = make(map[string]*levelOverride)
+	overrides           = make(map[string][]*levelOverride)
 	output    io.Writer = DefaultOutput
+	filename            = ""
 	mu                  = &sync.RWMutex{}
 )

+// init sets the default log output (including log.SetOutput)
+//
+// This has to be explicitly called, because DefaultOutput is a peekLogWriter,
+// which wraps os.Stderr.
+func init() {
+	SetOutput(DefaultOutput)
+}
+
 // Fatal prints the given message, and exits the program
 func Fatal(message string, v ...any) {
 	newEvent().Fatal(message, v...)
@@ -101,14 +111,17 @@ func SetLevel(newLevel Level) {
 func SetLevelOverride(field string, value string, level Level) {
 	mu.Lock()
 	defer mu.Unlock()
-	overrides[field] = &levelOverride{value: value, level: level}
+	if _, ok := overrides[field]; !ok {
+		overrides[field] = make([]*levelOverride, 0)
+	}
+	overrides[field] = append(overrides[field], &levelOverride{value: value, level: level})
 }

 // ResetLevelOverrides removes all log level overrides
 func ResetLevelOverrides() {
 	mu.Lock()
 	defer mu.Unlock()
-	overrides = make(map[string]*levelOverride)
+	overrides = make(map[string][]*levelOverride)
 }

 // CurrentFormat returns the current log format
@@ -132,28 +145,27 @@ func SetFormat(newFormat Format) {
 func SetOutput(w io.Writer) {
 	mu.Lock()
 	defer mu.Unlock()
-	log.SetOutput(w)
-	output = w
+	output = &peekLogWriter{w}
+	if f, ok := w.(*os.File); ok {
+		filename = f.Name()
+	} else {
+		filename = ""
+	}
+	log.SetOutput(output)
 }

 // File returns the log file, if any, or an empty string otherwise
 func File() string {
 	mu.RLock()
 	defer mu.RUnlock()
-	if f, ok := output.(*os.File); ok {
-		return f.Name()
-	}
-	return ""
+	return filename
 }

 // IsFile returns true if the output is a non-default file
 func IsFile() bool {
 	mu.RLock()
 	defer mu.RUnlock()
-	if _, ok := output.(*os.File); ok && output != DefaultOutput {
-		return true
-	}
-	return false
+	return filename != ""
 }

 // DisableDates disables the date/time prefix
@@ -175,3 +187,20 @@ func IsTrace() bool {
 func IsDebug() bool {
 	return Loggable(DebugLevel)
 }
+
+// peekLogWriter is an io.Writer which will peek at the rendered log event,
+// and ensure that the rendered output is valid JSON. This is a hack!
+type peekLogWriter struct {
+	w io.Writer
+}
+
+func (w *peekLogWriter) Write(p []byte) (n int, err error) {
+	if len(p) == 0 || p[0] == '{' || CurrentFormat() == TextFormat {
+		return w.w.Write(p)
+	}
+	m := newEvent().Tag(tagStdLog).Render(InfoLevel, strings.TrimSpace(string(p)))
+	if m == "" {
+		return 0, nil
+	}
+	return w.w.Write([]byte(m + "\n"))
+}
--- a/log/log_test.go
+++ b/log/log_test.go
@@ -4,7 +4,10 @@ import (
 	"bytes"
 	"encoding/json"
 	"github.com/stretchr/testify/require"
+	"io"
+	"log"
 	"os"
+	"path/filepath"
 	"testing"
 	"time"
 )
@@ -170,6 +173,72 @@ func TestLog_LevelOverrideAny(t *testing.T) {
 {"time":"1970-01-01T00:00:14Z","level":"INFO","message":"this is also logged","time_taken_ms":0}
 `
 	require.Equal(t, expected, out.String())
+	require.False(t, IsFile())
+	require.Equal(t, "", File())
+}
+
+func TestLog_LevelOverride_ManyOnSameField(t *testing.T) {
+	t.Cleanup(resetState)
+
+	var out bytes.Buffer
+	SetOutput(&out)
+	SetFormat(JSONFormat)
+	SetLevelOverride("tag", "manager", DebugLevel)
+	SetLevelOverride("tag", "publish", DebugLevel)
+
+	Time(time.Unix(11, 0).UTC()).Field("tag", "manager").Debug("this is logged")
+	Time(time.Unix(12, 0).UTC()).Field("tag", "no-match").Debug("this is not logged")
+	Time(time.Unix(13, 0).UTC()).Field("tag", "publish").Info("this is also logged")
+
+	expected := `{"time":"1970-01-01T00:00:11Z","level":"DEBUG","message":"this is logged","tag":"manager"}
+{"time":"1970-01-01T00:00:13Z","level":"INFO","message":"this is also logged","tag":"publish"}
+`
+	require.Equal(t, expected, out.String())
+	require.False(t, IsFile())
+	require.Equal(t, "", File())
+}
+
+func TestLog_UsingStdLogger_JSON(t *testing.T) {
+	t.Cleanup(resetState)
+
+	var out bytes.Buffer
+	SetOutput(&out)
+	SetFormat(JSONFormat)
+
+	log.Println("Some other library is using the standard Go logger")
+	require.Contains(t, out.String(), `,"level":"INFO","message":"Some other library is using the standard Go logger","tag":"stdlog"}`+"\n")
+}
+
+func TestLog_UsingStdLogger_Text(t *testing.T) {
+	t.Cleanup(resetState)
+
+	var out bytes.Buffer
+	SetOutput(&out)
+
+	log.Println("Some other library is using the standard Go logger")
+	require.Contains(t, out.String(), `Some other library is using the standard Go logger`+"\n")
+	require.NotContains(t, out.String(), `{`)
+}
+
+func TestLog_File(t *testing.T) {
+	t.Cleanup(resetState)
+
+	logfile := filepath.Join(t.TempDir(), "ntfy.log")
+	f, err := os.OpenFile(logfile, os.O_CREATE|os.O_WRONLY, 0600)
+	require.Nil(t, err)
+	SetOutput(f)
+	SetFormat(JSONFormat)
+	require.True(t, IsFile())
+	require.Equal(t, logfile, File())
+
+	Time(time.Unix(11, 0).UTC()).Field("this_one", "11").Info("this is logged")
+	require.Nil(t, f.Close())
+
+	f, err = os.Open(logfile)
+	require.Nil(t, err)
+	contents, err := io.ReadAll(f)
+	require.Nil(t, err)
+	require.Equal(t, `{"time":"1970-01-01T00:00:11Z","level":"INFO","message":"this is logged","this_one":"11"}`+"\n", string(contents))
 }

 type fakeError struct {
--- a/log/types.go
+++ b/log/types.go
@@ -102,6 +102,13 @@ type Contexter interface {
 // Context represents an object's state in the form of key-value pairs
 type Context map[string]any

+// Merge merges other into this context
+func (c Context) Merge(other Context) {
+	for k, v := range other {
+		c[k] = v
+	}
+}
+
 type levelOverride struct {
 	value string
 	level Level
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -9,7 +9,9 @@ edit_uri: blob/main/docs/

 theme:
  name: material
+  font: false
  language: en
+  custom_dir: docs/_overrides
  logo: static/img/ntfy.png
  favicon: static/img/favicon.png
  include_search_page: false
@@ -69,6 +71,9 @@ plugins:
  - search
  - minify:
      minify_html: true
+  - mkdocs-simple-hooks:
+      hooks:
+        on_post_build: "docs.hooks:copy_fonts"

 nav:
 - "Getting started": index.md
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,3 +1,4 @@
 # The documentation uses 'mkdocs', which is written in Python
 mkdocs-material
 mkdocs-minify-plugin
+mkdocs-simple-hooks
--- a/server/config.go
+++ b/server/config.go
@@ -49,7 +49,7 @@ const (
 	DefaultVisitorEmailLimitReplenish           = time.Hour
 	DefaultVisitorAccountCreationLimitBurst     = 3
 	DefaultVisitorAccountCreationLimitReplenish = 24 * time.Hour
-	DefaultVisitorAuthFailureLimitBurst         = 10
+	DefaultVisitorAuthFailureLimitBurst         = 30
 	DefaultVisitorAuthFailureLimitReplenish     = time.Minute
 	DefaultVisitorAttachmentTotalSizeLimit      = 100 * 1024 * 1024 // 100 MB
 	DefaultVisitorAttachmentDailyBandwidthLimit = 500 * 1024 * 1024 // 500 MB
@@ -61,7 +61,7 @@ var (

 	// DefaultDisallowedTopics defines the topics that are forbidden, because they are used elsewhere. This array can be
 	// extended using the server.yml config. If updated, also update in Android and web app.
-	DefaultDisallowedTopics = []string{"docs", "static", "file", "app", "account", "settings", "signup", "login", "v1"}
+	DefaultDisallowedTopics = []string{"docs", "static", "file", "app", "metrics", "account", "settings", "signup", "login", "v1"}
 )

 // Config is the main config struct for the application. Use New to instantiate a default config struct.
@@ -105,6 +105,8 @@ type Config struct {
 	SMTPServerListen                     string
 	SMTPServerDomain                     string
 	SMTPServerAddrPrefix                 string
+	MetricsEnable                        bool
+	MetricsListenHTTP                    string
 	MessageLimit                         int
 	MinDelay                             time.Duration
 	MaxDelay                             time.Duration
@@ -124,14 +126,17 @@ type Config struct {
 	VisitorAuthFailureLimitBurst         int
 	VisitorAuthFailureLimitReplenish     time.Duration
 	VisitorStatsResetTime                time.Time // Time of the day at which to reset visitor stats
+	VisitorSubscriberRateLimiting        bool      // Enable subscriber-based rate limiting for UnifiedPush topics
 	BehindProxy                          bool
 	StripeSecretKey                      string
 	StripeWebhookKey                     string
 	StripePriceCacheDuration             time.Duration
+	BillingContact                       string
 	EnableWeb                            bool
 	EnableSignup                         bool // Enable creation of accounts via API and UI
 	EnableLogin                          bool
-	EnableReservations                   bool   // Allow users with role "user" to own/reserve topics
+	EnableReservations                   bool // Allow users with role "user" to own/reserve topics
+	EnableMetrics                        bool
 	AccessControlAllowOrigin             string // CORS header field to restrict access from web clients
 	Version                              string // injected by App
 }
@@ -197,10 +202,12 @@ func NewConfig() *Config {
 		VisitorAuthFailureLimitBurst:         DefaultVisitorAuthFailureLimitBurst,
 		VisitorAuthFailureLimitReplenish:     DefaultVisitorAuthFailureLimitReplenish,
 		VisitorStatsResetTime:                DefaultVisitorStatsResetTime,
+		VisitorSubscriberRateLimiting:        false,
 		BehindProxy:                          false,
 		StripeSecretKey:                      "",
 		StripeWebhookKey:                     "",
 		StripePriceCacheDuration:             DefaultStripePriceCacheDuration,
+		BillingContact:                       "",
 		EnableWeb:                            true,
 		EnableSignup:                         false,
 		EnableLogin:                          false,
--- a/server/errors.go
+++ b/server/errors.go
@@ -13,6 +13,7 @@ type errHTTP struct {
 	HTTPCode int    `json:"http"`
 	Message  string `json:"error"`
 	Link     string `json:"link,omitempty"`
+	context  log.Context
 }

 func (e errHTTP) Error() string {
@@ -25,71 +26,106 @@ func (e errHTTP) JSON() string {
 }

 func (e errHTTP) Context() log.Context {
-	return log.Context{
+	context := log.Context{
 		"error":       e.Message,
 		"error_code":  e.Code,
 		"http_status": e.HTTPCode,
 	}
+	for k, v := range e.context {
+		context[k] = v
+	}
+	return context
 }

-func wrapErrHTTP(err *errHTTP, message string, args ...any) *errHTTP {
-	return &errHTTP{
-		Code:     err.Code,
-		HTTPCode: err.HTTPCode,
-		Message:  fmt.Sprintf("%s, %s", err.Message, fmt.Sprintf(message, args...)),
-		Link:     err.Link,
+func (e errHTTP) Wrap(message string, args ...any) *errHTTP {
+	clone := e.clone()
+	clone.Message = fmt.Sprintf("%s; %s", clone.Message, fmt.Sprintf(message, args...))
+	return &clone
+}
+
+func (e errHTTP) With(contexters ...log.Contexter) *errHTTP {
+	c := e.clone()
+	if c.context == nil {
+		c.context = make(log.Context)
+	}
+	for _, contexter := range contexters {
+		c.context.Merge(contexter.Context())
+	}
+	return &c
+}
+
+func (e errHTTP) Fields(context log.Context) *errHTTP {
+	c := e.clone()
+	if c.context == nil {
+		c.context = make(log.Context)
+	}
+	c.context.Merge(context)
+	return &c
+}
+
+func (e errHTTP) clone() errHTTP {
+	context := make(log.Context)
+	for k, v := range e.context {
+		context[k] = v
+	}
+	return errHTTP{
+		Code:     e.Code,
+		HTTPCode: e.HTTPCode,
+		Message:  e.Message,
+		Link:     e.Link,
+		context:  context,
 	}
 }

 var (
-	errHTTPBadRequest                                = &errHTTP{40000, http.StatusBadRequest, "invalid request", ""}
-	errHTTPBadRequestEmailDisabled                   = &errHTTP{40001, http.StatusBadRequest, "e-mail notifications are not enabled", "https://ntfy.sh/docs/config/#e-mail-notifications"}
-	errHTTPBadRequestDelayNoCache                    = &errHTTP{40002, http.StatusBadRequest, "cannot disable cache for delayed message", ""}
-	errHTTPBadRequestDelayNoEmail                    = &errHTTP{40003, http.StatusBadRequest, "delayed e-mail notifications are not supported", ""}
-	errHTTPBadRequestDelayCannotParse                = &errHTTP{40004, http.StatusBadRequest, "invalid delay parameter: unable to parse delay", "https://ntfy.sh/docs/publish/#scheduled-delivery"}
-	errHTTPBadRequestDelayTooSmall                   = &errHTTP{40005, http.StatusBadRequest, "invalid delay parameter: too small, please refer to the docs", "https://ntfy.sh/docs/publish/#scheduled-delivery"}
-	errHTTPBadRequestDelayTooLarge                   = &errHTTP{40006, http.StatusBadRequest, "invalid delay parameter: too large, please refer to the docs", "https://ntfy.sh/docs/publish/#scheduled-delivery"}
-	errHTTPBadRequestPriorityInvalid                 = &errHTTP{40007, http.StatusBadRequest, "invalid priority parameter", "https://ntfy.sh/docs/publish/#message-priority"}
-	errHTTPBadRequestSinceInvalid                    = &errHTTP{40008, http.StatusBadRequest, "invalid since parameter", "https://ntfy.sh/docs/subscribe/api/#fetch-cached-messages"}
-	errHTTPBadRequestTopicInvalid                    = &errHTTP{40009, http.StatusBadRequest, "invalid request: topic invalid", ""}
-	errHTTPBadRequestTopicDisallowed                 = &errHTTP{40010, http.StatusBadRequest, "invalid request: topic name is not allowed", ""}
-	errHTTPBadRequestMessageNotUTF8                  = &errHTTP{40011, http.StatusBadRequest, "invalid message: message must be UTF-8 encoded", ""}
-	errHTTPBadRequestAttachmentURLInvalid            = &errHTTP{40013, http.StatusBadRequest, "invalid request: attachment URL is invalid", "https://ntfy.sh/docs/publish/#attachments"}
-	errHTTPBadRequestAttachmentsDisallowed           = &errHTTP{40014, http.StatusBadRequest, "invalid request: attachments not allowed", "https://ntfy.sh/docs/config/#attachments"}
-	errHTTPBadRequestAttachmentsExpiryBeforeDelivery = &errHTTP{40015, http.StatusBadRequest, "invalid request: attachment expiry before delayed delivery date", "https://ntfy.sh/docs/publish/#scheduled-delivery"}
-	errHTTPBadRequestWebSocketsUpgradeHeaderMissing  = &errHTTP{40016, http.StatusBadRequest, "invalid request: client not using the websocket protocol", "https://ntfy.sh/docs/subscribe/api/#websockets"}
-	errHTTPBadRequestMessageJSONInvalid              = &errHTTP{40017, http.StatusBadRequest, "invalid request: request body must be message JSON", "https://ntfy.sh/docs/publish/#publish-as-json"}
-	errHTTPBadRequestActionsInvalid                  = &errHTTP{40018, http.StatusBadRequest, "invalid request: actions invalid", "https://ntfy.sh/docs/publish/#action-buttons"}
-	errHTTPBadRequestMatrixMessageInvalid            = &errHTTP{40019, http.StatusBadRequest, "invalid request: Matrix JSON invalid", "https://ntfy.sh/docs/publish/#matrix-gateway"}
-	errHTTPBadRequestMatrixPushkeyBaseURLMismatch    = &errHTTP{40020, http.StatusBadRequest, "invalid request: push key must be prefixed with base URL", "https://ntfy.sh/docs/publish/#matrix-gateway"}
-	errHTTPBadRequestIconURLInvalid                  = &errHTTP{40021, http.StatusBadRequest, "invalid request: icon URL is invalid", "https://ntfy.sh/docs/publish/#icons"}
-	errHTTPBadRequestSignupNotEnabled                = &errHTTP{40022, http.StatusBadRequest, "invalid request: signup not enabled", "https://ntfy.sh/docs/config"}
-	errHTTPBadRequestNoTokenProvided                 = &errHTTP{40023, http.StatusBadRequest, "invalid request: no token provided", ""}
-	errHTTPBadRequestJSONInvalid                     = &errHTTP{40024, http.StatusBadRequest, "invalid request: request body must be valid JSON", ""}
-	errHTTPBadRequestPermissionInvalid               = &errHTTP{40025, http.StatusBadRequest, "invalid request: incorrect permission string", ""}
-	errHTTPBadRequestIncorrectPasswordConfirmation   = &errHTTP{40026, http.StatusBadRequest, "invalid request: password confirmation is not correct", ""}
-	errHTTPBadRequestNotAPaidUser                    = &errHTTP{40027, http.StatusBadRequest, "invalid request: not a paid user", ""}
-	errHTTPBadRequestBillingRequestInvalid           = &errHTTP{40028, http.StatusBadRequest, "invalid request: not a valid billing request", ""}
-	errHTTPBadRequestBillingSubscriptionExists       = &errHTTP{40029, http.StatusBadRequest, "invalid request: billing subscription already exists", ""}
-	errHTTPNotFound                                  = &errHTTP{40401, http.StatusNotFound, "page not found", ""}
-	errHTTPUnauthorized                              = &errHTTP{40101, http.StatusUnauthorized, "unauthorized", "https://ntfy.sh/docs/publish/#authentication"}
-	errHTTPForbidden                                 = &errHTTP{40301, http.StatusForbidden, "forbidden", "https://ntfy.sh/docs/publish/#authentication"}
-	errHTTPConflictUserExists                        = &errHTTP{40901, http.StatusConflict, "conflict: user already exists", ""}
-	errHTTPConflictTopicReserved                     = &errHTTP{40902, http.StatusConflict, "conflict: access control entry for topic or topic pattern already exists", ""}
-	errHTTPConflictSubscriptionExists                = &errHTTP{40903, http.StatusConflict, "conflict: topic subscription already exists", ""}
-	errHTTPEntityTooLargeAttachment                  = &errHTTP{41301, http.StatusRequestEntityTooLarge, "attachment too large, or bandwidth limit reached", "https://ntfy.sh/docs/publish/#limitations"}
-	errHTTPEntityTooLargeMatrixRequest               = &errHTTP{41302, http.StatusRequestEntityTooLarge, "Matrix request is larger than the max allowed length", ""}
-	errHTTPEntityTooLargeJSONBody                    = &errHTTP{41303, http.StatusRequestEntityTooLarge, "JSON body too large", ""}
-	errHTTPTooManyRequestsLimitRequests              = &errHTTP{42901, http.StatusTooManyRequests, "limit reached: too many requests, please be nice", "https://ntfy.sh/docs/publish/#limitations"}
-	errHTTPTooManyRequestsLimitEmails                = &errHTTP{42902, http.StatusTooManyRequests, "limit reached: too many emails, please be nice", "https://ntfy.sh/docs/publish/#limitations"}
-	errHTTPTooManyRequestsLimitSubscriptions         = &errHTTP{42903, http.StatusTooManyRequests, "limit reached: too many active subscriptions, please be nice", "https://ntfy.sh/docs/publish/#limitations"}
-	errHTTPTooManyRequestsLimitTotalTopics           = &errHTTP{42904, http.StatusTooManyRequests, "limit reached: the total number of topics on the server has been reached, please contact the admin", "https://ntfy.sh/docs/publish/#limitations"}
-	errHTTPTooManyRequestsLimitAttachmentBandwidth   = &errHTTP{42905, http.StatusTooManyRequests, "limit reached: daily bandwidth reached", "https://ntfy.sh/docs/publish/#limitations"}
-	errHTTPTooManyRequestsLimitAccountCreation       = &errHTTP{42906, http.StatusTooManyRequests, "limit reached: too many accounts created", "https://ntfy.sh/docs/publish/#limitations"} // FIXME document limit
-	errHTTPTooManyRequestsLimitReservations          = &errHTTP{42907, http.StatusTooManyRequests, "limit reached: too many topic reservations for this user", ""}
-	errHTTPTooManyRequestsLimitMessages              = &errHTTP{42908, http.StatusTooManyRequests, "limit reached: daily message quota reached", "https://ntfy.sh/docs/publish/#limitations"}
-	errHTTPTooManyRequestsLimitAuthFailure           = &errHTTP{42909, http.StatusTooManyRequests, "limit reached: too many auth failures", "https://ntfy.sh/docs/publish/#limitations"} // FIXME document limit
-	errHTTPInternalError                             = &errHTTP{50001, http.StatusInternalServerError, "internal server error", ""}
-	errHTTPInternalErrorInvalidPath                  = &errHTTP{50002, http.StatusInternalServerError, "internal server error: invalid path", ""}
-	errHTTPInternalErrorMissingBaseURL               = &errHTTP{50003, http.StatusInternalServerError, "internal server error: base-url must be be configured for this feature", "https://ntfy.sh/docs/config/"}
+	errHTTPBadRequest                                = &errHTTP{40000, http.StatusBadRequest, "invalid request", "", nil}
+	errHTTPBadRequestEmailDisabled                   = &errHTTP{40001, http.StatusBadRequest, "e-mail notifications are not enabled", "https://ntfy.sh/docs/config/#e-mail-notifications", nil}
+	errHTTPBadRequestDelayNoCache                    = &errHTTP{40002, http.StatusBadRequest, "cannot disable cache for delayed message", "", nil}
+	errHTTPBadRequestDelayNoEmail                    = &errHTTP{40003, http.StatusBadRequest, "delayed e-mail notifications are not supported", "", nil}
+	errHTTPBadRequestDelayCannotParse                = &errHTTP{40004, http.StatusBadRequest, "invalid delay parameter: unable to parse delay", "https://ntfy.sh/docs/publish/#scheduled-delivery", nil}
+	errHTTPBadRequestDelayTooSmall                   = &errHTTP{40005, http.StatusBadRequest, "invalid delay parameter: too small, please refer to the docs", "https://ntfy.sh/docs/publish/#scheduled-delivery", nil}
+	errHTTPBadRequestDelayTooLarge                   = &errHTTP{40006, http.StatusBadRequest, "invalid delay parameter: too large, please refer to the docs", "https://ntfy.sh/docs/publish/#scheduled-delivery", nil}
+	errHTTPBadRequestPriorityInvalid                 = &errHTTP{40007, http.StatusBadRequest, "invalid priority parameter", "https://ntfy.sh/docs/publish/#message-priority", nil}
+	errHTTPBadRequestSinceInvalid                    = &errHTTP{40008, http.StatusBadRequest, "invalid since parameter", "https://ntfy.sh/docs/subscribe/api/#fetch-cached-messages", nil}
+	errHTTPBadRequestTopicInvalid                    = &errHTTP{40009, http.StatusBadRequest, "invalid request: topic invalid", "", nil}
+	errHTTPBadRequestTopicDisallowed                 = &errHTTP{40010, http.StatusBadRequest, "invalid request: topic name is not allowed", "", nil}
+	errHTTPBadRequestMessageNotUTF8                  = &errHTTP{40011, http.StatusBadRequest, "invalid message: message must be UTF-8 encoded", "", nil}
+	errHTTPBadRequestAttachmentURLInvalid            = &errHTTP{40013, http.StatusBadRequest, "invalid request: attachment URL is invalid", "https://ntfy.sh/docs/publish/#attachments", nil}
+	errHTTPBadRequestAttachmentsDisallowed           = &errHTTP{40014, http.StatusBadRequest, "invalid request: attachments not allowed", "https://ntfy.sh/docs/config/#attachments", nil}
+	errHTTPBadRequestAttachmentsExpiryBeforeDelivery = &errHTTP{40015, http.StatusBadRequest, "invalid request: attachment expiry before delayed delivery date", "https://ntfy.sh/docs/publish/#scheduled-delivery", nil}
+	errHTTPBadRequestWebSocketsUpgradeHeaderMissing  = &errHTTP{40016, http.StatusBadRequest, "invalid request: client not using the websocket protocol", "https://ntfy.sh/docs/subscribe/api/#websockets", nil}
+	errHTTPBadRequestMessageJSONInvalid              = &errHTTP{40017, http.StatusBadRequest, "invalid request: request body must be message JSON", "https://ntfy.sh/docs/publish/#publish-as-json", nil}
+	errHTTPBadRequestActionsInvalid                  = &errHTTP{40018, http.StatusBadRequest, "invalid request: actions invalid", "https://ntfy.sh/docs/publish/#action-buttons", nil}
+	errHTTPBadRequestMatrixMessageInvalid            = &errHTTP{40019, http.StatusBadRequest, "invalid request: Matrix JSON invalid", "https://ntfy.sh/docs/publish/#matrix-gateway", nil}
+	errHTTPBadRequestIconURLInvalid                  = &errHTTP{40021, http.StatusBadRequest, "invalid request: icon URL is invalid", "https://ntfy.sh/docs/publish/#icons", nil}
+	errHTTPBadRequestSignupNotEnabled                = &errHTTP{40022, http.StatusBadRequest, "invalid request: signup not enabled", "https://ntfy.sh/docs/config", nil}
+	errHTTPBadRequestNoTokenProvided                 = &errHTTP{40023, http.StatusBadRequest, "invalid request: no token provided", "", nil}
+	errHTTPBadRequestJSONInvalid                     = &errHTTP{40024, http.StatusBadRequest, "invalid request: request body must be valid JSON", "", nil}
+	errHTTPBadRequestPermissionInvalid               = &errHTTP{40025, http.StatusBadRequest, "invalid request: incorrect permission string", "", nil}
+	errHTTPBadRequestIncorrectPasswordConfirmation   = &errHTTP{40026, http.StatusBadRequest, "invalid request: password confirmation is not correct", "", nil}
+	errHTTPBadRequestNotAPaidUser                    = &errHTTP{40027, http.StatusBadRequest, "invalid request: not a paid user", "", nil}
+	errHTTPBadRequestBillingRequestInvalid           = &errHTTP{40028, http.StatusBadRequest, "invalid request: not a valid billing request", "", nil}
+	errHTTPBadRequestBillingSubscriptionExists       = &errHTTP{40029, http.StatusBadRequest, "invalid request: billing subscription already exists", "", nil}
+	errHTTPNotFound                                  = &errHTTP{40401, http.StatusNotFound, "page not found", "", nil}
+	errHTTPUnauthorized                              = &errHTTP{40101, http.StatusUnauthorized, "unauthorized", "https://ntfy.sh/docs/publish/#authentication", nil}
+	errHTTPForbidden                                 = &errHTTP{40301, http.StatusForbidden, "forbidden", "https://ntfy.sh/docs/publish/#authentication", nil}
+	errHTTPConflictUserExists                        = &errHTTP{40901, http.StatusConflict, "conflict: user already exists", "", nil}
+	errHTTPConflictTopicReserved                     = &errHTTP{40902, http.StatusConflict, "conflict: access control entry for topic or topic pattern already exists", "", nil}
+	errHTTPConflictSubscriptionExists                = &errHTTP{40903, http.StatusConflict, "conflict: topic subscription already exists", "", nil}
+	errHTTPEntityTooLargeAttachment                  = &errHTTP{41301, http.StatusRequestEntityTooLarge, "attachment too large, or bandwidth limit reached", "https://ntfy.sh/docs/publish/#limitations", nil}
+	errHTTPEntityTooLargeMatrixRequest               = &errHTTP{41302, http.StatusRequestEntityTooLarge, "Matrix request is larger than the max allowed length", "", nil}
+	errHTTPEntityTooLargeJSONBody                    = &errHTTP{41303, http.StatusRequestEntityTooLarge, "JSON body too large", "", nil}
+	errHTTPTooManyRequestsLimitRequests              = &errHTTP{42901, http.StatusTooManyRequests, "limit reached: too many requests", "https://ntfy.sh/docs/publish/#limitations", nil}
+	errHTTPTooManyRequestsLimitEmails                = &errHTTP{42902, http.StatusTooManyRequests, "limit reached: too many emails", "https://ntfy.sh/docs/publish/#limitations", nil}
+	errHTTPTooManyRequestsLimitSubscriptions         = &errHTTP{42903, http.StatusTooManyRequests, "limit reached: too many active subscriptions", "https://ntfy.sh/docs/publish/#limitations", nil}
+	errHTTPTooManyRequestsLimitTotalTopics           = &errHTTP{42904, http.StatusTooManyRequests, "limit reached: the total number of topics on the server has been reached, please contact the admin", "https://ntfy.sh/docs/publish/#limitations", nil}
+	errHTTPTooManyRequestsLimitAttachmentBandwidth   = &errHTTP{42905, http.StatusTooManyRequests, "limit reached: daily bandwidth reached", "https://ntfy.sh/docs/publish/#limitations", nil}
+	errHTTPTooManyRequestsLimitAccountCreation       = &errHTTP{42906, http.StatusTooManyRequests, "limit reached: too many accounts created", "https://ntfy.sh/docs/publish/#limitations", nil} // FIXME document limit
+	errHTTPTooManyRequestsLimitReservations          = &errHTTP{42907, http.StatusTooManyRequests, "limit reached: too many topic reservations for this user", "", nil}
+	errHTTPTooManyRequestsLimitMessages              = &errHTTP{42908, http.StatusTooManyRequests, "limit reached: daily message quota reached", "https://ntfy.sh/docs/publish/#limitations", nil}
+	errHTTPTooManyRequestsLimitAuthFailure           = &errHTTP{42909, http.StatusTooManyRequests, "limit reached: too many auth failures", "https://ntfy.sh/docs/publish/#limitations", nil} // FIXME document limit
+	errHTTPInternalError                             = &errHTTP{50001, http.StatusInternalServerError, "internal server error", "", nil}
+	errHTTPInternalErrorInvalidPath                  = &errHTTP{50002, http.StatusInternalServerError, "internal server error: invalid path", "", nil}
+	errHTTPInternalErrorMissingBaseURL               = &errHTTP{50003, http.StatusInternalServerError, "internal server error: base-url must be be configured for this feature", "https://ntfy.sh/docs/config/", nil}
+	errHTTPInsufficientStorageUnifiedPush            = &errHTTP{50701, http.StatusInsufficientStorage, "cannot publish to UnifiedPush topic without previously active subscriber", "", nil}
 )
--- a/server/file_cache.go
+++ b/server/file_cache.go
@@ -67,6 +67,7 @@ func (c *fileCache) Write(id string, in io.Reader, limiters ...util.Limiter) (in
 	}
 	c.mu.Lock()
 	c.totalSizeCurrent += size
+	mset(metricAttachmentsTotalSize, c.totalSizeCurrent)
 	c.mu.Unlock()
 	return size, nil
 }
@@ -89,6 +90,7 @@ func (c *fileCache) Remove(ids ...string) error {
 	c.mu.Lock()
 	c.totalSizeCurrent = size
 	c.mu.Unlock()
+	mset(metricAttachmentsTotalSize, size)
 	return nil
 }

--- a/server/log.go
+++ b/server/log.go
@@ -30,6 +30,11 @@ const (
 	tagMatrix       = "matrix"
 )

+var (
+	normalErrorCodes       = []int{http.StatusNotFound, http.StatusBadRequest, http.StatusTooManyRequests, http.StatusUnauthorized, http.StatusForbidden, http.StatusInsufficientStorage}
+	rateLimitingErrorCodes = []int{http.StatusTooManyRequests, http.StatusRequestEntityTooLarge}
+)
+
 // logr creates a new log event with HTTP request fields
 func logr(r *http.Request) *log.Event {
 	return log.Tag(tagHTTP).Fields(httpContext(r)) // Tag may be overwritten
--- a/server/message_cache.go
+++ b/server/message_cache.go
@@ -536,7 +536,7 @@ func (c *messageCache) ExpireMessages(topics ...string) error {
 	}
 	defer tx.Rollback()
 	for _, t := range topics {
-		if _, err := tx.Exec(updateMessagesForTopicExpiryQuery, time.Now().Unix(), t); err != nil {
+		if _, err := tx.Exec(updateMessagesForTopicExpiryQuery, time.Now().Unix()-1, t); err != nil {
 			return err
 		}
 	}
--- a/server/server.go
+++ b/server/server.go
@@ -11,6 +11,7 @@ import (
 	"fmt"
 	"github.com/emersion/go-smtp"
 	"github.com/gorilla/websocket"
+	"github.com/prometheus/client_golang/prometheus/promhttp"
 	"golang.org/x/sync/errgroup"
 	"heckel.io/ntfy/log"
 	"heckel.io/ntfy/user"
@@ -37,6 +38,7 @@ type Server struct {
 	config            *Config
 	httpServer        *http.Server
 	httpsServer       *http.Server
+	httpMetricsServer *http.Server
 	unixListener      net.Listener
 	smtpServer        *smtp.Server
 	smtpServerBackend *smtpBackend
@@ -45,11 +47,12 @@ type Server struct {
 	visitors          map[string]*visitor // ip:<ip> or user:<user>
 	firebaseClient    *firebaseClient
 	messages          int64
-	userManager       *user.Manager                        // Might be nil!
-	messageCache      *messageCache                        // Database that stores the messages
-	fileCache         *fileCache                           // File system based cache that stores attachments
-	stripe            stripeAPI                            // Stripe API, can be replaced with a mock
-	priceCache        *util.LookupCache[map[string]string] // Stripe price ID -> formatted price
+	userManager       *user.Manager                       // Might be nil!
+	messageCache      *messageCache                       // Database that stores the messages
+	fileCache         *fileCache                          // File system based cache that stores attachments
+	stripe            stripeAPI                           // Stripe API, can be replaced with a mock
+	priceCache        *util.LookupCache[map[string]int64] // Stripe price ID -> price as cents (USD implied!)
+	metricsHandler    http.Handler                        // Handles /metrics if enable-metrics set, and listen-metrics-http not set
 	closeChan         chan bool
 	mu                sync.Mutex
 }
@@ -72,6 +75,7 @@ var (
 	webConfigPath                                        = "/config.js"
 	accountPath                                          = "/account"
 	matrixPushPath                                       = "/_matrix/push/v1/notify"
+	metricsPath                                          = "/metrics"
 	apiHealthPath                                        = "/v1/health"
 	apiTiers                                             = "/v1/tiers"
 	apiAccountPath                                       = "/v1/account"
@@ -111,6 +115,8 @@ const (
 	defaultAttachmentMessage = "You received a file: %s" // Used if message body is empty, and there is an attachment
 	encodingBase64           = "base64"                  // Used mainly for binary UnifiedPush messages
 	jsonBodyBytesLimit       = 16384
+	unifiedPushTopicPrefix   = "up" // Temporarily, we rate limit all "up*" topics based on the subscriber
+	unifiedPushTopicLength   = 14
 )

 // WebSocket constants
@@ -160,7 +166,13 @@ func New(conf *Config) (*Server, error) {
 		if err != nil {
 			return nil, err
 		}
-		firebaseClient = newFirebaseClient(sender, userManager)
+		// This awkward logic is required because Go is weird about nil types and interfaces.
+		// See issue #641, and https://go.dev/play/p/uur1flrv1t3 for an example
+		var auther user.Auther
+		if userManager != nil {
+			auther = userManager
+		}
+		firebaseClient = newFirebaseClient(sender, auther)
 	}
 	s := &Server{
 		config:         conf,
@@ -202,6 +214,9 @@ func (s *Server) Run() error {
 	if s.config.SMTPServerListen != "" {
 		listenStr += fmt.Sprintf(" %s[smtp]", s.config.SMTPServerListen)
 	}
+	if s.config.MetricsListenHTTP != "" {
+		listenStr += fmt.Sprintf(" %s[http/metrics]", s.config.MetricsListenHTTP)
+	}
 	log.Tag(tagStartup).Info("Listening on%s, ntfy %s, log level is %s", listenStr, s.config.Version, log.CurrentLevel().String())
 	if log.IsFile() {
 		fmt.Fprintf(os.Stderr, "Listening on%s, ntfy %s\n", listenStr, s.config.Version)
@@ -248,6 +263,16 @@ func (s *Server) Run() error {
 			errChan <- httpServer.Serve(s.unixListener)
 		}()
 	}
+	if s.config.MetricsListenHTTP != "" {
+		initMetrics()
+		s.httpMetricsServer = &http.Server{Addr: s.config.MetricsListenHTTP, Handler: promhttp.Handler()}
+		go func() {
+			errChan <- s.httpMetricsServer.ListenAndServe()
+		}()
+	} else if s.config.EnableMetrics {
+		initMetrics()
+		s.metricsHandler = promhttp.Handler()
+	}
 	if s.config.SMTPServerListen != "" {
 		go func() {
 			errChan <- s.runSMTPServer()
@@ -308,6 +333,9 @@ func (s *Server) handle(w http.ResponseWriter, r *http.Request) {
 				s.handleError(w, r, v, err)
 				return
 			}
+			if metricHTTPRequests != nil {
+				metricHTTPRequests.WithLabelValues("200", "20000", r.Method).Inc()
+			}
 		}).
 		Debug("HTTP request finished")
 }
@@ -317,25 +345,31 @@ func (s *Server) handleError(w http.ResponseWriter, r *http.Request, v *visitor,
 	if !ok {
 		httpErr = errHTTPInternalError
 	}
-	isNormalError := strings.Contains(err.Error(), "i/o timeout") || util.Contains([]int{http.StatusNotFound, http.StatusBadRequest, http.StatusTooManyRequests, http.StatusUnauthorized}, httpErr.HTTPCode)
+	if metricHTTPRequests != nil {
+		metricHTTPRequests.WithLabelValues(fmt.Sprintf("%d", httpErr.HTTPCode), fmt.Sprintf("%d", httpErr.Code), r.Method).Inc()
+	}
+	isRateLimiting := util.Contains(rateLimitingErrorCodes, httpErr.HTTPCode)
+	isNormalError := strings.Contains(err.Error(), "i/o timeout") || util.Contains(normalErrorCodes, httpErr.HTTPCode)
+	ev := logvr(v, r).Err(err)
 	if websocket.IsWebSocketUpgrade(r) {
+		ev.Tag(tagWebsocket).Fields(websocketErrorContext(err))
 		if isNormalError {
-			logvr(v, r).Tag(tagWebsocket).Err(err).Fields(websocketErrorContext(err)).Debug("WebSocket error (this error is okay, it happens a lot): %s", err.Error())
+			ev.Debug("WebSocket error (this error is okay, it happens a lot): %s", err.Error())
 		} else {
-			logvr(v, r).Tag(tagWebsocket).Err(err).Fields(websocketErrorContext(err)).Info("WebSocket error: %s", err.Error())
+			ev.Info("WebSocket error: %s", err.Error())
 		}
 		return // Do not attempt to write to upgraded connection
 	}
-	if matrixErr, ok := err.(*errMatrix); ok {
-		if err := writeMatrixError(w, r, v, matrixErr); err != nil {
-			logvr(v, r).Tag(tagMatrix).Err(err).Debug("Writing Matrix error failed")
-		}
-		return
-	}
 	if isNormalError {
-		logvr(v, r).Err(httpErr).Debug("Connection closed with HTTP %d (ntfy error %d)", httpErr.HTTPCode, httpErr.Code)
+		ev.Debug("Connection closed with HTTP %d (ntfy error %d)", httpErr.HTTPCode, httpErr.Code)
 	} else {
-		logvr(v, r).Err(httpErr).Info("Connection closed with HTTP %d (ntfy error %d)", httpErr.HTTPCode, httpErr.Code)
+		ev.Info("Connection closed with HTTP %d (ntfy error %d)", httpErr.HTTPCode, httpErr.Code)
+	}
+	if isRateLimiting && s.config.StripeSecretKey != "" {
+		u := v.User()
+		if u == nil || u.Tier == nil {
+			httpErr = httpErr.Wrap("increase your limits with a paid plan, see %s", s.config.BaseURL)
+		}
 	}
 	w.Header().Set("Content-Type", "application/json")
 	w.Header().Set("Access-Control-Allow-Origin", s.config.AccessControlAllowOrigin) // CORS, allow cross-origin requests
@@ -394,6 +428,8 @@ func (s *Server) handleInternal(w http.ResponseWriter, r *http.Request, v *visit
 		return s.ensurePaymentsEnabled(s.handleBillingTiersGet)(w, r, v)
 	} else if r.Method == http.MethodGet && r.URL.Path == matrixPushPath {
 		return s.handleMatrixDiscovery(w)
+	} else if r.Method == http.MethodGet && r.URL.Path == metricsPath && s.metricsHandler != nil {
+		return s.handleMetrics(w, r, v)
 	} else if r.Method == http.MethodGet && staticRegex.MatchString(r.URL.Path) {
 		return s.ensureWebEnabled(s.handleStatic)(w, r, v)
 	} else if r.Method == http.MethodGet && docsRegex.MatchString(r.URL.Path) {
@@ -403,13 +439,13 @@ func (s *Server) handleInternal(w http.ResponseWriter, r *http.Request, v *visit
 	} else if r.Method == http.MethodOptions {
 		return s.limitRequests(s.handleOptions)(w, r, v) // Should work even if the web app is not enabled, see #598
 	} else if (r.Method == http.MethodPut || r.Method == http.MethodPost) && r.URL.Path == "/" {
-		return s.limitRequests(s.transformBodyJSON(s.authorizeTopicWrite(s.handlePublish)))(w, r, v)
+		return s.transformBodyJSON(s.limitRequestsWithTopic(s.authorizeTopicWrite(s.handlePublish)))(w, r, v)
 	} else if r.Method == http.MethodPost && r.URL.Path == matrixPushPath {
-		return s.limitRequests(s.transformMatrixJSON(s.authorizeTopicWrite(s.handlePublishMatrix)))(w, r, v)
+		return s.transformMatrixJSON(s.limitRequestsWithTopic(s.authorizeTopicWrite(s.handlePublishMatrix)))(w, r, v)
 	} else if (r.Method == http.MethodPut || r.Method == http.MethodPost) && topicPathRegex.MatchString(r.URL.Path) {
-		return s.limitRequests(s.authorizeTopicWrite(s.handlePublish))(w, r, v)
+		return s.limitRequestsWithTopic(s.authorizeTopicWrite(s.handlePublish))(w, r, v)
 	} else if r.Method == http.MethodGet && publishPathRegex.MatchString(r.URL.Path) {
-		return s.limitRequests(s.authorizeTopicWrite(s.handlePublish))(w, r, v)
+		return s.limitRequestsWithTopic(s.authorizeTopicWrite(s.handlePublish))(w, r, v)
 	} else if r.Method == http.MethodGet && jsonPathRegex.MatchString(r.URL.Path) {
 		return s.limitRequests(s.authorizeTopicRead(s.handleSubscribeJSON))(w, r, v)
 	} else if r.Method == http.MethodGet && ssePathRegex.MatchString(r.URL.Path) {
@@ -474,6 +510,7 @@ func (s *Server) handleWebConfig(w http.ResponseWriter, _ *http.Request, _ *visi
 		EnableSignup:       s.config.EnableSignup,
 		EnablePayments:     s.config.StripeSecretKey != "",
 		EnableReservations: s.config.EnableReservations,
+		BillingContact:     s.config.BillingContact,
 		DisallowedTopics:   s.config.DisallowedTopics,
 	}
 	b, err := json.MarshalIndent(response, "", "  ")
@@ -485,6 +522,13 @@ func (s *Server) handleWebConfig(w http.ResponseWriter, _ *http.Request, _ *visi
 	return err
 }

+// handleMetrics returns Prometheus metrics. This endpoint is only called if enable-metrics is set,
+// and listen-metrics-http is not set.
+func (s *Server) handleMetrics(w http.ResponseWriter, r *http.Request, _ *visitor) error {
+	s.metricsHandler.ServeHTTP(w, r)
+	return nil
+}
+
 func (s *Server) handleStatic(w http.ResponseWriter, r *http.Request, _ *visitor) error {
 	r.URL.Path = webSiteDir + r.URL.Path
 	util.Gzip(http.FileServer(http.FS(webFsCached))).ServeHTTP(w, r)
@@ -511,7 +555,10 @@ func (s *Server) handleFile(w http.ResponseWriter, r *http.Request, v *visitor)
 	file := filepath.Join(s.config.AttachmentCacheDir, messageID)
 	stat, err := os.Stat(file)
 	if err != nil {
-		return errHTTPNotFound
+		return errHTTPNotFound.Fields(log.Context{
+			"message_id":    messageID,
+			"error_context": "filesystem",
+		})
 	}
 	w.Header().Set("Access-Control-Allow-Origin", s.config.AccessControlAllowOrigin) // CORS, allow cross-origin requests
 	w.Header().Set("Content-Length", fmt.Sprintf("%d", stat.Size()))
@@ -532,7 +579,10 @@ func (s *Server) handleFile(w http.ResponseWriter, r *http.Request, v *visitor)
 			}, s.config.CacheBatchTimeout, 100*time.Millisecond, 300*time.Millisecond, 600*time.Millisecond)
 		}
 		if err != nil {
-			return errHTTPNotFound
+			return errHTTPNotFound.Fields(log.Context{
+				"message_id":    messageID,
+				"error_context": "message_cache",
+			})
 		}
 	} else if err != nil {
 		return err
@@ -548,7 +598,7 @@ func (s *Server) handleFile(w http.ResponseWriter, r *http.Request, v *visitor)
 		bandwidthVisitor = s.visitor(m.Sender, nil)
 	}
 	if !bandwidthVisitor.BandwidthAllowed(stat.Size()) {
-		return errHTTPTooManyRequestsLimitAttachmentBandwidth
+		return errHTTPTooManyRequestsLimitAttachmentBandwidth.With(m)
 	}
 	// Actually send file
 	f, err := os.Open(file)
@@ -567,29 +617,44 @@ func (s *Server) handleMatrixDiscovery(w http.ResponseWriter) error {
 	return writeMatrixDiscoveryResponse(w)
 }

-func (s *Server) handlePublishWithoutResponse(r *http.Request, v *visitor) (*message, error) {
-	t, err := s.topicFromPath(r.URL.Path)
+func (s *Server) handlePublishInternal(r *http.Request, v *visitor) (*message, error) {
+	start := time.Now()
+	t, err := fromContext[*topic](r, contextTopic)
 	if err != nil {
 		return nil, err
 	}
-	if !v.MessageAllowed() {
-		return nil, errHTTPTooManyRequestsLimitMessages
+	vrate, err := fromContext[*visitor](r, contextRateVisitor)
+	if err != nil {
+		return nil, err
 	}
 	body, err := util.Peek(r.Body, s.config.MessageLimit)
 	if err != nil {
 		return nil, err
 	}
 	m := newDefaultMessage(t.ID, "")
-	cache, firebase, email, unifiedpush, err := s.parsePublishParams(r, v, m)
-	if err != nil {
-		return nil, err
+	cache, firebase, email, unifiedpush, e := s.parsePublishParams(r, m)
+	if e != nil {
+		return nil, e.With(t)
+	}
+	if unifiedpush && s.config.VisitorSubscriberRateLimiting && t.RateVisitor() == nil {
+		// UnifiedPush clients must subscribe before publishing to allow proper subscriber-based rate limiting (see
+		// Rate-Topics header). The 5xx response is because some app servers (in particular Mastodon) will remove
+		// the subscription as invalid if any 400-499 code (except 429/408) is returned.
+		// See https://github.com/mastodon/mastodon/blob/730bb3e211a84a2f30e3e2bbeae3f77149824a68/app/workers/web/push_notification_worker.rb#L35-L46
+		return nil, errHTTPInsufficientStorageUnifiedPush.With(t)
+	} else if !util.ContainsIP(s.config.VisitorRequestExemptIPAddrs, v.ip) && !vrate.MessageAllowed() {
+		return nil, errHTTPTooManyRequestsLimitMessages.With(t)
+	} else if email != "" && !vrate.EmailAllowed() {
+		return nil, errHTTPTooManyRequestsLimitEmails.With(t)
 	}
 	if m.PollID != "" {
 		m = newPollRequestMessage(t.ID, m.PollID)
 	}
 	m.Sender = v.IP()
 	m.User = v.MaybeUserID()
-	m.Expires = time.Unix(m.Time, 0).Add(v.Limits().MessageExpiryDuration).Unix()
+	if cache {
+		m.Expires = time.Unix(m.Time, 0).Add(v.Limits().MessageExpiryDuration).Unix()
+	}
 	if err := s.handlePublishBody(r, v, m, body, unifiedpush); err != nil {
 		return nil, err
 	}
@@ -599,6 +664,7 @@ func (s *Server) handlePublishWithoutResponse(r *http.Request, v *visitor) (*mes
 	delayed := m.Time > time.Now().Unix()
 	ev := logvrm(v, r, m).
 		Tag(tagPublish).
+		With(t).
 		Fields(log.Context{
 			"message_delayed":     delayed,
 			"message_firebase":    firebase,
@@ -639,41 +705,70 @@ func (s *Server) handlePublishWithoutResponse(r *http.Request, v *visitor) (*mes
 	s.mu.Lock()
 	s.messages++
 	s.mu.Unlock()
+	if unifiedpush {
+		minc(metricUnifiedPushPublishedSuccess)
+	}
+	mset(metricMessagePublishDurationMillis, time.Since(start).Milliseconds())
 	return m, nil
 }

 func (s *Server) handlePublish(w http.ResponseWriter, r *http.Request, v *visitor) error {
-	m, err := s.handlePublishWithoutResponse(r, v)
+	m, err := s.handlePublishInternal(r, v)
 	if err != nil {
+		minc(metricMessagesPublishedFailure)
 		return err
 	}
+	minc(metricMessagesPublishedSuccess)
 	return s.writeJSON(w, m)
 }

 func (s *Server) handlePublishMatrix(w http.ResponseWriter, r *http.Request, v *visitor) error {
-	_, err := s.handlePublishWithoutResponse(r, v)
+	_, err := s.handlePublishInternal(r, v)
 	if err != nil {
-		return &errMatrix{pushKey: r.Header.Get(matrixPushKeyHeader), err: err}
+		minc(metricMessagesPublishedFailure)
+		minc(metricMatrixPublishedFailure)
+		if e, ok := err.(*errHTTP); ok && e.HTTPCode == errHTTPInsufficientStorageUnifiedPush.HTTPCode {
+			topic, err := fromContext[*topic](r, contextTopic)
+			if err != nil {
+				return err
+			}
+			pushKey, err := fromContext[string](r, contextMatrixPushKey)
+			if err != nil {
+				return err
+			}
+			if time.Since(topic.LastAccess()) > matrixRejectPushKeyForUnifiedPushTopicWithoutRateVisitorAfter {
+				return writeMatrixResponse(w, pushKey)
+			}
+		}
+		return err
 	}
+	minc(metricMessagesPublishedSuccess)
+	minc(metricMatrixPublishedSuccess)
 	return writeMatrixSuccess(w)
 }

 func (s *Server) sendToFirebase(v *visitor, m *message) {
 	logvm(v, m).Tag(tagFirebase).Debug("Publishing to Firebase")
 	if err := s.firebaseClient.Send(v, m); err != nil {
+		minc(metricFirebasePublishedFailure)
 		if err == errFirebaseTemporarilyBanned {
 			logvm(v, m).Tag(tagFirebase).Err(err).Debug("Unable to publish to Firebase: %v", err.Error())
 		} else {
 			logvm(v, m).Tag(tagFirebase).Err(err).Warn("Unable to publish to Firebase: %v", err.Error())
 		}
+		return
 	}
+	minc(metricFirebasePublishedSuccess)
 }

 func (s *Server) sendEmail(v *visitor, m *message, email string) {
 	logvm(v, m).Tag(tagEmail).Field("email", email).Debug("Sending email to %s", email)
 	if err := s.smtpSender.Send(v, m, email); err != nil {
 		logvm(v, m).Tag(tagEmail).Field("email", email).Err(err).Warn("Unable to send email to %s: %v", email, err.Error())
+		minc(metricEmailsPublishedFailure)
+		return
 	}
+	minc(metricEmailsPublishedSuccess)
 }

 func (s *Server) forwardPollRequest(v *visitor, m *message) {
@@ -700,7 +795,7 @@ func (s *Server) forwardPollRequest(v *visitor, m *message) {
 	}
 }

-func (s *Server) parsePublishParams(r *http.Request, v *visitor, m *message) (cache bool, firebase bool, email string, unifiedpush bool, err error) {
+func (s *Server) parsePublishParams(r *http.Request, m *message) (cache bool, firebase bool, email string, unifiedpush bool, err *errHTTP) {
 	cache = readBoolParam(r, true, "x-cache", "cache")
 	firebase = readBoolParam(r, true, "x-firebase", "firebase")
 	m.Title = readParam(r, "x-title", "title", "t")
@@ -739,11 +834,6 @@ func (s *Server) parsePublishParams(r *http.Request, v *visitor, m *message) (ca
 		m.Icon = icon
 	}
 	email = readParam(r, "x-email", "x-e-mail", "email", "e-mail", "mail", "e")
-	if email != "" {
-		if !v.EmailAllowed() {
-			return false, false, "", false, errHTTPTooManyRequestsLimitEmails
-		}
-	}
 	if s.smtpSender == nil && email != "" {
 		return false, false, "", false, errHTTPBadRequestEmailDisabled
 	}
@@ -751,17 +841,12 @@ func (s *Server) parsePublishParams(r *http.Request, v *visitor, m *message) (ca
 	if messageStr != "" {
 		m.Message = messageStr
 	}
-	m.Priority, err = util.ParsePriority(readParam(r, "x-priority", "priority", "prio", "p"))
-	if err != nil {
+	var e error
+	m.Priority, e = util.ParsePriority(readParam(r, "x-priority", "priority", "prio", "p"))
+	if e != nil {
 		return false, false, "", false, errHTTPBadRequestPriorityInvalid
 	}
-	tagsStr := readParam(r, "x-tags", "tags", "tag", "ta")
-	if tagsStr != "" {
-		m.Tags = make([]string, 0)
-		for _, s := range util.SplitNoEmpty(tagsStr, ",") {
-			m.Tags = append(m.Tags, strings.TrimSpace(s))
-		}
-	}
+	m.Tags = readCommaSeparatedParam(r, "x-tags", "tags", "tag", "ta")
 	delayStr := readParam(r, "x-delay", "delay", "x-at", "at", "x-in", "in")
 	if delayStr != "" {
 		if !cache {
@@ -782,9 +867,9 @@ func (s *Server) parsePublishParams(r *http.Request, v *visitor, m *message) (ca
 	}
 	actionsStr := readParam(r, "x-actions", "actions", "action")
 	if actionsStr != "" {
-		m.Actions, err = parseActions(actionsStr)
-		if err != nil {
-			return false, false, "", false, wrapErrHTTP(errHTTPBadRequestActionsInvalid, err.Error())
+		m.Actions, e = parseActions(actionsStr)
+		if e != nil {
+			return false, false, "", false, errHTTPBadRequestActionsInvalid.Wrap(e.Error())
 		}
 	}
 	unifiedpush = readBoolParam(r, false, "x-unifiedpush", "unifiedpush", "up") // see GET too!
@@ -848,7 +933,7 @@ func (s *Server) handleBodyAsMessageAutoDetect(m *message, body *util.PeekedRead

 func (s *Server) handleBodyAsTextMessage(m *message, body *util.PeekedReadCloser) error {
 	if !utf8.Valid(body.PeekedBytes) {
-		return errHTTPBadRequestMessageNotUTF8
+		return errHTTPBadRequestMessageNotUTF8.With(m)
 	}
 	if len(body.PeekedBytes) > 0 { // Empty body should not override message (publish via GET!)
 		m.Message = strings.TrimSpace(string(body.PeekedBytes)) // Truncates the message to the peek limit if required
@@ -861,7 +946,7 @@ func (s *Server) handleBodyAsTextMessage(m *message, body *util.PeekedReadCloser

 func (s *Server) handleBodyAsAttachment(r *http.Request, v *visitor, m *message, body *util.PeekedReadCloser) error {
 	if s.fileCache == nil || s.config.BaseURL == "" || s.config.AttachmentCacheDir == "" {
-		return errHTTPBadRequestAttachmentsDisallowed
+		return errHTTPBadRequestAttachmentsDisallowed.With(m)
 	}
 	vinfo, err := v.Info()
 	if err != nil {
@@ -869,13 +954,17 @@ func (s *Server) handleBodyAsAttachment(r *http.Request, v *visitor, m *message,
 	}
 	attachmentExpiry := time.Now().Add(vinfo.Limits.AttachmentExpiryDuration).Unix()
 	if m.Time > attachmentExpiry {
-		return errHTTPBadRequestAttachmentsExpiryBeforeDelivery
+		return errHTTPBadRequestAttachmentsExpiryBeforeDelivery.With(m)
 	}
 	contentLengthStr := r.Header.Get("Content-Length")
 	if contentLengthStr != "" { // Early "do-not-trust" check, hard limit see below
 		contentLength, err := strconv.ParseInt(contentLengthStr, 10, 64)
 		if err == nil && (contentLength > vinfo.Stats.AttachmentTotalSizeRemaining || contentLength > vinfo.Limits.AttachmentFileSizeLimit) {
-			return errHTTPEntityTooLargeAttachment
+			return errHTTPEntityTooLargeAttachment.With(m).Fields(log.Context{
+				"message_content_length":          contentLength,
+				"attachment_total_size_remaining": vinfo.Stats.AttachmentTotalSizeRemaining,
+				"attachment_file_size_limit":      vinfo.Limits.AttachmentFileSizeLimit,
+			})
 		}
 	}
 	if m.Attachment == nil {
@@ -898,7 +987,7 @@ func (s *Server) handleBodyAsAttachment(r *http.Request, v *visitor, m *message,
 	}
 	m.Attachment.Size, err = s.fileCache.Write(m.ID, body, limiters...)
 	if err == util.ErrLimitReached {
-		return errHTTPEntityTooLargeAttachment
+		return errHTTPEntityTooLargeAttachment.With(m)
 	} else if err != nil {
 		return err
 	}
@@ -951,7 +1040,7 @@ func (s *Server) handleSubscribeHTTP(w http.ResponseWriter, r *http.Request, v *
 	if err != nil {
 		return err
 	}
-	poll, since, scheduled, filters, err := parseSubscribeParams(r)
+	poll, since, scheduled, filters, rateTopics, err := parseSubscribeParams(r)
 	if err != nil {
 		return err
 	}
@@ -981,9 +1070,15 @@ func (s *Server) handleSubscribeHTTP(w http.ResponseWriter, r *http.Request, v *
 		}
 		return nil
 	}
+	if err := s.maybeSetRateVisitors(r, v, topics, rateTopics); err != nil {
+		return err
+	}
 	w.Header().Set("Access-Control-Allow-Origin", s.config.AccessControlAllowOrigin) // CORS, allow cross-origin requests
 	w.Header().Set("Content-Type", contentType+"; charset=utf-8")                    // Android/Volley client needs charset!
 	if poll {
+		for _, t := range topics {
+			t.Keepalive()
+		}
 		return s.sendOldMessages(topics, since, scheduled, v, sub)
 	}
 	ctx, cancel := context.WithCancel(context.Background())
@@ -1010,8 +1105,16 @@ func (s *Server) handleSubscribeHTTP(w http.ResponseWriter, r *http.Request, v *
 		case <-r.Context().Done():
 			return nil
 		case <-time.After(s.config.KeepaliveInterval):
-			logvr(v, r).Tag(tagSubscribe).Trace("Sending keepalive message")
+			ev := logvr(v, r).Tag(tagSubscribe)
+			if len(topics) == 1 {
+				ev.With(topics[0]).Trace("Sending keepalive message to %s", topics[0].ID)
+			} else {
+				ev.Trace("Sending keepalive message to %d topics", len(topics))
+			}
 			v.Keepalive()
+			for _, t := range topics {
+				t.Keepalive()
+			}
 			if err := sub(v, newKeepaliveMessage(topicsStr)); err != nil { // Send keepalive message
 				return err
 			}
@@ -1033,7 +1136,7 @@ func (s *Server) handleSubscribeWS(w http.ResponseWriter, r *http.Request, v *vi
 	if err != nil {
 		return err
 	}
-	poll, since, scheduled, filters, err := parseSubscribeParams(r)
+	poll, since, scheduled, filters, rateTopics, err := parseSubscribeParams(r)
 	if err != nil {
 		return err
 	}
@@ -1099,6 +1202,9 @@ func (s *Server) handleSubscribeWS(w http.ResponseWriter, r *http.Request, v *vi
 				return &websocket.CloseError{Code: websocket.CloseNormalClosure, Text: "subscription was canceled"}
 			case <-time.After(s.config.KeepaliveInterval):
 				v.Keepalive()
+				for _, t := range topics {
+					t.Keepalive()
+				}
 				if err := ping(); err != nil {
 					return err
 				}
@@ -1116,8 +1222,14 @@ func (s *Server) handleSubscribeWS(w http.ResponseWriter, r *http.Request, v *vi
 		}
 		return conn.WriteJSON(msg)
 	}
+	if err := s.maybeSetRateVisitors(r, v, topics, rateTopics); err != nil {
+		return err
+	}
 	w.Header().Set("Access-Control-Allow-Origin", s.config.AccessControlAllowOrigin) // CORS, allow cross-origin requests
 	if poll {
+		for _, t := range topics {
+			t.Keepalive()
+		}
 		return s.sendOldMessages(topics, since, scheduled, v, sub)
 	}
 	subscriberIDs := make([]int, 0)
@@ -1143,7 +1255,7 @@ func (s *Server) handleSubscribeWS(w http.ResponseWriter, r *http.Request, v *vi
 	return err
 }

-func parseSubscribeParams(r *http.Request) (poll bool, since sinceMarker, scheduled bool, filters *queryFilter, err error) {
+func parseSubscribeParams(r *http.Request) (poll bool, since sinceMarker, scheduled bool, filters *queryFilter, rateTopics []string, err error) {
 	poll = readBoolParam(r, false, "x-poll", "poll", "po")
 	scheduled = readBoolParam(r, false, "x-scheduled", "scheduled", "sched")
 	since, err = parseSince(r, poll)
@@ -1154,9 +1266,73 @@ func parseSubscribeParams(r *http.Request) (poll bool, since sinceMarker, schedu
 	if err != nil {
 		return
 	}
+	rateTopics = readCommaSeparatedParam(r, "x-rate-topics", "rate-topics")
 	return
 }

+// maybeSetRateVisitors sets the rate visitor on a topic (v.SetRateVisitor), indicating that all messages published
+// to that topic will be rate limited against the rate visitor instead of the publishing visitor.
+//
+// Setting the rate visitor is ony allowed if the `visitor-subscriber-rate-limiting` setting is enabled, AND
+// - auth-file is not set (everything is open by default)
+// - or the topic is reserved, and v.user is the owner
+// - or the topic is not reserved, and v.user has write access
+//
+// Note: This TEMPORARILY also registers all topics starting with "up" (= UnifiedPush). This is to ease the transition
+// until the Android app will send the "Rate-Topics" header.
+func (s *Server) maybeSetRateVisitors(r *http.Request, v *visitor, topics []*topic, rateTopics []string) error {
+	// Bail out if not enabled
+	if !s.config.VisitorSubscriberRateLimiting {
+		return nil
+	}
+
+	// Make a list of topics that we'll actually set the RateVisitor on
+	eligibleRateTopics := make([]*topic, 0)
+	for _, t := range topics {
+		if (strings.HasPrefix(t.ID, unifiedPushTopicPrefix) && len(t.ID) == unifiedPushTopicLength) || util.Contains(rateTopics, t.ID) {
+			eligibleRateTopics = append(eligibleRateTopics, t)
+		}
+	}
+	if len(eligibleRateTopics) == 0 {
+		return nil
+	}
+
+	// If access controls are turned off, v has access to everything, and we can set the rate visitor
+	if s.userManager == nil {
+		return s.setRateVisitors(r, v, eligibleRateTopics)
+	}
+
+	// If access controls are enabled, only set rate visitor if
+	// - topic is reserved, and v.user is the owner
+	// - topic is not reserved, and v.user has write access
+	writableRateTopics := make([]*topic, 0)
+	for _, t := range topics {
+		ownerUserID, err := s.userManager.ReservationOwner(t.ID)
+		if err != nil {
+			return err
+		}
+		if ownerUserID == "" {
+			if err := s.userManager.Authorize(v.User(), t.ID, user.PermissionWrite); err == nil {
+				writableRateTopics = append(writableRateTopics, t)
+			}
+		} else if ownerUserID == v.MaybeUserID() {
+			writableRateTopics = append(writableRateTopics, t)
+		}
+	}
+	return s.setRateVisitors(r, v, writableRateTopics)
+}
+
+func (s *Server) setRateVisitors(r *http.Request, v *visitor, rateTopics []*topic) error {
+	for _, t := range rateTopics {
+		logvr(v, r).
+			Tag(tagSubscribe).
+			With(t).
+			Debug("Setting visitor as rate visitor for topic %s", t.ID)
+		t.SetRateVisitor(v)
+	}
+	return nil
+}
+
 // sendOldMessages selects old messages from the messageCache and calls sub for each of them. It uses since as the
 // marker, returning only messages that are newer than the marker.
 func (s *Server) sendOldMessages(topics []*topic, since sinceMarker, scheduled bool, v *visitor, sub subscriber) error {
@@ -1462,11 +1638,15 @@ func (s *Server) transformMatrixJSON(next handleFunc) handleFunc {
 	return func(w http.ResponseWriter, r *http.Request, v *visitor) error {
 		newRequest, err := newRequestFromMatrixJSON(r, s.config.BaseURL, s.config.MessageLimit)
 		if err != nil {
-			logvr(v, r).Tag(tagMatrix).Err(err).Trace("Invalid Matrix request")
+			logvr(v, r).Tag(tagMatrix).Err(err).Debug("Invalid Matrix request")
+			if e, ok := err.(*errMatrixPushkeyRejected); ok {
+				return writeMatrixResponse(w, e.rejectedPushKey)
+			}
 			return err
 		}
 		if err := next(w, newRequest, v); err != nil {
-			return &errMatrix{pushKey: newRequest.Header.Get(matrixPushKeyHeader), err: err}
+			logvr(v, r).Tag(tagMatrix).Err(err).Debug("Error handling Matrix request")
+			return err
 		}
 		return nil
 	}
@@ -1492,8 +1672,8 @@ func (s *Server) autorizeTopic(next handleFunc, perm user.Permission) handleFunc
 		u := v.User()
 		for _, t := range topics {
 			if err := s.userManager.Authorize(u, t.ID, perm); err != nil {
-				logvr(v, r).Err(err).Field("message_topic", t.ID).Debug("Access to topic %s not authorized", t.ID)
-				return errHTTPForbidden
+				logvr(v, r).With(t).Err(err).Debug("Access to topic %s not authorized", t.ID)
+				return errHTTPForbidden.With(t)
 			}
 		}
 		return next(w, r, v)
@@ -1503,7 +1683,9 @@ func (s *Server) autorizeTopic(next handleFunc, perm user.Permission) handleFunc
 // maybeAuthenticate reads the "Authorization" header and will try to authenticate the user
 // if it is set.
 //
-//   - If the header is not set, an IP-based visitor is returned
+//   - If auth-file is not configured, immediately return an IP-based visitor
+//   - If the header is not set or not supported (anything non-Basic and non-Bearer),
+//     an IP-based visitor is returned
 //   - If the header is set, authenticate will be called to check the username/password (Basic auth),
 //     or the token (Bearer auth), and read the user from the database
 //
@@ -1513,13 +1695,14 @@ func (s *Server) maybeAuthenticate(r *http.Request) (*visitor, error) {
 	// Read "Authorization" header value, and exit out early if it's not set
 	ip := extractIPAddress(r, s.config.BehindProxy)
 	vip := s.visitor(ip, nil)
+	if s.userManager == nil {
+		return vip, nil
+	}
 	header, err := readAuthHeader(r)
 	if err != nil {
 		return vip, err
-	} else if header == "" {
+	} else if !supportedAuthHeader(header) {
 		return vip, nil
-	} else if s.userManager == nil {
-		return vip, errHTTPUnauthorized
 	}
 	// If we're trying to auth, check the rate limiter first
 	if !vip.AuthAllowed() {
@@ -1561,6 +1744,14 @@ func readAuthHeader(r *http.Request) (string, error) {
 	return value, nil
 }

+// supportedAuthHeader returns true only if the Authorization header value starts
+// with "Basic" or "Bearer". In particular, an empty value is not supported, and neither
+// are things like "WebPush", or "vapid" (see #629).
+func supportedAuthHeader(value string) bool {
+	value = strings.ToLower(value)
+	return strings.HasPrefix(value, "basic ") || strings.HasPrefix(value, "bearer ")
+}
+
 func (s *Server) authenticateBasicAuth(r *http.Request, value string) (user *user.User, err error) {
 	r.Header.Set("Authorization", value)
 	username, password, ok := r.BasicAuth()
--- a/server/server.yml
+++ b/server/server.yml
@@ -117,18 +117,19 @@
 # attachment-expiry-duration: "3h"

 # If enabled, allow outgoing e-mail notifications via the 'X-Email' header. If this header is set,
-# messages will additionally be sent out as e-mail using an external SMTP server. As of today, only
-# SMTP servers with plain text auth and STARTLS are supported. Please also refer to the rate limiting settings
-# below (visitor-email-limit-burst & visitor-email-limit-burst).
+# messages will additionally be sent out as e-mail using an external SMTP server.
+#
+# As of today, only SMTP servers with plain text auth (or no auth at all), and STARTLS are supported.
+# Please also refer to the rate limiting settings below (visitor-email-limit-burst & visitor-email-limit-burst).
 #
 # - smtp-sender-addr is the hostname:port of the SMTP server
-# - smtp-sender-user/smtp-sender-pass are the username and password of the SMTP user
 # - smtp-sender-from is the e-mail address of the sender
+# - smtp-sender-user/smtp-sender-pass are the username and password of the SMTP user (leave blank for no auth)
 #
 # smtp-sender-addr:
+# smtp-sender-from:
 # smtp-sender-user:
 # smtp-sender-pass:
-# smtp-sender-from:

 # If enabled, ntfy will launch a lightweight SMTP server for incoming messages. Once configured, users can send
 # emails to a topic e-mail address to publish messages to a topic.
@@ -234,15 +235,46 @@
 # visitor-attachment-total-size-limit: "100M"
 # visitor-attachment-daily-bandwidth-limit: "500M"

+# Rate limiting: Enable subscriber-based rate limiting (mostly used for UnifiedPush)
+#
+# If enabled, subscribers may opt to have published messages counted against their own rate limits, as opposed
+# to the publisher's rate limits. This is especially useful to increase the amount of messages that high-volume
+# publishers (e.g. Matrix/Mastodon servers) are allowed to send.
+#
+# Once enabled, a client may send a "Rate-Topics: <topic1>,<topic2>,..." header when subscribing to topics via
+# HTTP stream, or websockets, thereby registering itself as the "rate visitor", i.e. the visitor whose rate limits
+# to use when publishing on this topic. Note: Setting the rate visitor requires READ-WRITE permission on the topic.
+#
+# UnifiedPush only: If this setting is enabled, publishing to UnifiedPush topics will lead to a HTTP 507 response if
+# no "rate visitor" has been previously registered. This is to avoid burning the publisher's "visitor-message-daily-limit".
+#
+# visitor-subscriber-rate-limiting: false
+
 # Payments integration via Stripe
 #
 # - stripe-secret-key is the key used for the Stripe API communication. Setting this values
 #   enables payments in the ntfy web app (e.g. Upgrade dialog). See https://dashboard.stripe.com/apikeys.
 # - stripe-webhook-key is the key required to validate the authenticity of incoming webhooks from Stripe.
 #   Webhooks are essential up keep the local database in sync with the payment provider. See https://dashboard.stripe.com/webhooks.
+# - billing-contact is an email address or website displayed in the "Upgrade tier" dialog to let people reach
+#   out with billing questions. If unset, nothing will be displayed.
 #
 # stripe-secret-key:
 # stripe-webhook-key:
+# billing-contact:
+
+# Metrics
+#
+# ntfy can expose Prometheus-style metrics via a /metrics endpoint, or on a dedicated listen IP/port.
+# Metrics may be considered sensitive information, so before you enable them, be sure you know what you are
+# doing, and/or secure access to the endpoint in your reverse proxy.
+#
+# - enable-metrics enables the /metrics endpoint for the default ntfy server (i.e. HTTP, HTTPS and/or Unix socket)
+# - metrics-listen-http exposes the metrics endpoint via a dedicated [IP]:port. If set, this option implicitly
+#   enables metrics as well, e.g. "10.0.1.1:9090" or ":9090"
+#
+# enable-metrics: false
+# metrics-listen-http:

 # Logging options
 #
--- a/server/server_account.go
+++ b/server/server_account.go
@@ -100,6 +100,7 @@ func (s *Server) handleAccountGet(w http.ResponseWriter, r *http.Request, v *vis
 				Customer:     true,
 				Subscription: u.Billing.StripeSubscriptionID != "",
 				Status:       string(u.Billing.StripeSubscriptionStatus),
+				Interval:     string(u.Billing.StripeSubscriptionInterval),
 				PaidUntil:    u.Billing.StripeSubscriptionPaidUntil.Unix(),
 				CancelAt:     u.Billing.StripeSubscriptionCancelAt.Unix(),
 			}
@@ -506,6 +507,7 @@ func (s *Server) maybeRemoveMessagesAndExcessReservations(r *http.Request, v *vi
 	if err := s.messageCache.ExpireMessages(topics...); err != nil {
 		return err
 	}
+	go s.pruneMessages()
 	return nil
 }

--- a/server/server_account_test.go
+++ b/server/server_account_test.go
@@ -290,6 +290,7 @@ func TestAccount_ChangePassword_NoAccount(t *testing.T) {
 }

 func TestAccount_ExtendToken(t *testing.T) {
+	t.Parallel()
 	s := newTestServer(t, newTestConfigWithAuthFile(t))
 	defer s.closeDatabases()

@@ -611,6 +612,7 @@ func TestAccount_Reservation_PublishByAnonymousFails(t *testing.T) {
 }

 func TestAccount_Reservation_Delete_Messages_And_Attachments(t *testing.T) {
+	t.Parallel()
 	conf := newTestConfigWithAuthFile(t)
 	conf.AuthDefault = user.PermissionReadWrite
 	s := newTestServer(t, conf)
@@ -655,6 +657,17 @@ func TestAccount_Reservation_Delete_Messages_And_Attachments(t *testing.T) {
 	m2 := toMessage(t, rr.Body.String())
 	require.FileExists(t, filepath.Join(s.config.AttachmentCacheDir, m2.ID))

+	// Pre-verify message count and file
+	ms, err := s.messageCache.Messages("mytopic1", sinceAllMessages, false)
+	require.Nil(t, err)
+	require.Equal(t, 1, len(ms))
+	require.FileExists(t, filepath.Join(s.config.AttachmentCacheDir, m1.ID))
+
+	ms, err = s.messageCache.Messages("mytopic2", sinceAllMessages, false)
+	require.Nil(t, err)
+	require.Equal(t, 1, len(ms))
+	require.FileExists(t, filepath.Join(s.config.AttachmentCacheDir, m2.ID))
+
 	// Delete reservation
 	rr = request(t, s, "DELETE", "/v1/account/reservation/mytopic1", ``, map[string]string{
 		"X-Delete-Messages": "true",
@@ -670,9 +683,13 @@ func TestAccount_Reservation_Delete_Messages_And_Attachments(t *testing.T) {

 	// Verify that messages and attachments were deleted
 	// This does not explicitly call the manager!
-	time.Sleep(time.Second)
+	waitFor(t, func() bool {
+		ms, err := s.messageCache.Messages("mytopic1", sinceAllMessages, false)
+		require.Nil(t, err)
+		return len(ms) == 0 && !util.FileExists(filepath.Join(s.config.AttachmentCacheDir, m1.ID))
+	})

-	ms, err := s.messageCache.Messages("mytopic1", sinceAllMessages, false)
+	ms, err = s.messageCache.Messages("mytopic1", sinceAllMessages, false)
 	require.Nil(t, err)
 	require.Equal(t, 0, len(ms))
 	require.NoFileExists(t, filepath.Join(s.config.AttachmentCacheDir, m1.ID))
@@ -684,91 +701,11 @@ func TestAccount_Reservation_Delete_Messages_And_Attachments(t *testing.T) {
 	require.FileExists(t, filepath.Join(s.config.AttachmentCacheDir, m2.ID))
 }

-func TestAccount_Reservation_Add_Kills_Other_Subscribers(t *testing.T) {
-	conf := newTestConfigWithAuthFile(t)
-	conf.AuthDefault = user.PermissionReadWrite
-	conf.EnableSignup = true
-	s := newTestServer(t, conf)
-	defer s.closeDatabases()
-
-	// Create user with tier
-	rr := request(t, s, "POST", "/v1/account", `{"username":"phil", "password":"mypass"}`, nil)
-	require.Equal(t, 200, rr.Code)
-
-	require.Nil(t, s.userManager.AddTier(&user.Tier{
-		Code:             "pro",
-		MessageLimit:     20,
-		ReservationLimit: 2,
-	}))
-	require.Nil(t, s.userManager.ChangeTier("phil", "pro"))
-
-	// Subscribe anonymously
-	anonCh, userCh := make(chan bool), make(chan bool)
-	go func() {
-		rr := request(t, s, "GET", "/mytopic/json", ``, nil) // This blocks until it's killed!
-		require.Equal(t, 200, rr.Code)
-		messages := toMessages(t, rr.Body.String())
-		require.Equal(t, 2, len(messages)) // This is the meat. We should NOT receive the second message!
-		require.Equal(t, "open", messages[0].Event)
-		require.Equal(t, "message before reservation", messages[1].Message)
-		anonCh <- true
-		log.Info("Anonymous subscription ended")
-	}()
-
-	// Subscribe with user
-	go func() {
-		rr := request(t, s, "GET", "/mytopic/json", ``, map[string]string{ // Blocks!
-			"Authorization": util.BasicAuth("phil", "mypass"),
-		})
-		require.Equal(t, 200, rr.Code)
-		messages := toMessages(t, rr.Body.String())
-		require.Equal(t, 3, len(messages))
-		require.Equal(t, "open", messages[0].Event)
-		require.Equal(t, "message before reservation", messages[1].Message)
-		require.Equal(t, "message after reservation", messages[2].Message)
-		userCh <- true
-		log.Info("User subscription ended")
-	}()
-
-	// Publish message (before reservation)
-	time.Sleep(2 * time.Second) // Wait for subscribers
-	rr = request(t, s, "POST", "/mytopic", "message before reservation", nil)
-	require.Equal(t, 200, rr.Code)
-	time.Sleep(2 * time.Second) // Wait for subscribers to receive message
-
-	// Reserve a topic
-	rr = request(t, s, "POST", "/v1/account/reservation", `{"topic": "mytopic", "everyone":"deny-all"}`, map[string]string{
-		"Authorization": util.BasicAuth("phil", "mypass"),
-	})
-	require.Equal(t, 200, rr.Code)
-
-	// Everyone but phil should be killed
-	select {
-	case <-anonCh:
-	case <-time.After(5 * time.Second):
-		t.Fatal("Waiting for anonymous subscription to be killed failed")
-	}
-
-	// Publish a message
-	rr = request(t, s, "POST", "/mytopic", "message after reservation", map[string]string{
-		"Authorization": util.BasicAuth("phil", "mypass"),
-	})
-	require.Equal(t, 200, rr.Code)
-
-	// Kill user Go routine
-	s.topics["mytopic"].CancelSubscribers("<invalid>")
-
-	select {
-	case <-userCh:
-	case <-time.After(5 * time.Second):
-		t.Fatal("Waiting for user subscription to be killed failed")
-	}
-}
-
 func TestAccount_Persist_UserStats_After_Tier_Change(t *testing.T) {
+	t.Parallel()
 	conf := newTestConfigWithAuthFile(t)
 	conf.AuthDefault = user.PermissionReadWrite
-	conf.AuthStatsQueueWriterInterval = 200 * time.Millisecond
+	conf.AuthStatsQueueWriterInterval = 300 * time.Millisecond
 	s := newTestServer(t, conf)
 	defer s.closeDatabases()

@@ -790,13 +727,12 @@ func TestAccount_Persist_UserStats_After_Tier_Change(t *testing.T) {
 	})
 	require.Equal(t, 200, rr.Code)

-	// Wait for stats queue writer
-	time.Sleep(300 * time.Millisecond)
-
-	// Verify that message stats were persisted
-	u, err := s.userManager.User("phil")
-	require.Nil(t, err)
-	require.Equal(t, int64(1), u.Stats.Messages)
+	// Wait for stats queue writer, verify that message stats were persisted
+	waitFor(t, func() bool {
+		u, err := s.userManager.User("phil")
+		require.Nil(t, err)
+		return int64(1) == u.Stats.Messages
+	})

 	// Change tier, make a request (to reset limiters)
 	require.Nil(t, s.userManager.ChangeTier("phil", "pro"))
@@ -814,10 +750,11 @@ func TestAccount_Persist_UserStats_After_Tier_Change(t *testing.T) {
 	require.Equal(t, 200, rr.Code)

 	// Verify that message stats were persisted
-	time.Sleep(300 * time.Millisecond)
-	u, err = s.userManager.User("phil")
-	require.Nil(t, err)
-	require.Equal(t, int64(2), u.Stats.Messages) // v.EnqueueUserStats had run!
+	waitFor(t, func() bool {
+		u, err := s.userManager.User("phil")
+		require.Nil(t, err)
+		return int64(2) == u.Stats.Messages // v.EnqueueUserStats had run!
+	})

 	// Stats keep counting
 	rr = request(t, s, "GET", "/v1/account", "", map[string]string{
@@ -826,5 +763,4 @@ func TestAccount_Persist_UserStats_After_Tier_Change(t *testing.T) {
 	require.Equal(t, 200, rr.Code)
 	account, _ = util.UnmarshalJSON[apiAccountResponse](io.NopCloser(rr.Body))
 	require.Equal(t, int64(2), account.Stats.Messages) // Is not reset!
-
 }
--- a/server/server_manager.go
+++ b/server/server_manager.go
@@ -2,6 +2,7 @@ package server

 import (
 	"heckel.io/ntfy/log"
+	"heckel.io/ntfy/util"
 	"strings"
 )

@@ -34,16 +35,20 @@ func (s *Server) execManager() {
 			s.mu.Lock()
 			defer s.mu.Unlock()
 			for _, t := range s.topics {
-				subs := t.SubscribersCount()
-				log.Tag(tagManager).Trace("- topic %s: %d subscribers", t.ID, subs)
-				msgs, exists := messageCounts[t.ID]
-				if subs == 0 && (!exists || msgs == 0) {
-					log.Tag(tagManager).Trace("Deleting empty topic %s", t.ID)
+				subs, lastAccess := t.Stats()
+				ev := log.Tag(tagManager).With(t)
+				if t.Stale() {
+					if ev.IsTrace() {
+						ev.Trace("- topic %s: Deleting stale topic (%d subscribers, accessed %s)", t.ID, subs, util.FormatTime(lastAccess))
+					}
 					emptyTopics++
 					delete(s.topics, t.ID)
-					continue
+				} else {
+					if ev.IsTrace() {
+						ev.Trace("- topic %s: %d subscribers, accessed %s", t.ID, subs, util.FormatTime(lastAccess))
+					}
+					subscribers += subs
 				}
-				subscribers += subs
 			}
 		}).
 		Debug("Removed %d empty topic(s)", emptyTopics)
@@ -58,6 +63,15 @@ func (s *Server) execManager() {
 		sentMailTotal, sentMailSuccess, sentMailFailure = s.smtpSender.Counts()
 	}

+	// Users
+	var usersCount int64
+	if s.userManager != nil {
+		usersCount, err = s.userManager.UsersCount()
+		if err != nil {
+			log.Tag(tagManager).Err(err).Warn("Error counting users")
+		}
+	}
+
 	// Print stats
 	s.mu.Lock()
 	messagesCount, topicsCount, visitorsCount := s.messages, len(s.topics), len(s.visitors)
@@ -70,6 +84,7 @@ func (s *Server) execManager() {
 			"topics_active":           topicsCount,
 			"subscribers":             subscribers,
 			"visitors":                visitorsCount,
+			"users":                   usersCount,
 			"emails_received":         receivedMailTotal,
 			"emails_received_success": receivedMailSuccess,
 			"emails_received_failure": receivedMailFailure,
@@ -78,6 +93,11 @@ func (s *Server) execManager() {
 			"emails_sent_failure":     sentMailFailure,
 		}).
 		Info("Server stats")
+	mset(metricMessagesCached, messagesCached)
+	mset(metricVisitors, visitorsCount)
+	mset(metricUsers, usersCount)
+	mset(metricSubscribers, subscribers)
+	mset(metricTopics, topicsCount)
 }

 func (s *Server) pruneVisitors() {
@@ -116,29 +136,30 @@ func (s *Server) pruneTokens() {
 }

 func (s *Server) pruneAttachments() {
-	if s.fileCache != nil {
-		log.
-			Tag(tagManager).
-			Timing(func() {
-				ids, err := s.messageCache.AttachmentsExpired()
-				if err != nil {
-					log.Tag(tagManager).Err(err).Warn("Error retrieving expired attachments")
-				} else if len(ids) > 0 {
-					if log.Tag(tagManager).IsDebug() {
-						log.Tag(tagManager).Debug("Deleting attachments %s", strings.Join(ids, ", "))
-					}
-					if err := s.fileCache.Remove(ids...); err != nil {
-						log.Tag(tagManager).Err(err).Warn("Error deleting attachments")
-					}
-					if err := s.messageCache.MarkAttachmentsDeleted(ids...); err != nil {
-						log.Tag(tagManager).Err(err).Warn("Error marking attachments deleted")
-					}
-				} else {
-					log.Tag(tagManager).Debug("No expired attachments to delete")
-				}
-			}).
-			Debug("Deleted expired attachments")
+	if s.fileCache == nil {
+		return
 	}
+	log.
+		Tag(tagManager).
+		Timing(func() {
+			ids, err := s.messageCache.AttachmentsExpired()
+			if err != nil {
+				log.Tag(tagManager).Err(err).Warn("Error retrieving expired attachments")
+			} else if len(ids) > 0 {
+				if log.Tag(tagManager).IsDebug() {
+					log.Tag(tagManager).Debug("Deleting attachments %s", strings.Join(ids, ", "))
+				}
+				if err := s.fileCache.Remove(ids...); err != nil {
+					log.Tag(tagManager).Err(err).Warn("Error deleting attachments")
+				}
+				if err := s.messageCache.MarkAttachmentsDeleted(ids...); err != nil {
+					log.Tag(tagManager).Err(err).Warn("Error marking attachments deleted")
+				}
+			} else {
+				log.Tag(tagManager).Debug("No expired attachments to delete")
+			}
+		}).
+		Debug("Deleted expired attachments")
 }

 func (s *Server) pruneMessages() {
@@ -149,8 +170,10 @@ func (s *Server) pruneMessages() {
 			if err != nil {
 				log.Tag(tagManager).Err(err).Warn("Error retrieving expired messages")
 			} else if len(expiredMessageIDs) > 0 {
-				if err := s.fileCache.Remove(expiredMessageIDs...); err != nil {
-					log.Tag(tagManager).Err(err).Warn("Error deleting attachments for expired messages")
+				if s.fileCache != nil {
+					if err := s.fileCache.Remove(expiredMessageIDs...); err != nil {
+						log.Tag(tagManager).Err(err).Warn("Error deleting attachments for expired messages")
+					}
 				}
 				if err := s.messageCache.DeleteMessages(expiredMessageIDs...); err != nil {
 					log.Tag(tagManager).Err(err).Warn("Error marking attachments deleted")
--- a/server/server_manager_test.go
+++ b/server/server_manager_test.go
@@ -0,0 +1,28 @@
+package server
+
+import (
+	"github.com/stretchr/testify/require"
+	"testing"
+)
+
+func TestServer_Manager_Prune_Messages_Without_Attachments_DoesNotPanic(t *testing.T) {
+	// Tests that the manager runs without attachment-cache-dir set, see #617
+	c := newTestConfig(t)
+	c.AttachmentCacheDir = ""
+	s := newTestServer(t, c)
+
+	// Publish a message
+	rr := request(t, s, "POST", "/mytopic", "hi", nil)
+	require.Equal(t, 200, rr.Code)
+	m := toMessage(t, rr.Body.String())
+
+	// Expire message
+	require.Nil(t, s.messageCache.ExpireMessages("mytopic"))
+
+	// Does not panic
+	s.pruneMessages()
+
+	// Actually deleted
+	_, err := s.messageCache.Message(m.ID)
+	require.Equal(t, errMessageNotFound, err)
+}
--- a/server/server_matrix.go
+++ b/server/server_matrix.go
@@ -8,6 +8,7 @@ import (
 	"io"
 	"net/http"
 	"strings"
+	"time"
 )

 // Matrix Push Gateway / UnifiedPush / ntfy integration:
@@ -71,25 +72,27 @@ type matrixResponse struct {
 	Rejected []string `json:"rejected"`
 }

-// errMatrix represents an error when handing Matrix gateway messages
-type errMatrix struct {
-	pushKey string
-	err     error
-}
-
-func (e errMatrix) Error() string {
-	if e.err != nil {
-		return fmt.Sprintf("message with push key %s rejected: %s", e.pushKey, e.err.Error())
-	}
-	return fmt.Sprintf("message with push key %s rejected", e.pushKey)
-}
-
 const (
-	// matrixPushKeyHeader is a header that's used internally to pass the Matrix push key (from the matrixRequest)
-	// along with the request. The push key is only used if an error occurs down the line.
-	matrixPushKeyHeader = "X-Matrix-Pushkey"
+	// matrixRejectPushKeyForUnifiedPushTopicWithoutRateVisitorAfter is the time after which a Matrix response
+	// will return an HTTP 200 with the push key (i.e. "rejected":["<pushkey>"]}), if no rate visitor has been set on
+	// the topic. Rejecting the push key will instruct the Matrix server to invalidate the pushkey and stop sending
+	// messages to it. This must be longer than topicExpungeAfter. See https://spec.matrix.org/v1.6/push-gateway-api/
+	matrixRejectPushKeyForUnifiedPushTopicWithoutRateVisitorAfter = 12 * time.Hour
 )

+// errMatrixPushkeyRejected represents an error when handing Matrix gateway messages
+//
+// If the push key is set, the app server will remove it and will never send messages using the same
+// push key again, until the user repairs it.
+type errMatrixPushkeyRejected struct {
+	rejectedPushKey   string
+	configuredBaseURL string
+}
+
+func (e errMatrixPushkeyRejected) Error() string {
+	return fmt.Sprintf("push key must be prefixed with base URL, received push key: %s, configured base URL: %s", e.rejectedPushKey, e.configuredBaseURL)
+}
+
 // newRequestFromMatrixJSON reads the request body as a Matrix JSON message, parses the "pushkey", and creates a new
 // HTTP request that looks like a normal ntfy request from it.
 //
@@ -122,17 +125,19 @@ func newRequestFromMatrixJSON(r *http.Request, baseURL string, messageLimit int)
 	}
 	pushKey := m.Notification.Devices[0].PushKey // We ignore other devices for now, see discussion in #316
 	if !strings.HasPrefix(pushKey, baseURL+"/") {
-		return nil, &errMatrix{pushKey: pushKey, err: wrapErrHTTP(errHTTPBadRequestMatrixPushkeyBaseURLMismatch, "received push key: %s, configured base URL: %s", pushKey, baseURL)}
+		return nil, &errMatrixPushkeyRejected{rejectedPushKey: pushKey, configuredBaseURL: baseURL}
 	}
 	newRequest, err := http.NewRequest(http.MethodPost, pushKey, io.NopCloser(bytes.NewReader(body.PeekedBytes)))
 	if err != nil {
-		return nil, &errMatrix{pushKey: pushKey, err: err}
+		return nil, err
 	}
 	newRequest.RemoteAddr = r.RemoteAddr // Not strictly necessary, since visitor was already extracted
 	if r.Header.Get("X-Forwarded-For") != "" {
 		newRequest.Header.Set("X-Forwarded-For", r.Header.Get("X-Forwarded-For"))
 	}
-	newRequest.Header.Set(matrixPushKeyHeader, pushKey)
+	newRequest = withContext(newRequest, map[contextKey]any{
+		contextMatrixPushKey: pushKey,
+	})
 	return newRequest, nil
 }

@@ -144,12 +149,6 @@ func writeMatrixDiscoveryResponse(w http.ResponseWriter) error {
 	return err
 }

-// writeMatrixError logs and writes the errMatrix to the given http.ResponseWriter as a matrixResponse
-func writeMatrixError(w http.ResponseWriter, r *http.Request, v *visitor, err *errMatrix) error {
-	logvr(v, r).Tag(tagMatrix).Err(err).Debug("Matrix gateway error")
-	return writeMatrixResponse(w, err.pushKey)
-}
-
 // writeMatrixSuccess writes a successful matrixResponse (no rejected push key) to the given http.ResponseWriter
 func writeMatrixSuccess(w http.ResponseWriter) error {
 	return writeMatrixResponse(w, "")
--- a/server/server_matrix_test.go
+++ b/server/server_matrix_test.go
@@ -3,7 +3,6 @@ package server
 import (
 	"net/http"
 	"net/http/httptest"
-	"net/netip"
 	"strings"
 	"testing"

@@ -19,7 +18,6 @@ func TestMatrix_NewRequestFromMatrixJSON_Success(t *testing.T) {
 	require.Nil(t, err)
 	require.Equal(t, "POST", newRequest.Method)
 	require.Equal(t, "https://ntfy.sh/upABCDEFGHI?up=1", newRequest.URL.String())
-	require.Equal(t, "https://ntfy.sh/upABCDEFGHI?up=1", newRequest.Header.Get("X-Matrix-Pushkey"))
 	require.Equal(t, body, readAll(t, newRequest.Body))
 }

@@ -56,10 +54,10 @@ func TestMatrix_NewRequestFromMatrixJSON_MismatchingPushKey(t *testing.T) {
 	body := `{"notification":{"content":{"body":"I'm floating in a most peculiar way.","msgtype":"m.text"},"counts":{"missed_calls":1,"unread":2},"devices":[{"app_id":"org.matrix.matrixConsole.ios","data":{},"pushkey":"https://ntfy.example.com/upABCDEFGHI?up=1","pushkey_ts":12345678,"tweaks":{"sound":"bing"}}],"event_id":"$3957tyerfgewrf384","prio":"high","room_alias":"#exampleroom:matrix.org","room_id":"!slw48wfj34rtnrf:example.com","room_name":"Mission Control","sender":"@exampleuser:matrix.org","sender_display_name":"Major Tom","type":"m.room.message"}}`
 	r, _ := http.NewRequest("POST", "http://ntfy.example.com/_matrix/push/v1/notify", strings.NewReader(body))
 	_, err := newRequestFromMatrixJSON(r, baseURL, maxLength)
-	matrixErr, ok := err.(*errMatrix)
+	matrixErr, ok := err.(*errMatrixPushkeyRejected)
 	require.True(t, ok)
-	require.Equal(t, "invalid request: push key must be prefixed with base URL, received push key: https://ntfy.example.com/upABCDEFGHI?up=1, configured base URL: https://ntfy.sh", matrixErr.err.Error())
-	require.Equal(t, "https://ntfy.example.com/upABCDEFGHI?up=1", matrixErr.pushKey)
+	require.Equal(t, "push key must be prefixed with base URL, received push key: https://ntfy.example.com/upABCDEFGHI?up=1, configured base URL: https://ntfy.sh", matrixErr.Error())
+	require.Equal(t, "https://ntfy.example.com/upABCDEFGHI?up=1", matrixErr.rejectedPushKey)
 }

 func TestMatrix_WriteMatrixDiscoveryResponse(t *testing.T) {
@@ -71,9 +69,7 @@ func TestMatrix_WriteMatrixDiscoveryResponse(t *testing.T) {

 func TestMatrix_WriteMatrixError(t *testing.T) {
 	w := httptest.NewRecorder()
-	r, _ := http.NewRequest("POST", "http://ntfy.example.com/_matrix/push/v1/notify", nil)
-	v := newVisitor(newTestConfig(t), nil, nil, netip.MustParseAddr("1.2.3.4"), nil)
-	require.Nil(t, writeMatrixError(w, r, v, &errMatrix{"https://ntfy.example.com/upABCDEFGHI?up=1", errHTTPBadRequestMatrixPushkeyBaseURLMismatch}))
+	require.Nil(t, writeMatrixResponse(w, "https://ntfy.example.com/upABCDEFGHI?up=1"))
 	require.Equal(t, 200, w.Result().StatusCode)
 	require.Equal(t, `{"rejected":["https://ntfy.example.com/upABCDEFGHI?up=1"]}`+"\n", w.Body.String())
 }
--- a/server/server_metrics.go
+++ b/server/server_metrics.go
@@ -0,0 +1,122 @@
+package server
+
+import (
+	"github.com/prometheus/client_golang/prometheus"
+)
+
+var (
+	metricMessagesPublishedSuccess     prometheus.Counter
+	metricMessagesPublishedFailure     prometheus.Counter
+	metricMessagesCached               prometheus.Gauge
+	metricMessagePublishDurationMillis prometheus.Gauge
+	metricFirebasePublishedSuccess     prometheus.Counter
+	metricFirebasePublishedFailure     prometheus.Counter
+	metricEmailsPublishedSuccess       prometheus.Counter
+	metricEmailsPublishedFailure       prometheus.Counter
+	metricEmailsReceivedSuccess        prometheus.Counter
+	metricEmailsReceivedFailure        prometheus.Counter
+	metricUnifiedPushPublishedSuccess  prometheus.Counter
+	metricMatrixPublishedSuccess       prometheus.Counter
+	metricMatrixPublishedFailure       prometheus.Counter
+	metricAttachmentsTotalSize         prometheus.Gauge
+	metricVisitors                     prometheus.Gauge
+	metricSubscribers                  prometheus.Gauge
+	metricTopics                       prometheus.Gauge
+	metricUsers                        prometheus.Gauge
+	metricHTTPRequests                 *prometheus.CounterVec
+)
+
+func initMetrics() {
+	metricMessagesPublishedSuccess = prometheus.NewCounter(prometheus.CounterOpts{
+		Name: "ntfy_messages_published_success",
+	})
+	metricMessagesPublishedFailure = prometheus.NewCounter(prometheus.CounterOpts{
+		Name: "ntfy_messages_published_failure",
+	})
+	metricMessagesCached = prometheus.NewGauge(prometheus.GaugeOpts{
+		Name: "ntfy_messages_cached_total",
+	})
+	metricMessagePublishDurationMillis = prometheus.NewGauge(prometheus.GaugeOpts{
+		Name: "ntfy_message_publish_duration_ms",
+	})
+	metricFirebasePublishedSuccess = prometheus.NewCounter(prometheus.CounterOpts{
+		Name: "ntfy_firebase_published_success",
+	})
+	metricFirebasePublishedFailure = prometheus.NewCounter(prometheus.CounterOpts{
+		Name: "ntfy_firebase_published_failure",
+	})
+	metricEmailsPublishedSuccess = prometheus.NewCounter(prometheus.CounterOpts{
+		Name: "ntfy_emails_sent_success",
+	})
+	metricEmailsPublishedFailure = prometheus.NewCounter(prometheus.CounterOpts{
+		Name: "ntfy_emails_sent_failure",
+	})
+	metricEmailsReceivedSuccess = prometheus.NewCounter(prometheus.CounterOpts{
+		Name: "ntfy_emails_received_success",
+	})
+	metricEmailsReceivedFailure = prometheus.NewCounter(prometheus.CounterOpts{
+		Name: "ntfy_emails_received_failure",
+	})
+	metricUnifiedPushPublishedSuccess = prometheus.NewCounter(prometheus.CounterOpts{
+		Name: "ntfy_unifiedpush_published_success",
+	})
+	metricMatrixPublishedSuccess = prometheus.NewCounter(prometheus.CounterOpts{
+		Name: "ntfy_matrix_published_success",
+	})
+	metricMatrixPublishedFailure = prometheus.NewCounter(prometheus.CounterOpts{
+		Name: "ntfy_matrix_published_failure",
+	})
+	metricAttachmentsTotalSize = prometheus.NewGauge(prometheus.GaugeOpts{
+		Name: "ntfy_attachments_total_size",
+	})
+	metricVisitors = prometheus.NewGauge(prometheus.GaugeOpts{
+		Name: "ntfy_visitors_total",
+	})
+	metricUsers = prometheus.NewGauge(prometheus.GaugeOpts{
+		Name: "ntfy_users_total",
+	})
+	metricSubscribers = prometheus.NewGauge(prometheus.GaugeOpts{
+		Name: "ntfy_subscribers_total",
+	})
+	metricTopics = prometheus.NewGauge(prometheus.GaugeOpts{
+		Name: "ntfy_topics_total",
+	})
+	metricHTTPRequests = prometheus.NewCounterVec(prometheus.CounterOpts{
+		Name: "ntfy_http_requests_total",
+	}, []string{"http_code", "ntfy_code", "http_method"})
+	prometheus.MustRegister(
+		metricMessagesPublishedSuccess,
+		metricMessagesPublishedFailure,
+		metricMessagesCached,
+		metricMessagePublishDurationMillis,
+		metricFirebasePublishedSuccess,
+		metricFirebasePublishedFailure,
+		metricEmailsPublishedSuccess,
+		metricEmailsPublishedFailure,
+		metricEmailsReceivedSuccess,
+		metricEmailsReceivedFailure,
+		metricUnifiedPushPublishedSuccess,
+		metricMatrixPublishedSuccess,
+		metricMatrixPublishedFailure,
+		metricAttachmentsTotalSize,
+		metricVisitors,
+		metricUsers,
+		metricSubscribers,
+		metricTopics,
+		metricHTTPRequests,
+	)
+}
+
+// minc increments a prometheus.Counter if it is non-nil
+func minc(counter prometheus.Counter) {
+	if counter != nil {
+		counter.Inc()
+	}
+}
+
+// mset sets a prometheus.Gauge if it is non-nil
+func mset[T int | int64 | float64](gauge prometheus.Gauge, value T) {
+	if gauge != nil {
+		gauge.Set(float64(value))
+	}
+}
--- a/server/server_middleware.go
+++ b/server/server_middleware.go
@@ -1,8 +1,17 @@
 package server

 import (
-	"heckel.io/ntfy/util"
 	"net/http"
+
+	"heckel.io/ntfy/util"
+)
+
+type contextKey int
+
+const (
+	contextRateVisitor contextKey = iota + 2586
+	contextTopic
+	contextMatrixPushKey
 )

 func (s *Server) limitRequests(next handleFunc) handleFunc {
@@ -16,6 +25,30 @@ func (s *Server) limitRequests(next handleFunc) handleFunc {
 	}
 }

+// limitRequestsWithTopic limits requests with a topic and stores the rate-limiting-subscriber and topic into request.Context
+func (s *Server) limitRequestsWithTopic(next handleFunc) handleFunc {
+	return func(w http.ResponseWriter, r *http.Request, v *visitor) error {
+		t, err := s.topicFromPath(r.URL.Path)
+		if err != nil {
+			return err
+		}
+		vrate := v
+		if rateVisitor := t.RateVisitor(); rateVisitor != nil {
+			vrate = rateVisitor
+		}
+		r = withContext(r, map[contextKey]any{
+			contextRateVisitor: vrate,
+			contextTopic:       t,
+		})
+		if util.ContainsIP(s.config.VisitorRequestExemptIPAddrs, v.ip) {
+			return next(w, r, v)
+		} else if !vrate.RequestAllowed() {
+			return errHTTPTooManyRequestsLimitRequests
+		}
+		return next(w, r, v)
+	}
+}
+
 func (s *Server) ensureWebEnabled(next handleFunc) handleFunc {
 	return func(w http.ResponseWriter, r *http.Request, v *visitor) error {
 		if !s.config.EnableWeb {
--- a/server/server_payments.go
+++ b/server/server_payments.go
@@ -80,14 +80,17 @@ func (s *Server) handleBillingTiersGet(w http.ResponseWriter, _ *http.Request, _
 		return err
 	}
 	for _, tier := range tiers {
-		priceStr, ok := prices[tier.StripePriceID]
-		if tier.StripePriceID == "" || !ok {
+		priceMonth, priceYear := prices[tier.StripeMonthlyPriceID], prices[tier.StripeYearlyPriceID]
+		if priceMonth == 0 || priceYear == 0 { // Only allow tiers that have both prices!
 			continue
 		}
 		response = append(response, &apiAccountBillingTier{
-			Code:  tier.Code,
-			Name:  tier.Name,
-			Price: priceStr,
+			Code: tier.Code,
+			Name: tier.Name,
+			Prices: &apiAccountBillingPrices{
+				Month: priceMonth,
+				Year:  priceYear,
+			},
 			Limits: &apiAccountLimits{
 				Basis:                    string(visitorLimitBasisTier),
 				Messages:                 tier.MessageLimit,
@@ -117,11 +120,21 @@ func (s *Server) handleAccountBillingSubscriptionCreate(w http.ResponseWriter, r
 	tier, err := s.userManager.Tier(req.Tier)
 	if err != nil {
 		return err
-	} else if tier.StripePriceID == "" {
+	}
+	var priceID string
+	if req.Interval == string(stripe.PriceRecurringIntervalMonth) && tier.StripeMonthlyPriceID != "" {
+		priceID = tier.StripeMonthlyPriceID
+	} else if req.Interval == string(stripe.PriceRecurringIntervalYear) && tier.StripeYearlyPriceID != "" {
+		priceID = tier.StripeYearlyPriceID
+	} else {
 		return errNotAPaidTier
 	}
 	logvr(v, r).
 		With(tier).
+		Fields(log.Context{
+			"stripe_price_id":              priceID,
+			"stripe_subscription_interval": req.Interval,
+		}).
 		Tag(tagStripe).
 		Info("Creating Stripe checkout flow")
 	var stripeCustomerID *string
@@ -143,7 +156,7 @@ func (s *Server) handleAccountBillingSubscriptionCreate(w http.ResponseWriter, r
 		AllowPromotionCodes: stripe.Bool(true),
 		LineItems: []*stripe.CheckoutSessionLineItemParams{
 			{
-				Price:    stripe.String(tier.StripePriceID),
+				Price:    stripe.String(priceID),
 				Quantity: stripe.Int64(1),
 			},
 		},
@@ -175,15 +188,16 @@ func (s *Server) handleAccountBillingSubscriptionCreateSuccess(w http.ResponseWr
 	if err != nil {
 		return err
 	} else if sess.Customer == nil || sess.Subscription == nil || sess.ClientReferenceID == "" {
-		return wrapErrHTTP(errHTTPBadRequestBillingRequestInvalid, "customer or subscription not found")
+		return errHTTPBadRequestBillingRequestInvalid.Wrap("customer or subscription not found")
 	}
 	sub, err := s.stripe.GetSubscription(sess.Subscription.ID)
 	if err != nil {
 		return err
-	} else if sub.Items == nil || len(sub.Items.Data) != 1 || sub.Items.Data[0].Price == nil {
-		return wrapErrHTTP(errHTTPBadRequestBillingRequestInvalid, "more than one line item in existing subscription")
+	} else if sub.Items == nil || len(sub.Items.Data) != 1 || sub.Items.Data[0].Price == nil || sub.Items.Data[0].Price.Recurring == nil {
+		return errHTTPBadRequestBillingRequestInvalid.Wrap("more than one line item in existing subscription")
 	}
-	tier, err := s.userManager.TierByStripePrice(sub.Items.Data[0].Price.ID)
+	priceID, interval := sub.Items.Data[0].Price.ID, sub.Items.Data[0].Price.Recurring.Interval
+	tier, err := s.userManager.TierByStripePrice(priceID)
 	if err != nil {
 		return err
 	}
@@ -197,8 +211,10 @@ func (s *Server) handleAccountBillingSubscriptionCreateSuccess(w http.ResponseWr
 		Tag(tagStripe).
 		Fields(log.Context{
 			"stripe_customer_id":             sess.Customer.ID,
+			"stripe_price_id":                priceID,
 			"stripe_subscription_id":         sub.ID,
 			"stripe_subscription_status":     string(sub.Status),
+			"stripe_subscription_interval":   string(interval),
 			"stripe_subscription_paid_until": sub.CurrentPeriodEnd,
 		}).
 		Info("Stripe checkout flow succeeded, updating user tier and subscription")
@@ -213,7 +229,7 @@ func (s *Server) handleAccountBillingSubscriptionCreateSuccess(w http.ResponseWr
 	if _, err := s.stripe.UpdateCustomer(sess.Customer.ID, customerParams); err != nil {
 		return err
 	}
-	if err := s.updateSubscriptionAndTier(r, v, u, tier, sess.Customer.ID, sub.ID, string(sub.Status), sub.CurrentPeriodEnd, sub.CancelAt); err != nil {
+	if err := s.updateSubscriptionAndTier(r, v, u, tier, sess.Customer.ID, sub.ID, string(sub.Status), string(interval), sub.CurrentPeriodEnd, sub.CancelAt); err != nil {
 		return err
 	}
 	http.Redirect(w, r, s.config.BaseURL+accountPath, http.StatusSeeOther)
@@ -235,28 +251,37 @@ func (s *Server) handleAccountBillingSubscriptionUpdate(w http.ResponseWriter, r
 	if err != nil {
 		return err
 	}
+	var priceID string
+	if req.Interval == string(stripe.PriceRecurringIntervalMonth) && tier.StripeMonthlyPriceID != "" {
+		priceID = tier.StripeMonthlyPriceID
+	} else if req.Interval == string(stripe.PriceRecurringIntervalYear) && tier.StripeYearlyPriceID != "" {
+		priceID = tier.StripeYearlyPriceID
+	} else {
+		return errNotAPaidTier
+	}
 	logvr(v, r).
 		Tag(tagStripe).
 		Fields(log.Context{
-			"new_tier_id":              tier.ID,
-			"new_tier_name":            tier.Name,
-			"new_tier_stripe_price_id": tier.StripePriceID,
+			"new_tier_id":                           tier.ID,
+			"new_tier_code":                         tier.Code,
+			"new_tier_stripe_price_id":              priceID,
+			"new_tier_stripe_subscription_interval": req.Interval,
 			// Other stripe_* fields filled by visitor context
 		}).
-		Info("Changing Stripe subscription and billing tier to %s/%s (price %s)", tier.ID, tier.Name, tier.StripePriceID)
+		Info("Changing Stripe subscription and billing tier to %s/%s (price %s, %s)", tier.ID, tier.Name, priceID, req.Interval)
 	sub, err := s.stripe.GetSubscription(u.Billing.StripeSubscriptionID)
 	if err != nil {
 		return err
 	} else if sub.Items == nil || len(sub.Items.Data) != 1 {
-		return wrapErrHTTP(errHTTPBadRequestBillingRequestInvalid, "no items, or more than one item")
+		return errHTTPBadRequestBillingRequestInvalid.Wrap("no items, or more than one item")
 	}
 	params := &stripe.SubscriptionParams{
 		CancelAtPeriodEnd: stripe.Bool(false),
-		ProrationBehavior: stripe.String(string(stripe.SubscriptionSchedulePhaseProrationBehaviorCreateProrations)),
+		ProrationBehavior: stripe.String(string(stripe.SubscriptionSchedulePhaseProrationBehaviorAlwaysInvoice)),
 		Items: []*stripe.SubscriptionItemsParams{
 			{
 				ID:    stripe.String(sub.Items.Data[0].ID),
-				Price: stripe.String(tier.StripePriceID),
+				Price: stripe.String(priceID),
 			},
 		},
 	}
@@ -345,20 +370,22 @@ func (s *Server) handleAccountBillingWebhookSubscriptionUpdated(r *http.Request,
 	ev, err := util.UnmarshalJSON[apiStripeSubscriptionUpdatedEvent](io.NopCloser(bytes.NewReader(event.Data.Raw)))
 	if err != nil {
 		return err
-	} else if ev.ID == "" || ev.Customer == "" || ev.Status == "" || ev.CurrentPeriodEnd == 0 || ev.Items == nil || len(ev.Items.Data) != 1 || ev.Items.Data[0].Price == nil || ev.Items.Data[0].Price.ID == "" {
+	} else if ev.ID == "" || ev.Customer == "" || ev.Status == "" || ev.CurrentPeriodEnd == 0 || ev.Items == nil || len(ev.Items.Data) != 1 || ev.Items.Data[0].Price == nil || ev.Items.Data[0].Price.ID == "" || ev.Items.Data[0].Price.Recurring == nil {
+		logvr(v, r).Tag(tagStripe).Field("stripe_request", fmt.Sprintf("%#v", ev)).Warn("Unexpected request from Stripe")
 		return errHTTPBadRequestBillingRequestInvalid
 	}
-	subscriptionID, priceID := ev.ID, ev.Items.Data[0].Price.ID
+	subscriptionID, priceID, interval := ev.ID, ev.Items.Data[0].Price.ID, ev.Items.Data[0].Price.Recurring.Interval
 	logvr(v, r).
 		Tag(tagStripe).
 		Fields(log.Context{
 			"stripe_webhook_type":            event.Type,
 			"stripe_customer_id":             ev.Customer,
+			"stripe_price_id":                priceID,
 			"stripe_subscription_id":         ev.ID,
 			"stripe_subscription_status":     ev.Status,
+			"stripe_subscription_interval":   interval,
 			"stripe_subscription_paid_until": ev.CurrentPeriodEnd,
 			"stripe_subscription_cancel_at":  ev.CancelAt,
-			"stripe_price_id":                priceID,
 		}).
 		Info("Updating subscription to status %s, with price %s", ev.Status, priceID)
 	userFn := func() (*user.User, error) {
@@ -376,7 +403,7 @@ func (s *Server) handleAccountBillingWebhookSubscriptionUpdated(r *http.Request,
 	if err != nil {
 		return err
 	}
-	if err := s.updateSubscriptionAndTier(r, v, u, tier, ev.Customer, subscriptionID, ev.Status, ev.CurrentPeriodEnd, ev.CancelAt); err != nil {
+	if err := s.updateSubscriptionAndTier(r, v, u, tier, ev.Customer, subscriptionID, ev.Status, string(interval), ev.CurrentPeriodEnd, ev.CancelAt); err != nil {
 		return err
 	}
 	s.publishSyncEventAsync(s.visitor(netip.IPv4Unspecified(), u))
@@ -399,14 +426,14 @@ func (s *Server) handleAccountBillingWebhookSubscriptionDeleted(r *http.Request,
 		Tag(tagStripe).
 		Field("stripe_webhook_type", event.Type).
 		Info("Subscription deleted, downgrading to unpaid tier")
-	if err := s.updateSubscriptionAndTier(r, v, u, nil, ev.Customer, "", "", 0, 0); err != nil {
+	if err := s.updateSubscriptionAndTier(r, v, u, nil, ev.Customer, "", "", "", 0, 0); err != nil {
 		return err
 	}
 	s.publishSyncEventAsync(s.visitor(netip.IPv4Unspecified(), u))
 	return nil
 }

-func (s *Server) updateSubscriptionAndTier(r *http.Request, v *visitor, u *user.User, tier *user.Tier, customerID, subscriptionID, status string, paidUntil, cancelAt int64) error {
+func (s *Server) updateSubscriptionAndTier(r *http.Request, v *visitor, u *user.User, tier *user.Tier, customerID, subscriptionID, status, interval string, paidUntil, cancelAt int64) error {
 	reservationsLimit := visitorDefaultReservationsLimit
 	if tier != nil {
 		reservationsLimit = tier.ReservationLimit
@@ -423,9 +450,8 @@ func (s *Server) updateSubscriptionAndTier(r *http.Request, v *visitor, u *user.
 		logvr(v, r).
 			Tag(tagStripe).
 			Fields(log.Context{
-				"new_tier_id":              tier.ID,
-				"new_tier_name":            tier.Name,
-				"new_tier_stripe_price_id": tier.StripePriceID,
+				"new_tier_id":   tier.ID,
+				"new_tier_code": tier.Code,
 			}).
 			Info("Changing tier to tier %s (%s) for user %s", tier.ID, tier.Name, u.Name)
 		if err := s.userManager.ChangeTier(u.Name, tier.Code); err != nil {
@@ -437,6 +463,7 @@ func (s *Server) updateSubscriptionAndTier(r *http.Request, v *visitor, u *user.
 		StripeCustomerID:            customerID,
 		StripeSubscriptionID:        subscriptionID,
 		StripeSubscriptionStatus:    stripe.SubscriptionStatus(status),
+		StripeSubscriptionInterval:  stripe.PriceRecurringInterval(interval),
 		StripeSubscriptionPaidUntil: time.Unix(paidUntil, 0),
 		StripeSubscriptionCancelAt:  time.Unix(cancelAt, 0),
 	}
@@ -448,20 +475,16 @@ func (s *Server) updateSubscriptionAndTier(r *http.Request, v *visitor, u *user.

 // fetchStripePrices contacts the Stripe API to retrieve all prices. This is used by the server to cache the prices
 // in memory, and ultimately for the web app to display the price table.
-func (s *Server) fetchStripePrices() (map[string]string, error) {
+func (s *Server) fetchStripePrices() (map[string]int64, error) {
 	log.Debug("Caching prices from Stripe API")
-	priceMap := make(map[string]string)
+	priceMap := make(map[string]int64)
 	prices, err := s.stripe.ListPrices(&stripe.PriceListParams{Active: stripe.Bool(true)})
 	if err != nil {
 		log.Warn("Fetching Stripe prices failed: %s", err.Error())
 		return nil, err
 	}
 	for _, p := range prices {
-		if p.UnitAmount%100 == 0 {
-			priceMap[p.ID] = fmt.Sprintf("$%d", p.UnitAmount/100)
-		} else {
-			priceMap[p.ID] = fmt.Sprintf("$%.2f", float64(p.UnitAmount)/100)
-		}
+		priceMap[p.ID] = p.UnitAmount
 		log.Trace("- Caching price %s = %v", p.ID, priceMap[p.ID])
 	}
 	return priceMap, nil
--- a/server/server_payments_test.go
+++ b/server/server_payments_test.go
@@ -37,7 +37,9 @@ func TestPayments_Tiers(t *testing.T) {
 		On("ListPrices", mock.Anything).
 		Return([]*stripe.Price{
 			{ID: "price_123", UnitAmount: 500},
+			{ID: "price_124", UnitAmount: 5000},
 			{ID: "price_456", UnitAmount: 1000},
+			{ID: "price_457", UnitAmount: 10000},
 			{ID: "price_999", UnitAmount: 9999},
 		}, nil)

@@ -58,7 +60,8 @@ func TestPayments_Tiers(t *testing.T) {
 		AttachmentFileSizeLimit:  999,
 		AttachmentTotalSizeLimit: 888,
 		AttachmentExpiryDuration: time.Minute,
-		StripePriceID:            "price_123",
+		StripeMonthlyPriceID:     "price_123",
+		StripeYearlyPriceID:      "price_124",
 	}))
 	require.Nil(t, s.userManager.AddTier(&user.Tier{
 		ID:                       "ti_444",
@@ -71,7 +74,8 @@ func TestPayments_Tiers(t *testing.T) {
 		AttachmentFileSizeLimit:  999111,
 		AttachmentTotalSizeLimit: 888111,
 		AttachmentExpiryDuration: time.Hour,
-		StripePriceID:            "price_456",
+		StripeMonthlyPriceID:     "price_456",
+		StripeYearlyPriceID:      "price_457",
 	}))
 	response := request(t, s, "GET", "/v1/tiers", "", nil)
 	require.Equal(t, 200, response.Code)
@@ -98,6 +102,8 @@ func TestPayments_Tiers(t *testing.T) {
 	require.Equal(t, "pro", tier.Code)
 	require.Equal(t, "Pro", tier.Name)
 	require.Equal(t, "tier", tier.Limits.Basis)
+	require.Equal(t, int64(500), tier.Prices.Month)
+	require.Equal(t, int64(5000), tier.Prices.Year)
 	require.Equal(t, int64(777), tier.Limits.Reservations)
 	require.Equal(t, int64(1000), tier.Limits.Messages)
 	require.Equal(t, int64(3600), tier.Limits.MessagesExpiryDuration)
@@ -109,6 +115,8 @@ func TestPayments_Tiers(t *testing.T) {
 	tier = tiers[2]
 	require.Equal(t, "business", tier.Code)
 	require.Equal(t, "Business", tier.Name)
+	require.Equal(t, int64(1000), tier.Prices.Month)
+	require.Equal(t, int64(10000), tier.Prices.Year)
 	require.Equal(t, "tier", tier.Limits.Basis)
 	require.Equal(t, int64(777333), tier.Limits.Reservations)
 	require.Equal(t, int64(2000), tier.Limits.Messages)
@@ -136,14 +144,14 @@ func TestPayments_SubscriptionCreate_NotAStripeCustomer_Success(t *testing.T) {

 	// Create tier and user
 	require.Nil(t, s.userManager.AddTier(&user.Tier{
-		ID:            "ti_123",
-		Code:          "pro",
-		StripePriceID: "price_123",
+		ID:                   "ti_123",
+		Code:                 "pro",
+		StripeMonthlyPriceID: "price_123",
 	}))
 	require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleUser))

 	// Create subscription
-	response := request(t, s, "POST", "/v1/account/billing/subscription", `{"tier": "pro"}`, map[string]string{
+	response := request(t, s, "POST", "/v1/account/billing/subscription", `{"tier": "pro", "interval": "month"}`, map[string]string{
 		"Authorization": util.BasicAuth("phil", "phil"),
 	})
 	require.Equal(t, 200, response.Code)
@@ -172,9 +180,9 @@ func TestPayments_SubscriptionCreate_StripeCustomer_Success(t *testing.T) {

 	// Create tier and user
 	require.Nil(t, s.userManager.AddTier(&user.Tier{
-		ID:            "ti_123",
-		Code:          "pro",
-		StripePriceID: "price_123",
+		ID:                   "ti_123",
+		Code:                 "pro",
+		StripeMonthlyPriceID: "price_123",
 	}))
 	require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleUser))

@@ -187,7 +195,7 @@ func TestPayments_SubscriptionCreate_StripeCustomer_Success(t *testing.T) {
 	require.Nil(t, s.userManager.ChangeBilling(u.Name, billing))

 	// Create subscription
-	response := request(t, s, "POST", "/v1/account/billing/subscription", `{"tier": "pro"}`, map[string]string{
+	response := request(t, s, "POST", "/v1/account/billing/subscription", `{"tier": "pro", "interval": "month"}`, map[string]string{
 		"Authorization": util.BasicAuth("phil", "phil"),
 	})
 	require.Equal(t, 200, response.Code)
@@ -214,9 +222,9 @@ func TestPayments_AccountDelete_Cancels_Subscription(t *testing.T) {

 	// Create tier and user
 	require.Nil(t, s.userManager.AddTier(&user.Tier{
-		ID:            "ti_123",
-		Code:          "pro",
-		StripePriceID: "price_123",
+		ID:                   "ti_123",
+		Code:                 "pro",
+		StripeMonthlyPriceID: "price_123",
 	}))
 	require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleUser))

@@ -267,7 +275,7 @@ func TestPayments_Checkout_Success_And_Increase_Rate_Limits_Reset_Visitor(t *tes
 	require.Nil(t, s.userManager.AddTier(&user.Tier{
 		ID:                    "ti_123",
 		Code:                  "starter",
-		StripePriceID:         "price_1234",
+		StripeMonthlyPriceID:  "price_1234",
 		ReservationLimit:      1,
 		MessageLimit:          220, // 220 * 5% = 11 requests before rate limiting kicks in
 		MessageExpiryDuration: time.Hour,
@@ -298,7 +306,12 @@ func TestPayments_Checkout_Success_And_Increase_Rate_Limits_Reset_Visitor(t *tes
 			Items: &stripe.SubscriptionItemList{
 				Data: []*stripe.SubscriptionItem{
 					{
-						Price: &stripe.Price{ID: "price_1234"},
+						Price: &stripe.Price{
+							ID: "price_1234",
+							Recurring: &stripe.PriceRecurring{
+								Interval: stripe.PriceRecurringIntervalMonth,
+							},
+						},
 					},
 				},
 			},
@@ -333,6 +346,7 @@ func TestPayments_Checkout_Success_And_Increase_Rate_Limits_Reset_Visitor(t *tes
 	require.Equal(t, "", u.Billing.StripeCustomerID)
 	require.Equal(t, "", u.Billing.StripeSubscriptionID)
 	require.Equal(t, stripe.SubscriptionStatus(""), u.Billing.StripeSubscriptionStatus)
+	require.Equal(t, stripe.PriceRecurringInterval(""), u.Billing.StripeSubscriptionInterval)
 	require.Equal(t, int64(0), u.Billing.StripeSubscriptionPaidUntil.Unix())
 	require.Equal(t, int64(0), u.Billing.StripeSubscriptionCancelAt.Unix())
 	require.Equal(t, int64(0), u.Stats.Messages) // Messages and emails are not persisted for no-tier users!
@@ -349,6 +363,7 @@ func TestPayments_Checkout_Success_And_Increase_Rate_Limits_Reset_Visitor(t *tes
 	require.Equal(t, "acct_5555", u.Billing.StripeCustomerID)
 	require.Equal(t, "sub_1234", u.Billing.StripeSubscriptionID)
 	require.Equal(t, stripe.SubscriptionStatusActive, u.Billing.StripeSubscriptionStatus)
+	require.Equal(t, stripe.PriceRecurringIntervalMonth, u.Billing.StripeSubscriptionInterval)
 	require.Equal(t, int64(123456789), u.Billing.StripeSubscriptionPaidUntil.Unix())
 	require.Equal(t, int64(0), u.Billing.StripeSubscriptionCancelAt.Unix())
 	require.Equal(t, int64(0), u.Stats.Messages)
@@ -400,6 +415,8 @@ func TestPayments_Checkout_Success_And_Increase_Rate_Limits_Reset_Visitor(t *tes
 }

 func TestPayments_Webhook_Subscription_Updated_Downgrade_From_PastDue_To_Active(t *testing.T) {
+	t.Parallel()
+
 	// This tests incoming webhooks from Stripe to update a subscription:
 	// - All Stripe columns are updated in the user table
 	// - When downgrading, excess reservations are deleted, including messages and attachments in
@@ -423,7 +440,7 @@ func TestPayments_Webhook_Subscription_Updated_Downgrade_From_PastDue_To_Active(
 	require.Nil(t, s.userManager.AddTier(&user.Tier{
 		ID:                       "ti_1",
 		Code:                     "starter",
-		StripePriceID:            "price_1234", // !
+		StripeMonthlyPriceID:     "price_1234", // !
 		ReservationLimit:         1,            // !
 		MessageLimit:             100,
 		MessageExpiryDuration:    time.Hour,
@@ -435,7 +452,7 @@ func TestPayments_Webhook_Subscription_Updated_Downgrade_From_PastDue_To_Active(
 	require.Nil(t, s.userManager.AddTier(&user.Tier{
 		ID:                       "ti_2",
 		Code:                     "pro",
-		StripePriceID:            "price_1111", // !
+		StripeMonthlyPriceID:     "price_1111", // !
 		ReservationLimit:         3,            // !
 		MessageLimit:             200,
 		MessageExpiryDuration:    time.Hour,
@@ -457,6 +474,7 @@ func TestPayments_Webhook_Subscription_Updated_Downgrade_From_PastDue_To_Active(
 		StripeCustomerID:            "acct_5555",
 		StripeSubscriptionID:        "sub_1234",
 		StripeSubscriptionStatus:    stripe.SubscriptionStatusPastDue,
+		StripeSubscriptionInterval:  stripe.PriceRecurringIntervalMonth,
 		StripeSubscriptionPaidUntil: time.Unix(123, 0),
 		StripeSubscriptionCancelAt:  time.Unix(456, 0),
 	}
@@ -499,9 +517,10 @@ func TestPayments_Webhook_Subscription_Updated_Downgrade_From_PastDue_To_Active(
 	require.Equal(t, "starter", u.Tier.Code) // Not "pro"
 	require.Equal(t, "acct_5555", u.Billing.StripeCustomerID)
 	require.Equal(t, "sub_1234", u.Billing.StripeSubscriptionID)
-	require.Equal(t, stripe.SubscriptionStatusActive, u.Billing.StripeSubscriptionStatus) // Not "past_due"
-	require.Equal(t, int64(1674268231), u.Billing.StripeSubscriptionPaidUntil.Unix())     // Updated
-	require.Equal(t, int64(1674299999), u.Billing.StripeSubscriptionCancelAt.Unix())      // Updated
+	require.Equal(t, stripe.SubscriptionStatusActive, u.Billing.StripeSubscriptionStatus)     // Not "past_due"
+	require.Equal(t, stripe.PriceRecurringIntervalYear, u.Billing.StripeSubscriptionInterval) // Not "month"
+	require.Equal(t, int64(1674268231), u.Billing.StripeSubscriptionPaidUntil.Unix())         // Updated
+	require.Equal(t, int64(1674299999), u.Billing.StripeSubscriptionCancelAt.Unix())          // Updated

 	// Verify that reservations were deleted
 	r, err := s.userManager.Reservations("phil")
@@ -546,10 +565,10 @@ func TestPayments_Webhook_Subscription_Deleted(t *testing.T) {

 	// Create a user with a Stripe subscription and 3 reservations
 	require.Nil(t, s.userManager.AddTier(&user.Tier{
-		ID:               "ti_1",
-		Code:             "pro",
-		StripePriceID:    "price_1234",
-		ReservationLimit: 1,
+		ID:                   "ti_1",
+		Code:                 "pro",
+		StripeMonthlyPriceID: "price_1234",
+		ReservationLimit:     1,
 	}))
 	require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleUser))
 	require.Nil(t, s.userManager.ChangeTier("phil", "pro"))
@@ -562,6 +581,7 @@ func TestPayments_Webhook_Subscription_Deleted(t *testing.T) {
 		StripeCustomerID:            "acct_5555",
 		StripeSubscriptionID:        "sub_1234",
 		StripeSubscriptionStatus:    stripe.SubscriptionStatusPastDue,
+		StripeSubscriptionInterval:  stripe.PriceRecurringIntervalMonth,
 		StripeSubscriptionPaidUntil: time.Unix(123, 0),
 		StripeSubscriptionCancelAt:  time.Unix(0, 0),
 	}))
@@ -615,11 +635,11 @@ func TestPayments_Subscription_Update_Different_Tier(t *testing.T) {
 	stripeMock.
 		On("UpdateSubscription", "sub_123", &stripe.SubscriptionParams{
 			CancelAtPeriodEnd: stripe.Bool(false),
-			ProrationBehavior: stripe.String(string(stripe.SubscriptionSchedulePhaseProrationBehaviorCreateProrations)),
+			ProrationBehavior: stripe.String(string(stripe.SubscriptionSchedulePhaseProrationBehaviorAlwaysInvoice)),
 			Items: []*stripe.SubscriptionItemsParams{
 				{
 					ID:    stripe.String("someid_123"),
-					Price: stripe.String("price_456"),
+					Price: stripe.String("price_457"),
 				},
 			},
 		}).
@@ -627,14 +647,16 @@ func TestPayments_Subscription_Update_Different_Tier(t *testing.T) {

 	// Create tier and user
 	require.Nil(t, s.userManager.AddTier(&user.Tier{
-		ID:            "ti_123",
-		Code:          "pro",
-		StripePriceID: "price_123",
+		ID:                   "ti_123",
+		Code:                 "pro",
+		StripeMonthlyPriceID: "price_123",
+		StripeYearlyPriceID:  "price_124",
 	}))
 	require.Nil(t, s.userManager.AddTier(&user.Tier{
-		ID:            "ti_456",
-		Code:          "business",
-		StripePriceID: "price_456",
+		ID:                   "ti_456",
+		Code:                 "business",
+		StripeMonthlyPriceID: "price_456",
+		StripeYearlyPriceID:  "price_457",
 	}))
 	require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleUser))
 	require.Nil(t, s.userManager.ChangeTier("phil", "pro"))
@@ -644,7 +666,7 @@ func TestPayments_Subscription_Update_Different_Tier(t *testing.T) {
 	}))

 	// Call endpoint to change subscription
-	rr := request(t, s, "PUT", "/v1/account/billing/subscription", `{"tier":"business"}`, map[string]string{
+	rr := request(t, s, "PUT", "/v1/account/billing/subscription", `{"tier":"business","interval":"year"}`, map[string]string{
 		"Authorization": util.BasicAuth("phil", "phil"),
 	})
 	require.Equal(t, 200, rr.Code)
@@ -795,7 +817,10 @@ const subscriptionUpdatedEventJSON = `
 				"data": [
 					{
 						"price": {
-							"id": "price_1234"
+							"id": "price_1234",
+							"recurring": {
+								"interval": "year"
+							}
 						}
 					}
 				]
@@ -818,7 +843,10 @@ const subscriptionDeletedEventJSON = `
 				"data": [
 					{
 						"price": {
-							"id": "price_1234"
+							"id": "price_1234",
+							"recurring": {
+								"interval": "month"
+							}
 						}
 					}
 				]
--- a/server/server_test.go
+++ b/server/server_test.go
@@ -15,6 +15,7 @@ import (
 	"net/netip"
 	"os"
 	"path/filepath"
+	"runtime/debug"
 	"strings"
 	"sync"
 	"testing"
@@ -83,7 +84,34 @@ func TestServer_PublishWithFirebase(t *testing.T) {
 	require.Equal(t, "my first message", sender.Messages()[0].APNS.Payload.CustomData["message"])
 }

+func TestServer_PublishWithFirebase_WithoutUsers_AndWithoutPanic(t *testing.T) {
+	// This tests issue #641, which used to panic before the fix
+
+	firebaseKeyFile := filepath.Join(t.TempDir(), "firebase.json")
+	contents := `{
+  "type": "service_account",
+  "project_id": "ntfy-test",
+  "private_key_id": "fsfhskjdfhskdhfskdjfhsdf",
+  "private_key": "lalala",
+  "client_email": "firebase-adminsdk-muv04@ntfy-test.iam.gserviceaccount.com",
+  "client_id": "123123213",
+  "auth_uri": "https://accounts.google.com/o/oauth2/auth",
+  "token_uri": "https://oauth2.googleapis.com/token",
+  "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
+  "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/firebase-adminsdk-muv04%40ntfy-test.iam.gserviceaccount.com"
+}
+`
+	require.Nil(t, os.WriteFile(firebaseKeyFile, []byte(contents), 0600))
+	c := newTestConfig(t)
+	c.FirebaseKeyFile = firebaseKeyFile
+	s := newTestServer(t, c)
+
+	response := request(t, s, "PUT", "/mytopic", "my first message", nil)
+	require.Equal(t, "my first message", toMessage(t, response.Body.String()).Message)
+}
+
 func TestServer_SubscribeOpenAndKeepalive(t *testing.T) {
+	t.Parallel()
 	c := newTestConfig(t)
 	c.KeepaliveInterval = time.Second
 	s := newTestServer(t, c)
@@ -122,6 +150,7 @@ func TestServer_SubscribeOpenAndKeepalive(t *testing.T) {
 }

 func TestServer_PublishAndSubscribe(t *testing.T) {
+	t.Parallel()
 	s := newTestServer(t, newTestConfig(t))

 	subscribeRR := httptest.NewRecorder()
@@ -149,6 +178,8 @@ func TestServer_PublishAndSubscribe(t *testing.T) {
 	require.Equal(t, "", messages[1].Title)
 	require.Equal(t, 0, messages[1].Priority)
 	require.Nil(t, messages[1].Tags)
+	require.True(t, time.Now().Add(12*time.Hour-5*time.Second).Unix() < messages[1].Expires)
+	require.True(t, time.Now().Add(12*time.Hour+5*time.Second).Unix() > messages[1].Expires)

 	require.Equal(t, messageEvent, messages[2].Event)
 	require.Equal(t, "mytopic", messages[2].Topic)
@@ -287,6 +318,7 @@ func TestServer_PublishNoCache(t *testing.T) {
 	msg := toMessage(t, response.Body.String())
 	require.NotEmpty(t, msg.ID)
 	require.Equal(t, "this message is not cached", msg.Message)
+	require.Equal(t, int64(0), msg.Expires)

 	response = request(t, s, "GET", "/mytopic/json?poll=1", "", nil)
 	messages := toMessages(t, response.Body.String())
@@ -294,6 +326,7 @@ func TestServer_PublishNoCache(t *testing.T) {
 }

 func TestServer_PublishAt(t *testing.T) {
+	t.Parallel()
 	c := newTestConfig(t)
 	c.MinDelay = time.Second
 	c.DelayedSenderInterval = 100 * time.Millisecond
@@ -449,6 +482,7 @@ func TestServer_PublishWithNopCache(t *testing.T) {
 }

 func TestServer_PublishAndPollSince(t *testing.T) {
+	t.Parallel()
 	s := newTestServer(t, newTestConfig(t))

 	request(t, s, "PUT", "/mytopic", "test 1", nil)
@@ -629,6 +663,7 @@ func TestServer_PollWithQueryFilters(t *testing.T) {
 }

 func TestServer_SubscribeWithQueryFilters(t *testing.T) {
+	t.Parallel()
 	c := newTestConfig(t)
 	c.KeepaliveInterval = 800 * time.Millisecond
 	s := newTestServer(t, c)
@@ -761,6 +796,7 @@ func TestServer_Auth_Fail_CannotPublish(t *testing.T) {

 func TestServer_Auth_Fail_Rate_Limiting(t *testing.T) {
 	c := newTestConfigWithAuthFile(t)
+	c.VisitorAuthFailureLimitBurst = 10
 	s := newTestServer(t, c)

 	for i := 0; i < 10; i++ {
@@ -793,7 +829,27 @@ func TestServer_Auth_ViaQuery(t *testing.T) {
 	require.Equal(t, 401, response.Code)
 }

+func TestServer_Auth_NonBasicHeader(t *testing.T) {
+	s := newTestServer(t, newTestConfigWithAuthFile(t))
+
+	response := request(t, s, "PUT", "/mytopic", "test", map[string]string{
+		"Authorization": "WebPush not-supported",
+	})
+	require.Equal(t, 200, response.Code)
+
+	response = request(t, s, "PUT", "/mytopic", "test", map[string]string{
+		"Authorization": "Bearer supported",
+	})
+	require.Equal(t, 401, response.Code)
+
+	response = request(t, s, "PUT", "/mytopic", "test", map[string]string{
+		"Authorization": "basic supported",
+	})
+	require.Equal(t, 401, response.Code)
+}
+
 func TestServer_StatsResetter(t *testing.T) {
+	t.Parallel()
 	// This tests the stats resetter for
 	// - an anonymous user
 	// - a user without a tier (treated like the same as the anonymous user)
@@ -860,7 +916,15 @@ func TestServer_StatsResetter(t *testing.T) {
 	require.Equal(t, int64(2), account.Stats.Messages)

 	// Wait for stats resetter to run
-	time.Sleep(2200 * time.Millisecond)
+	waitFor(t, func() bool {
+		response = request(t, s, "GET", "/v1/account", "", map[string]string{
+			"Authorization": util.BasicAuth("phil", "phil"),
+		})
+		require.Equal(t, 200, response.Code)
+		account, err = util.UnmarshalJSON[apiAccountResponse](io.NopCloser(response.Body))
+		require.Nil(t, err)
+		return account.Stats.Messages == 0
+	})

 	// User stats show 0 messages now!
 	response = request(t, s, "GET", "/v1/account", "", map[string]string{
@@ -934,6 +998,8 @@ func TestServer_StatsResetter_MessageLimiter_EmailsLimiter(t *testing.T) {
 }

 func TestServer_DailyMessageQuotaFromDatabase(t *testing.T) {
+	t.Parallel()
+
 	// This tests that the daily message quota is prefilled originally from the database,
 	// if the visitor is unknown

@@ -1006,15 +1072,29 @@ func TestServer_PublishTooRequests_Defaults(t *testing.T) {

 func TestServer_PublishTooRequests_Defaults_ExemptHosts(t *testing.T) {
 	c := newTestConfig(t)
+	c.VisitorRequestLimitBurst = 3
 	c.VisitorRequestExemptIPAddrs = []netip.Prefix{netip.MustParsePrefix("9.9.9.9/32")} // see request()
 	s := newTestServer(t, c)
-	for i := 0; i < 65; i++ { // > 60
+	for i := 0; i < 5; i++ { // > 3
 		response := request(t, s, "PUT", "/mytopic", fmt.Sprintf("message %d", i), nil)
 		require.Equal(t, 200, response.Code)
 	}
 }

+func TestServer_PublishTooRequests_Defaults_ExemptHosts_MessageDailyLimit(t *testing.T) {
+	c := newTestConfig(t)
+	c.VisitorRequestLimitBurst = 10
+	c.VisitorMessageDailyLimit = 4
+	c.VisitorRequestExemptIPAddrs = []netip.Prefix{netip.MustParsePrefix("9.9.9.9/32")} // see request()
+	s := newTestServer(t, c)
+	for i := 0; i < 8; i++ { // 4
+		response := request(t, s, "PUT", "/mytopic", "message", nil)
+		require.Equal(t, 200, response.Code)
+	}
+}
+
 func TestServer_PublishTooRequests_ShortReplenish(t *testing.T) {
+	t.Parallel()
 	c := newTestConfig(t)
 	c.VisitorRequestLimitBurst = 60
 	c.VisitorRequestLimitReplenish = time.Second
@@ -1047,6 +1127,7 @@ func TestServer_PublishTooManyEmails_Defaults(t *testing.T) {
 }

 func TestServer_PublishTooManyEmails_Replenish(t *testing.T) {
+	t.Parallel()
 	c := newTestConfig(t)
 	c.VisitorEmailLimitReplenish = 500 * time.Millisecond
 	s := newTestServer(t, c)
@@ -1092,6 +1173,63 @@ func TestServer_PublishEmailNoMailer_Fail(t *testing.T) {
 	require.Equal(t, 400, response.Code)
 }

+func TestServer_PublishAndExpungeTopicAfter16Hours(t *testing.T) {
+	t.Parallel()
+	s := newTestServer(t, newTestConfig(t))
+
+	subFn := func(v *visitor, msg *message) error {
+		return nil
+	}
+
+	// Publish and check last access
+	response := request(t, s, "POST", "/mytopic", "test", map[string]string{
+		"Cache": "no",
+	})
+	require.Equal(t, 200, response.Code)
+	waitFor(t, func() bool {
+		// .lastAccess set in t.Publish() -> t.Keepalive() in Goroutine
+		s.topics["mytopic"].mu.RLock()
+		defer s.topics["mytopic"].mu.RUnlock()
+		return s.topics["mytopic"].lastAccess.Unix() >= time.Now().Unix()-2 &&
+			s.topics["mytopic"].lastAccess.Unix() <= time.Now().Unix()+2
+	})
+
+	// Topic won't get pruned
+	s.execManager()
+	require.NotNil(t, s.topics["mytopic"])
+
+	// Fudge with last access, but subscribe, and see that it won't get pruned (because of subscriber)
+	subID := s.topics["mytopic"].Subscribe(subFn, "", func() {})
+	s.topics["mytopic"].mu.Lock()
+	s.topics["mytopic"].lastAccess = time.Now().Add(-17 * time.Hour)
+	s.topics["mytopic"].mu.Unlock()
+	s.execManager()
+	require.NotNil(t, s.topics["mytopic"])
+
+	// It'll finally get pruned now that there are no subscribers and last access is 17 hours ago
+	s.topics["mytopic"].Unsubscribe(subID)
+	s.execManager()
+	require.Nil(t, s.topics["mytopic"])
+}
+
+func TestServer_TopicKeepaliveOnPoll(t *testing.T) {
+	t.Parallel()
+	s := newTestServer(t, newTestConfig(t))
+
+	// Create topic by polling once
+	response := request(t, s, "GET", "/mytopic/json?poll=1", "", nil)
+	require.Equal(t, 200, response.Code)
+
+	// Mess with last access time
+	s.topics["mytopic"].lastAccess = time.Now().Add(-17 * time.Hour)
+
+	// Poll again and check keepalive time
+	response = request(t, s, "GET", "/mytopic/json?poll=1", "", nil)
+	require.Equal(t, 200, response.Code)
+	require.True(t, s.topics["mytopic"].lastAccess.Unix() >= time.Now().Unix()-2)
+	require.True(t, s.topics["mytopic"].lastAccess.Unix() <= time.Now().Unix()+2)
+}
+
 func TestServer_UnifiedPushDiscovery(t *testing.T) {
 	s := newTestServer(t, newTestConfig(t))
 	response := request(t, s, "GET", "/mytopic?up=1", "", nil)
@@ -1105,7 +1243,15 @@ func TestServer_PublishUnifiedPushBinary_AndPoll(t *testing.T) {
 	require.Nil(t, err)

 	s := newTestServer(t, newTestConfig(t))
-	response := request(t, s, "PUT", "/mytopic?up=1", string(b), nil)
+
+	// Register a UnifiedPush subscriber
+	response := request(t, s, "GET", "/up123456789012/json?poll=1", "", map[string]string{
+		"Rate-Topics": "up123456789012",
+	})
+	require.Equal(t, 200, response.Code)
+
+	// Publish message to topic
+	response = request(t, s, "PUT", "/up123456789012?up=1", string(b), nil)
 	require.Equal(t, 200, response.Code)

 	m := toMessage(t, response.Body.String())
@@ -1114,7 +1260,8 @@ func TestServer_PublishUnifiedPushBinary_AndPoll(t *testing.T) {
 	require.Nil(t, err)
 	require.Equal(t, b, b2)

-	response = request(t, s, "GET", "/mytopic/json?poll=1", string(b), nil)
+	// Retrieve and check published message
+	response = request(t, s, "GET", "/up123456789012/json?poll=1", string(b), nil)
 	require.Equal(t, 200, response.Code)
 	m = toMessage(t, response.Body.String())
 	require.Equal(t, "base64", m.Encoding)
@@ -1129,7 +1276,15 @@ func TestServer_PublishUnifiedPushBinary_Truncated(t *testing.T) {
 	require.Nil(t, err)

 	s := newTestServer(t, newTestConfig(t))
-	response := request(t, s, "PUT", "/mytopic?up=1", string(b), nil)
+
+	// Register a UnifiedPush subscriber
+	response := request(t, s, "GET", "/mytopic/json?poll=1", "", map[string]string{
+		"Rate-Topics": "mytopic",
+	})
+	require.Equal(t, 200, response.Code)
+
+	// Publish message to topic
+	response = request(t, s, "PUT", "/mytopic?up=1", string(b), nil)
 	require.Equal(t, 200, response.Code)

 	m := toMessage(t, response.Body.String())
@@ -1142,7 +1297,15 @@ func TestServer_PublishUnifiedPushBinary_Truncated(t *testing.T) {

 func TestServer_PublishUnifiedPushText(t *testing.T) {
 	s := newTestServer(t, newTestConfig(t))
-	response := request(t, s, "PUT", "/mytopic?up=1", "this is a unifiedpush text message", nil)
+
+	// Register a UnifiedPush subscriber
+	response := request(t, s, "GET", "/mytopic/json?poll=1", "", map[string]string{
+		"Rate-Topics": "mytopic",
+	})
+	require.Equal(t, 200, response.Code)
+
+	// Publish UnifiedPush text message
+	response = request(t, s, "PUT", "/mytopic?up=1", "this is a unifiedpush text message", nil)
 	require.Equal(t, 200, response.Code)

 	m := toMessage(t, response.Body.String())
@@ -1169,8 +1332,14 @@ func TestServer_MatrixGateway_Discovery_Failure_Unconfigured(t *testing.T) {

 func TestServer_MatrixGateway_Push_Success(t *testing.T) {
 	s := newTestServer(t, newTestConfig(t))
+
+	response := request(t, s, "GET", "/mytopic/json?poll=1", "", map[string]string{
+		"Rate-Topics": "mytopic", // Register first!
+	})
+	require.Equal(t, 200, response.Code)
+
 	notification := `{"notification":{"devices":[{"pushkey":"http://127.0.0.1:12345/mytopic?up=1"}]}}`
-	response := request(t, s, "POST", "/_matrix/push/v1/notify", notification, nil)
+	response = request(t, s, "POST", "/_matrix/push/v1/notify", notification, nil)
 	require.Equal(t, 200, response.Code)
 	require.Equal(t, `{"rejected":[]}`+"\n", response.Body.String())

@@ -1180,6 +1349,42 @@ func TestServer_MatrixGateway_Push_Success(t *testing.T) {
 	require.Equal(t, notification, m.Message)
 }

+func TestServer_MatrixGateway_Push_Failure_NoSubscriber(t *testing.T) {
+	c := newTestConfig(t)
+	c.VisitorSubscriberRateLimiting = true
+	s := newTestServer(t, c)
+	notification := `{"notification":{"devices":[{"pushkey":"http://127.0.0.1:12345/mytopic?up=1"}]}}`
+	response := request(t, s, "POST", "/_matrix/push/v1/notify", notification, nil)
+	require.Equal(t, 507, response.Code)
+	require.Equal(t, 50701, toHTTPError(t, response.Body.String()).Code)
+}
+
+func TestServer_MatrixGateway_Push_Failure_NoSubscriber_After13Hours(t *testing.T) {
+	c := newTestConfig(t)
+	c.VisitorSubscriberRateLimiting = true
+	s := newTestServer(t, c)
+	notification := `{"notification":{"devices":[{"pushkey":"http://127.0.0.1:12345/mytopic?up=1"}]}}`
+
+	// No success if no rate visitor set (this also creates the topic in memory)
+	response := request(t, s, "POST", "/_matrix/push/v1/notify", notification, nil)
+	require.Equal(t, 507, response.Code)
+	require.Equal(t, 50701, toHTTPError(t, response.Body.String()).Code)
+	require.Nil(t, s.topics["mytopic"].rateVisitor)
+
+	// Fake: This topic has been around for 13 hours without a rate visitor
+	s.topics["mytopic"].lastAccess = time.Now().Add(-13 * time.Hour)
+
+	// Same request should now return HTTP 200 with a rejected pushkey
+	response = request(t, s, "POST", "/_matrix/push/v1/notify", notification, nil)
+	require.Equal(t, 200, response.Code)
+	require.Equal(t, `{"rejected":["http://127.0.0.1:12345/mytopic?up=1"]}`, strings.TrimSpace(response.Body.String()))
+
+	// Slightly unrelated: Test that topic is pruned after 16 hours
+	s.topics["mytopic"].lastAccess = time.Now().Add(-17 * time.Hour)
+	s.execManager()
+	require.Nil(t, s.topics["mytopic"])
+}
+
 func TestServer_MatrixGateway_Push_Failure_InvalidPushkey(t *testing.T) {
 	s := newTestServer(t, newTestConfig(t))
 	notification := `{"notification":{"devices":[{"pushkey":"http://wrong-base-url.com/mytopic?up=1"}]}}`
@@ -1197,9 +1402,12 @@ func TestServer_MatrixGateway_Push_Failure_EverythingIsWrong(t *testing.T) {
 	notification := `{"message":"this is not really a Matrix message"}`
 	response := request(t, s, "POST", "/_matrix/push/v1/notify", notification, nil)
 	require.Equal(t, 400, response.Code)
-	err := toHTTPError(t, response.Body.String())
-	require.Equal(t, 40019, err.Code)
-	require.Equal(t, 400, err.HTTPCode)
+	require.Equal(t, 40019, toHTTPError(t, response.Body.String()).Code)
+
+	notification = `this isn't even JSON'`
+	response = request(t, s, "POST", "/_matrix/push/v1/notify", notification, nil)
+	require.Equal(t, 400, response.Code)
+	require.Equal(t, 40019, toHTTPError(t, response.Body.String()).Code)
 }

 func TestServer_MatrixGateway_Push_Failure_Unconfigured(t *testing.T) {
@@ -1209,9 +1417,7 @@ func TestServer_MatrixGateway_Push_Failure_Unconfigured(t *testing.T) {
 	notification := `{"notification":{"devices":[{"pushkey":"http://127.0.0.1:12345/mytopic?up=1"}]}}`
 	response := request(t, s, "POST", "/_matrix/push/v1/notify", notification, nil)
 	require.Equal(t, 500, response.Code)
-	err := toHTTPError(t, response.Body.String())
-	require.Equal(t, 50003, err.Code)
-	require.Equal(t, 500, err.HTTPCode)
+	require.Equal(t, 50003, toHTTPError(t, response.Body.String()).Code)
 }

 func TestServer_PublishActions_AndPoll(t *testing.T) {
@@ -1257,7 +1463,24 @@ func TestServer_PublishAsJSON(t *testing.T) {
 	require.True(t, m.Time < time.Now().Unix()+31*60)
 }

+func TestServer_PublishAsJSON_RateLimit_MessageDailyLimit(t *testing.T) {
+	// Publishing as JSON follows a different path. This ensures that rate
+	// limiting works for this endpoint as well
+	c := newTestConfig(t)
+	c.VisitorMessageDailyLimit = 3
+	s := newTestServer(t, c)
+
+	for i := 0; i < 3; i++ {
+		response := request(t, s, "PUT", "/", `{"topic":"mytopic","message":"A message"}`, nil)
+		require.Equal(t, 200, response.Code)
+	}
+	response := request(t, s, "PUT", "/", `{"topic":"mytopic","message":"A message"}`, nil)
+	require.Equal(t, 429, response.Code)
+	require.Equal(t, 42908, toHTTPError(t, response.Body.String()).Code)
+}
+
 func TestServer_PublishAsJSON_WithEmail(t *testing.T) {
+	t.Parallel()
 	mailer := &testMailer{}
 	s := newTestServer(t, newTestConfig(t))
 	s.smtpSender = mailer
@@ -1498,7 +1721,7 @@ func TestServer_PublishAttachmentTooLargeBodyVisitorAttachmentTotalSizeLimit(t *
 	c.VisitorAttachmentTotalSizeLimit = 10000
 	s := newTestServer(t, c)

-	response := request(t, s, "PUT", "/mytopic", util.RandomString(5000), nil)
+	response := request(t, s, "PUT", "/mytopic", "text file!"+util.RandomString(4990), nil)
 	msg := toMessage(t, response.Body.String())
 	require.Equal(t, 200, response.Code)
 	require.Equal(t, "You received a file: attachment.txt", msg.Message)
@@ -1513,6 +1736,7 @@ func TestServer_PublishAttachmentTooLargeBodyVisitorAttachmentTotalSizeLimit(t *
 }

 func TestServer_PublishAttachmentAndExpire(t *testing.T) {
+	t.Parallel()
 	content := util.RandomString(5000) // > 4096

 	c := newTestConfig(t)
@@ -1532,14 +1756,16 @@ func TestServer_PublishAttachmentAndExpire(t *testing.T) {
 	require.Equal(t, content, response.Body.String())

 	// Prune and makes sure it's gone
-	time.Sleep(time.Second) // Sigh ...
-	s.execManager()
-	require.NoFileExists(t, file)
+	waitFor(t, func() bool {
+		s.execManager() // May run many times
+		return !util.FileExists(file)
+	})
 	response = request(t, s, "GET", path, "", nil)
 	require.Equal(t, 404, response.Code)
 }

 func TestServer_PublishAttachmentWithTierBasedExpiry(t *testing.T) {
+	t.Parallel()
 	content := util.RandomString(5000) // > 4096

 	c := newTestConfigWithAuthFile(t)
@@ -1807,6 +2033,7 @@ func TestServer_Visitor_XForwardedFor_Multiple(t *testing.T) {
 }

 func TestServer_PublishWhileUpdatingStatsWithLotsOfMessages(t *testing.T) {
+	t.Parallel()
 	count := 50000
 	c := newTestConfig(t)
 	c.TotalTopicLimit = 50001
@@ -1886,6 +2113,255 @@ func TestServer_AnonymousUser_And_NonTierUser_Are_Same_Visitor(t *testing.T) {
 	require.Equal(t, int64(2), account.Stats.Messages)
 }

+func TestServer_SubscriberRateLimiting_Success(t *testing.T) {
+	c := newTestConfigWithAuthFile(t)
+	c.VisitorRequestLimitBurst = 3
+	c.VisitorSubscriberRateLimiting = true
+	s := newTestServer(t, c)
+
+	// "Register" visitor 1.2.3.4 to topic "subscriber1topic" as a rate limit visitor
+	subscriber1Fn := func(r *http.Request) {
+		r.RemoteAddr = "1.2.3.4"
+	}
+	rr := request(t, s, "GET", "/subscriber1topic/json?poll=1", "", map[string]string{
+		"Rate-Topics": "subscriber1topic",
+	}, subscriber1Fn)
+	require.Equal(t, 200, rr.Code)
+	require.Equal(t, "", rr.Body.String())
+	require.Equal(t, "1.2.3.4", s.topics["subscriber1topic"].rateVisitor.ip.String())
+
+	// "Register" visitor 8.7.7.1 to topic "up012345678912" as a rate limit visitor (implicitly via topic name)
+	subscriber2Fn := func(r *http.Request) {
+		r.RemoteAddr = "8.7.7.1"
+	}
+	rr = request(t, s, "GET", "/up012345678912/json?poll=1", "", nil, subscriber2Fn)
+	require.Equal(t, 200, rr.Code)
+	require.Equal(t, "", rr.Body.String())
+	require.Equal(t, "8.7.7.1", s.topics["up012345678912"].rateVisitor.ip.String())
+
+	// Publish 2 messages to "subscriber1topic" as visitor 9.9.9.9. It'd be 3 normally, but the
+	// GET request before is also counted towards the request limiter.
+	for i := 0; i < 2; i++ {
+		rr := request(t, s, "PUT", "/subscriber1topic", "some message", nil)
+		require.Equal(t, 200, rr.Code)
+	}
+	rr = request(t, s, "PUT", "/subscriber1topic", "some message", nil)
+	require.Equal(t, 429, rr.Code)
+
+	// Publish another 2 messages to "up012345678912" as visitor 9.9.9.9
+	for i := 0; i < 2; i++ {
+		rr := request(t, s, "PUT", "/up012345678912", "some message", nil)
+		require.Equal(t, 200, rr.Code) // If we fail here, handlePublish is using the wrong visitor!
+	}
+	rr = request(t, s, "PUT", "/up012345678912", "some message", nil)
+	require.Equal(t, 429, rr.Code)
+
+	// Hurray! At this point, visitor 9.9.9.9 has published 4 messages, even though
+	// VisitorRequestLimitBurst is 3. That means it's working.
+
+	// Now let's confirm that so far we haven't used up any of visitor 9.9.9.9's request limiter
+	// by publishing another 3 requests from it.
+	for i := 0; i < 3; i++ {
+		rr := request(t, s, "PUT", "/some-other-topic", "some message", nil)
+		require.Equal(t, 200, rr.Code)
+	}
+	rr = request(t, s, "PUT", "/some-other-topic", "some message", nil)
+	require.Equal(t, 429, rr.Code)
+}
+
+func TestServer_SubscriberRateLimiting_NotEnabled_Failed(t *testing.T) {
+	c := newTestConfigWithAuthFile(t)
+	c.VisitorRequestLimitBurst = 3
+	c.VisitorSubscriberRateLimiting = false
+	s := newTestServer(t, c)
+
+	// Subscriber rate limiting is disabled!
+
+	// Registering visitor 1.2.3.4 to topic has no effect
+	rr := request(t, s, "GET", "/subscriber1topic/json?poll=1", "", map[string]string{
+		"Rate-Topics": "subscriber1topic",
+	}, func(r *http.Request) {
+		r.RemoteAddr = "1.2.3.4"
+	})
+	require.Equal(t, 200, rr.Code)
+	require.Equal(t, "", rr.Body.String())
+	require.Nil(t, s.topics["subscriber1topic"].rateVisitor)
+
+	// Registering visitor 8.7.7.1 to topic has no effect
+	rr = request(t, s, "GET", "/up012345678912/json?poll=1", "", nil, func(r *http.Request) {
+		r.RemoteAddr = "8.7.7.1"
+	})
+	require.Equal(t, 200, rr.Code)
+	require.Equal(t, "", rr.Body.String())
+	require.Nil(t, s.topics["up012345678912"].rateVisitor)
+
+	// Publish 3 messages to "subscriber1topic" as visitor 9.9.9.9
+	for i := 0; i < 3; i++ {
+		rr := request(t, s, "PUT", "/subscriber1topic", "some message", nil)
+		require.Equal(t, 200, rr.Code)
+	}
+	rr = request(t, s, "PUT", "/subscriber1topic", "some message", nil)
+	require.Equal(t, 429, rr.Code)
+	rr = request(t, s, "PUT", "/up012345678912", "some message", nil)
+	require.Equal(t, 429, rr.Code)
+}
+
+func TestServer_SubscriberRateLimiting_UP_Only(t *testing.T) {
+	c := newTestConfigWithAuthFile(t)
+	c.VisitorRequestLimitBurst = 3
+	c.VisitorSubscriberRateLimiting = true
+	s := newTestServer(t, c)
+
+	// "Register" 5 different UnifiedPush visitors
+	for i := 0; i < 5; i++ {
+		subscriberFn := func(r *http.Request) {
+			r.RemoteAddr = fmt.Sprintf("1.2.3.%d", i+1)
+		}
+		rr := request(t, s, "GET", fmt.Sprintf("/up12345678901%d/json?poll=1", i), "", nil, subscriberFn)
+		require.Equal(t, 200, rr.Code)
+	}
+
+	// Publish 2 messages per topic
+	for i := 0; i < 5; i++ {
+		for j := 0; j < 2; j++ {
+			rr := request(t, s, "PUT", fmt.Sprintf("/up12345678901%d?up=1", i), "some message", nil)
+			require.Equal(t, 200, rr.Code)
+		}
+	}
+}
+
+func TestServer_Matrix_SubscriberRateLimiting_UP_Only(t *testing.T) {
+	c := newTestConfig(t)
+	c.VisitorRequestLimitBurst = 3
+	c.VisitorSubscriberRateLimiting = true
+	s := newTestServer(t, c)
+
+	// "Register" 5 different UnifiedPush visitors
+	for i := 0; i < 5; i++ {
+		rr := request(t, s, "GET", fmt.Sprintf("/up12345678901%d/json?poll=1", i), "", nil, func(r *http.Request) {
+			r.RemoteAddr = fmt.Sprintf("1.2.3.%d", i+1)
+		})
+		require.Equal(t, 200, rr.Code)
+	}
+
+	// Publish 2 messages per topic
+	for i := 0; i < 5; i++ {
+		notification := fmt.Sprintf(`{"notification":{"devices":[{"pushkey":"http://127.0.0.1:12345/up12345678901%d?up=1"}]}}`, i)
+		for j := 0; j < 2; j++ {
+			response := request(t, s, "POST", "/_matrix/push/v1/notify", notification, nil)
+			require.Equal(t, 200, response.Code)
+			require.Equal(t, `{"rejected":[]}`+"\n", response.Body.String())
+		}
+		response := request(t, s, "POST", "/_matrix/push/v1/notify", notification, nil)
+		require.Equal(t, 429, response.Code, notification)
+		require.Equal(t, 42901, toHTTPError(t, response.Body.String()).Code)
+	}
+}
+
+func TestServer_SubscriberRateLimiting_VisitorExpiration(t *testing.T) {
+	c := newTestConfig(t)
+	c.VisitorRequestLimitBurst = 3
+	c.VisitorSubscriberRateLimiting = true
+	s := newTestServer(t, c)
+
+	// "Register" rate visitor
+	subscriberFn := func(r *http.Request) {
+		r.RemoteAddr = "1.2.3.4"
+	}
+	rr := request(t, s, "GET", "/mytopic/json?poll=1", "", map[string]string{
+		"rate-topics": "mytopic",
+	}, subscriberFn)
+	require.Equal(t, 200, rr.Code)
+	require.Equal(t, "1.2.3.4", s.topics["mytopic"].rateVisitor.ip.String())
+	require.Equal(t, s.visitors["ip:1.2.3.4"], s.topics["mytopic"].rateVisitor)
+
+	// Publish message, observe rate visitor tokens being decreased
+	response := request(t, s, "POST", "/mytopic", "some message", nil)
+	require.Equal(t, 200, response.Code)
+	require.Equal(t, int64(0), s.visitors["ip:9.9.9.9"].messagesLimiter.Value())
+	require.Equal(t, int64(1), s.topics["mytopic"].rateVisitor.messagesLimiter.Value())
+	require.Equal(t, s.visitors["ip:1.2.3.4"], s.topics["mytopic"].rateVisitor)
+
+	// Expire visitor
+	s.visitors["ip:1.2.3.4"].seen = time.Now().Add(-1 * 25 * time.Hour)
+	s.pruneVisitors()
+
+	// Publish message again, observe that rateVisitor is not used anymore and is reset
+	response = request(t, s, "POST", "/mytopic", "some message", nil)
+	require.Equal(t, 200, response.Code)
+	require.Equal(t, int64(1), s.visitors["ip:9.9.9.9"].messagesLimiter.Value())
+	require.Nil(t, s.topics["mytopic"].rateVisitor)
+	require.Nil(t, s.visitors["ip:1.2.3.4"])
+}
+
+func TestServer_SubscriberRateLimiting_ProtectedTopics(t *testing.T) {
+	c := newTestConfigWithAuthFile(t)
+	c.AuthDefault = user.PermissionDenyAll
+	c.VisitorSubscriberRateLimiting = true
+	s := newTestServer(t, c)
+
+	// Create some ACLs
+	require.Nil(t, s.userManager.AddTier(&user.Tier{
+		Code:         "test",
+		MessageLimit: 5,
+	}))
+	require.Nil(t, s.userManager.AddUser("ben", "ben", user.RoleUser))
+	require.Nil(t, s.userManager.ChangeTier("ben", "test"))
+	require.Nil(t, s.userManager.AllowAccess("ben", "announcements", user.PermissionReadWrite))
+	require.Nil(t, s.userManager.AllowAccess(user.Everyone, "announcements", user.PermissionRead))
+	require.Nil(t, s.userManager.AllowAccess(user.Everyone, "public_topic", user.PermissionReadWrite))
+
+	require.Nil(t, s.userManager.AddUser("phil", "phil", user.RoleUser))
+	require.Nil(t, s.userManager.ChangeTier("phil", "test"))
+	require.Nil(t, s.userManager.AddReservation("phil", "reserved-for-phil", user.PermissionReadWrite))
+
+	// Set rate visitor as user "phil" on topic
+	// - "reserved-for-phil": Allowed, because I am the owner
+	// - "public_topic": Allowed, because it has read-write permissions for everyone
+	// - "announcements": NOT allowed, because it has read-only permissions for everyone
+	rr := request(t, s, "GET", "/reserved-for-phil,public_topic,announcements/json?poll=1", "", map[string]string{
+		"Authorization": util.BasicAuth("phil", "phil"),
+		"Rate-Topics":   "reserved-for-phil,public_topic,announcements",
+	})
+	require.Equal(t, 200, rr.Code)
+	require.Equal(t, "phil", s.topics["reserved-for-phil"].rateVisitor.user.Name)
+	require.Equal(t, "phil", s.topics["public_topic"].rateVisitor.user.Name)
+	require.Nil(t, s.topics["announcements"].rateVisitor)
+
+	// Set rate visitor as user "ben" on topic
+	// - "reserved-for-phil": NOT allowed, because I am not the owner
+	// - "public_topic": Allowed, because it has read-write permissions for everyone
+	// - "announcements": Allowed, because I have read-write permissions
+	rr = request(t, s, "GET", "/reserved-for-phil,public_topic,announcements/json?poll=1", "", map[string]string{
+		"Authorization": util.BasicAuth("ben", "ben"),
+		"Rate-Topics":   "reserved-for-phil,public_topic,announcements",
+	})
+	require.Equal(t, 200, rr.Code)
+	require.Equal(t, "phil", s.topics["reserved-for-phil"].rateVisitor.user.Name)
+	require.Equal(t, "ben", s.topics["public_topic"].rateVisitor.user.Name)
+	require.Equal(t, "ben", s.topics["announcements"].rateVisitor.user.Name)
+}
+
+func TestServer_SubscriberRateLimiting_ProtectedTopics_WithDefaultReadWrite(t *testing.T) {
+	c := newTestConfigWithAuthFile(t)
+	c.AuthDefault = user.PermissionReadWrite
+	c.VisitorSubscriberRateLimiting = true
+	s := newTestServer(t, c)
+
+	// Create some ACLs
+	require.Nil(t, s.userManager.AllowAccess(user.Everyone, "announcements", user.PermissionRead))
+
+	// Set rate visitor as ip:1.2.3.4 on topic
+	// - "up123456789012": Allowed, because no ACLs and nobody owns the topic
+	// - "announcements": NOT allowed, because it has read-only permissions for everyone
+	rr := request(t, s, "GET", "/up123456789012,announcements/json?poll=1", "", nil, func(r *http.Request) {
+		r.RemoteAddr = "1.2.3.4"
+	})
+	require.Equal(t, 200, rr.Code)
+	require.Equal(t, "1.2.3.4", s.topics["up123456789012"].rateVisitor.ip.String())
+	require.Nil(t, s.topics["announcements"].rateVisitor)
+}
+
 func newTestConfig(t *testing.T) *Config {
 	conf := NewConfig()
 	conf.BaseURL = "http://127.0.0.1:12345"
@@ -1911,17 +2387,20 @@ func newTestServer(t *testing.T, config *Config) *Server {
 	return server
 }

-func request(t *testing.T, s *Server, method, url, body string, headers map[string]string) *httptest.ResponseRecorder {
+func request(t *testing.T, s *Server, method, url, body string, headers map[string]string, fn ...func(r *http.Request)) *httptest.ResponseRecorder {
 	rr := httptest.NewRecorder()
-	req, err := http.NewRequest(method, url, strings.NewReader(body))
+	r, err := http.NewRequest(method, url, strings.NewReader(body))
 	if err != nil {
 		t.Fatal(err)
 	}
-	req.RemoteAddr = "9.9.9.9" // Used for tests
+	r.RemoteAddr = "9.9.9.9" // Used for tests
 	for k, v := range headers {
-		req.Header.Set(k, v)
+		r.Header.Set(k, v)
 	}
-	s.handle(rr, req)
+	for _, f := range fn {
+		f(r)
+	}
+	s.handle(rr, r)
 	return rr
 }

@@ -1973,3 +2452,18 @@ func readAll(t *testing.T, rc io.ReadCloser) string {
 	}
 	return string(b)
 }
+
+func waitFor(t *testing.T, f func() bool) {
+	waitForWithMaxWait(t, 5*time.Second, f)
+}
+
+func waitForWithMaxWait(t *testing.T, maxWait time.Duration, f func() bool) {
+	start := time.Now()
+	for time.Since(start) < maxWait {
+		if f() {
+			return
+		}
+		time.Sleep(100 * time.Millisecond)
+	}
+	t.Fatalf("Function f did not succeed after %v: %v", maxWait, string(debug.Stack()))
+}
--- a/server/smtp_sender.go
+++ b/server/smtp_sender.go
@@ -36,7 +36,10 @@ func (s *smtpSender) Send(v *visitor, m *message, to string) error {
 		if err != nil {
 			return err
 		}
-		auth := smtp.PlainAuth("", s.config.SMTPSenderUser, s.config.SMTPSenderPass, host)
+		var auth smtp.Auth
+		if s.config.SMTPSenderUser != "" {
+			auth = smtp.PlainAuth("", s.config.SMTPSenderUser, s.config.SMTPSenderPass, host)
+		}
 		ev := logvm(v, m).
 			Tag(tagEmail).
 			Fields(log.Context{
--- a/server/smtp_server.go
+++ b/server/smtp_server.go
@@ -2,6 +2,7 @@ package server

 import (
 	"bytes"
+	"encoding/base64"
 	"errors"
 	"fmt"
 	"github.com/emersion/go-smtp"
@@ -21,9 +22,14 @@ var (
 	errInvalidAddress         = errors.New("invalid address")
 	errInvalidTopic           = errors.New("invalid topic")
 	errTooManyRecipients      = errors.New("too many recipients")
+	errMultipartNestedTooDeep = errors.New("multipart message nested too deep")
 	errUnsupportedContentType = errors.New("unsupported content type")
 )

+const (
+	maxMultipartDepth = 2
+)
+
 // smtpBackend implements SMTP server methods.
 type smtpBackend struct {
 	config  *Config
@@ -59,6 +65,7 @@ type smtpSession struct {
 	backend *smtpBackend
 	conn    *smtp.Conn
 	topic   string
+	token   string
 	mu      sync.Mutex
 }

@@ -75,6 +82,7 @@ func (s *smtpSession) Mail(from string, opts *smtp.MailOptions) error {
 func (s *smtpSession) Rcpt(to string) error {
 	logem(s.conn).Field("smtp_rcpt_to", to).Debug("RCPT TO: %s", to)
 	return s.withFailCount(func() error {
+		token := ""
 		conf := s.backend.config
 		addressList, err := mail.ParseAddressList(to)
 		if err != nil {
@@ -86,18 +94,27 @@ func (s *smtpSession) Rcpt(to string) error {
 		if !strings.HasSuffix(to, "@"+conf.SMTPServerDomain) {
 			return errInvalidDomain
 		}
+		// Remove @ntfy.sh from end of email
 		to = strings.TrimSuffix(to, "@"+conf.SMTPServerDomain)
 		if conf.SMTPServerAddrPrefix != "" {
 			if !strings.HasPrefix(to, conf.SMTPServerAddrPrefix) {
 				return errInvalidAddress
 			}
+			// remove ntfy- from beginning of email
 			to = strings.TrimPrefix(to, conf.SMTPServerAddrPrefix)
 		}
+		// If email contains token, split topic and token
+		if strings.Contains(to, "+") {
+			parts := strings.Split(to, "+")
+			to = parts[0]
+			token = parts[1]
+		}
 		if !topicRegex.MatchString(to) {
 			return errInvalidTopic
 		}
 		s.mu.Lock()
 		s.topic = to
+		s.token = token
 		s.mu.Unlock()
 		return nil
 	})
@@ -120,7 +137,7 @@ func (s *smtpSession) Data(r io.Reader) error {
 		if err != nil {
 			return err
 		}
-		body, err := readMailBody(msg)
+		body, err := readMailBody(msg.Body, msg.Header)
 		if err != nil {
 			return err
 		}
@@ -148,6 +165,7 @@ func (s *smtpSession) Data(r io.Reader) error {
 		s.backend.mu.Lock()
 		s.backend.success++
 		s.backend.mu.Unlock()
+		minc(metricEmailsReceivedSuccess)
 		return nil
 	})
 }
@@ -158,7 +176,6 @@ func (s *smtpSession) publishMessage(m *message) error {
 	if err != nil {
 		remoteAddr = s.conn.Conn().RemoteAddr().String()
 	}
-
 	// Call HTTP handler with fake HTTP request
 	url := fmt.Sprintf("%s/%s", s.backend.config.BaseURL, m.Topic)
 	req, err := http.NewRequest("POST", url, strings.NewReader(m.Message))
@@ -171,6 +188,9 @@ func (s *smtpSession) publishMessage(m *message) error {
 	if m.Title != "" {
 		req.Header.Set("Title", m.Title)
 	}
+	if s.token != "" {
+		req.Header.Add("Authorization", "Bearer "+s.token)
+	}
 	rr := httptest.NewRecorder()
 	s.backend.handler(rr, req)
 	if rr.Code != http.StatusOK {
@@ -198,52 +218,57 @@ func (s *smtpSession) withFailCount(fn func() error) error {
 		// We do not want to spam the log with WARN messages.
 		logem(s.conn).Err(err).Debug("Incoming mail error")
 		s.backend.failure++
+		minc(metricEmailsReceivedFailure)
 	}
 	return err
 }

-func readMailBody(msg *mail.Message) (string, error) {
-	if msg.Header.Get("Content-Type") == "" {
-		return readPlainTextMailBody(msg)
+func readMailBody(body io.Reader, header mail.Header) (string, error) {
+	if header.Get("Content-Type") == "" {
+		return readPlainTextMailBody(body, header.Get("Content-Transfer-Encoding"))
 	}
-	contentType, params, err := mime.ParseMediaType(msg.Header.Get("Content-Type"))
+	contentType, params, err := mime.ParseMediaType(header.Get("Content-Type"))
 	if err != nil {
 		return "", err
 	}
-	if contentType == "text/plain" {
-		return readPlainTextMailBody(msg)
-	} else if strings.HasPrefix(contentType, "multipart/") {
-		return readMultipartMailBody(msg, params)
+	if strings.ToLower(contentType) == "text/plain" {
+		return readPlainTextMailBody(body, header.Get("Content-Transfer-Encoding"))
+	} else if strings.HasPrefix(strings.ToLower(contentType), "multipart/") {
+		return readMultipartMailBody(body, params, 0)
 	}
 	return "", errUnsupportedContentType
 }

-func readPlainTextMailBody(msg *mail.Message) (string, error) {
-	body, err := io.ReadAll(msg.Body)
-	if err != nil {
-		return "", err
+func readMultipartMailBody(body io.Reader, params map[string]string, depth int) (string, error) {
+	if depth >= maxMultipartDepth {
+		return "", errMultipartNestedTooDeep
 	}
-	return string(body), nil
-}
-
-func readMultipartMailBody(msg *mail.Message, params map[string]string) (string, error) {
-	mr := multipart.NewReader(msg.Body, params["boundary"])
+	mr := multipart.NewReader(body, params["boundary"])
 	for {
 		part, err := mr.NextPart()
 		if err != nil { // may be io.EOF
 			return "", err
 		}
-		partContentType, _, err := mime.ParseMediaType(part.Header.Get("Content-Type"))
+		partContentType, partParams, err := mime.ParseMediaType(part.Header.Get("Content-Type"))
 		if err != nil {
 			return "", err
 		}
-		if partContentType != "text/plain" {
-			continue
+		if strings.ToLower(partContentType) == "text/plain" {
+			return readPlainTextMailBody(part, part.Header.Get("Content-Transfer-Encoding"))
+		} else if strings.HasPrefix(strings.ToLower(partContentType), "multipart/") {
+			return readMultipartMailBody(part, partParams, depth+1)
 		}
-		body, err := io.ReadAll(part)
-		if err != nil {
-			return "", err
-		}
-		return string(body), nil
+		// Continue with next part
 	}
 }
+
+func readPlainTextMailBody(reader io.Reader, transferEncoding string) (string, error) {
+	if strings.ToLower(transferEncoding) == "base64" {
+		reader = base64.NewDecoder(base64.StdEncoding, reader)
+	}
+	body, err := io.ReadAll(reader)
+	if err != nil {
+		return "", err
+	}
+	return string(body), nil
+}
--- a/server/smtp_server_test.go
+++ b/server/smtp_server_test.go
@@ -348,6 +348,171 @@ what's up
 	writeAndReadUntilLine(t, email, c, scanner, "451 4.0.0 invalid address")
 }

+func TestSmtpBackend_Base64Body(t *testing.T) {
+	email := `EHLO example.com
+MAIL FROM: test@mydomain.me
+RCPT TO: ntfy-mytopic@ntfy.sh
+DATA
+Content-Type: multipart/mixed; boundary="===============2138658284696597373=="
+MIME-Version: 1.0
+Subject: TrueNAS truenas.local: TrueNAS Test Message hostname: truenas.local
+From: =?utf-8?q?Robbie?= <test@mydomain.me>
+To: test@mydomain.me
+Date: Thu, 16 Feb 2023 01:04:00 -0000
+Message-ID: <truenas-20230216.010400.344514.b'8jfL'@truenas.local>
+
+This is a multi-part message in MIME format.
+--===============2138658284696597373==
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: base64
+
+VGhpcyBpcyBhIHRlc3QgbWVzc2FnZSBmcm9tIFRydWVOQVMgQ09SRS4=
+
+--===============2138658284696597373==
+Content-Type: text/html; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: base64
+
+PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9XM0MvL0RURCBIVE1MIDQuMCBUcmFuc2l0aW9uYWwv
+L0VOIj4KClRoaXMgaXMgYSB0ZXN0IG1lc3NhZ2UgZnJvbSBUcnVlTkFTIENPUkUuCg==
+
+--===============2138658284696597373==--
+.
+`
+	s, c, _, scanner := newTestSMTPServer(t, func(w http.ResponseWriter, r *http.Request) {
+		require.Equal(t, "/mytopic", r.URL.Path)
+		require.Equal(t, "TrueNAS truenas.local: TrueNAS Test Message hostname: truenas.local", r.Header.Get("Title"))
+		require.Equal(t, "This is a test message from TrueNAS CORE.", readAll(t, r.Body))
+	})
+	defer s.Close()
+	defer c.Close()
+	writeAndReadUntilLine(t, email, c, scanner, "250 2.0.0 OK: queued")
+}
+
+func TestSmtpBackend_NestedMultipartBase64(t *testing.T) {
+	email := `EHLO example.com
+MAIL FROM: test@mydomain.me
+RCPT TO: ntfy-mytopic@ntfy.sh
+DATA
+Content-Type: multipart/mixed; boundary="===============2138658284696597373=="
+MIME-Version: 1.0
+Subject: TrueNAS truenas.local: TrueNAS Test Message hostname: truenas.local
+From: =?utf-8?q?Robbie?= <test@mydomain.me>
+To: test@mydomain.me
+Date: Thu, 16 Feb 2023 01:04:00 -0000
+Message-ID: <truenas-20230216.010400.344514.b'8jfL'@truenas.local>
+
+This is a multi-part message in MIME format.
+--===============2138658284696597373==
+Content-Type: multipart/alternative; boundary="===============2233989480071754745=="
+MIME-Version: 1.0
+
+--===============2233989480071754745==
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: base64
+
+VGhpcyBpcyBhIHRlc3QgbWVzc2FnZSBmcm9tIFRydWVOQVMgQ09SRS4=
+
+--===============2233989480071754745==
+Content-Type: text/html; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: base64
+
+PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9XM0MvL0RURCBIVE1MIDQuMCBUcmFuc2l0aW9uYWwv
+L0VOIj4KClRoaXMgaXMgYSB0ZXN0IG1lc3NhZ2UgZnJvbSBUcnVlTkFTIENPUkUuCg==
+
+--===============2233989480071754745==--
+
+--===============2138658284696597373==--
+.
+`
+
+	s, c, _, scanner := newTestSMTPServer(t, func(w http.ResponseWriter, r *http.Request) {
+		require.Equal(t, "/mytopic", r.URL.Path)
+		require.Equal(t, "TrueNAS truenas.local: TrueNAS Test Message hostname: truenas.local", r.Header.Get("Title"))
+		require.Equal(t, "This is a test message from TrueNAS CORE.", readAll(t, r.Body))
+	})
+	defer s.Close()
+	defer c.Close()
+	writeAndReadUntilLine(t, email, c, scanner, "250 2.0.0 OK: queued")
+}
+
+func TestSmtpBackend_NestedMultipartTooDeep(t *testing.T) {
+	email := `EHLO example.com
+MAIL FROM: test@mydomain.me
+RCPT TO: ntfy-mytopic@ntfy.sh
+DATA
+Content-Type: multipart/mixed; boundary="===============1=="
+MIME-Version: 1.0
+Subject: TrueNAS truenas.local: TrueNAS Test Message hostname: truenas.local
+From: =?utf-8?q?Robbie?= <test@mydomain.me>
+To: test@mydomain.me
+Date: Thu, 16 Feb 2023 01:04:00 -0000
+Message-ID: <truenas-20230216.010400.344514.b'8jfL'@truenas.local>
+
+This is a multi-part message in MIME format.
+--===============1==
+Content-Type: multipart/alternative; boundary="===============2=="
+MIME-Version: 1.0
+
+--===============2==
+Content-Type: multipart/alternative; boundary="===============3=="
+MIME-Version: 1.0
+
+--===============3==
+Content-Type: text/plain; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: base64
+
+VGhpcyBpcyBhIHRlc3QgbWVzc2FnZSBmcm9tIFRydWVOQVMgQ09SRS4=
+
+--===============3==
+Content-Type: text/html; charset="utf-8"
+MIME-Version: 1.0
+Content-Transfer-Encoding: base64
+
+PCFET0NUWVBFIEhUTUwgUFVCTElDICItLy9XM0MvL0RURCBIVE1MIDQuMCBUcmFuc2l0aW9uYWwv
+L0VOIj4KClRoaXMgaXMgYSB0ZXN0IG1lc3NhZ2UgZnJvbSBUcnVlTkFTIENPUkUuCg==
+
+--===============3==--
+
+--===============2==--
+
+--===============1==--
+.
+`
+
+	s, c, _, scanner := newTestSMTPServer(t, func(w http.ResponseWriter, r *http.Request) {
+		t.Fatal("This should not be called")
+	})
+	defer s.Close()
+	defer c.Close()
+	writeAndReadUntilLine(t, email, c, scanner, "554 5.0.0 Error: transaction failed, blame it on the weather: multipart message nested too deep")
+}
+
+func TestSmtpBackend_PlaintextWithToken(t *testing.T) {
+	email := `EHLO example.com
+MAIL FROM: phil@example.com
+RCPT TO: ntfy-mytopic+tk_KLORUqSqvNRLpY11DfkHVbHu9NGG2@ntfy.sh
+DATA
+Subject: Very short mail
+
+what's up
+.
+`
+	s, c, _, scanner := newTestSMTPServer(t, func(w http.ResponseWriter, r *http.Request) {
+		require.Equal(t, "/mytopic", r.URL.Path)
+		require.Equal(t, "Very short mail", r.Header.Get("Title"))
+		require.Equal(t, "Bearer tk_KLORUqSqvNRLpY11DfkHVbHu9NGG2", r.Header.Get("Authorization"))
+		require.Equal(t, "what's up", readAll(t, r.Body))
+	})
+	defer s.Close()
+	defer c.Close()
+	writeAndReadUntilLine(t, email, c, scanner, "250 2.0.0 OK: queued")
+}
+
 type smtpHandlerFunc func(http.ResponseWriter, *http.Request)

 func newTestSMTPServer(t *testing.T, handler smtpHandlerFunc) (s *smtp.Server, c net.Conn, conf *Config, scanner *bufio.Scanner) {
--- a/server/topic.go
+++ b/server/topic.go
@@ -2,8 +2,17 @@ package server

 import (
 	"heckel.io/ntfy/log"
+	"heckel.io/ntfy/util"
 	"math/rand"
 	"sync"
+	"time"
+)
+
+const (
+	// topicExpungeAfter defines how long a topic is active before it is removed from memory.
+	// This must be larger than matrixRejectPushKeyForUnifiedPushTopicWithoutRateVisitorAfter to give
+	// time for more requests to come in, so that we can send a {"rejected":["<pushkey>"]} response back.
+	topicExpungeAfter = 16 * time.Hour
 )

 // topic represents a channel to which subscribers can subscribe, and publishers
@@ -11,7 +20,9 @@ import (
 type topic struct {
 	ID          string
 	subscribers map[int]*topicSubscriber
-	mu          sync.Mutex
+	rateVisitor *visitor
+	lastAccess  time.Time
+	mu          sync.RWMutex
 }

 type topicSubscriber struct {
@@ -28,6 +39,7 @@ func newTopic(id string) *topic {
 	return &topic{
 		ID:          id,
 		subscribers: make(map[int]*topicSubscriber),
+		lastAccess:  time.Now(),
 	}
 }

@@ -41,9 +53,41 @@ func (t *topic) Subscribe(s subscriber, userID string, cancel func()) int {
 		subscriber: s,
 		cancel:     cancel,
 	}
+	t.lastAccess = time.Now()
 	return subscriberID
 }

+func (t *topic) Stale() bool {
+	t.mu.Lock()
+	defer t.mu.Unlock()
+	if t.rateVisitor != nil && !t.rateVisitor.Stale() {
+		return false
+	}
+	return len(t.subscribers) == 0 && time.Since(t.lastAccess) > topicExpungeAfter
+}
+
+func (t *topic) LastAccess() time.Time {
+	t.mu.RLock()
+	defer t.mu.RUnlock()
+	return t.lastAccess
+}
+
+func (t *topic) SetRateVisitor(v *visitor) {
+	t.mu.Lock()
+	defer t.mu.Unlock()
+	t.rateVisitor = v
+	t.lastAccess = time.Now()
+}
+
+func (t *topic) RateVisitor() *visitor {
+	t.mu.Lock()
+	defer t.mu.Unlock()
+	if t.rateVisitor != nil && t.rateVisitor.Stale() {
+		t.rateVisitor = nil
+	}
+	return t.rateVisitor
+}
+
 // Unsubscribe removes the subscription from the list of subscribers
 func (t *topic) Unsubscribe(id int) {
 	t.mu.Lock()
@@ -71,15 +115,23 @@ func (t *topic) Publish(v *visitor, m *message) error {
 		} else {
 			logvm(v, m).Tag(tagPublish).Trace("No stream or WebSocket subscribers, not forwarding")
 		}
+		t.Keepalive()
 	}()
 	return nil
 }

-// SubscribersCount returns the number of subscribers to this topic
-func (t *topic) SubscribersCount() int {
+// Stats returns the number of subscribers and last access to this topic
+func (t *topic) Stats() (int, time.Time) {
+	t.mu.RLock()
+	defer t.mu.RUnlock()
+	return len(t.subscribers), t.lastAccess
+}
+
+// Keepalive sets the last access time and ensures that Stale does not return true
+func (t *topic) Keepalive() {
 	t.mu.Lock()
 	defer t.mu.Unlock()
-	return len(t.subscribers)
+	t.lastAccess = time.Now()
 }

 // CancelSubscribers calls the cancel function for all subscribers, forcing
@@ -88,12 +140,34 @@ func (t *topic) CancelSubscribers(exceptUserID string) {
 	defer t.mu.Unlock()
 	for _, s := range t.subscribers {
 		if s.userID != exceptUserID {
-			log.Tag(tagSubscribe).Field("topic", t.ID).Debug("Canceling subscriber %s", s.userID)
+			log.
+				Tag(tagSubscribe).
+				With(t).
+				Fields(log.Context{
+					"user_id": s.userID,
+				}).
+				Debug("Canceling subscriber %s", s.userID)
 			s.cancel()
 		}
 	}
 }

+func (t *topic) Context() log.Context {
+	t.mu.RLock()
+	defer t.mu.RUnlock()
+	fields := map[string]any{
+		"topic":             t.ID,
+		"topic_subscribers": len(t.subscribers),
+		"topic_last_access": util.FormatTime(t.lastAccess),
+	}
+	if t.rateVisitor != nil {
+		for k, v := range t.rateVisitor.Context() {
+			fields["topic_rate_"+k] = v
+		}
+	}
+	return fields
+}
+
 // subscribersCopy returns a shallow copy of the subscribers map
 func (t *topic) subscribersCopy() map[int]*topicSubscriber {
 	t.mu.Lock()
--- a/server/topic_test.go
+++ b/server/topic_test.go
@@ -0,0 +1,41 @@
+package server
+
+import (
+	"github.com/stretchr/testify/require"
+	"sync/atomic"
+	"testing"
+	"time"
+)
+
+func TestTopic_CancelSubscribers(t *testing.T) {
+	t.Parallel()
+
+	subFn := func(v *visitor, msg *message) error {
+		return nil
+	}
+	canceled1 := atomic.Bool{}
+	cancelFn1 := func() {
+		canceled1.Store(true)
+	}
+	canceled2 := atomic.Bool{}
+	cancelFn2 := func() {
+		canceled2.Store(true)
+	}
+	to := newTopic("mytopic")
+	to.Subscribe(subFn, "", cancelFn1)
+	to.Subscribe(subFn, "u_phil", cancelFn2)
+
+	to.CancelSubscribers("u_phil")
+	require.True(t, canceled1.Load())
+	require.False(t, canceled2.Load())
+}
+
+func TestTopic_Keepalive(t *testing.T) {
+	t.Parallel()
+
+	to := newTopic("mytopic")
+	to.lastAccess = time.Now().Add(-1 * time.Hour)
+	to.Keepalive()
+	require.True(t, to.LastAccess().Unix() >= time.Now().Unix()-2)
+	require.True(t, to.LastAccess().Unix() <= time.Now().Unix()+2)
+}
--- a/server/types.go
+++ b/server/types.go
@@ -45,10 +45,10 @@ type message struct {

 func (m *message) Context() log.Context {
 	fields := map[string]any{
+		"topic":             m.Topic,
 		"message_id":        m.ID,
 		"message_time":      m.Time,
 		"message_event":     m.Event,
-		"message_topic":     m.Topic,
 		"message_body_size": len(m.Message),
 	}
 	if m.Sender.IsValid() {
@@ -309,6 +309,7 @@ type apiAccountBilling struct {
 	Customer     bool   `json:"customer"`
 	Subscription bool   `json:"subscription"`
 	Status       string `json:"status,omitempty"`
+	Interval     string `json:"interval,omitempty"`
 	PaidUntil    int64  `json:"paid_until,omitempty"`
 	CancelAt     int64  `json:"cancel_at,omitempty"`
 }
@@ -340,14 +341,20 @@ type apiConfigResponse struct {
 	EnableSignup       bool     `json:"enable_signup"`
 	EnablePayments     bool     `json:"enable_payments"`
 	EnableReservations bool     `json:"enable_reservations"`
+	BillingContact     string   `json:"billing_contact"`
 	DisallowedTopics   []string `json:"disallowed_topics"`
 }

+type apiAccountBillingPrices struct {
+	Month int64 `json:"month"`
+	Year  int64 `json:"year"`
+}
+
 type apiAccountBillingTier struct {
-	Code   string            `json:"code,omitempty"`
-	Name   string            `json:"name,omitempty"`
-	Price  string            `json:"price,omitempty"`
-	Limits *apiAccountLimits `json:"limits"`
+	Code   string                   `json:"code,omitempty"`
+	Name   string                   `json:"name,omitempty"`
+	Prices *apiAccountBillingPrices `json:"prices,omitempty"`
+	Limits *apiAccountLimits        `json:"limits"`
 }

 type apiAccountBillingSubscriptionCreateResponse struct {
@@ -355,7 +362,8 @@ type apiAccountBillingSubscriptionCreateResponse struct {
 }

 type apiAccountBillingSubscriptionChangeRequest struct {
-	Tier string `json:"tier"`
+	Tier     string `json:"tier"`
+	Interval string `json:"interval"`
 }

 type apiAccountBillingPortalRedirectResponse struct {
@@ -385,7 +393,10 @@ type apiStripeSubscriptionUpdatedEvent struct {
 	Items            *struct {
 		Data []*struct {
 			Price *struct {
-				ID string `json:"id"`
+				ID        string `json:"id"`
+				Recurring *struct {
+					Interval string `json:"interval"`
+				} `json:"recurring"`
 			} `json:"price"`
 		} `json:"data"`
 	} `json:"items"`
--- a/server/util.go
+++ b/server/util.go
@@ -1,6 +1,8 @@
 package server

 import (
+	"context"
+	"fmt"
 	"heckel.io/ntfy/util"
 	"io"
 	"net/http"
@@ -16,6 +18,17 @@ func readBoolParam(r *http.Request, defaultValue bool, names ...string) bool {
 	return value == "1" || value == "yes" || value == "true"
 }

+func readCommaSeparatedParam(r *http.Request, names ...string) (params []string) {
+	paramStr := readParam(r, names...)
+	if paramStr != "" {
+		params = make([]string, 0)
+		for _, s := range util.SplitNoEmpty(paramStr, ",") {
+			params = append(params, strings.TrimSpace(s))
+		}
+	}
+	return params
+}
+
 func readParam(r *http.Request, names ...string) string {
 	value := readHeaderParam(r, names...)
 	if value != "" {
@@ -85,3 +98,19 @@ func readJSONWithLimit[T any](r io.ReadCloser, limit int, allowEmpty bool) (*T,
 	}
 	return obj, nil
 }
+
+func withContext(r *http.Request, ctx map[contextKey]any) *http.Request {
+	c := r.Context()
+	for k, v := range ctx {
+		c = context.WithValue(c, k, v)
+	}
+	return r.WithContext(c)
+}
+
+func fromContext[T any](r *http.Request, key contextKey) (T, error) {
+	t, ok := r.Context().Value(key).(T)
+	if !ok {
+		return t, fmt.Errorf("cannot find key %v in request context", key)
+	}
+	return t, nil
+}
--- a/server/visitor.go
+++ b/server/visitor.go
@@ -141,7 +141,9 @@ func (v *visitor) Context() log.Context {
 func (v *visitor) contextNoLock() log.Context {
 	info := v.infoLightNoLock()
 	fields := log.Context{
+		"visitor_id":                     visitorID(v.ip, v.user),
 		"visitor_ip":                     v.ip.String(),
+		"visitor_seen":                   util.FormatTime(v.seen),
 		"visitor_messages":               info.Stats.Messages,
 		"visitor_messages_limit":         info.Limits.MessageLimit,
 		"visitor_messages_remaining":     info.Stats.MessagesRemaining,
@@ -330,9 +332,13 @@ func (v *visitor) SetUser(u *user.User) {
 	v.mu.Lock()
 	defer v.mu.Unlock()
 	shouldResetLimiters := v.user.TierID() != u.TierID() // TierID works with nil receiver
-	v.user = u
+	v.user = u                                           // u may be nil!
 	if shouldResetLimiters {
-		v.resetLimitersNoLock(u.Stats.Messages, u.Stats.Emails, true)
+		var messages, emails int64
+		if u != nil {
+			messages, emails = u.Stats.Messages, u.Stats.Emails
+		}
+		v.resetLimitersNoLock(messages, emails, true)
 	}
 }

--- a/user/manager.go
+++ b/user/manager.go
@@ -46,7 +46,261 @@ var (

 // Manager-related queries
 const (
-	createTablesQueriesNoTx = `
+	createTablesQueries = `
+		BEGIN;
+		CREATE TABLE IF NOT EXISTS tier (
+			id TEXT PRIMARY KEY,
+			code TEXT NOT NULL,
+			name TEXT NOT NULL,
+			messages_limit INT NOT NULL,
+			messages_expiry_duration INT NOT NULL,
+			emails_limit INT NOT NULL,
+			reservations_limit INT NOT NULL,
+			attachment_file_size_limit INT NOT NULL,
+			attachment_total_size_limit INT NOT NULL,
+			attachment_expiry_duration INT NOT NULL,
+			attachment_bandwidth_limit INT NOT NULL,
+			stripe_monthly_price_id TEXT,
+			stripe_yearly_price_id TEXT
+		);
+		CREATE UNIQUE INDEX idx_tier_code ON tier (code);
+		CREATE UNIQUE INDEX idx_tier_stripe_monthly_price_id ON tier (stripe_monthly_price_id);
+		CREATE UNIQUE INDEX idx_tier_stripe_yearly_price_id ON tier (stripe_yearly_price_id);
+		CREATE TABLE IF NOT EXISTS user (
+		    id TEXT PRIMARY KEY,
+			tier_id TEXT,
+			user TEXT NOT NULL,
+			pass TEXT NOT NULL,
+			role TEXT CHECK (role IN ('anonymous', 'admin', 'user')) NOT NULL,
+			prefs JSON NOT NULL DEFAULT '{}',
+			sync_topic TEXT NOT NULL,
+			stats_messages INT NOT NULL DEFAULT (0),
+			stats_emails INT NOT NULL DEFAULT (0),
+			stripe_customer_id TEXT,
+			stripe_subscription_id TEXT,
+			stripe_subscription_status TEXT,
+			stripe_subscription_interval TEXT,
+			stripe_subscription_paid_until INT,
+			stripe_subscription_cancel_at INT,
+			created INT NOT NULL,
+			deleted INT,
+		    FOREIGN KEY (tier_id) REFERENCES tier (id)
+		);
+		CREATE UNIQUE INDEX idx_user ON user (user);
+		CREATE UNIQUE INDEX idx_user_stripe_customer_id ON user (stripe_customer_id);
+		CREATE UNIQUE INDEX idx_user_stripe_subscription_id ON user (stripe_subscription_id);
+		CREATE TABLE IF NOT EXISTS user_access (
+			user_id TEXT NOT NULL,
+			topic TEXT NOT NULL,
+			read INT NOT NULL,
+			write INT NOT NULL,
+			owner_user_id INT,
+			PRIMARY KEY (user_id, topic),
+			FOREIGN KEY (user_id) REFERENCES user (id) ON DELETE CASCADE,
+		    FOREIGN KEY (owner_user_id) REFERENCES user (id) ON DELETE CASCADE
+		);
+		CREATE TABLE IF NOT EXISTS user_token (
+			user_id TEXT NOT NULL,
+			token TEXT NOT NULL,
+			label TEXT NOT NULL,
+			last_access INT NOT NULL,
+			last_origin TEXT NOT NULL,
+			expires INT NOT NULL,
+			PRIMARY KEY (user_id, token),
+			FOREIGN KEY (user_id) REFERENCES user (id) ON DELETE CASCADE
+		);
+		CREATE TABLE IF NOT EXISTS schemaVersion (
+			id INT PRIMARY KEY,
+			version INT NOT NULL
+		);
+		INSERT INTO user (id, user, pass, role, sync_topic, created)
+		VALUES ('` + everyoneID + `', '*', '', 'anonymous', '', UNIXEPOCH())
+		ON CONFLICT (id) DO NOTHING;
+		COMMIT;
+	`
+	builtinStartupQueries = `
+		PRAGMA foreign_keys = ON;
+	`
+
+	selectUserByIDQuery = `
+		SELECT u.id, u.user, u.pass, u.role, u.prefs, u.sync_topic, u.stats_messages, u.stats_emails, u.stripe_customer_id, u.stripe_subscription_id, u.stripe_subscription_status, u.stripe_subscription_interval, u.stripe_subscription_paid_until, u.stripe_subscription_cancel_at, deleted, t.id, t.code, t.name, t.messages_limit, t.messages_expiry_duration, t.emails_limit, t.reservations_limit, t.attachment_file_size_limit, t.attachment_total_size_limit, t.attachment_expiry_duration, t.attachment_bandwidth_limit, t.stripe_monthly_price_id, t.stripe_yearly_price_id
+		FROM user u
+		LEFT JOIN tier t on t.id = u.tier_id
+		WHERE u.id = ?
+	`
+	selectUserByNameQuery = `
+		SELECT u.id, u.user, u.pass, u.role, u.prefs, u.sync_topic, u.stats_messages, u.stats_emails, u.stripe_customer_id, u.stripe_subscription_id, u.stripe_subscription_status, u.stripe_subscription_interval, u.stripe_subscription_paid_until, u.stripe_subscription_cancel_at, deleted, t.id, t.code, t.name, t.messages_limit, t.messages_expiry_duration, t.emails_limit, t.reservations_limit, t.attachment_file_size_limit, t.attachment_total_size_limit, t.attachment_expiry_duration, t.attachment_bandwidth_limit, t.stripe_monthly_price_id, t.stripe_yearly_price_id
+		FROM user u
+		LEFT JOIN tier t on t.id = u.tier_id
+		WHERE user = ?
+	`
+	selectUserByTokenQuery = `
+		SELECT u.id, u.user, u.pass, u.role, u.prefs, u.sync_topic, u.stats_messages, u.stats_emails, u.stripe_customer_id, u.stripe_subscription_id, u.stripe_subscription_status, u.stripe_subscription_interval, u.stripe_subscription_paid_until, u.stripe_subscription_cancel_at, deleted, t.id, t.code, t.name, t.messages_limit, t.messages_expiry_duration, t.emails_limit, t.reservations_limit, t.attachment_file_size_limit, t.attachment_total_size_limit, t.attachment_expiry_duration, t.attachment_bandwidth_limit, t.stripe_monthly_price_id, t.stripe_yearly_price_id
+		FROM user u
+		JOIN user_token tk on u.id = tk.user_id
+		LEFT JOIN tier t on t.id = u.tier_id
+		WHERE tk.token = ? AND (tk.expires = 0 OR tk.expires >= ?)
+	`
+	selectUserByStripeCustomerIDQuery = `
+		SELECT u.id, u.user, u.pass, u.role, u.prefs, u.sync_topic, u.stats_messages, u.stats_emails, u.stripe_customer_id, u.stripe_subscription_id, u.stripe_subscription_status, u.stripe_subscription_interval, u.stripe_subscription_paid_until, u.stripe_subscription_cancel_at, deleted, t.id, t.code, t.name, t.messages_limit, t.messages_expiry_duration, t.emails_limit, t.reservations_limit, t.attachment_file_size_limit, t.attachment_total_size_limit, t.attachment_expiry_duration, t.attachment_bandwidth_limit, t.stripe_monthly_price_id, t.stripe_yearly_price_id
+		FROM user u
+		LEFT JOIN tier t on t.id = u.tier_id
+		WHERE u.stripe_customer_id = ?
+	`
+	selectTopicPermsQuery = `
+		SELECT read, write
+		FROM user_access a
+		JOIN user u ON u.id = a.user_id
+		WHERE (u.user = ? OR u.user = ?) AND ? LIKE a.topic
+		ORDER BY u.user DESC
+	`
+
+	insertUserQuery = `
+		INSERT INTO user (id, user, pass, role, sync_topic, created)
+		VALUES (?, ?, ?, ?, ?, ?)
+	`
+	selectUsernamesQuery = `
+		SELECT user
+		FROM user
+		ORDER BY
+			CASE role
+				WHEN 'admin' THEN 1
+				WHEN 'anonymous' THEN 3
+				ELSE 2
+			END, user
+	`
+	selectUserCountQuery         = `SELECT COUNT(*) FROM user`
+	updateUserPassQuery          = `UPDATE user SET pass = ? WHERE user = ?`
+	updateUserRoleQuery          = `UPDATE user SET role = ? WHERE user = ?`
+	updateUserPrefsQuery         = `UPDATE user SET prefs = ? WHERE id = ?`
+	updateUserStatsQuery         = `UPDATE user SET stats_messages = ?, stats_emails = ? WHERE id = ?`
+	updateUserStatsResetAllQuery = `UPDATE user SET stats_messages = 0, stats_emails = 0`
+	updateUserDeletedQuery       = `UPDATE user SET deleted = ? WHERE id = ?`
+	deleteUsersMarkedQuery       = `DELETE FROM user WHERE deleted < ?`
+	deleteUserQuery              = `DELETE FROM user WHERE user = ?`
+
+	upsertUserAccessQuery = `
+		INSERT INTO user_access (user_id, topic, read, write, owner_user_id)
+		VALUES ((SELECT id FROM user WHERE user = ?), ?, ?, ?, (SELECT IIF(?='',NULL,(SELECT id FROM user WHERE user=?))))
+		ON CONFLICT (user_id, topic)
+		DO UPDATE SET read=excluded.read, write=excluded.write, owner_user_id=excluded.owner_user_id
+	`
+	selectUserAccessQuery = `
+		SELECT topic, read, write
+		FROM user_access
+		WHERE user_id = (SELECT id FROM user WHERE user = ?)
+		ORDER BY write DESC, read DESC, topic
+	`
+	selectUserReservationsQuery = `
+		SELECT a_user.topic, a_user.read, a_user.write, a_everyone.read AS everyone_read, a_everyone.write AS everyone_write
+		FROM user_access a_user
+		LEFT JOIN  user_access a_everyone ON a_user.topic = a_everyone.topic AND a_everyone.user_id = (SELECT id FROM user WHERE user = ?)
+		WHERE a_user.user_id = a_user.owner_user_id
+		  AND a_user.owner_user_id = (SELECT id FROM user WHERE user = ?)
+		ORDER BY a_user.topic
+	`
+	selectUserReservationsCountQuery = `
+		SELECT COUNT(*)
+		FROM user_access
+		WHERE user_id = owner_user_id 
+		  AND owner_user_id = (SELECT id FROM user WHERE user = ?)
+	`
+	selectUserReservationsOwnerQuery = `
+		SELECT owner_user_id
+		FROM user_access
+		WHERE topic = ?
+		  AND user_id = owner_user_id
+	`
+	selectUserHasReservationQuery = `
+		SELECT COUNT(*)
+		FROM user_access
+		WHERE user_id = owner_user_id
+		  AND owner_user_id = (SELECT id FROM user WHERE user = ?)
+		  AND topic = ?
+	`
+	selectOtherAccessCountQuery = `
+		SELECT COUNT(*)
+		FROM user_access
+		WHERE (topic = ? OR ? LIKE topic)
+		  AND (owner_user_id IS NULL OR owner_user_id != (SELECT id FROM user WHERE user = ?))
+	`
+	deleteAllAccessQuery  = `DELETE FROM user_access`
+	deleteUserAccessQuery = `
+		DELETE FROM user_access
+		WHERE user_id = (SELECT id FROM user WHERE user = ?)
+		   OR owner_user_id = (SELECT id FROM user WHERE user = ?)
+	`
+	deleteTopicAccessQuery = `
+		DELETE FROM user_access
+	   	WHERE (user_id = (SELECT id FROM user WHERE user = ?) OR owner_user_id = (SELECT id FROM user WHERE user = ?))
+	   	  AND topic = ?
+  	`
+
+	selectTokenCountQuery      = `SELECT COUNT(*) FROM user_token WHERE user_id = ?`
+	selectTokensQuery          = `SELECT token, label, last_access, last_origin, expires FROM user_token WHERE user_id = ?`
+	selectTokenQuery           = `SELECT token, label, last_access, last_origin, expires FROM user_token WHERE user_id = ? AND token = ?`
+	insertTokenQuery           = `INSERT INTO user_token (user_id, token, label, last_access, last_origin, expires) VALUES (?, ?, ?, ?, ?, ?)`
+	updateTokenExpiryQuery     = `UPDATE user_token SET expires = ? WHERE user_id = ? AND token = ?`
+	updateTokenLabelQuery      = `UPDATE user_token SET label = ? WHERE user_id = ? AND token = ?`
+	updateTokenLastAccessQuery = `UPDATE user_token SET last_access = ?, last_origin = ? WHERE token = ?`
+	deleteTokenQuery           = `DELETE FROM user_token WHERE user_id = ? AND token = ?`
+	deleteAllTokenQuery        = `DELETE FROM user_token WHERE user_id = ?`
+	deleteExpiredTokensQuery   = `DELETE FROM user_token WHERE expires > 0 AND expires < ?`
+	deleteExcessTokensQuery    = `
+		DELETE FROM user_token
+		WHERE (user_id, token) NOT IN (
+			SELECT user_id, token
+			FROM user_token
+			WHERE user_id = ?
+			ORDER BY expires DESC
+			LIMIT ?
+		)
+	`
+
+	insertTierQuery = `
+		INSERT INTO tier (id, code, name, messages_limit, messages_expiry_duration, emails_limit, reservations_limit, attachment_file_size_limit, attachment_total_size_limit, attachment_expiry_duration, attachment_bandwidth_limit, stripe_monthly_price_id, stripe_yearly_price_id)
+		VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
+	`
+	updateTierQuery = `
+		UPDATE tier
+		SET name = ?, messages_limit = ?, messages_expiry_duration = ?, emails_limit = ?, reservations_limit = ?, attachment_file_size_limit = ?, attachment_total_size_limit = ?, attachment_expiry_duration = ?, attachment_bandwidth_limit = ?, stripe_monthly_price_id = ?, stripe_yearly_price_id = ?
+		WHERE code = ?
+	`
+	selectTiersQuery = `
+		SELECT id, code, name, messages_limit, messages_expiry_duration, emails_limit, reservations_limit, attachment_file_size_limit, attachment_total_size_limit, attachment_expiry_duration, attachment_bandwidth_limit, stripe_monthly_price_id, stripe_yearly_price_id
+		FROM tier
+	`
+	selectTierByCodeQuery = `
+		SELECT id, code, name, messages_limit, messages_expiry_duration, emails_limit, reservations_limit, attachment_file_size_limit, attachment_total_size_limit, attachment_expiry_duration, attachment_bandwidth_limit, stripe_monthly_price_id, stripe_yearly_price_id
+		FROM tier
+		WHERE code = ?
+	`
+	selectTierByPriceIDQuery = `
+		SELECT id, code, name, messages_limit, messages_expiry_duration, emails_limit, reservations_limit, attachment_file_size_limit, attachment_total_size_limit, attachment_expiry_duration, attachment_bandwidth_limit, stripe_monthly_price_id, stripe_yearly_price_id
+		FROM tier
+		WHERE (stripe_monthly_price_id = ? OR stripe_yearly_price_id = ?)
+	`
+	updateUserTierQuery = `UPDATE user SET tier_id = (SELECT id FROM tier WHERE code = ?) WHERE user = ?`
+	deleteUserTierQuery = `UPDATE user SET tier_id = null WHERE user = ?`
+	deleteTierQuery     = `DELETE FROM tier WHERE code = ?`
+
+	updateBillingQuery = `
+		UPDATE user
+		SET stripe_customer_id = ?, stripe_subscription_id = ?, stripe_subscription_status = ?, stripe_subscription_interval = ?, stripe_subscription_paid_until = ?, stripe_subscription_cancel_at = ?
+		WHERE user = ?
+	`
+)
+
+// Schema management queries
+const (
+	currentSchemaVersion     = 3
+	insertSchemaVersion      = `INSERT INTO schemaVersion VALUES (1, ?)`
+	updateSchemaVersion      = `UPDATE schemaVersion SET version = ? WHERE id = 1`
+	selectSchemaVersionQuery = `SELECT version FROM schemaVersion WHERE id = 1`
+
+	// 1 -> 2 (complex migration!)
+	migrate1To2CreateTablesQueries = `
+		ALTER TABLE user RENAME TO user_old;
 		CREATE TABLE IF NOT EXISTS tier (
 			id TEXT PRIMARY KEY,
 			code TEXT NOT NULL,
@@ -110,186 +364,9 @@ const (
 			version INT NOT NULL
 		);
 		INSERT INTO user (id, user, pass, role, sync_topic, created)
-		VALUES ('` + everyoneID + `', '*', '', 'anonymous', '', UNIXEPOCH())
+		VALUES ('u_everyone', '*', '', 'anonymous', '', UNIXEPOCH())
 		ON CONFLICT (id) DO NOTHING;
 	`
-	createTablesQueries   = `BEGIN; ` + createTablesQueriesNoTx + ` COMMIT;`
-	builtinStartupQueries = `
-		PRAGMA foreign_keys = ON;
-	`
-
-	selectUserByIDQuery = `
-		SELECT u.id, u.user, u.pass, u.role, u.prefs, u.sync_topic, u.stats_messages, u.stats_emails, u.stripe_customer_id, u.stripe_subscription_id, u.stripe_subscription_status, u.stripe_subscription_paid_until, u.stripe_subscription_cancel_at, deleted, t.id, t.code, t.name, t.messages_limit, t.messages_expiry_duration, t.emails_limit, t.reservations_limit, t.attachment_file_size_limit, t.attachment_total_size_limit, t.attachment_expiry_duration, t.attachment_bandwidth_limit, t.stripe_price_id
-		FROM user u
-		LEFT JOIN tier t on t.id = u.tier_id
-		WHERE u.id = ?
-	`
-	selectUserByNameQuery = `
-		SELECT u.id, u.user, u.pass, u.role, u.prefs, u.sync_topic, u.stats_messages, u.stats_emails, u.stripe_customer_id, u.stripe_subscription_id, u.stripe_subscription_status, u.stripe_subscription_paid_until, u.stripe_subscription_cancel_at, deleted, t.id, t.code, t.name, t.messages_limit, t.messages_expiry_duration, t.emails_limit, t.reservations_limit, t.attachment_file_size_limit, t.attachment_total_size_limit, t.attachment_expiry_duration, t.attachment_bandwidth_limit, t.stripe_price_id
-		FROM user u
-		LEFT JOIN tier t on t.id = u.tier_id
-		WHERE user = ?
-	`
-	selectUserByTokenQuery = `
-		SELECT u.id, u.user, u.pass, u.role, u.prefs, u.sync_topic, u.stats_messages, u.stats_emails, u.stripe_customer_id, u.stripe_subscription_id, u.stripe_subscription_status, u.stripe_subscription_paid_until, u.stripe_subscription_cancel_at, deleted, t.id, t.code, t.name, t.messages_limit, t.messages_expiry_duration, t.emails_limit, t.reservations_limit, t.attachment_file_size_limit, t.attachment_total_size_limit, t.attachment_expiry_duration, t.attachment_bandwidth_limit, t.stripe_price_id
-		FROM user u
-		JOIN user_token tk on u.id = tk.user_id
-		LEFT JOIN tier t on t.id = u.tier_id
-		WHERE tk.token = ? AND (tk.expires = 0 OR tk.expires >= ?)
-	`
-	selectUserByStripeCustomerIDQuery = `
-		SELECT u.id, u.user, u.pass, u.role, u.prefs, u.sync_topic, u.stats_messages, u.stats_emails, u.stripe_customer_id, u.stripe_subscription_id, u.stripe_subscription_status, u.stripe_subscription_paid_until, u.stripe_subscription_cancel_at, deleted, t.id, t.code, t.name, t.messages_limit, t.messages_expiry_duration, t.emails_limit, t.reservations_limit, t.attachment_file_size_limit, t.attachment_total_size_limit, t.attachment_expiry_duration, t.attachment_bandwidth_limit, t.stripe_price_id
-		FROM user u
-		LEFT JOIN tier t on t.id = u.tier_id
-		WHERE u.stripe_customer_id = ?
-	`
-	selectTopicPermsQuery = `
-		SELECT read, write
-		FROM user_access a
-		JOIN user u ON u.id = a.user_id
-		WHERE (u.user = ? OR u.user = ?) AND ? LIKE a.topic
-		ORDER BY u.user DESC
-	`
-
-	insertUserQuery = `
-		INSERT INTO user (id, user, pass, role, sync_topic, created)
-		VALUES (?, ?, ?, ?, ?, ?)
-	`
-	selectUsernamesQuery = `
-		SELECT user
-		FROM user
-		ORDER BY
-			CASE role
-				WHEN 'admin' THEN 1
-				WHEN 'anonymous' THEN 3
-				ELSE 2
-			END, user
-	`
-	updateUserPassQuery          = `UPDATE user SET pass = ? WHERE user = ?`
-	updateUserRoleQuery          = `UPDATE user SET role = ? WHERE user = ?`
-	updateUserPrefsQuery         = `UPDATE user SET prefs = ? WHERE id = ?`
-	updateUserStatsQuery         = `UPDATE user SET stats_messages = ?, stats_emails = ? WHERE id = ?`
-	updateUserStatsResetAllQuery = `UPDATE user SET stats_messages = 0, stats_emails = 0`
-	updateUserDeletedQuery       = `UPDATE user SET deleted = ? WHERE id = ?`
-	deleteUsersMarkedQuery       = `DELETE FROM user WHERE deleted < ?`
-	deleteUserQuery              = `DELETE FROM user WHERE user = ?`
-
-	upsertUserAccessQuery = `
-		INSERT INTO user_access (user_id, topic, read, write, owner_user_id)
-		VALUES ((SELECT id FROM user WHERE user = ?), ?, ?, ?, (SELECT IIF(?='',NULL,(SELECT id FROM user WHERE user=?))))
-		ON CONFLICT (user_id, topic)
-		DO UPDATE SET read=excluded.read, write=excluded.write, owner_user_id=excluded.owner_user_id
-	`
-	selectUserAccessQuery = `
-		SELECT topic, read, write
-		FROM user_access
-		WHERE user_id = (SELECT id FROM user WHERE user = ?)
-		ORDER BY write DESC, read DESC, topic
-	`
-	selectUserReservationsQuery = `
-		SELECT a_user.topic, a_user.read, a_user.write, a_everyone.read AS everyone_read, a_everyone.write AS everyone_write
-		FROM user_access a_user
-		LEFT JOIN  user_access a_everyone ON a_user.topic = a_everyone.topic AND a_everyone.user_id = (SELECT id FROM user WHERE user = ?)
-		WHERE a_user.user_id = a_user.owner_user_id
-		  AND a_user.owner_user_id = (SELECT id FROM user WHERE user = ?)
-		ORDER BY a_user.topic
-	`
-	selectUserReservationsCountQuery = `
-		SELECT COUNT(*)
-		FROM user_access
-		WHERE user_id = owner_user_id AND owner_user_id = (SELECT id FROM user WHERE user = ?)
-	`
-	selectUserHasReservationQuery = `
-		SELECT COUNT(*)
-		FROM user_access
-		WHERE user_id = owner_user_id
-		  AND owner_user_id = (SELECT id FROM user WHERE user = ?)
-		  AND topic = ?
-	`
-	selectOtherAccessCountQuery = `
-		SELECT COUNT(*)
-		FROM user_access
-		WHERE (topic = ? OR ? LIKE topic)
-		  AND (owner_user_id IS NULL OR owner_user_id != (SELECT id FROM user WHERE user = ?))
-	`
-	deleteAllAccessQuery  = `DELETE FROM user_access`
-	deleteUserAccessQuery = `
-		DELETE FROM user_access
-		WHERE user_id = (SELECT id FROM user WHERE user = ?)
-		   OR owner_user_id = (SELECT id FROM user WHERE user = ?)
-	`
-	deleteTopicAccessQuery = `
-		DELETE FROM user_access
-	   	WHERE (user_id = (SELECT id FROM user WHERE user = ?) OR owner_user_id = (SELECT id FROM user WHERE user = ?))
-	   	  AND topic = ?
-  	`
-
-	selectTokenCountQuery      = `SELECT COUNT(*) FROM user_token WHERE user_id = ?`
-	selectTokensQuery          = `SELECT token, label, last_access, last_origin, expires FROM user_token WHERE user_id = ?`
-	selectTokenQuery           = `SELECT token, label, last_access, last_origin, expires FROM user_token WHERE user_id = ? AND token = ?`
-	insertTokenQuery           = `INSERT INTO user_token (user_id, token, label, last_access, last_origin, expires) VALUES (?, ?, ?, ?, ?, ?)`
-	updateTokenExpiryQuery     = `UPDATE user_token SET expires = ? WHERE user_id = ? AND token = ?`
-	updateTokenLabelQuery      = `UPDATE user_token SET label = ? WHERE user_id = ? AND token = ?`
-	updateTokenLastAccessQuery = `UPDATE user_token SET last_access = ?, last_origin = ? WHERE token = ?`
-	deleteTokenQuery           = `DELETE FROM user_token WHERE user_id = ? AND token = ?`
-	deleteAllTokenQuery        = `DELETE FROM user_token WHERE user_id = ?`
-	deleteExpiredTokensQuery   = `DELETE FROM user_token WHERE expires > 0 AND expires < ?`
-	deleteExcessTokensQuery    = `
-		DELETE FROM user_token
-		WHERE (user_id, token) NOT IN (
-			SELECT user_id, token
-			FROM user_token
-			WHERE user_id = ?
-			ORDER BY expires DESC
-			LIMIT ?
-		)
-	`
-
-	insertTierQuery = `
-		INSERT INTO tier (id, code, name, messages_limit, messages_expiry_duration, emails_limit, reservations_limit, attachment_file_size_limit, attachment_total_size_limit, attachment_expiry_duration, attachment_bandwidth_limit, stripe_price_id)
-		VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)
-	`
-	updateTierQuery = `
-		UPDATE tier
-		SET name = ?, messages_limit = ?, messages_expiry_duration = ?, emails_limit = ?, reservations_limit = ?, attachment_file_size_limit = ?, attachment_total_size_limit = ?, attachment_expiry_duration = ?, attachment_bandwidth_limit = ?, stripe_price_id = ?
-		WHERE code = ?
-	`
-	selectTiersQuery = `
-		SELECT id, code, name, messages_limit, messages_expiry_duration, emails_limit, reservations_limit, attachment_file_size_limit, attachment_total_size_limit, attachment_expiry_duration, attachment_bandwidth_limit, stripe_price_id
-		FROM tier
-	`
-	selectTierByCodeQuery = `
-		SELECT id, code, name, messages_limit, messages_expiry_duration, emails_limit, reservations_limit, attachment_file_size_limit, attachment_total_size_limit, attachment_expiry_duration, attachment_bandwidth_limit, stripe_price_id
-		FROM tier
-		WHERE code = ?
-	`
-	selectTierByPriceIDQuery = `
-		SELECT id, code, name, messages_limit, messages_expiry_duration, emails_limit, reservations_limit, attachment_file_size_limit, attachment_total_size_limit, attachment_expiry_duration, attachment_bandwidth_limit, stripe_price_id
-		FROM tier
-		WHERE stripe_price_id = ?
-	`
-	updateUserTierQuery = `UPDATE user SET tier_id = (SELECT id FROM tier WHERE code = ?) WHERE user = ?`
-	deleteUserTierQuery = `UPDATE user SET tier_id = null WHERE user = ?`
-	deleteTierQuery     = `DELETE FROM tier WHERE code = ?`
-
-	updateBillingQuery = `
-		UPDATE user
-		SET stripe_customer_id = ?, stripe_subscription_id = ?, stripe_subscription_status = ?, stripe_subscription_paid_until = ?, stripe_subscription_cancel_at = ?
-		WHERE user = ?
-	`
-)
-
-// Schema management queries
-const (
-	currentSchemaVersion     = 2
-	insertSchemaVersion      = `INSERT INTO schemaVersion VALUES (1, ?)`
-	updateSchemaVersion      = `UPDATE schemaVersion SET version = ? WHERE id = 1`
-	selectSchemaVersionQuery = `SELECT version FROM schemaVersion WHERE id = 1`
-
-	// 1 -> 2 (complex migration!)
-	migrate1To2RenameUserTableQueryNoTx = `
-		ALTER TABLE user RENAME TO user_old;
-	`
 	migrate1To2SelectAllOldUsernamesNoTx = `SELECT user FROM user_old`
 	migrate1To2InsertUserNoTx            = `
 		INSERT INTO user (id, user, pass, role, sync_topic, created)
@@ -304,11 +381,22 @@ const (
 		DROP TABLE access;
 		DROP TABLE user_old;
 	`
+
+	// 2 -> 3
+	migrate2To3UpdateQueries = `
+		ALTER TABLE user ADD COLUMN stripe_subscription_interval TEXT;
+		ALTER TABLE tier RENAME COLUMN stripe_price_id TO stripe_monthly_price_id;
+		ALTER TABLE tier ADD COLUMN stripe_yearly_price_id TEXT;
+		DROP INDEX IF EXISTS idx_tier_price_id;
+		CREATE UNIQUE INDEX idx_tier_stripe_monthly_price_id ON tier (stripe_monthly_price_id);
+		CREATE UNIQUE INDEX idx_tier_stripe_yearly_price_id ON tier (stripe_yearly_price_id);
+	`
 )

 var (
 	migrations = map[int]func(db *sql.DB) error{
 		1: migrateFrom1,
+		2: migrateFrom2,
 	}
 )

@@ -766,6 +854,23 @@ func (a *Manager) Users() ([]*User, error) {
 	return users, nil
 }

+// UsersCount returns the number of users in the databsae
+func (a *Manager) UsersCount() (int64, error) {
+	rows, err := a.db.Query(selectUserCountQuery)
+	if err != nil {
+		return 0, err
+	}
+	defer rows.Close()
+	if !rows.Next() {
+		return 0, errNoRows
+	}
+	var count int64
+	if err := rows.Scan(&count); err != nil {
+		return 0, err
+	}
+	return count, nil
+}
+
 // User returns the user with the given username if it exists, or ErrUserNotFound otherwise.
 // You may also pass Everyone to retrieve the anonymous user and its Grant list.
 func (a *Manager) User(username string) (*User, error) {
@@ -805,13 +910,13 @@ func (a *Manager) userByToken(token string) (*User, error) {
 func (a *Manager) readUser(rows *sql.Rows) (*User, error) {
 	defer rows.Close()
 	var id, username, hash, role, prefs, syncTopic string
-	var stripeCustomerID, stripeSubscriptionID, stripeSubscriptionStatus, stripePriceID, tierID, tierCode, tierName sql.NullString
+	var stripeCustomerID, stripeSubscriptionID, stripeSubscriptionStatus, stripeSubscriptionInterval, stripeMonthlyPriceID, stripeYearlyPriceID, tierID, tierCode, tierName sql.NullString
 	var messages, emails int64
 	var messagesLimit, messagesExpiryDuration, emailsLimit, reservationsLimit, attachmentFileSizeLimit, attachmentTotalSizeLimit, attachmentExpiryDuration, attachmentBandwidthLimit, stripeSubscriptionPaidUntil, stripeSubscriptionCancelAt, deleted sql.NullInt64
 	if !rows.Next() {
 		return nil, ErrUserNotFound
 	}
-	if err := rows.Scan(&id, &username, &hash, &role, &prefs, &syncTopic, &messages, &emails, &stripeCustomerID, &stripeSubscriptionID, &stripeSubscriptionStatus, &stripeSubscriptionPaidUntil, &stripeSubscriptionCancelAt, &deleted, &tierID, &tierCode, &tierName, &messagesLimit, &messagesExpiryDuration, &emailsLimit, &reservationsLimit, &attachmentFileSizeLimit, &attachmentTotalSizeLimit, &attachmentExpiryDuration, &attachmentBandwidthLimit, &stripePriceID); err != nil {
+	if err := rows.Scan(&id, &username, &hash, &role, &prefs, &syncTopic, &messages, &emails, &stripeCustomerID, &stripeSubscriptionID, &stripeSubscriptionStatus, &stripeSubscriptionInterval, &stripeSubscriptionPaidUntil, &stripeSubscriptionCancelAt, &deleted, &tierID, &tierCode, &tierName, &messagesLimit, &messagesExpiryDuration, &emailsLimit, &reservationsLimit, &attachmentFileSizeLimit, &attachmentTotalSizeLimit, &attachmentExpiryDuration, &attachmentBandwidthLimit, &stripeMonthlyPriceID, &stripeYearlyPriceID); err != nil {
 		return nil, err
 	} else if err := rows.Err(); err != nil {
 		return nil, err
@@ -828,11 +933,12 @@ func (a *Manager) readUser(rows *sql.Rows) (*User, error) {
 			Emails:   emails,
 		},
 		Billing: &Billing{
-			StripeCustomerID:            stripeCustomerID.String,                                    // May be empty
-			StripeSubscriptionID:        stripeSubscriptionID.String,                                // May be empty
-			StripeSubscriptionStatus:    stripe.SubscriptionStatus(stripeSubscriptionStatus.String), // May be empty
-			StripeSubscriptionPaidUntil: time.Unix(stripeSubscriptionPaidUntil.Int64, 0),            // May be zero
-			StripeSubscriptionCancelAt:  time.Unix(stripeSubscriptionCancelAt.Int64, 0),             // May be zero
+			StripeCustomerID:            stripeCustomerID.String,                                          // May be empty
+			StripeSubscriptionID:        stripeSubscriptionID.String,                                      // May be empty
+			StripeSubscriptionStatus:    stripe.SubscriptionStatus(stripeSubscriptionStatus.String),       // May be empty
+			StripeSubscriptionInterval:  stripe.PriceRecurringInterval(stripeSubscriptionInterval.String), // May be empty
+			StripeSubscriptionPaidUntil: time.Unix(stripeSubscriptionPaidUntil.Int64, 0),                  // May be zero
+			StripeSubscriptionCancelAt:  time.Unix(stripeSubscriptionCancelAt.Int64, 0),                   // May be zero
 		},
 		Deleted: deleted.Valid,
 	}
@@ -853,7 +959,8 @@ func (a *Manager) readUser(rows *sql.Rows) (*User, error) {
 			AttachmentTotalSizeLimit: attachmentTotalSizeLimit.Int64,
 			AttachmentExpiryDuration: time.Duration(attachmentExpiryDuration.Int64) * time.Second,
 			AttachmentBandwidthLimit: attachmentBandwidthLimit.Int64,
-			StripePriceID:            stripePriceID.String, // May be empty
+			StripeMonthlyPriceID:     stripeMonthlyPriceID.String, // May be empty
+			StripeYearlyPriceID:      stripeYearlyPriceID.String,  // May be empty
 		}
 	}
 	return user, nil
@@ -943,6 +1050,24 @@ func (a *Manager) ReservationsCount(username string) (int64, error) {
 	return count, nil
 }

+// ReservationOwner returns user ID of the user that owns this topic, or an
+// empty string if it's not owned by anyone
+func (a *Manager) ReservationOwner(topic string) (string, error) {
+	rows, err := a.db.Query(selectUserReservationsOwnerQuery, topic)
+	if err != nil {
+		return "", err
+	}
+	defer rows.Close()
+	if !rows.Next() {
+		return "", nil
+	}
+	var ownerUserID string
+	if err := rows.Scan(&ownerUserID); err != nil {
+		return "", err
+	}
+	return ownerUserID, nil
+}
+
 // ChangePassword changes a user's password
 func (a *Manager) ChangePassword(username, password string) error {
 	hash, err := bcrypt.GenerateFromPassword([]byte(password), a.bcryptCost)
@@ -1134,7 +1259,7 @@ func (a *Manager) AddTier(tier *Tier) error {
 	if tier.ID == "" {
 		tier.ID = util.RandomStringPrefix(tierIDPrefix, tierIDLength)
 	}
-	if _, err := a.db.Exec(insertTierQuery, tier.ID, tier.Code, tier.Name, tier.MessageLimit, int64(tier.MessageExpiryDuration.Seconds()), tier.EmailLimit, tier.ReservationLimit, tier.AttachmentFileSizeLimit, tier.AttachmentTotalSizeLimit, int64(tier.AttachmentExpiryDuration.Seconds()), tier.AttachmentBandwidthLimit, nullString(tier.StripePriceID)); err != nil {
+	if _, err := a.db.Exec(insertTierQuery, tier.ID, tier.Code, tier.Name, tier.MessageLimit, int64(tier.MessageExpiryDuration.Seconds()), tier.EmailLimit, tier.ReservationLimit, tier.AttachmentFileSizeLimit, tier.AttachmentTotalSizeLimit, int64(tier.AttachmentExpiryDuration.Seconds()), tier.AttachmentBandwidthLimit, nullString(tier.StripeMonthlyPriceID), nullString(tier.StripeYearlyPriceID)); err != nil {
 		return err
 	}
 	return nil
@@ -1142,7 +1267,7 @@ func (a *Manager) AddTier(tier *Tier) error {

 // UpdateTier updates a tier's properties in the database
 func (a *Manager) UpdateTier(tier *Tier) error {
-	if _, err := a.db.Exec(updateTierQuery, tier.Name, tier.MessageLimit, int64(tier.MessageExpiryDuration.Seconds()), tier.EmailLimit, tier.ReservationLimit, tier.AttachmentFileSizeLimit, tier.AttachmentTotalSizeLimit, int64(tier.AttachmentExpiryDuration.Seconds()), tier.AttachmentBandwidthLimit, nullString(tier.StripePriceID), tier.Code); err != nil {
+	if _, err := a.db.Exec(updateTierQuery, tier.Name, tier.MessageLimit, int64(tier.MessageExpiryDuration.Seconds()), tier.EmailLimit, tier.ReservationLimit, tier.AttachmentFileSizeLimit, tier.AttachmentTotalSizeLimit, int64(tier.AttachmentExpiryDuration.Seconds()), tier.AttachmentBandwidthLimit, nullString(tier.StripeMonthlyPriceID), nullString(tier.StripeYearlyPriceID), tier.Code); err != nil {
 		return err
 	}
 	return nil
@@ -1162,7 +1287,7 @@ func (a *Manager) RemoveTier(code string) error {

 // ChangeBilling updates a user's billing fields, namely the Stripe customer ID, and subscription information
 func (a *Manager) ChangeBilling(username string, billing *Billing) error {
-	if _, err := a.db.Exec(updateBillingQuery, nullString(billing.StripeCustomerID), nullString(billing.StripeSubscriptionID), nullString(string(billing.StripeSubscriptionStatus)), nullInt64(billing.StripeSubscriptionPaidUntil.Unix()), nullInt64(billing.StripeSubscriptionCancelAt.Unix()), username); err != nil {
+	if _, err := a.db.Exec(updateBillingQuery, nullString(billing.StripeCustomerID), nullString(billing.StripeSubscriptionID), nullString(string(billing.StripeSubscriptionStatus)), nullString(string(billing.StripeSubscriptionInterval)), nullInt64(billing.StripeSubscriptionPaidUntil.Unix()), nullInt64(billing.StripeSubscriptionCancelAt.Unix()), username); err != nil {
 		return err
 	}
 	return nil
@@ -1200,7 +1325,7 @@ func (a *Manager) Tier(code string) (*Tier, error) {

 // TierByStripePrice returns a Tier based on the Stripe price ID, or ErrTierNotFound if it does not exist
 func (a *Manager) TierByStripePrice(priceID string) (*Tier, error) {
-	rows, err := a.db.Query(selectTierByPriceIDQuery, priceID)
+	rows, err := a.db.Query(selectTierByPriceIDQuery, priceID, priceID)
 	if err != nil {
 		return nil, err
 	}
@@ -1210,12 +1335,12 @@ func (a *Manager) TierByStripePrice(priceID string) (*Tier, error) {

 func (a *Manager) readTier(rows *sql.Rows) (*Tier, error) {
 	var id, code, name string
-	var stripePriceID sql.NullString
+	var stripeMonthlyPriceID, stripeYearlyPriceID sql.NullString
 	var messagesLimit, messagesExpiryDuration, emailsLimit, reservationsLimit, attachmentFileSizeLimit, attachmentTotalSizeLimit, attachmentExpiryDuration, attachmentBandwidthLimit sql.NullInt64
 	if !rows.Next() {
 		return nil, ErrTierNotFound
 	}
-	if err := rows.Scan(&id, &code, &name, &messagesLimit, &messagesExpiryDuration, &emailsLimit, &reservationsLimit, &attachmentFileSizeLimit, &attachmentTotalSizeLimit, &attachmentExpiryDuration, &attachmentBandwidthLimit, &stripePriceID); err != nil {
+	if err := rows.Scan(&id, &code, &name, &messagesLimit, &messagesExpiryDuration, &emailsLimit, &reservationsLimit, &attachmentFileSizeLimit, &attachmentTotalSizeLimit, &attachmentExpiryDuration, &attachmentBandwidthLimit, &stripeMonthlyPriceID, &stripeYearlyPriceID); err != nil {
 		return nil, err
 	} else if err := rows.Err(); err != nil {
 		return nil, err
@@ -1233,7 +1358,8 @@ func (a *Manager) readTier(rows *sql.Rows) (*Tier, error) {
 		AttachmentTotalSizeLimit: attachmentTotalSizeLimit.Int64,
 		AttachmentExpiryDuration: time.Duration(attachmentExpiryDuration.Int64) * time.Second,
 		AttachmentBandwidthLimit: attachmentBandwidthLimit.Int64,
-		StripePriceID:            stripePriceID.String, // May be empty
+		StripeMonthlyPriceID:     stripeMonthlyPriceID.String, // May be empty
+		StripeYearlyPriceID:      stripeYearlyPriceID.String,  // May be empty
 	}, nil
 }

@@ -1313,10 +1439,7 @@ func migrateFrom1(db *sql.DB) error {
 	}
 	defer tx.Rollback()
 	// Rename user -> user_old, and create new tables
-	if _, err := tx.Exec(migrate1To2RenameUserTableQueryNoTx); err != nil {
-		return err
-	}
-	if _, err := tx.Exec(createTablesQueriesNoTx); err != nil {
+	if _, err := tx.Exec(migrate1To2CreateTablesQueries); err != nil {
 		return err
 	}
 	// Insert users from user_old into new user table, with ID and sync_topic
@@ -1356,6 +1479,22 @@ func migrateFrom1(db *sql.DB) error {
 	return nil
 }

+func migrateFrom2(db *sql.DB) error {
+	log.Tag(tag).Info("Migrating user database schema: from 2 to 3")
+	tx, err := db.Begin()
+	if err != nil {
+		return err
+	}
+	defer tx.Rollback()
+	if _, err := tx.Exec(migrate2To3UpdateQueries); err != nil {
+		return err
+	}
+	if _, err := tx.Exec(updateSchemaVersion, 3); err != nil {
+		return err
+	}
+	return tx.Commit()
+}
+
 func nullString(s string) sql.NullString {
 	if s == "" {
 		return sql.NullString{}
--- a/user/manager_test.go
+++ b/user/manager_test.go
@@ -4,6 +4,7 @@ import (
 	"database/sql"
 	"fmt"
 	"github.com/stretchr/testify/require"
+	"github.com/stripe/stripe-go/v74"
 	"golang.org/x/crypto/bcrypt"
 	"heckel.io/ntfy/util"
 	"net/netip"
@@ -113,7 +114,8 @@ func TestManager_AddUser_And_Query(t *testing.T) {
 	require.Nil(t, a.ChangeBilling("user", &Billing{
 		StripeCustomerID:            "acct_123",
 		StripeSubscriptionID:        "sub_123",
-		StripeSubscriptionStatus:    "active",
+		StripeSubscriptionStatus:    stripe.SubscriptionStatusActive,
+		StripeSubscriptionInterval:  stripe.PriceRecurringIntervalMonth,
 		StripeSubscriptionPaidUntil: time.Now().Add(time.Hour),
 		StripeSubscriptionCancelAt:  time.Unix(0, 0),
 	}))
@@ -131,29 +133,6 @@ func TestManager_AddUser_And_Query(t *testing.T) {
 	require.Equal(t, u.ID, u3.ID)
 }

-func TestManager_Authenticate_Timing(t *testing.T) {
-	a := newTestManagerFromFile(t, filepath.Join(t.TempDir(), "user.db"), "", PermissionDenyAll, DefaultUserPasswordBcryptCost, DefaultUserStatsQueueWriterInterval)
-	require.Nil(t, a.AddUser("user", "pass", RoleAdmin))
-
-	// Timing a correct attempt
-	start := time.Now().UnixMilli()
-	_, err := a.Authenticate("user", "pass")
-	require.Nil(t, err)
-	require.GreaterOrEqual(t, time.Now().UnixMilli()-start, minBcryptTimingMillis)
-
-	// Timing an incorrect attempt
-	start = time.Now().UnixMilli()
-	_, err = a.Authenticate("user", "INCORRECT")
-	require.Equal(t, ErrUnauthenticated, err)
-	require.GreaterOrEqual(t, time.Now().UnixMilli()-start, minBcryptTimingMillis)
-
-	// Timing a non-existing user attempt
-	start = time.Now().UnixMilli()
-	_, err = a.Authenticate("DOES-NOT-EXIST", "hithere")
-	require.Equal(t, ErrUnauthenticated, err)
-	require.GreaterOrEqual(t, time.Now().UnixMilli()-start, minBcryptTimingMillis)
-}
-
 func TestManager_MarkUserRemoved_RemoveDeletedUsers(t *testing.T) {
 	a := newTestManager(t, PermissionDenyAll)

@@ -395,7 +374,7 @@ func TestManager_ChangeRoleFromTierUserToAdmin(t *testing.T) {
 	require.Nil(t, a.AddTier(&Tier{
 		Code:                     "pro",
 		Name:                     "ntfy Pro",
-		StripePriceID:            "price123",
+		StripeMonthlyPriceID:     "price123",
 		MessageLimit:             5_000,
 		MessageExpiryDuration:    3 * 24 * time.Hour,
 		EmailLimit:               50,
@@ -761,7 +740,7 @@ func TestManager_Tier_Create_Update_List_Delete(t *testing.T) {
 		AttachmentTotalSizeLimit: 1,
 		AttachmentExpiryDuration: time.Second,
 		AttachmentBandwidthLimit: 1,
-		StripePriceID:            "price_1",
+		StripeMonthlyPriceID:     "price_1",
 	}))
 	require.Nil(t, a.AddTier(&Tier{
 		Code:                     "pro",
@@ -774,7 +753,7 @@ func TestManager_Tier_Create_Update_List_Delete(t *testing.T) {
 		AttachmentTotalSizeLimit: 123123,
 		AttachmentExpiryDuration: 10800 * time.Second,
 		AttachmentBandwidthLimit: 21474836480,
-		StripePriceID:            "price_2",
+		StripeMonthlyPriceID:     "price_2",
 	}))
 	require.Nil(t, a.AddUser("phil", "phil", RoleUser))
 	require.Nil(t, a.ChangeTier("phil", "pro"))
@@ -800,7 +779,7 @@ func TestManager_Tier_Create_Update_List_Delete(t *testing.T) {
 	require.Equal(t, int64(123123), ti.AttachmentTotalSizeLimit)
 	require.Equal(t, 10800*time.Second, ti.AttachmentExpiryDuration)
 	require.Equal(t, int64(21474836480), ti.AttachmentBandwidthLimit)
-	require.Equal(t, "price_2", ti.StripePriceID)
+	require.Equal(t, "price_2", ti.StripeMonthlyPriceID)

 	// Update tier
 	ti.EmailLimit = 999999
@@ -822,7 +801,7 @@ func TestManager_Tier_Create_Update_List_Delete(t *testing.T) {
 	require.Equal(t, int64(1), ti.AttachmentTotalSizeLimit)
 	require.Equal(t, time.Second, ti.AttachmentExpiryDuration)
 	require.Equal(t, int64(1), ti.AttachmentBandwidthLimit)
-	require.Equal(t, "price_1", ti.StripePriceID)
+	require.Equal(t, "price_1", ti.StripeMonthlyPriceID)

 	ti = tiers[1]
 	require.Equal(t, "pro", ti.Code)
@@ -835,7 +814,7 @@ func TestManager_Tier_Create_Update_List_Delete(t *testing.T) {
 	require.Equal(t, int64(123123), ti.AttachmentTotalSizeLimit)
 	require.Equal(t, 10800*time.Second, ti.AttachmentExpiryDuration)
 	require.Equal(t, int64(21474836480), ti.AttachmentBandwidthLimit)
-	require.Equal(t, "price_2", ti.StripePriceID)
+	require.Equal(t, "price_2", ti.StripeMonthlyPriceID)

 	ti, err = a.TierByStripePrice("price_1")
 	require.Nil(t, err)
@@ -849,7 +828,7 @@ func TestManager_Tier_Create_Update_List_Delete(t *testing.T) {
 	require.Equal(t, int64(1), ti.AttachmentTotalSizeLimit)
 	require.Equal(t, time.Second, ti.AttachmentExpiryDuration)
 	require.Equal(t, int64(1), ti.AttachmentBandwidthLimit)
-	require.Equal(t, "price_1", ti.StripePriceID)
+	require.Equal(t, "price_1", ti.StripeMonthlyPriceID)

 	// Cannot remove tier, since user has this tier
 	require.Error(t, a.RemoveTier("pro"))
--- a/user/types.go
+++ b/user/types.go
@@ -91,15 +91,17 @@ type Tier struct {
 	AttachmentTotalSizeLimit int64         // Total file size for all files of this user (bytes)
 	AttachmentExpiryDuration time.Duration // Duration after which attachments will be deleted
 	AttachmentBandwidthLimit int64         // Daily bandwidth limit for the user
-	StripePriceID            string        // Price ID for paid tiers (price_...)
+	StripeMonthlyPriceID     string        // Monthly price ID for paid tiers (price_...)
+	StripeYearlyPriceID      string        // Yearly price ID for paid tiers (price_...)
 }

 // Context returns fields for the log
 func (t *Tier) Context() log.Context {
 	return log.Context{
-		"tier_id":         t.ID,
-		"tier_code":       t.Code,
-		"stripe_price_id": t.StripePriceID,
+		"tier_id":                 t.ID,
+		"tier_code":               t.Code,
+		"stripe_monthly_price_id": t.StripeMonthlyPriceID,
+		"stripe_yearly_price_id":  t.StripeYearlyPriceID,
 	}
 }

@@ -136,6 +138,7 @@ type Billing struct {
 	StripeCustomerID            string
 	StripeSubscriptionID        string
 	StripeSubscriptionStatus    stripe.SubscriptionStatus
+	StripeSubscriptionInterval  stripe.PriceRecurringInterval
 	StripeSubscriptionPaidUntil time.Time
 	StripeSubscriptionCancelAt  time.Time
 }
--- a/user/types_test.go
+++ b/user/types_test.go
@@ -49,12 +49,15 @@ func TestAllowedTier(t *testing.T) {

 func TestTierContext(t *testing.T) {
 	tier := &Tier{
-		ID:            "ti_abc",
-		Code:          "pro",
-		StripePriceID: "price_123",
+		ID:                   "ti_abc",
+		Code:                 "pro",
+		StripeMonthlyPriceID: "price_123",
+		StripeYearlyPriceID:  "price_456",
 	}
 	context := tier.Context()
 	require.Equal(t, "ti_abc", context["tier_id"])
 	require.Equal(t, "pro", context["tier_code"])
-	require.Equal(t, "price_123", context["stripe_price_id"])
+	require.Equal(t, "price_123", context["stripe_monthly_price_id"])
+	require.Equal(t, "price_456", context["stripe_yearly_price_id"])
+
 }
--- a/util/time.go
+++ b/util/time.go
@@ -14,6 +14,15 @@ var (
 	durationStrRegex  = regexp.MustCompile(`(?i)^(\d+)\s*(d|days?|h|hours?|m|mins?|minutes?|s|secs?|seconds?)$`)
 )

+const (
+	timestampFormat = "2006-01-02T15:04:05.999Z07:00" // Like RFC3339, but with milliseconds
+)
+
+// FormatTime formats a time.Time in a RFC339-like format that includes milliseconds
+func FormatTime(t time.Time) string {
+	return t.Format(timestampFormat)
+}
+
 // NextOccurrenceUTC takes a time of day (e.g. 9:00am), and returns the next occurrence
 // of that time from the current time (in UTC).
 func NextOccurrenceUTC(timeOfDay, base time.Time) time.Time {
@@ -45,15 +54,9 @@ func ParseFutureTime(s string, now time.Time) (time.Time, error) {
 	return time.Time{}, errUnparsableTime
 }

-func parseFromDuration(s string, now time.Time) (time.Time, error) {
-	d, err := parseDuration(s)
-	if err == nil {
-		return now.Add(d), nil
-	}
-	return time.Time{}, errUnparsableTime
-}
-
-func parseDuration(s string) (time.Duration, error) {
+// ParseDuration is like time.ParseDuration, except that it also understands days (d), which
+// translates to 24 hours, e.g. "2d" or "20h".
+func ParseDuration(s string) (time.Duration, error) {
 	d, err := time.ParseDuration(s)
 	if err == nil {
 		return d, nil
@@ -80,6 +83,14 @@ func parseDuration(s string) (time.Duration, error) {
 	return 0, errUnparsableTime
 }

+func parseFromDuration(s string, now time.Time) (time.Time, error) {
+	d, err := ParseDuration(s)
+	if err == nil {
+		return now.Add(d), nil
+	}
+	return time.Time{}, errUnparsableTime
+}
+
 func parseUnixTime(s string, now time.Time) (time.Time, error) {
 	t, err := strconv.Atoi(s)
 	if err != nil {
--- a/util/time_test.go
+++ b/util/time_test.go
@@ -78,3 +78,17 @@ func TestParseFutureTime_UnixTime(t *testing.T) {
 	require.Nil(t, err)
 	require.Equal(t, time.Date(2021, 12, 11, 0, 51, 51, 0, time.UTC), d)
 }
+
+func TestParseDuration(t *testing.T) {
+	d, err := ParseDuration("2d")
+	require.Nil(t, err)
+	require.Equal(t, 48*time.Hour, d)
+
+	d, err = ParseDuration("2h")
+	require.Nil(t, err)
+	require.Equal(t, 2*time.Hour, d)
+
+	d, err = ParseDuration("0")
+	require.Nil(t, err)
+	require.Equal(t, time.Duration(0), d)
+}
--- a/web/package-lock.json
+++ b/web/package-lock.json
--- a/web/public/config.js
+++ b/web/public/config.js
@@ -6,11 +6,12 @@
 // During web development, you may change values here for rapid testing.

 var config = {
-    base_url: window.location.origin, // Set this to "https://127.0.0.1" to test against a different server
+    base_url: window.location.origin, // Change to test against a different server
    app_root: "/app",
    enable_login: true,
    enable_signup: true,
    enable_payments: true,
    enable_reservations: true,
+    billing_contact: "",
    disallowed_topics: ["docs", "static", "file", "app", "account", "settings", "signup", "login", "v1"]
 };
--- a/web/public/static/css/fonts.css
+++ b/web/public/static/css/fonts.css
@@ -6,8 +6,7 @@
    font-style: normal;
    font-weight: 300;
    src: local(''),
-    url('../fonts/roboto-v29-latin-300.woff2') format('woff2'), /* Chrome 26+, Opera 23+, Firefox 39+ */
-    url('../fonts/roboto-v29-latin-300.woff') format('woff'); /* Chrome 6+, Firefox 3.6+, IE 9+, Safari 5.1+ */
+    url('../fonts/roboto-v29-latin-300.woff2') format('woff2');
 }

 /* roboto-regular - latin */
@@ -16,8 +15,7 @@
    font-style: normal;
    font-weight: 400;
    src: local(''),
-    url('../fonts/roboto-v29-latin-regular.woff2') format('woff2'), /* Chrome 26+, Opera 23+, Firefox 39+ */
-    url('../fonts/roboto-v29-latin-regular.woff') format('woff'); /* Chrome 6+, Firefox 3.6+, IE 9+, Safari 5.1+ */
+    url('../fonts/roboto-v29-latin-regular.woff2') format('woff2');
 }

 /* roboto-500 - latin */
@@ -26,8 +24,7 @@
    font-style: normal;
    font-weight: 500;
    src: local(''),
-    url('../fonts/roboto-v29-latin-500.woff2') format('woff2'), /* Chrome 26+, Opera 23+, Firefox 39+ */
-    url('../fonts/roboto-v29-latin-500.woff') format('woff'); /* Chrome 6+, Firefox 3.6+, IE 9+, Safari 5.1+ */
+    url('../fonts/roboto-v29-latin-500.woff2') format('woff2');
 }

 /* roboto-700 - latin */
@@ -36,6 +33,5 @@
    font-style: normal;
    font-weight: 700;
    src: local(''),
-    url('../fonts/roboto-v29-latin-700.woff2') format('woff2'), /* Chrome 26+, Opera 23+, Firefox 39+ */
-    url('../fonts/roboto-v29-latin-700.woff') format('woff'); /* Chrome 6+, Firefox 3.6+, IE 9+, Safari 5.1+ */
+    url('../fonts/roboto-v29-latin-700.woff2') format('woff2');
 }
--- a/web/public/static/fonts/roboto-v29-latin-300.woff
+++ b/web/public/static/fonts/roboto-v29-latin-300.woff
--- a/web/public/static/fonts/roboto-v29-latin-500.woff
+++ b/web/public/static/fonts/roboto-v29-latin-500.woff
--- a/web/public/static/fonts/roboto-v29-latin-700.woff
+++ b/web/public/static/fonts/roboto-v29-latin-700.woff
--- a/web/public/static/fonts/roboto-v29-latin-regular.woff
+++ b/web/public/static/fonts/roboto-v29-latin-regular.woff
--- a/web/public/static/langs/ar.json
+++ b/web/public/static/langs/ar.json
@@ -0,0 +1,333 @@
+{
+    "action_bar_logo_alt": "شعار ntfy",
+    "action_bar_settings": "اﻹعدادات",
+    "action_bar_clear_notifications": "محو كافة الإشعارات",
+    "action_bar_unsubscribe": "إلغاء الاشتراك",
+    "message_bar_show_dialog": "إظهار مربع حوار النشر",
+    "message_bar_publish": "نشر الرسالة",
+    "nav_topics_title": "المواضيع التي تم الاشتراك فيها",
+    "nav_button_all_notifications": "كافة الإشعارات",
+    "nav_button_settings": "اﻹعدادات",
+    "nav_button_documentation": "الدليل",
+    "nav_button_publish_message": "نشر الإشعار",
+    "nav_button_subscribe": "اشترك في الموضوع",
+    "nav_button_connecting": "جارٍ الاتصال",
+    "alert_grant_title": "تم تعطيل الإشعارات",
+    "alert_grant_description": "امنح متصفحك الإذن لعرض إشعارات سطح المكتب.",
+    "notifications_list": "قائمة الإشعارات",
+    "notifications_list_item": "إشعار",
+    "notifications_mark_read": "وضع علامة كمقروء",
+    "notifications_tags": "الوسوم",
+    "notifications_priority_x": "الأولوية {{priority}}",
+    "notifications_new_indicator": "إشعار جديد",
+    "notifications_attachment_image": "صورة مرفقة",
+    "notifications_attachment_copy_url_button": "نسخ عنوان URL",
+    "notifications_attachment_open_title": "انتقل إلى {{url}}",
+    "notifications_attachment_link_expires": "تنتهي صلاحية الرابط {{date}}",
+    "notifications_attachment_link_expired": "انتهت صلاحية رابط التنزيل",
+    "notifications_attachment_file_image": "ملف الصورة",
+    "notifications_attachment_file_video": "ملف فيديو",
+    "notifications_attachment_file_audio": "ملف صوتي",
+    "notifications_attachment_file_app": "ملف تطبيق Android",
+    "notifications_attachment_file_document": "وثيقة أخرى",
+    "notifications_click_copy_url_button": "نسخ الرابط",
+    "notifications_click_open_button": "فتح الرابط",
+    "notifications_actions_open_url_title": "انتقل إلى {{url}}",
+    "notifications_actions_not_supported": "هذا الإجراء غير مدعوم في تطبيق الويب",
+    "action_bar_send_test_notification": "إرسال إشعار للاختبار",
+    "action_bar_show_menu": "عرض القائمة",
+    "message_bar_type_message": "اكتب رسالة هنا",
+    "alert_not_supported_title": "الإشعارات غير مدعومة",
+    "alert_not_supported_description": "الإشعارات غير مدعومة في متصفحك.",
+    "message_bar_error_publishing": "خطأ خلال نشر الإشعار",
+    "notifications_delete": "حذف",
+    "notifications_copied_to_clipboard": "تم نسخه إلى الحافظة",
+    "action_bar_toggle_mute": "كتم / إلغاء كتم الإشعارات",
+    "action_bar_toggle_action_menu": "فتح/إغلاق قائمة الإجراءات",
+    "alert_grant_button": "امنح الآن",
+    "notifications_attachment_open_button": "فتح المرفق",
+    "notifications_attachment_copy_url_title": "نسخ عنوان URL للمرفق إلى الحافظة",
+    "notifications_click_copy_url_title": "انسخ رابط URL إلى الحافظة",
+    "notifications_none_for_topic_title": "لم تتلق بعد أية إشعارات حول هذا الموضوع.",
+    "notifications_none_for_any_title": "لم تتلق أية إشعارات.",
+    "notifications_no_subscriptions_title": "يبدو أنك لا تملك أي اشتراكات بعد.",
+    "notifications_example": "مثال",
+    "notifications_loading": "تحميل الإشعارات…",
+    "publish_dialog_title_topic": "أنشُر إلى {{topic}}",
+    "publish_dialog_title_no_topic": "انشُر الإشعار",
+    "publish_dialog_emoji_picker_show": "اختر رمزًا تعبيريًا",
+    "publish_dialog_priority_min": "أولوية دنيا",
+    "publish_dialog_priority_low": "أولوية منخفضة",
+    "publish_dialog_priority_default": "الأولوية الافتراضية",
+    "publish_dialog_priority_high": "أولوية عالية",
+    "publish_dialog_base_url_label": "الرابط التشعبي للخدمة",
+    "publish_dialog_priority_max": "أولوية قصوى",
+    "publish_dialog_topic_placeholder": "اسم الموضوع، على سبيل المثال phil_alerts",
+    "publish_dialog_title_label": "العنوان",
+    "publish_dialog_title_placeholder": "عنوان الإشعار، على سبيل المثال تنبيه مساحة القرص",
+    "publish_dialog_message_label": "الرسالة",
+    "publish_dialog_message_placeholder": "اكتب رسالة هنا",
+    "publish_dialog_tags_label": "الوسوم",
+    "publish_dialog_priority_label": "الأولوية",
+    "publish_dialog_click_placeholder": "العنوان التشعبي URL الذي يتم فتحه عند النقر فوق الإشعار",
+    "publish_dialog_email_label": "البريد الإلكتروني",
+    "publish_dialog_filename_label": "اسم الملف",
+    "publish_dialog_attach_label": "الرابط التشعبي URL للمرفق",
+    "publish_dialog_filename_placeholder": "اسم ملف المرفق",
+    "publish_dialog_delay_label": "تأخير",
+    "publish_dialog_delay_reset": "إزالة تأخر التسليم",
+    "publish_dialog_chip_click_label": "انقر على عنوان URL",
+    "publish_dialog_chip_email_label": "إعادة التوجيه إلى البريد الإلكتروني",
+    "publish_dialog_chip_attach_file_label": "إرفاق ملف محلي",
+    "publish_dialog_chip_topic_label": "تغيير الموضوع",
+    "publish_dialog_button_cancel_sending": "إلغاء الإرسال",
+    "publish_dialog_button_send": "أرسل",
+    "publish_dialog_checkbox_publish_another": "نشر آخر",
+    "publish_dialog_attached_file_title": "الملف المرفق:",
+    "publish_dialog_attached_file_filename_placeholder": "اسم الملف المرفق",
+    "publish_dialog_attached_file_remove": "إزالة الملف المرفق",
+    "publish_dialog_drop_file_here": "قم بإسقاط ملف هنا",
+    "emoji_picker_search_placeholder": "البحث عن رمز تعبيري",
+    "emoji_picker_search_clear": "مسح البحث",
+    "subscribe_dialog_subscribe_title": "الإشتراك في الموضوع",
+    "subscribe_dialog_subscribe_use_another_label": "استخدام خادم آخر",
+    "subscribe_dialog_subscribe_base_url_label": "الرابط التشعبي URL للخدمة",
+    "subscribe_dialog_subscribe_button_subscribe": "اشترِك",
+    "subscribe_dialog_login_title": "تسجيل الدخول مطلوب",
+    "subscribe_dialog_login_username_label": "اسم المستخدم، على سبيل المثال phil",
+    "subscribe_dialog_login_password_label": "كلمة المرور",
+    "subscribe_dialog_login_button_login": "الولوج",
+    "subscribe_dialog_error_user_anonymous": "مجهول",
+    "prefs_notifications_title": "الإشعارات",
+    "prefs_notifications_sound_title": "صوت الإشعار",
+    "prefs_notifications_sound_no_sound": "لا صوت",
+    "prefs_notifications_min_priority_description_any": "عرض جميع الإشعارات، بغض النظر عن الأولوية",
+    "prefs_notifications_delete_after_title": "حذف الإشعارات",
+    "prefs_notifications_delete_after_never": "أبداً",
+    "prefs_notifications_delete_after_three_hours": "بعد ثلاث ساعات",
+    "prefs_notifications_delete_after_one_day": "بعد يوم واحد",
+    "prefs_notifications_delete_after_one_month": "بعد شهر واحد",
+    "prefs_notifications_delete_after_never_description": "لا يتم حذف الإشعارات تلقائيا مطلقا",
+    "prefs_notifications_delete_after_one_week_description": "يتم حذف الإشعارات تلقائيا بعد يوم واحد",
+    "prefs_notifications_delete_after_one_month_description": "يتم حذف الإشعارات تلقائيا بعد شهر واحد",
+    "prefs_users_table": "قائمة المستخدمين",
+    "prefs_users_edit_button": "تعديل المستخدم",
+    "prefs_users_table_user_header": "المستخدم",
+    "prefs_users_table_base_url_header": "الرابط التشعبي للخدمة",
+    "priority_default": "افتراضية",
+    "prefs_users_dialog_username_label": "اسم المستخدم، على سبيل المثال phil",
+    "prefs_users_dialog_button_cancel": "إلغاء",
+    "prefs_users_dialog_button_add": "اضافة",
+    "prefs_users_dialog_button_save": "حفظ",
+    "prefs_appearance_title": "المظهر",
+    "prefs_appearance_language_title": "اللغة",
+    "error_boundary_gathering_info": "جمع مزيد من المعلومات …",
+    "error_boundary_unsupported_indexeddb_title": "التصفح الخاص غير مدعوم",
+    "priority_high": "عالية",
+    "priority_max": "قصوى",
+    "error_boundary_title": "أوه لا ، لقد تحطم ntfy",
+    "prefs_users_delete_button": "حذف المستخدم",
+    "prefs_users_add_button": "إضافة مستخدم",
+    "prefs_notifications_min_priority_any": "مهما كانت الأولوية",
+    "prefs_notifications_delete_after_one_week": "بعد أسبوع واحد",
+    "prefs_notifications_delete_after_three_hours_description": "يتم حذف الإشعارات تلقائيا بعد ثلاث ساعات",
+    "prefs_notifications_delete_after_one_day_description": "يتم حذف الإشعارات تلقائيا بعد يوم واحد",
+    "prefs_users_title": "إدارة المستخدمين",
+    "prefs_users_dialog_title_add": "إضافة مستخدم",
+    "prefs_users_dialog_title_edit": "تعديل المستخدم",
+    "prefs_users_dialog_base_url_label": "عنوان URL للخدمة، على سبيل المثال، https://ntfy.sh",
+    "publish_dialog_button_cancel": "إلغاء",
+    "publish_dialog_message_published": "تم نشر الإشعار",
+    "prefs_users_dialog_password_label": "كلمة المرور",
+    "publish_dialog_base_url_placeholder": "عنوان URL للخدمة، على سبيل المثال، https://example.com",
+    "publish_dialog_progress_uploading": "جارٍ التحميل…",
+    "publish_dialog_topic_label": "اسم الموضوع",
+    "publish_dialog_topic_reset": "إعادة تعيين الموضوع",
+    "publish_dialog_email_reset": "إزالة إعادة توجيه البريد الإلكتروني",
+    "publish_dialog_email_placeholder": "عنوان لإعادة توجيه الإشعار إليه، على سبيل المثال phil@example.com",
+    "publish_dialog_other_features": "ميزات أخرى:",
+    "publish_dialog_chip_attach_url_label": "إرفاق ملف عن طريق عنوان URL",
+    "subscribe_dialog_subscribe_topic_placeholder": "اسم الموضوع، على سبيل المثال phil_alerts",
+    "prefs_notifications_sound_description_none": "لا تصدر الإشعارات أي صوت عند وصولها",
+    "publish_dialog_chip_delay_label": "تأخير التسليم",
+    "subscribe_dialog_login_description": "هذا الموضوع محمي بكلمة مرور. الرجاء إدخال اسم المستخدم وكلمة المرور للاشتراك.",
+    "subscribe_dialog_subscribe_button_cancel": "إلغاء",
+    "subscribe_dialog_login_button_back": "العودة",
+    "prefs_notifications_sound_play": "تشغيل الصوت المحدد",
+    "prefs_notifications_min_priority_title": "أولوية دنيا",
+    "prefs_notifications_min_priority_max_only": "الأولوية القصوى فقط",
+    "notifications_no_subscriptions_description": "انقر فوق الرابط \"{{linktext}}\" لإنشاء موضوع أو الاشتراك فيه. بعد ذلك، يمكنك إرسال رسائل عبر PUT أو POST وستتلقى إشعارات هنا.",
+    "publish_dialog_click_label": "الرابط التشعبي URL للنقر",
+    "publish_dialog_tags_placeholder": "قائمة علامات مفصولة بفواصل، على سبيل المثال تحذير, srv1-backup",
+    "publish_dialog_attach_placeholder": "إرفاق ملف بعنوان URL ، على سبيل المثال https://f-droid.org/F-Droid.apk",
+    "publish_dialog_attach_reset": "إزالة عنوان URL للمرفق",
+    "subscribe_dialog_error_user_not_authorized": "المستخدم {{username}} غير مصرح به",
+    "common_save": "حفظ",
+    "common_add": "إضافة",
+    "signup_form_username": "إسم المستخدم",
+    "signup_form_confirm_password": "تأكيد كلمة المرور",
+    "login_title": "تسجيل الدخول إلى حسابك ntfy",
+    "login_form_button_submit": "الولوج",
+    "login_link_signup": "إنشاء حساب",
+    "login_disabled": "تم تعطيل تسجيل الدخول",
+    "action_bar_account": "الحساب",
+    "action_bar_change_display_name": "تغيير الإسم المعروض",
+    "signup_error_creation_limit_reached": "تم بلوغ حد إنشاء الحسابات",
+    "action_bar_reservation_add": "حجز الموضوع",
+    "action_bar_reservation_edit": "تغيير الحجز",
+    "action_bar_profile_title": "الملف التعريفي",
+    "action_bar_profile_settings": "اﻹعدادات",
+    "action_bar_profile_logout": "الخروج",
+    "action_bar_sign_in": "الولوج",
+    "action_bar_sign_up": "إنشاء حساب",
+    "nav_button_account": "الحساب",
+    "nav_upgrade_banner_label": "قم بالترقية إلى NTFY Pro",
+    "reserve_dialog_checkbox_label": "حجز الموضوع وإعداد الوصول",
+    "subscribe_dialog_subscribe_button_generate_topic_name": "توليد إسم",
+    "subscribe_dialog_error_topic_already_reserved": "الموضوع محجوز بالفعل",
+    "account_basics_title": "الحساب",
+    "account_basics_username_title": "إسم المستخدم",
+    "account_basics_username_description": "مرحبًا، هذا أنت ❤",
+    "account_basics_username_admin_tooltip": "أنت مدير",
+    "account_basics_password_title": "كلمة المرور",
+    "account_basics_password_description": "غيّر كلمة مرور حسابك",
+    "account_basics_password_dialog_title": "تغيير كلمة المرور",
+    "account_basics_password_dialog_current_password_label": "كلمة المرور الحالية",
+    "account_basics_password_dialog_new_password_label": "كلمة المرور الجديدة",
+    "account_basics_password_dialog_confirm_password_label": "تأكيد كلمة المرور",
+    "account_basics_password_dialog_button_submit": "تغيير كلمة المرور",
+    "account_basics_password_dialog_current_password_incorrect": "الكلمة السرية خاطئة",
+    "account_usage_title": "الإستخدام",
+    "account_usage_of_limit": "من {{limit}}",
+    "account_usage_unlimited": "غير محدود",
+    "account_basics_tier_title": "نوع الحساب",
+    "account_basics_tier_description": "مستوى قوة حسابك",
+    "account_basics_tier_admin": "مدير",
+    "account_basics_tier_free": "مجاني",
+    "account_basics_tier_upgrade_button": "الترقية إلى Pro",
+    "account_basics_tier_change_button": "تغيير",
+    "account_basics_tier_manage_billing_button": "إدارة الفوترة",
+    "account_usage_messages_title": "الرسائل المنشورة",
+    "account_usage_reservations_title": "المواضيع المحجوزة",
+    "account_usage_attachment_storage_title": "تخزين المرفقات",
+    "account_delete_title": "حذف الحساب",
+    "account_delete_description": "احذف حسابك نهائيا",
+    "account_delete_dialog_label": "كلمة المرور",
+    "account_upgrade_dialog_title": "تغيير فئة الحساب",
+    "account_upgrade_dialog_tier_features_messages": "{{messages}} رسائل يومية",
+    "account_upgrade_dialog_tier_features_emails": "{{emails}} من رسائل البريد الإلكتروني اليومية",
+    "account_upgrade_dialog_button_cancel": "إلغاء",
+    "account_upgrade_dialog_button_pay_now": "ادفع الآن واشترك",
+    "account_upgrade_dialog_button_cancel_subscription": "إلغاء الاشتراك",
+    "account_tokens_title": "رموز الوصول",
+    "account_tokens_table_token_header": "الرمز المميز",
+    "account_tokens_table_last_access_header": "آخر وصول",
+    "account_tokens_table_expires_header": "تنتهي مدة صلاحيته في",
+    "account_tokens_table_never_expires": "لا تنتهي صلاحيتها أبدا",
+    "account_tokens_table_current_session": "جلسة المتصفح الحالية",
+    "account_tokens_table_copy_to_clipboard": "انسخ إلى الحافظة",
+    "account_tokens_table_cannot_delete_or_edit": "لا يمكن تحرير أو حذف الرمز المميز للجلسة الحالية",
+    "account_tokens_table_create_token_button": "إنشاء رمز مميز للوصول",
+    "account_tokens_table_last_origin_tooltip": "من عنوان IP {{ip}}، انقر للبحث",
+    "account_tokens_dialog_title_create": "إنشاء رمز مميز للوصول",
+    "account_tokens_dialog_title_edit": "تعديل الرمز المميز للوصول",
+    "account_tokens_dialog_title_delete": "حذف الرمز المميز للوصول",
+    "account_tokens_dialog_label": "التسمية، على سبيل المثال إشعارات الرادار",
+    "account_tokens_dialog_button_create": "إنشاء رمز مميز",
+    "account_tokens_dialog_button_update": "تحديث الرمز المميز",
+    "account_tokens_dialog_button_cancel": "إلغاء",
+    "account_tokens_dialog_expires_label": "تنتهي صلاحية الرمز المميز للوصول في",
+    "account_tokens_dialog_expires_unchanged": "اترك تاريخ انتهاء الصلاحية دون تغيير",
+    "account_tokens_dialog_expires_x_hours": "تنتهي صلاحية الرمز المميز في {{hours}} ساعات",
+    "account_tokens_dialog_expires_never": "لا تنتهي صلاحية الرمز المميز أبدًا",
+    "account_tokens_delete_dialog_title": "حذف الرمز المميز للوصول",
+    "account_tokens_delete_dialog_submit_button": "حذف الرمز المميز نهائيا",
+    "prefs_users_table_cannot_delete_or_edit": "لا يمكن حذف أو تحرير المستخدم الذي قام بتسجيل الدخول",
+    "prefs_reservations_add_button": "إضافة موضوع محجوز",
+    "prefs_reservations_table": "جدول المواضيع المحجوزة",
+    "prefs_reservations_table_topic_header": "الموضوع",
+    "prefs_reservations_table_access_header": "الوصول",
+    "prefs_reservations_table_everyone_deny_all": "أنا فقط من يستطيع النشر والاشتراك",
+    "prefs_reservations_table_everyone_write_only": "يمكنني النشر والاشتراك ، ويمكن للجميع النشر",
+    "prefs_reservations_table_everyone_read_write": "يمكن للجميع النشر والاشتراك",
+    "prefs_reservations_table_not_subscribed": "غير مشترك",
+    "prefs_reservations_dialog_title_edit": "تحرير الموضوع المحجوز",
+    "prefs_reservations_dialog_topic_label": "الموضوع",
+    "prefs_reservations_dialog_access_label": "الوصول",
+    "reservation_delete_dialog_action_delete_title": "حذف الرسائل والمرفقات المخزنة مؤقتا",
+    "reservation_delete_dialog_submit_button": "حذف الحجز",
+    "signup_title": "إنشاء حساب ntfy",
+    "common_cancel": "إلغاء",
+    "signup_form_password": "كلمة المرور",
+    "signup_already_have_account": "هل لديك حساب؟ قم بتسجيل الدخول!",
+    "signup_form_button_submit": "إنشاء حساب",
+    "signup_disabled": "تم تعطيل التسجيل",
+    "display_name_dialog_placeholder": "الإسم المعروض",
+    "display_name_dialog_title": "تغيير الإسم المعروض",
+    "account_basics_tier_basic": "أساسي",
+    "account_usage_emails_title": "رسائل البريد الإلكتروني المرسلة",
+    "account_usage_reservations_none": "لا توجد مواضيع محجوزة لهذا الحساب",
+    "account_usage_cannot_create_portal_session": "تعذر فتح بوابة الفوترة",
+    "account_delete_dialog_button_cancel": "إلغاء",
+    "account_delete_dialog_button_submit": "حذف الحساب نهائيا",
+    "account_upgrade_dialog_button_update_subscription": "تحديث الاشتراك",
+    "account_tokens_table_copied_to_clipboard": "تم نسخ الرمز المميز للوصول",
+    "prefs_reservations_title": "المواضيع المحجوزة",
+    "prefs_reservations_table_everyone_read_only": "يمكنني النشر والاشتراك ، ويمكن للجميع الاشتراك",
+    "prefs_reservations_table_click_to_subscribe": "انقر للاشتراك",
+    "reservation_delete_dialog_action_keep_title": "الاحتفاظ بالرسائل والمرفقات المخزنة مؤقتًا",
+    "action_bar_reservation_delete": "إزالة الحجز",
+    "display_name_dialog_description": "قم بتعيين اسم بديل للموضوع المعروض في قائمة الاشتراك. يساعد هذا في تحديد الموضوعات ذات الأسماء المعقدة بسهولة أكبر.",
+    "prefs_users_description": "إضافة / إزالة المستخدمين لمواضيعك المحمية هنا. يرجى الأخذ بعين الاعتبار أنه يتم تخزين اسم المستخدم وكلمة المرور في التخزين المحلي للمتصفح.",
+    "notifications_more_details": "لمزيد من المعلومات، الرجاء الاطّلاع على <websiteLink>موقع الويب</websiteLink> أو على <docsLink>الدليل</docsLink>.",
+    "publish_dialog_details_examples_description": "للحصول على أمثلة ووصف مُفصّل لجميع ميزات الإرسال، يرجى الاستناد إلى <docsLink>الدليل</docsLink>.",
+    "subscribe_dialog_subscribe_description": "قد لا تكون الموضوعات محمية بكلمة سر لذا اختر اسمًا ليس من السهل تخمينه وبمجرد اشتراكك، يمكنك الحصول على إشعارات عبر \"PUT/POST\".",
+    "prefs_notifications_sound_description_some": "تقوم الإشعارات بتشغيل صوت {{sound}} عند وصولها",
+    "notifications_none_for_topic_description": "لإرسال إشعارات إلى هذا الموضوع، ما عليك سوى PUT أو POST إلى عنوان URL الخاص بالموضوع.",
+    "priority_low": "منخفضة",
+    "signup_form_toggle_password_visibility": "تبديل رؤية كلمة المرور",
+    "account_usage_limits_reset_daily": "يعاد تحديد حدود الاستخدام يوميا في منتصف الليل (UTC)",
+    "account_tokens_table_label_header": "المُلصَقة",
+    "account_upgrade_dialog_button_redirect_signup": "تسجيل فوري",
+    "account_upgrade_dialog_tier_current_label": "الحالي",
+    "account_tokens_dialog_expires_x_days": "تنتهي صلاحية الرمز المميز في غضون {{days}} أيام",
+    "prefs_reservations_dialog_title_add": "حجز موضوع",
+    "prefs_reservations_description": "يمكنك حجز أسماء الموضوعات للاستخدام الشخصي هنا. يمنحك حجز موضوع ما ملكية الموضوع، ويسمح لك بتحديد تصريحات الوصول للمستخدمين الآخرين إلى الموضوع.",
+    "prefs_users_description_no_sync": "لا تتم مزامنة المستخدمين وكلمات المرور مع حسابك.",
+    "reservation_delete_dialog_action_delete_description": "سيتم حذف الرسائل والمرفقات المخزنة مؤقتا نهائيا. لا يمكن التراجع عن هذا الإجراء.",
+    "notifications_actions_http_request_title": "إرسال طلب HTTP {{method}} إلى {{url}}",
+    "notifications_none_for_any_description": "لإرسال إشعارات إلى موضوع ما، ما عليك سوى إرسال طلب PUT أو POST إلى الرابط التشعبي URL للموضوع. إليك مثال باستخدام أحد مواضيعك.",
+    "error_boundary_description": "من الواضح أن هذا لا ينبغي أن يحدث. آسف جدًا بشأن هذا. <br/> إن كان لديك دقيقة، يرجى <githubLink> الإبلاغ عن ذلك على GitHub </githubLink> ، أو إعلامنا عبر <discordLink> Discord </discordLink> أو <matrixLink> Matrix </matrixLink>.",
+    "nav_button_muted": "الإشعارات المكتومة",
+    "priority_min": "دنيا",
+    "signup_error_username_taken": "تم حجز اسم المستخدم {{username}} مِن قَبلُ",
+    "action_bar_reservation_limit_reached": "بلغت الحد الأقصى",
+    "prefs_reservations_delete_button": "إعادة تعيين الوصول إلى الموضوع",
+    "prefs_reservations_edit_button": "تعديل الوصول إلى موضوع",
+    "prefs_reservations_limit_reached": "لقد بلغت الحد الأقصى من المواضيع المحجوزة.",
+    "reservation_delete_dialog_action_keep_description": "ستصبح الرسائل والمرفقات المخزنة مؤقتًا على الخادم مرئية للعموم وللأشخاص الذين لديهم معرفة باسم الموضوع.",
+    "reservation_delete_dialog_description": "تؤدي إزالة الحجز إلى التخلي عن ملكية الموضوع، مما يسمح للآخرين بحجزه. يمكنك الاحتفاظ بالرسائل والمرفقات الموجودة أو حذفها.",
+    "prefs_reservations_dialog_description": "يمنحك حجز موضوع ما ملكية الموضوع، ويسمح لك بتحديد تصريحات وصول المستخدمين الآخرين إليه.",
+    "account_upgrade_dialog_interval_yearly_discount_save_up_to": "توفير ما يصل إلى {{discount}}٪",
+    "account_upgrade_dialog_interval_monthly": "شهريا",
+    "account_upgrade_dialog_tier_features_attachment_total_size": "إجمالي مساحة التخزين {{totalsize}}",
+    "publish_dialog_progress_uploading_detail": "تحميل {{loaded}}/{{total}} ({{percent}}٪) …",
+    "account_basics_tier_interval_monthly": "شهريا",
+    "account_basics_tier_interval_yearly": "سنويا",
+    "account_upgrade_dialog_tier_features_reservations": "{{reservations}} مواضيع محجوزة",
+    "account_upgrade_dialog_billing_contact_website": "للأسئلة المتعلقة بالفوترة، يرجى الرجوع إلى <Link>موقعنا على الويب</Link>.",
+    "prefs_notifications_min_priority_description_x_or_higher": "إظهار الإشعارات إذا كانت الأولوية {{number}} ({{name}}) أو أعلى",
+    "account_upgrade_dialog_billing_contact_email": "للأسئلة المتعلقة بالفوترة، الرجاء <Link>الاتصال بنا</Link> مباشرة.",
+    "account_upgrade_dialog_tier_selected_label": "المحدد",
+    "account_upgrade_dialog_tier_features_attachment_file_size": "{{filesize}} لكل ملف",
+    "account_upgrade_dialog_interval_yearly": "سنويا",
+    "account_upgrade_dialog_tier_features_no_reservations": "لا توجد مواضيع محجوزة",
+    "account_upgrade_dialog_interval_yearly_discount_save": "وفر {{discount}}٪",
+    "publish_dialog_click_reset": "إزالة الرابط التشعبي URL للنقر",
+    "prefs_notifications_min_priority_description_max": "إظهار الإشعارات إذا كانت الأولوية 5 (كحد أقصى)",
+    "publish_dialog_attachment_limits_file_reached": "يتجاوز الحد الأقصى للملف {{fileSizeLimit}}",
+    "publish_dialog_attachment_limits_quota_reached": "يتجاوز الحصة، {{remainingBytes}} متبقية",
+    "account_basics_tier_paid_until": "تم دفع مبلغ الاشتراك إلى غاية {{date}}، وسيتم تجديده تِلْقائيًا",
+    "account_basics_tier_canceled_subscription": "تم إلغاء اشتراكك وسيتم إعادته إلى مستوى حساب مجاني بداية مِن {{date}}.",
+    "account_delete_dialog_billing_warning": "إلغاء حسابك أيضاً يلغي اشتراكك في الفوترة فوراً ولن تتمكن من الوصول إلى لوح الفوترة بعد الآن."
+}
--- a/web/public/static/langs/bg.json
+++ b/web/public/static/langs/bg.json
@@ -187,5 +187,78 @@
    "prefs_users_table": "Таблица с потребители",
    "prefs_users_edit_button": "Промяна на потребител",
    "error_boundary_unsupported_indexeddb_title": "Поверително разглеждане не се поддържа",
-    "error_boundary_unsupported_indexeddb_description": "За да работи интернет-приложението ntfy се нуждае от IndexedDB, а мрежовият четец не поддържа IndexedDB в режим на поверително разглеждане.<br/><br/>Въпреки това, няма смисъл да използвате интернет-приложението ntfy в режим на поверително разглеждане, тъй като всичко се пази в хранилището на четеца. Можете да прочетете повече по <githubLink>проблема в GitHub</githubLink> или да се свържете с нас в <discordLink>Discord</discordLink> или <matrixLink>Matrix</matrixLink>."
+    "error_boundary_unsupported_indexeddb_description": "За да работи интернет-приложението ntfy се нуждае от IndexedDB, а мрежовият четец не поддържа IndexedDB в режим на поверително разглеждане.<br/><br/>Въпреки това, няма смисъл да използвате интернет-приложението ntfy в режим на поверително разглеждане, тъй като всичко се пази в хранилището на четеца. Можете да прочетете повече по <githubLink>проблема в GitHub</githubLink> или да се свържете с нас в <discordLink>Discord</discordLink> или <matrixLink>Matrix</matrixLink>.",
+    "signup_title": "Създаване на профил в ntfy",
+    "signup_form_username": "Потребител",
+    "signup_form_password": "Парола",
+    "signup_form_button_submit": "Регистриране",
+    "signup_form_toggle_password_visibility": "Превключване видимостта на паролата",
+    "signup_already_have_account": "Имате профил? Впишете се!",
+    "signup_error_username_taken": "Потребителското име {{username}} е заето",
+    "login_title": "Впишете се в профила си в ntfy",
+    "login_form_button_submit": "Вписване",
+    "login_link_signup": "Регистриране",
+    "login_disabled": "Вписването е изключено",
+    "action_bar_account": "Профил",
+    "action_bar_change_display_name": "Промяна на показваното име",
+    "action_bar_reservation_add": "Резервиране на тема",
+    "action_bar_reservation_delete": "Премахване на резервацията",
+    "action_bar_reservation_limit_reached": "Ограничението е достигнато",
+    "action_bar_profile_title": "Профил",
+    "action_bar_profile_settings": "Настройки",
+    "action_bar_profile_logout": "Изход",
+    "action_bar_sign_in": "Вписване",
+    "nav_button_account": "Профил",
+    "nav_upgrade_banner_label": "Надграждане до ntfy Pro",
+    "signup_form_confirm_password": "Парола отново",
+    "signup_disabled": "Регистрациите са затворени",
+    "signup_error_creation_limit_reached": "Достигнатео е ограничението за създаване на профили",
+    "display_name_dialog_title": "Промяна на показваното име",
+    "action_bar_reservation_edit": "Промяна на резервацията",
+    "action_bar_sign_up": "Регистриране",
+    "account_basics_title": "Профил",
+    "alert_not_supported_context_description": "Известията се поддържат само през HTTPS. Това е ограничение на <mdnLink>Notifications API</mdnLink>.",
+    "display_name_dialog_description": "Изберете друго име за темата, което да се показва в списъка с абонаменти. Помага за по-лесното разпознаване на теми със сложни имена.",
+    "subscribe_dialog_error_topic_already_reserved": "Темата вече е резервирана",
+    "nav_upgrade_banner_description": "Резервиране на теми, повече съобщения и имейли и по-големи прикачени файлове",
+    "display_name_dialog_placeholder": "Наименование",
+    "reserve_dialog_checkbox_label": "Резервиране на тема и настройки за достъп",
+    "subscribe_dialog_subscribe_button_generate_topic_name": "Произволно име",
+    "account_basics_username_title": "Потребител",
+    "account_basics_username_description": "Хей, това сте вие ❤",
+    "account_basics_username_admin_tooltip": "Вие сте администратор",
+    "account_basics_password_title": "Парола",
+    "account_delete_dialog_label": "Парола",
+    "account_basics_password_dialog_title": "Смяна на парола",
+    "account_basics_password_dialog_current_password_label": "Текуща парола",
+    "account_basics_password_dialog_new_password_label": "Нова парола",
+    "account_basics_password_dialog_confirm_password_label": "Парола отново",
+    "account_basics_password_dialog_button_submit": "Смяна на парола",
+    "account_usage_title": "Употреба",
+    "account_usage_of_limit": "от {{limit}}",
+    "account_usage_unlimited": "Неограничено",
+    "account_usage_limits_reset_daily": "Ограниченията се нулират всеки ден в полунощ (UTC)",
+    "account_basics_tier_interval_monthly": "месечно",
+    "account_basics_tier_interval_yearly": "годишно",
+    "account_basics_password_description": "Промяна на паролата на профила",
+    "account_basics_tier_title": "Вид на профила",
+    "account_basics_tier_admin": "Администратор",
+    "account_basics_tier_admin_suffix_with_tier": "(с {{tier}} ниво)",
+    "account_basics_tier_admin_suffix_no_tier": "(без ниво)",
+    "account_basics_tier_free": "безплатен",
+    "account_basics_tier_basic": "базов",
+    "account_basics_tier_change_button": "Променяне",
+    "account_basics_tier_paid_until": "Абонаментът е платен до {{date}} и автоматично ще се поднови",
+    "account_usage_attachment_storage_title": "Хранилище за прикачени файлове",
+    "account_delete_dialog_button_cancel": "Отказ",
+    "account_upgrade_dialog_interval_monthly": "Месечно",
+    "account_upgrade_dialog_tier_features_reservations": "{{reservations}} резервирани теми",
+    "account_upgrade_dialog_tier_features_no_reservations": "Няма резервирани теми",
+    "account_tokens_dialog_button_cancel": "Отказ",
+    "account_delete_title": "Премахване на профила",
+    "account_upgrade_dialog_title": "Промяна нивото на профила",
+    "account_usage_emails_title": "Изпратени съобщения",
+    "account_usage_reservations_title": "Резервирани теми",
+    "account_usage_reservations_none": "Няма резервирани теми",
+    "account_usage_cannot_create_portal_session": "Порталът за разплащане не може да бъде отворен"
 }
--- a/web/public/static/langs/cs.json
+++ b/web/public/static/langs/cs.json
@@ -187,5 +187,170 @@
    "prefs_notifications_sound_play": "Přehrát vybraný zvuk",
    "prefs_users_table": "Tabulka uživatelů",
    "notifications_attachment_file_document": "jiný dokument",
-    "publish_dialog_delay_reset": "Odebrat odložené doručení"
+    "publish_dialog_delay_reset": "Odebrat odložené doručení",
+    "signup_form_confirm_password": "Potvrdit heslo",
+    "signup_form_button_submit": "Zaregistrovat se",
+    "signup_form_username": "Uživatelské jméno",
+    "signup_form_toggle_password_visibility": "Přepnout viditelnost hesla",
+    "signup_already_have_account": "Už máte účet? Přihlašte se!",
+    "signup_error_username_taken": "Uživatelské jméno {{username}} je již obsazeno",
+    "signup_error_creation_limit_reached": "Dosažen limit pro vytvoření účtu",
+    "login_title": "Přihlaste se do svého ntfy účtu",
+    "login_form_button_submit": "Přihlásit se",
+    "login_link_signup": "Zaregistrovat se",
+    "login_disabled": "Přihlašování je zakázáno",
+    "action_bar_account": "Účet",
+    "action_bar_reservation_add": "Rezervovat téma",
+    "action_bar_reservation_edit": "Změnit rezervaci",
+    "action_bar_reservation_delete": "Odstranit rezervaci",
+    "action_bar_reservation_limit_reached": "Limit dosažen",
+    "action_bar_profile_title": "Profil",
+    "action_bar_profile_settings": "Nastavení",
+    "action_bar_profile_logout": "Odhlásit se",
+    "action_bar_sign_up": "Zaregistrovat se",
+    "nav_button_account": "Účet",
+    "nav_upgrade_banner_label": "Upgradovat na nfty Pro",
+    "nav_upgrade_banner_description": "Rezervace témat, více zpráv a emailů a větší přílohy",
+    "signup_title": "Vytvořit nfty účet",
+    "signup_form_password": "Heslo",
+    "display_name_dialog_description": "Nastaví alternativní název pro téma, které se zobrazí v seznamu odběrů. Toto pomáhá jednodušeji identifikovat témata s komplikovanými jmény.",
+    "action_bar_change_display_name": "Změnit zobrazovaný název",
+    "action_bar_sign_in": "Přihlásit se",
+    "alert_not_supported_context_description": "Oznámení jsou podporována pouze přes HTTPS. Toto je limitace <mdnLink>Notifications API</mdnLink>.",
+    "display_name_dialog_title": "Změnit zobrazovaný název",
+    "account_basics_password_title": "Heslo",
+    "account_basics_password_dialog_title": "Změna hesla",
+    "subscribe_dialog_error_topic_already_reserved": "Téma již rezervováno",
+    "subscribe_dialog_subscribe_button_generate_topic_name": "Generovat název",
+    "account_delete_dialog_description": "Dojde k trvalému odstranění vašeho účtu včetně všech dat uložených na serveru. Po smazání bude vaše uživatelské jméno po dobu 7 dnů nedostupné. Pokud opravdu chcete pokračovat, potvrďte prosím své heslo.",
+    "account_basics_tier_admin_suffix_with_tier": "(s úrovní {{tier}})",
+    "account_basics_tier_admin": "Administrátor",
+    "account_basics_tier_basic": "Základní",
+    "account_basics_tier_free": "Zdarma",
+    "account_basics_tier_admin_suffix_no_tier": "(žádná úroveň)",
+    "account_basics_tier_upgrade_button": "Přejít na verzi Pro",
+    "account_upgrade_dialog_cancel_warning": "Vaše <strong>předplatné se tímto zruší</strong> a váš účet se k datu {{date}} degraduje na nižší úroveň. K tomuto datu budou <strong>smazány</strong> rezervace témat i zprávy uložené v mezipaměti serveru.",
+    "account_upgrade_dialog_reservations_warning_other": "Vybraná úroveň umožňuje méně rezervovaných témat než vaše aktuální úroveň. Před změnou úrovně <strong>odstraňte alespoň {{počet}} rezervací</strong>. Rezervace můžete odstranit v <Link>Nastavení</Link>.",
+    "reservation_delete_dialog_description": "Odstraněním rezervace se vzdáte vlastnictví tématu a umožníte ostatním, aby si ho rezervovali. Stávající zprávy a přílohy si můžete ponechat nebo je odstranit.",
+    "account_tokens_description": "Při publikování a odběru prostřednictvím rozhraní ntfy API používejte přístupové tokeny, abyste nemuseli odesílat přihlašovací údaje k účtu. Více informací najdete v <Link>dokumentaci</Link>.",
+    "account_tokens_table_copied_to_clipboard": "Přístupový token zkopírován",
+    "account_tokens_table_last_origin_tooltip": "Z IP adresy {{ip}}, klikněte pro vyhledání",
+    "account_tokens_dialog_button_cancel": "Zrušit",
+    "account_tokens_dialog_expires_never": "Token nikdy nevyprší",
+    "account_tokens_delete_dialog_description": "Před odstraněním přístupového tokenu se ujistěte, že jej aktivně nepoužívají žádné aplikace ani skripty. <strong>Tuto akci nelze vrátit zpět</strong>.",
+    "prefs_users_description_no_sync": "Uživatelé a hesla nejsou synchronizováni s vaším účtem.",
+    "prefs_users_table_cannot_delete_or_edit": "Nelze odstranit ani upravit přihlášeného uživatele",
+    "prefs_reservations_title": "Rezervovaná témata",
+    "prefs_reservations_description": "Zde si můžete rezervovat názvy témat pro osobní použití. Rezervací tématu získáte vlastnické právo k tématu a můžete definovat přístupová práva pro ostatní uživatele k tématu.",
+    "prefs_reservations_table_click_to_subscribe": "Kliknutím se přihlásíte k odběru",
+    "prefs_reservations_dialog_description": "Rezervací tématu získáte vlastnictví tématu a můžete definovat přístupová oprávnění pro ostatní uživatele.",
+    "prefs_reservations_dialog_access_label": "Přístup",
+    "reservation_delete_dialog_action_keep_title": "Zachovat zprávy a přílohy v mezipaměti",
+    "signup_disabled": "Přihlášení je zakázáno",
+    "display_name_dialog_placeholder": "Zobrazovaný název",
+    "reserve_dialog_checkbox_label": "Rezervace tématu a nastavení přístupu",
+    "account_basics_title": "Účet",
+    "account_basics_username_title": "Uživatelské jméno",
+    "account_basics_username_description": "Hej, to jsi ty ❤",
+    "account_basics_username_admin_tooltip": "Jste správce",
+    "account_basics_password_description": "Změna hesla k účtu",
+    "account_basics_password_dialog_current_password_label": "Současné heslo",
+    "account_basics_password_dialog_new_password_label": "Nové heslo",
+    "account_basics_password_dialog_confirm_password_label": "Potvrzení hesla",
+    "account_basics_password_dialog_button_submit": "Změnit heslo",
+    "account_basics_password_dialog_current_password_incorrect": "Nesprávné heslo",
+    "account_usage_title": "Použití",
+    "account_usage_of_limit": "z {{limit}}",
+    "account_usage_unlimited": "Neomezeně",
+    "account_usage_limits_reset_daily": "Limity používání se resetují denně o půlnoci (UTC)",
+    "account_basics_tier_title": "Typ účtu",
+    "account_basics_tier_description": "Úroveň oprávnění vašeho účtu",
+    "account_basics_tier_change_button": "Změnit",
+    "account_basics_tier_paid_until": "Předplatné zaplaceno do {{date}} a bude automaticky obnoveno",
+    "account_basics_tier_payment_overdue": "Vaše platba je po splatnosti. Aktualizujte prosím svůj způsob platby, jinak bude váš účet brzy degradován.",
+    "account_basics_tier_canceled_subscription": "Vaše předplatné bylo zrušeno a ke dni {{date}} bude převedeno na bezplatný účet.",
+    "account_basics_tier_manage_billing_button": "Správa vyúčtování",
+    "account_usage_messages_title": "Zveřejněné zprávy",
+    "account_usage_emails_title": "Odeslané e-maily",
+    "account_usage_reservations_title": "Rezervovaná témata",
+    "account_usage_reservations_none": "Žádná rezervovaná témata pro tento účet",
+    "account_usage_attachment_storage_title": "Úložiště příloh",
+    "account_usage_attachment_storage_description": "{{filesize}} na soubor, maže se po {{expiry}}",
+    "account_usage_basis_ip_description": "Statistiky a limity používání tohoto účtu jsou založeny na vaší IP adrese, takže mohou být sdíleny s ostatními uživateli. Výše uvedené limity jsou přibližné a vycházejí ze stávajících limitů.",
+    "account_usage_cannot_create_portal_session": "Nelze otevřít portál pro fakturaci",
+    "account_delete_title": "Odstranit účet",
+    "account_delete_description": "Trvale odstranit účet",
+    "account_delete_dialog_label": "Heslo",
+    "account_delete_dialog_button_cancel": "Zrušit",
+    "account_delete_dialog_button_submit": "Trvale odstranit účet",
+    "account_delete_dialog_billing_warning": "Odstraněním účtu se také okamžitě zruší vaše předplatné. Nebudete již mít přístup k fakturačnímu panelu.",
+    "account_upgrade_dialog_title": "Změna úrovně účtu",
+    "account_upgrade_dialog_proration_info": "<strong>Prohlášení</strong>: Při přechodu mezi placenými úrovněmi bude rozdíl v ceně <strong>zaúčtován okamžitě</strong>. Při přechodu na nižší úroveň se zůstatek použije na platbu za budoucí zúčtovací období.",
+    "account_upgrade_dialog_reservations_warning_one": "Vybraná úroveň umožňuje méně rezervovaných témat než vaše aktuální úroveň. Než změníte svou úroveň, <strong>odstraňte alespoň jednu rezervaci</strong>. Rezervace můžete odstranit v <Link>Nastavení</Link>.",
+    "account_upgrade_dialog_tier_features_reservations": "{{reservations}} rezervovaných témat",
+    "account_upgrade_dialog_tier_features_messages": "{{messages}} denních zpráv",
+    "account_upgrade_dialog_tier_features_emails": "{{emails}} denních e-mailů",
+    "account_upgrade_dialog_tier_features_attachment_file_size": "{{filesize}} na soubor",
+    "account_upgrade_dialog_tier_features_attachment_total_size": "{{totalsize}} celkový úložný prostor",
+    "account_upgrade_dialog_tier_selected_label": "Vybráno",
+    "account_upgrade_dialog_tier_current_label": "Současné",
+    "account_upgrade_dialog_button_cancel": "Zrušit",
+    "account_upgrade_dialog_button_redirect_signup": "Zaregistrovat se nyní",
+    "account_upgrade_dialog_button_pay_now": "Zaplatit a předplatit si",
+    "account_upgrade_dialog_button_cancel_subscription": "Zrušit předplatné",
+    "account_upgrade_dialog_button_update_subscription": "Aktualizovat předplatné",
+    "account_tokens_title": "Přístupové tokeny",
+    "account_tokens_table_token_header": "Token",
+    "account_tokens_table_last_access_header": "Poslední přístup",
+    "account_tokens_table_expires_header": "Vyprší",
+    "account_tokens_table_never_expires": "Nikdy nevyprší",
+    "account_tokens_table_current_session": "Současná relace prohlížeče",
+    "account_tokens_table_copy_to_clipboard": "Kopírování do schránky",
+    "account_tokens_table_label_header": "Popisek",
+    "account_tokens_table_cannot_delete_or_edit": "Nelze upravit nebo odstranit aktuální token relace",
+    "account_tokens_table_create_token_button": "Vytvořit přístupový token",
+    "account_tokens_dialog_title_create": "Vytvoření přístupového tokenu",
+    "account_tokens_dialog_title_edit": "Úprava přístupového tokenu",
+    "account_tokens_dialog_title_delete": "Odstranění přístupového tokenu",
+    "account_tokens_dialog_label": "Popisek, např. Radarr notifications",
+    "account_tokens_dialog_button_create": "Vytvořit token",
+    "account_tokens_dialog_button_update": "Aktualizovat token",
+    "account_tokens_dialog_expires_label": "Platnost přístupového tokenu vyprší za",
+    "account_tokens_dialog_expires_unchanged": "Ponechat datum vypršení platnosti beze změny",
+    "account_tokens_dialog_expires_x_hours": "Token vyprší za {{hours}} hodin",
+    "account_tokens_dialog_expires_x_days": "Token vyprší za {{days}} dní",
+    "account_tokens_delete_dialog_title": "Odstranění přístupového tokenu",
+    "account_tokens_delete_dialog_submit_button": "Trvale odstranit token",
+    "prefs_reservations_limit_reached": "Dosáhli jste limitu rezervovaných témat.",
+    "prefs_reservations_add_button": "Přidat rezervované téma",
+    "prefs_reservations_edit_button": "Upravit přístup k tématu",
+    "prefs_reservations_delete_button": "Resetovat přístup k tématu",
+    "prefs_reservations_table": "Tabulka rezervovaných témat",
+    "prefs_reservations_table_topic_header": "Téma",
+    "prefs_reservations_table_access_header": "Přístup",
+    "prefs_reservations_table_everyone_deny_all": "Pouze já mohu publikovat a přihlásit se k odběru",
+    "prefs_reservations_table_everyone_read_only": "Mohu publikovat a přihlásit se k odběru, kdokoli se může přihlásit k odběru",
+    "prefs_reservations_table_everyone_write_only": "Mohu publikovat a přihlásit se k odběru, kdokoli může publikovat",
+    "prefs_reservations_table_everyone_read_write": "Kdokoli může publikovat a přihlásit se k odběru",
+    "prefs_reservations_table_not_subscribed": "Odběr není přihlášen",
+    "prefs_reservations_dialog_title_add": "Rezervovat téma",
+    "prefs_reservations_dialog_title_edit": "Úprava rezervovaného tématu",
+    "prefs_reservations_dialog_title_delete": "Odstranění rezervovaného tématu",
+    "prefs_reservations_dialog_topic_label": "Téma",
+    "reservation_delete_dialog_action_keep_description": "Zprávy a přílohy, které jsou uloženy v mezipaměti serveru, se stanou veřejně viditelnými pro osoby, které znají název tématu.",
+    "reservation_delete_dialog_action_delete_title": "Odstranění zpráv a příloh uložených v mezipaměti",
+    "reservation_delete_dialog_action_delete_description": "Zprávy a přílohy uložené v mezipaměti budou trvale odstraněny. Tuto akci nelze vrátit zpět.",
+    "reservation_delete_dialog_submit_button": "Odstranit rezervaci",
+    "account_basics_tier_interval_yearly": "roční",
+    "account_upgrade_dialog_interval_yearly_discount_save": "ušetříte {{discount}}%",
+    "account_upgrade_dialog_tier_price_per_month": "měsíc",
+    "account_upgrade_dialog_tier_features_no_reservations": "Žádná rezervovaná témata",
+    "account_upgrade_dialog_interval_yearly_discount_save_up_to": "ušetříte až {{discount}}%",
+    "account_upgrade_dialog_tier_price_billed_yearly": "{{price}} účtováno ročně. Ušetříte {{save}}.",
+    "account_basics_tier_interval_monthly": "měsíční",
+    "account_upgrade_dialog_interval_monthly": "Měsíční",
+    "account_upgrade_dialog_interval_yearly": "Roční",
+    "account_upgrade_dialog_tier_price_billed_monthly": "{{price}} za rok. Účtuje se měsíčně.",
+    "account_upgrade_dialog_billing_contact_email": "V případě dotazů týkajících se fakturace nás prosím <Link>kontaktujte</Link> přímo.",
+    "account_upgrade_dialog_billing_contact_website": "Otázky týkající se fakturace naleznete na našich <Link>webových stránkách</Link>."
 }
--- a/web/public/static/langs/da.json
+++ b/web/public/static/langs/da.json
@@ -0,0 +1,283 @@
+{
+    "common_save": "Gem",
+    "common_add": "Tilføj",
+    "signup_title": "Opret en ntfy konto",
+    "signup_form_username": "Brugernavn",
+    "signup_form_password": "Kodeord",
+    "signup_form_confirm_password": "Bekræft kodeord",
+    "common_cancel": "Annuller",
+    "action_bar_account": "Konto",
+    "signup_error_username_taken": "Brugernavnet {{username}} er optaget",
+    "login_form_button_submit": "Log ind",
+    "action_bar_show_menu": "Vis menu",
+    "action_bar_logo_alt": "ntfy logo",
+    "action_bar_settings": "Indstillinger",
+    "signup_form_button_submit": "Opret konto",
+    "signup_form_toggle_password_visibility": "Skift synlighed af adgangskode",
+    "signup_disabled": "Tilmelding er deaktiveret",
+    "signup_error_creation_limit_reached": "Grænsen for kontooprettelse er nået",
+    "login_title": "Log ind på din ntfy konto",
+    "login_link_signup": "Opret konto",
+    "login_disabled": "Login er deaktiveret",
+    "action_bar_reservation_add": "Reserver emne",
+    "action_bar_reservation_edit": "Rediger reservation",
+    "action_bar_reservation_delete": "Fjern reservation",
+    "action_bar_reservation_limit_reached": "Grænsen er nået",
+    "action_bar_send_test_notification": "Send test notifikation",
+    "action_bar_unsubscribe": "Afmeld",
+    "action_bar_toggle_mute": "Slå lyden fra/til for notifikationer",
+    "action_bar_change_display_name": "Skift visningsnavn",
+    "action_bar_toggle_action_menu": "Åben/luk handlings menu",
+    "action_bar_profile_title": "Profil",
+    "action_bar_profile_settings": "Indstillinger",
+    "action_bar_profile_logout": "Log ud",
+    "action_bar_sign_in": "Log ind",
+    "action_bar_sign_up": "Opret konto",
+    "message_bar_type_message": "Skriv en besked her",
+    "nav_button_settings": "Indstillinger",
+    "message_bar_publish": "Offentliggør besked",
+    "nav_topics_title": "Tilmeldte emner",
+    "nav_button_all_notifications": "Alle notifikationer",
+    "nav_button_connecting": "forbinder",
+    "nav_upgrade_banner_label": "Opgrader til ntfy Pro",
+    "alert_grant_title": "Notifikationer er deaktiveret",
+    "alert_grant_description": "Giv din browser tilladelse til at vise skrivebordsnotifikationer.",
+    "alert_not_supported_title": "Notifikationer understøttes ikke",
+    "alert_not_supported_description": "Notifikationer understøttes ikke i din browser.",
+    "alert_not_supported_context_description": "Notifikationer understøttes kun via HTTPS. Dette skyldes en begrænsning i <mdnLink>Notifications API</mdnLink>.",
+    "nav_button_subscribe": "Abonner på emne",
+    "notifications_list_item": "Notifikation",
+    "notifications_delete": "Slet",
+    "notifications_tags": "Tags",
+    "notifications_list": "Notifikationsliste",
+    "notifications_mark_read": "Marker som læst",
+    "notifications_copied_to_clipboard": "Kopieret til udklipsholder",
+    "notifications_priority_x": "Prioritet {{priority}}",
+    "notifications_attachment_copy_url_title": "Kopier URL-adresse til vedhæftet fil til udklipsholder",
+    "notifications_attachment_copy_url_button": "Kopier URL",
+    "notifications_attachment_open_title": "Gå til {{url}}",
+    "notifications_attachment_open_button": "Åben vedhæftning",
+    "notifications_attachment_link_expires": "link udløber {{date}}",
+    "notifications_attachment_link_expired": "download link er udløbet",
+    "notifications_attachment_file_image": "billedfil",
+    "notifications_attachment_file_app": "Android app fil",
+    "notifications_attachment_file_document": "andet dokument",
+    "notifications_click_copy_url_title": "Kopier linkets URL til udklipsholderen",
+    "notifications_click_copy_url_button": "Kopier link",
+    "notifications_example": "Eksempel",
+    "notifications_click_open_button": "Åbn link",
+    "notifications_actions_not_supported": "Handlingen understøttes ikke i webappen",
+    "notifications_actions_http_request_title": "Send HTTP {{method}} til {{url}}",
+    "notifications_none_for_topic_title": "Du har ikke modtaget nogen notifikationer om dette emne endnu.",
+    "notifications_none_for_any_title": "Du har ikke modtaget nogen notifikationer.",
+    "display_name_dialog_placeholder": "Vist navn",
+    "publish_dialog_progress_uploading": "Uploader…",
+    "display_name_dialog_title": "Skift visningsnavn",
+    "publish_dialog_progress_uploading_detail": "Uploader {{loaded}}/{{total}} ({{percent}}%) …",
+    "publish_dialog_emoji_picker_show": "Vælg emoji",
+    "publish_dialog_priority_min": "Min. prioritet",
+    "publish_dialog_priority_low": "Lav prioritet",
+    "publish_dialog_priority_default": "Standardprioritet",
+    "publish_dialog_priority_high": "Høj prioritet",
+    "publish_dialog_title_label": "Titel",
+    "publish_dialog_message_label": "Besked",
+    "publish_dialog_tags_label": "Tags",
+    "publish_dialog_priority_label": "Prioritet",
+    "publish_dialog_message_placeholder": "Skriv en besked her",
+    "publish_dialog_tags_placeholder": "Komma-separeret liste over tags, f.eks. warning, srv1-backup",
+    "publish_dialog_click_label": "Klik på URL",
+    "publish_dialog_email_reset": "Fjern videresendelse af e-mail",
+    "publish_dialog_attach_placeholder": "Vedhæft fil via URL, f.eks. https://f-droid.org/F-Droid.apk",
+    "publish_dialog_delay_label": "Forsinkelse",
+    "publish_dialog_button_send": "Send",
+    "subscribe_dialog_subscribe_button_subscribe": "Tilmeld",
+    "subscribe_dialog_login_button_back": "Tilbage",
+    "subscribe_dialog_login_username_label": "Brugernavn, f.eks. phil",
+    "account_basics_title": "Konto",
+    "subscribe_dialog_error_topic_already_reserved": "Emnet er allerede reserveret",
+    "account_basics_username_admin_tooltip": "Du er Admin",
+    "account_basics_password_dialog_confirm_password_label": "Bekræft kodeord",
+    "account_basics_password_dialog_current_password_incorrect": "Forkert kodeord",
+    "account_usage_of_limit": "af {{limit}}",
+    "account_basics_tier_basic": "Grundlæggende",
+    "account_basics_tier_free": "Gratis",
+    "account_basics_tier_admin_suffix_no_tier": "(intet niveau)",
+    "account_basics_tier_admin_suffix_with_tier": "(med {{tier}}} niveau)",
+    "account_usage_messages_title": "Offentliggjorte meddelelser",
+    "account_delete_dialog_button_submit": "Slet konto permanent",
+    "account_upgrade_dialog_tier_features_attachment_file_size": "{{filesize}} pr. fil",
+    "account_upgrade_dialog_button_redirect_signup": "Tilmeld dig nu",
+    "account_tokens_table_expires_header": "Udløber",
+    "account_tokens_table_last_access_header": "Seneste adgang",
+    "account_tokens_delete_dialog_title": "Slet adgangstoken",
+    "prefs_notifications_sound_no_sound": "Ingen lyd",
+    "prefs_notifications_min_priority_title": "Minimumsprioritet",
+    "prefs_notifications_sound_play": "Afspil den valgte lyd",
+    "prefs_notifications_min_priority_max_only": "Kun maks. prioritet",
+    "prefs_notifications_delete_after_three_hours": "Efter tre timer",
+    "prefs_users_add_button": "Tilføj bruger",
+    "prefs_users_dialog_title_edit": "Rediger bruger",
+    "prefs_reservations_title": "Reserverede emner",
+    "prefs_reservations_add_button": "Tilføj reserveret emne",
+    "prefs_reservations_table_access_header": "Adgang",
+    "prefs_reservations_delete_button": "Nulstil emneadgang",
+    "prefs_reservations_dialog_title_edit": "Rediger reserveret emne",
+    "prefs_reservations_dialog_access_label": "Adgang",
+    "prefs_reservations_dialog_title_delete": "Slet emnereservation",
+    "priority_low": "lav",
+    "priority_min": "min",
+    "reservation_delete_dialog_submit_button": "Slet reservation",
+    "priority_high": "høj",
+    "priority_max": "maks",
+    "error_boundary_stack_trace": "Strack trace",
+    "error_boundary_button_copy_stack_trace": "Kopier stack trace",
+    "signup_already_have_account": "Har du allerede en konto? Log ind!",
+    "action_bar_clear_notifications": "Ryd alle notifikationer",
+    "notifications_new_indicator": "Ny notifikation",
+    "notifications_attachment_image": "Vedhæftet billede",
+    "account_delete_dialog_label": "Kodeord",
+    "error_boundary_unsupported_indexeddb_title": "Privat browsing understøttes ikke",
+    "notifications_actions_open_url_title": "Gå til {{url}}",
+    "notifications_attachment_file_audio": "lydfil",
+    "publish_dialog_click_placeholder": "URL der åbnes, når der klikkes på notifikationen",
+    "publish_dialog_email_placeholder": "Adresse, som meddelelsen skal videresendes til, f.eks. phil@example.com",
+    "notifications_attachment_file_video": "videofil",
+    "account_basics_tier_title": "Kontotype",
+    "publish_dialog_filename_label": "Filnavn",
+    "account_basics_tier_manage_billing_button": "Administrer fakturering",
+    "account_usage_emails_title": "Afsendte e-mails",
+    "account_usage_reservations_title": "Reserverede emner",
+    "account_delete_title": "Slet konto",
+    "nav_button_account": "Konto",
+    "nav_button_documentation": "Dokumentation",
+    "publish_dialog_priority_max": "Maks. prioritet",
+    "account_upgrade_dialog_button_cancel_subscription": "Opsig abonnement",
+    "account_upgrade_dialog_button_update_subscription": "Opdater abonnement",
+    "publish_dialog_button_cancel": "Annuller",
+    "publish_dialog_email_label": "Email",
+    "account_tokens_title": "Adgangstokens",
+    "account_tokens_table_never_expires": "Udløber aldrig",
+    "prefs_notifications_sound_title": "Notifikationslyd",
+    "account_tokens_dialog_button_update": "Opdater token",
+    "account_tokens_dialog_button_create": "Opret token",
+    "subscribe_dialog_subscribe_button_cancel": "Annuller",
+    "prefs_users_table_user_header": "Bruger",
+    "prefs_appearance_title": "Udseende",
+    "subscribe_dialog_login_button_login": "Log ind",
+    "subscribe_dialog_login_password_label": "Kodeord",
+    "subscribe_dialog_error_user_anonymous": "anonym",
+    "account_usage_title": "Anvendelse",
+    "account_basics_username_title": "Brugernavn",
+    "account_basics_tier_admin": "Admin",
+    "account_basics_password_title": "Kodeord",
+    "account_upgrade_dialog_tier_selected_label": "Valgt",
+    "account_usage_unlimited": "Ubegrænset",
+    "account_tokens_table_label_header": "Label",
+    "account_tokens_dialog_button_cancel": "Annuller",
+    "account_basics_tier_change_button": "Rediger",
+    "account_delete_dialog_button_cancel": "Annuller",
+    "account_upgrade_dialog_button_cancel": "Annuller",
+    "account_tokens_table_token_header": "Token",
+    "account_upgrade_dialog_tier_current_label": "Nuværende",
+    "prefs_notifications_title": "Notifikationer",
+    "prefs_notifications_delete_after_never": "Aldrig",
+    "prefs_reservations_table_topic_header": "Emne",
+    "prefs_users_dialog_password_label": "Kodeord",
+    "prefs_appearance_language_title": "Sprog",
+    "prefs_reservations_dialog_topic_label": "Emne",
+    "priority_default": "standard",
+    "publish_dialog_attached_file_remove": "Fjern vedhæftet fil",
+    "prefs_users_table": "Bruger tabel",
+    "prefs_users_edit_button": "Rediger bruger",
+    "prefs_users_dialog_title_add": "Tilføj bruger",
+    "prefs_users_delete_button": "Slet bruger",
+    "account_tokens_table_copied_to_clipboard": "Adgangstoken kopieret",
+    "prefs_notifications_min_priority_any": "Enhver prioritet",
+    "prefs_notifications_delete_after_title": "Slet notifikationer",
+    "publish_dialog_delay_reset": "Fjern forsinket levering",
+    "prefs_users_title": "Administrer brugere",
+    "account_basics_password_dialog_button_submit": "Skift kodeord",
+    "prefs_reservations_dialog_title_add": "Reserver emne",
+    "account_basics_password_dialog_current_password_label": "Nuværende kodeord",
+    "account_basics_password_dialog_new_password_label": "Nyt kodeord",
+    "notifications_loading": "Indlæser notifikationer…",
+    "account_upgrade_dialog_tier_features_emails": "{{emails}} daglige e-mails",
+    "account_tokens_table_create_token_button": "Opret adgangstoken",
+    "account_tokens_dialog_title_delete": "Slet adgangstoken",
+    "publish_dialog_chip_email_label": "Videresend til e-mail",
+    "account_upgrade_dialog_tier_features_attachment_total_size": "{{totalsize}} samlet lagerplads",
+    "subscribe_dialog_subscribe_use_another_label": "Brug en anden server",
+    "account_basics_tier_upgrade_button": "Opgrader til Pro",
+    "account_upgrade_dialog_tier_features_messages": "{{messages}} daglige beskeder",
+    "account_tokens_table_copy_to_clipboard": "Kopier til udklipsholder",
+    "prefs_reservations_edit_button": "Rediger emneadgang",
+    "account_upgrade_dialog_title": "Skift kontoniveau",
+    "account_upgrade_dialog_tier_features_reservations": "{{reservations}} reserverede emner",
+    "account_tokens_dialog_expires_never": "Token udløber aldrig",
+    "account_tokens_table_current_session": "Nuværende browsersession",
+    "account_tokens_dialog_title_edit": "Rediger adgangstoken",
+    "account_tokens_dialog_title_create": "Opret adgangstoken",
+    "prefs_notifications_delete_after_one_day": "Efter en dag",
+    "account_tokens_delete_dialog_submit_button": "Slet token permanent",
+    "prefs_notifications_delete_after_one_month": "Efter en måned",
+    "prefs_notifications_delete_after_one_week": "Efter en uge",
+    "prefs_users_dialog_username_label": "Brugernavn, f.eks. phil",
+    "prefs_notifications_delete_after_one_day_description": "Notifikationer slettes automatisk efter en dag",
+    "notifications_none_for_topic_description": "For at sende en notifikation til dette emne, skal du blot sende en PUT eller POST til emne-URL'en.",
+    "notifications_none_for_any_description": "For at sende en notifikation til et emne, skal du blot sende en PUT eller POST til emne-URL'en. Her er et eksempel med et af dine emner.",
+    "notifications_no_subscriptions_title": "Det ser ud til, at du ikke har nogen abonnementer endnu.",
+    "notifications_more_details": "For mere information, se <websiteLink>webstedet</websiteLink> eller <docsLink>dokumentationen</docsLink>.",
+    "display_name_dialog_description": "Angiv et alternativt navn for et emne, der vises på abonnementslisten. Dette gør det nemmere at identificere emner med komplicerede navne.",
+    "reserve_dialog_checkbox_label": "Reserver emne og konfigurer adgang",
+    "publish_dialog_attachment_limits_file_reached": "overskrider {{fileSizeLimit}} filgrænse",
+    "publish_dialog_attachment_limits_quota_reached": "overskrider kvote, {{remainingBytes}} tilbage",
+    "publish_dialog_topic_label": "Emnenavn",
+    "publish_dialog_topic_placeholder": "Emnenavn, f.eks. phil_alerts",
+    "publish_dialog_topic_reset": "Nulstil emne",
+    "publish_dialog_click_reset": "Fjern klik-URL",
+    "publish_dialog_delay_placeholder": "Forsink levering, f.eks. {{unixTimestamp}}, {{relativeTime}} eller \"{{naturalLanguage}}\" (kun på engelsk)",
+    "publish_dialog_other_features": "Andre funktioner:",
+    "publish_dialog_chip_attach_url_label": "Vedhæft fil via URL",
+    "publish_dialog_chip_attach_file_label": "Vedhæft lokal fil",
+    "publish_dialog_details_examples_description": "For eksempler og en detaljeret beskrivelse af alle afsendelsesfunktioner henvises til <docsLink>dokumentationen</docsLink>.",
+    "publish_dialog_button_cancel_sending": "Annuller afsendelse",
+    "publish_dialog_attached_file_title": "Vedhæftet fil:",
+    "emoji_picker_search_placeholder": "Søg emoji",
+    "emoji_picker_search_clear": "Ryd søgning",
+    "subscribe_dialog_subscribe_title": "Abonner på emne",
+    "subscribe_dialog_subscribe_topic_placeholder": "Emnenavn, f.eks. phil_alerts",
+    "subscribe_dialog_subscribe_button_generate_topic_name": "Generer navn",
+    "subscribe_dialog_login_title": "Login påkrævet",
+    "subscribe_dialog_login_description": "Dette emne er adgangskodebeskyttet. Indtast venligst brugernavn og adgangskode for at abonnere.",
+    "subscribe_dialog_error_user_not_authorized": "Brugeren {{username}} er ikke autoriseret",
+    "account_basics_password_description": "Skift adgangskoden til din konto",
+    "account_usage_limits_reset_daily": "Brugsgrænser nulstilles dagligt ved midnat (UTC)",
+    "account_basics_tier_paid_until": "Abonnementet er betalt indtil {{date}} og fornys automatisk",
+    "account_basics_tier_payment_overdue": "Din betaling er forfalden. Opdater venligst din betalingsmetode, ellers bliver din konto snart nedgraderet.",
+    "account_basics_tier_canceled_subscription": "Dit abonnement blev annulleret og vil blive nedgraderet til en gratis konto den {{date}}.",
+    "account_usage_cannot_create_portal_session": "Kan ikke åbne faktureringsportalen",
+    "account_delete_description": "Slet din konto permanent",
+    "account_delete_dialog_description": "Dette vil slette din konto permanent, inklusive alle data, der er gemt på serveren. Efter sletning vil dit brugernavn være utilgængeligt i 7 dage. Hvis du virkelig ønsker at fortsætte, bedes du bekræfte med dit kodeord i feltet nedenfor.",
+    "account_upgrade_dialog_button_pay_now": "Betal nu og abonner",
+    "account_tokens_table_last_origin_tooltip": "Fra IP-adresse {{ip}}, klik for at slå op",
+    "account_tokens_dialog_label": "Label, f.eks. radarmeddelelser",
+    "account_tokens_dialog_expires_label": "Adgangstoken udløber om",
+    "account_tokens_dialog_expires_unchanged": "Lad udløbsdatoen forblive uændret",
+    "account_tokens_dialog_expires_x_hours": "Token udløber om {{hours}} timer",
+    "account_tokens_dialog_expires_x_days": "Token udløber om {{days}} dage",
+    "prefs_notifications_sound_description_none": "Notifikationer afspiller ingen lyd, når de ankommer",
+    "prefs_notifications_sound_description_some": "Notifikationer afspiller {{sound}}-lyden, når de ankommer",
+    "prefs_notifications_min_priority_low_and_higher": "Lav prioritet og højere",
+    "prefs_notifications_min_priority_default_and_higher": "Standardprioritet og højere",
+    "prefs_notifications_min_priority_high_and_higher": "Høj prioritet og højere",
+    "prefs_notifications_delete_after_never_description": "Notifikationer slettes aldrig automatisk",
+    "prefs_notifications_delete_after_three_hours_description": "Notifikationer slettes automatisk efter tre timer",
+    "prefs_notifications_delete_after_one_week_description": "Notifikationer slettes automatisk efter en uge",
+    "prefs_notifications_delete_after_one_month_description": "Notifikationer slettes automatisk efter en måned",
+    "prefs_reservations_limit_reached": "Du har nået din grænse for reserverede emner.",
+    "prefs_reservations_table_click_to_subscribe": "Klik for at abonnere",
+    "reservation_delete_dialog_action_keep_title": "Behold cachelagrede meddelelser og vedhæftede filer",
+    "reservation_delete_dialog_action_delete_title": "Slet cachelagrede meddelelser og vedhæftede filer",
+    "error_boundary_title": "Oh nej, ntfy brød sammen",
+    "error_boundary_description": "Dette bør naturligvis ikke ske. Det beklager vi meget.<br/>Hvis du har et øjeblik, bedes du <githubLink>rapportere dette på GitHub</githubLink>, eller give os besked via <discordLink>Discord</discordLink> eller <matrixLink>Matrix</matrixLink>."
+}
--- a/web/public/static/langs/de.json
+++ b/web/public/static/langs/de.json
@@ -82,7 +82,7 @@
    "publish_dialog_attach_placeholder": "Datei von URL anhängen, z.B. https://f-droid.org/F-Droid.apk",
    "publish_dialog_filename_placeholder": "Dateiname des Anhangs",
    "publish_dialog_delay_label": "Verzögerung",
-    "publish_dialog_email_placeholder": "E-Mail-Adresse, an die die Benachrichtigung gesendet werden soll, z.B. phil@example.com",
+    "publish_dialog_email_placeholder": "E-Mail-Adresse, an welche die Benachrichtigung gesendet werden soll, z. B. phil@example.com",
    "publish_dialog_chip_click_label": "Klick-URL",
    "publish_dialog_button_cancel_sending": "Senden abbrechen",
    "publish_dialog_drop_file_here": "Datei hierher ziehen",
@@ -187,5 +187,170 @@
    "publish_dialog_emoji_picker_show": "Emoji wählen",
    "publish_dialog_topic_reset": "Thema zurücksetzen",
    "publish_dialog_attach_reset": "angehängte URL entfernen",
-    "publish_dialog_click_reset": "Klick-URL entfernen"
+    "publish_dialog_click_reset": "Klick-URL entfernen",
+    "account_tokens_delete_dialog_description": "Stelle vor dem Löschen eines Access-Tokens sicher, dass keine Anwendung oder Skripte dieses Token verwenden. <strong>Diese Aktion kann nicht rückgängig gemacht werden</strong>.",
+    "account_upgrade_dialog_cancel_warning": "Dies wird <strong>Dein Abo stornieren</strong> und Dein Konto am {{date}} herabstufen. An diesem Datum werden reservierte Themen und auch auf dem Server gecachte Nachrichten <strong>gelöscht</strong>.",
+    "prefs_reservations_table_everyone_read_write": "Jeder kann veröffentlichen und lesen",
+    "prefs_reservations_table_everyone_read_only": "Ich kann veröffentlichen und lesen, jeder kann lesen",
+    "prefs_reservations_table_access_header": "Zugriff",
+    "account_tokens_dialog_button_cancel": "Abbrechen",
+    "account_tokens_dialog_expires_x_hours": "Token verfällt in {{hours}} Stunden",
+    "account_tokens_dialog_expires_never": "Token verfällt nie",
+    "signup_form_username": "Benutzername",
+    "signup_form_button_submit": "Konto anlegen",
+    "signup_already_have_account": "Du hast schon ein Konto? Melde Dich an!",
+    "signup_disabled": "Die Anmeldung ist deaktiviert",
+    "login_title": "Melde Dich mit Deinem ntfy-Konto an",
+    "login_form_button_submit": "Anmelden",
+    "login_link_signup": "Konto erstellen",
+    "login_disabled": "Anmeldung ist deaktiviert",
+    "action_bar_account": "Konto",
+    "action_bar_change_display_name": "Anzeigenamen ändern",
+    "action_bar_reservation_add": "Thema reservieren",
+    "action_bar_reservation_edit": "Reservierung ändern",
+    "action_bar_reservation_delete": "Reservierung löschen",
+    "action_bar_reservation_limit_reached": "Grenze erreicht",
+    "action_bar_profile_title": "Profil",
+    "action_bar_profile_settings": "Einstellungen",
+    "action_bar_profile_logout": "Abmelden",
+    "action_bar_sign_in": "Anmelden",
+    "signup_form_password": "Kennwort",
+    "signup_form_toggle_password_visibility": "Kennwort-Sichtbarkeit umschalten",
+    "nav_button_account": "Konto",
+    "nav_upgrade_banner_description": "Themen reservieren, mehr Nachrichten & Emails, größere Anhänge",
+    "display_name_dialog_title": "Anzeigennamen ändern",
+    "display_name_dialog_placeholder": "Anzeigename",
+    "reserve_dialog_checkbox_label": "Thema reservieren und Zugriffsrechte konfigurieren",
+    "subscribe_dialog_error_topic_already_reserved": "Thema ist bereits reserviert",
+    "account_basics_username_title": "Benutzername",
+    "account_basics_username_description": "Hey, das bist Du ❤",
+    "account_basics_password_description": "Konto-Kennwort ändern",
+    "account_basics_password_dialog_title": "Kennwort ändern",
+    "account_basics_password_dialog_current_password_label": "Aktuelles Kennwort",
+    "account_basics_password_dialog_new_password_label": "Neues Kennwort",
+    "account_basics_password_dialog_confirm_password_label": "Kennwort bestätigen",
+    "account_basics_password_dialog_current_password_incorrect": "Kennwort falsch",
+    "account_usage_title": "Verbrauch",
+    "account_usage_of_limit": "von {{limit}}",
+    "account_usage_unlimited": "unbegrenzt",
+    "account_usage_limits_reset_daily": "Verbrauchslimits werden täglich um Mitternacht (UTC) zurückgesetzt",
+    "account_basics_password_title": "Kennwort",
+    "account_basics_tier_description": "Der Funktionsumfang Deines Konto-Levels",
+    "account_basics_tier_admin_suffix_with_tier": "(mit Level {{tier}})",
+    "account_basics_tier_admin_suffix_no_tier": "(kein Level)",
+    "account_basics_tier_admin": "Admin",
+    "account_basics_tier_basic": "Basic",
+    "account_basics_tier_free": "Kostenlos",
+    "account_basics_tier_paid_until": "Abo bezahlt bis {{date}} mit automatischer Verlängerung",
+    "account_basics_tier_payment_overdue": "Deine Zahlung ist überfällig. Bitte aktualisiere Deine Zahlungsmethode, oder Dein Konto wird herabgestuft.",
+    "account_basics_tier_manage_billing_button": "Zahlung verwalten",
+    "account_usage_messages_title": "Veröffentlichte Nachrichten",
+    "account_usage_emails_title": "Gesendete Emails",
+    "account_usage_reservations_title": "Reservierte Themen",
+    "account_usage_reservations_none": "Keine reservierten Themen für dieses Konto",
+    "account_usage_attachment_storage_title": "Speicherplatz für Anhänge",
+    "account_usage_attachment_storage_description": "{{filesize}} pro Datei, Löschung nach {{expiry}}",
+    "account_usage_cannot_create_portal_session": "Kann Abrechnungsportal nicht öffnen",
+    "account_delete_title": "Konto löschen",
+    "account_delete_description": "Konto endgültig löschen",
+    "account_delete_dialog_label": "Kennwort",
+    "account_delete_dialog_button_cancel": "Abbrechen",
+    "account_delete_dialog_button_submit": "Lösche mein Konto endgültig",
+    "account_basics_tier_change_button": "Wechseln",
+    "account_basics_tier_canceled_subscription": "Dein Abo wurde storniert und wird am {{date}} auf ein kostenloses Konto herabgestuft.",
+    "account_usage_basis_ip_description": "Nutzungsstatistiken und Limits für diesen Account basieren auf Deiner IP-Adresse, können also mit anderen Usern geteilt sein. Die oben gezeigten Limits sind Schätzungen basierend auf den bestehenden Limits.",
+    "account_delete_dialog_billing_warning": "Das Löschen Deines Kontos storniert auch sofort Deine Zahlung. Du wirst dann keinen Zugang zum Abrechnungs-Dashboard haben.",
+    "account_upgrade_dialog_title": "Konto-Level ändern",
+    "account_upgrade_dialog_proration_info": "<strong>Anrechnung</strong>: Wenn Du auf einen höheren kostenpflichtigen Level wechselst wird die Differenz <strong>sofort berechnet</strong>. Beim Wechsel auf ein kleineres Level verwenden wir Dein Guthaben für zukünftige Abrechnungsperioden.",
+    "account_upgrade_dialog_reservations_warning_one": "Das gewählte Level erlaubt weniger reservierte Themen als Dein aktueller Level. <strong>Bitte löschen vor dem Wechsel Deines Levels mindestens eine Reservierung</strong>. Du kannst Reservierungen in den <Link>Einstellungen</Link> löschen.",
+    "account_upgrade_dialog_reservations_warning_other": "Das gewählte Level erlaubt weniger reservierte Themen als Dein aktueller Level. <strong>Bitte löschen vor dem Wechsel Deines Levels mindestens {{count}} Reservierungen</strong>. Du kannst Reservierungen in den <Link>Einstellungen</Link> löschen.",
+    "account_upgrade_dialog_tier_features_reservations": "{{reservations}} reservierte Themen",
+    "account_upgrade_dialog_tier_features_messages": "{{messages}} Nachrichten pro Tag",
+    "account_upgrade_dialog_tier_features_emails": "{{emails}} Emails pro Tag",
+    "account_upgrade_dialog_tier_features_attachment_file_size": "{{filesize}} pro Datei",
+    "account_upgrade_dialog_tier_features_attachment_total_size": "{{totalsize}} gesamter Speicherplatz",
+    "account_upgrade_dialog_tier_selected_label": "Ausgewählt",
+    "account_upgrade_dialog_tier_current_label": "Aktuell",
+    "account_upgrade_dialog_button_cancel": "Abbrechen",
+    "account_upgrade_dialog_button_redirect_signup": "Jetzt ein Konto anlegen",
+    "account_upgrade_dialog_button_pay_now": "Jetzt bezahlen und abonnieren",
+    "account_upgrade_dialog_button_cancel_subscription": "Abo stornieren",
+    "account_upgrade_dialog_button_update_subscription": "Abo aktualisieren",
+    "account_tokens_title": "Access-Token",
+    "account_tokens_description": "Verwende Access-Token zum Versenden und Empfangen über die ntfy-API, um nicht Deine Zugangsdaten verwenden zu müssen. Lies die <Link>Dokumentation</Link> für mehr Info.",
+    "account_tokens_table_token_header": "Token",
+    "account_tokens_table_label_header": "Bezeichnung",
+    "account_tokens_table_last_access_header": "Letzter Zugriff",
+    "account_tokens_table_expires_header": "Verfällt",
+    "account_tokens_table_never_expires": "Verfällt nie",
+    "account_tokens_table_current_session": "Aktuelle Browser-Sitzung",
+    "account_tokens_table_copy_to_clipboard": "In die Zwischenablage kopieren",
+    "account_tokens_table_copied_to_clipboard": "Access-Token kopiert",
+    "account_tokens_table_cannot_delete_or_edit": "Aktuelles Token kann nicht bearbeitet oder gelöscht werden",
+    "account_tokens_table_create_token_button": "Access-Token erzeugen",
+    "account_tokens_table_last_origin_tooltip": "Von IP-Adresse {{ip}}, klicke zum Nachschlagen",
+    "account_tokens_dialog_title_create": "Access-Token erzeugen",
+    "account_tokens_dialog_title_edit": "Access-Token bearbeiten",
+    "account_tokens_dialog_title_delete": "Access-Token löschen",
+    "account_tokens_dialog_label": "Bezeichnung, z.B. Radarr Benachrichtigungen",
+    "account_tokens_dialog_button_create": "Token erzeugen",
+    "account_tokens_dialog_button_update": "Token aktualisieren",
+    "account_tokens_dialog_expires_label": "Access-Token verfällt in",
+    "account_tokens_dialog_expires_unchanged": "Verfallsdatum nicht ändern",
+    "account_tokens_dialog_expires_x_days": "Token verfällt in {{days}} Tagen",
+    "account_tokens_delete_dialog_title": "Access-Token löschen",
+    "account_tokens_delete_dialog_submit_button": "Token endgültig löschen",
+    "prefs_users_description_no_sync": "Benutzernamen und Kennwörter werden nicht im Konto synchronisiert.",
+    "prefs_users_table_cannot_delete_or_edit": "Angemeldeter Benutzer kann nicht gelöscht oder bearbeitet werden",
+    "prefs_reservations_title": "Reservierte Themen",
+    "prefs_reservations_description": "Du kannst hier Themen-Namen für Deine persönliche Verwendung reservieren. Das Reservieren eines Themas macht Dich zum Besitzer des Themas. Du kannst damit auch Zugriffsrechte für andere Benutzer auf das Thema festlegen.",
+    "prefs_reservations_limit_reached": "Du hast Dein Limit an reservierten Themen erreicht.",
+    "prefs_reservations_add_button": "Reserviertes Thema hinzufügen",
+    "prefs_reservations_edit_button": "Zugriff auf Thema bearbeiten",
+    "prefs_reservations_delete_button": "Zugriff auf Thema zurücksetzen",
+    "prefs_reservations_table": "Übersicht reservierter Themen",
+    "prefs_reservations_table_topic_header": "Thema",
+    "prefs_reservations_table_everyone_deny_all": "Nur kann veröffentlichen und lesen",
+    "prefs_reservations_table_everyone_write_only": "Ich kann veröffentlichen und lesen, jeder kann veröffentlichen",
+    "prefs_reservations_table_not_subscribed": "Nicht abonniert",
+    "prefs_reservations_table_click_to_subscribe": "Klicken um zu abonnieren",
+    "prefs_reservations_dialog_title_add": "Thema reservieren",
+    "prefs_reservations_dialog_title_edit": "Reserviertes Thema bearbeiten",
+    "prefs_reservations_dialog_title_delete": "Thema-Reservierung löschen",
+    "prefs_reservations_dialog_description": "Ein Thema zu reservieren macht Dich zum Besitzer des Themas, und erlaubt Dir Zugriffsrechte für andere auf dieses Thema festzulegen.",
+    "prefs_reservations_dialog_topic_label": "Thema",
+    "prefs_reservations_dialog_access_label": "Zugriff",
+    "reservation_delete_dialog_description": "Mit dem Löschen einer Reservierung gibst du den Besitz des Themas auf und ermöglichst anderen, es zu reservieren. Du kannst vorhandene Nachrichten und Dateien behalten oder löschen.",
+    "reservation_delete_dialog_action_keep_title": "Behalte gecachte Nachrichten und Dateien",
+    "reservation_delete_dialog_action_keep_description": "Nachrichten und Dateien, die auf dem Server gecached sind, werden für alle sichtbar die den Themen-Namen kennen.",
+    "reservation_delete_dialog_action_delete_title": "Löschen gecachte Nachrichten und Dateien",
+    "reservation_delete_dialog_action_delete_description": "Gecachte Nachrichten und Dateien werden endgültig gelöscht. Diese Aktion kann nicht rückgängig gemacht werden.",
+    "reservation_delete_dialog_submit_button": "Reservierung löschen",
+    "account_basics_password_dialog_button_submit": "Kennwort ändern",
+    "account_basics_tier_title": "Kontotyp",
+    "account_basics_tier_upgrade_button": "Upgrade auf Pro",
+    "account_delete_dialog_description": "Hiermit wird Dein Konto endgültig gelöscht, inklusive aller Daten auf dem Server. Nach dem Löschen wird Dein Benutzername für 7 Tage gesperrt sein. Wenn Du fortfahren willst, bestätige das durch Eingabe Deines Kennwortes.",
+    "signup_form_confirm_password": "Kennwort wiederholen",
+    "signup_title": "Erstelle ein ntfy-Konto",
+    "signup_error_username_taken": "Benutzername {{username}} ist bereits vergeben",
+    "signup_error_creation_limit_reached": "Grenze der Account-Erstellung erreicht",
+    "subscribe_dialog_subscribe_button_generate_topic_name": "Namen erzeugen",
+    "account_basics_title": "Konto",
+    "action_bar_sign_up": "Konto erstellen",
+    "nav_upgrade_banner_label": "Upgrade auf ntfy Pro",
+    "alert_not_supported_context_description": "Benachrichtigungen werden nur über HTTPS unterstützt. Das ist eine Einschränkung der <mdnLink>Notifications API</mdnLink>.",
+    "display_name_dialog_description": "Lege einen alternativen Namen für ein Thema fest, der in der Abo-Liste angezeigt wird. So kannst Du Themen mit komplizierten Namen leichter finden.",
+    "account_basics_username_admin_tooltip": "Du bist Admin",
+    "account_upgrade_dialog_interval_yearly_discount_save": "spare {{discount}}%",
+    "account_upgrade_dialog_interval_yearly_discount_save_up_to": "spare bis zu {{discount}}%",
+    "account_upgrade_dialog_tier_price_per_month": "Monat",
+    "account_upgrade_dialog_tier_price_billed_yearly": "{{price}} pro Jahr. Spare {{save}}.",
+    "account_upgrade_dialog_billing_contact_email": "Bei Fragen zur Abrechnung, <Link>kontaktiere uns</Link> bitte direkt.",
+    "account_upgrade_dialog_billing_contact_website": "Bei Fragen zur Abrechnung sieh bitte auf unserer <Link>Webseite</Link> nach.",
+    "account_upgrade_dialog_tier_features_no_reservations": "Keine reservierten Themen",
+    "account_basics_tier_interval_yearly": "jährlich",
+    "account_basics_tier_interval_monthly": "monatlich",
+    "account_upgrade_dialog_interval_monthly": "Monatlich",
+    "account_upgrade_dialog_tier_price_billed_monthly": "{{price}} pro Jahr. Monatlich abgerechnet.",
+    "account_upgrade_dialog_interval_yearly": "Jährlich"
 }
--- a/web/public/static/langs/en.json
+++ b/web/public/static/langs/en.json
@@ -193,6 +193,8 @@
  "account_basics_tier_admin_suffix_no_tier": "(no tier)",
  "account_basics_tier_basic": "Basic",
  "account_basics_tier_free": "Free",
+  "account_basics_tier_interval_monthly": "monthly",
+  "account_basics_tier_interval_yearly": "annually",
  "account_basics_tier_upgrade_button": "Upgrade to Pro",
  "account_basics_tier_change_button": "Change",
  "account_basics_tier_paid_until": "Subscription paid until {{date}}, and will auto-renew",
@@ -215,17 +217,27 @@
  "account_delete_dialog_button_submit": "Permanently delete account",
  "account_delete_dialog_billing_warning": "Deleting your account also cancels your billing subscription immediately. You will not have access to the billing dashboard anymore.",
  "account_upgrade_dialog_title": "Change account tier",
+  "account_upgrade_dialog_interval_monthly": "Monthly",
+  "account_upgrade_dialog_interval_yearly": "Annually",
+  "account_upgrade_dialog_interval_yearly_discount_save": "save {{discount}}%",
+  "account_upgrade_dialog_interval_yearly_discount_save_up_to": "save up to {{discount}}%",
  "account_upgrade_dialog_cancel_warning": "This will <strong>cancel your subscription</strong>, and downgrade your account on {{date}}. On that date, topic reservations as well as messages cached on the server <strong>will be deleted</strong>.",
-  "account_upgrade_dialog_proration_info": "<strong>Proration</strong>: When switching between paid plans, the price difference will be charged or refunded in the next invoice. You will not receive another invoice until the end of the next billing period.",
+  "account_upgrade_dialog_proration_info": "<strong>Proration</strong>: When upgrading between paid plans, the price difference will be <strong>charged immediately</strong>. When downgrading to a lower tier, the balance will be used to pay for future billing periods.",
  "account_upgrade_dialog_reservations_warning_one": "The selected tier allows fewer reserved topics than your current tier. Before changing your tier, <strong>please delete at least one reservation</strong>. You can remove reservations in the <Link>Settings</Link>.",
  "account_upgrade_dialog_reservations_warning_other": "The selected tier allows fewer reserved topics than your current tier. Before changing your tier, <strong>please delete at least {{count}} reservations</strong>. You can remove reservations in the <Link>Settings</Link>.",
  "account_upgrade_dialog_tier_features_reservations": "{{reservations}} reserved topics",
+  "account_upgrade_dialog_tier_features_no_reservations": "No reserved topics",
  "account_upgrade_dialog_tier_features_messages": "{{messages}} daily messages",
  "account_upgrade_dialog_tier_features_emails": "{{emails}} daily emails",
  "account_upgrade_dialog_tier_features_attachment_file_size": "{{filesize}} per file",
  "account_upgrade_dialog_tier_features_attachment_total_size": "{{totalsize}} total storage",
+  "account_upgrade_dialog_tier_price_per_month": "month",
+  "account_upgrade_dialog_tier_price_billed_monthly": "{{price}} per year. Billed monthly.",
+  "account_upgrade_dialog_tier_price_billed_yearly": "{{price}} billed annually. Save {{save}}.",
  "account_upgrade_dialog_tier_selected_label": "Selected",
  "account_upgrade_dialog_tier_current_label": "Current",
+  "account_upgrade_dialog_billing_contact_email": "For billing questions, please <Link>contact us</Link> directly.",
+  "account_upgrade_dialog_billing_contact_website": "For billing questions, please refer to our <Link>website</Link>.",
  "account_upgrade_dialog_button_cancel": "Cancel",
  "account_upgrade_dialog_button_redirect_signup": "Sign up now",
  "account_upgrade_dialog_button_pay_now": "Pay now and subscribe",
--- a/web/public/static/langs/es.json
+++ b/web/public/static/langs/es.json
@@ -187,5 +187,170 @@
    "prefs_users_table": "Tabla de usuarios",
    "prefs_users_edit_button": "Editar usuario",
    "prefs_users_delete_button": "Eliminar usuario",
-    "error_boundary_unsupported_indexeddb_title": "Navegación privada no soportada"
+    "error_boundary_unsupported_indexeddb_title": "Navegación privada no soportada",
+    "action_bar_profile_title": "Perfil",
+    "action_bar_profile_settings": "Configuración",
+    "signup_title": "Crear una cuenta ntfy",
+    "signup_form_username": "Nombre de usuario",
+    "signup_form_password": "Contraseña",
+    "signup_form_confirm_password": "Confirmar contraseña",
+    "signup_form_button_submit": "Registro",
+    "signup_form_toggle_password_visibility": "Alternar la visibilidad de la contraseña",
+    "signup_already_have_account": "¿Ya tienes una cuenta? ¡Iniciar sesión!",
+    "signup_disabled": "El registro está deshabilitado",
+    "signup_error_username_taken": "El nombre de usuario {{username}} ya está en uso",
+    "signup_error_creation_limit_reached": "Límite de creación de cuenta alcanzado",
+    "login_title": "Inicie sesión en su cuenta ntfy",
+    "login_form_button_submit": "Iniciar sesión",
+    "login_link_signup": "Registro",
+    "login_disabled": "Inicio de sesión deshabilitado",
+    "action_bar_account": "Cuenta",
+    "action_bar_change_display_name": "Cambiar nombre de usuario",
+    "action_bar_reservation_add": "Reservar tema",
+    "action_bar_reservation_edit": "Modificar reserva",
+    "action_bar_reservation_delete": "Quitar reserva",
+    "action_bar_reservation_limit_reached": "Límite alcanzado",
+    "action_bar_profile_logout": "Cerrar sesión",
+    "action_bar_sign_in": "Iniciar sesión",
+    "action_bar_sign_up": "Registro",
+    "nav_button_account": "Cuenta",
+    "nav_upgrade_banner_label": "Actualizar a ntfy Pro",
+    "nav_upgrade_banner_description": "Reserve temas, más mensajes y correos electrónicos, y archivos adjuntos más grandes",
+    "display_name_dialog_title": "Cambiar el nombre para mostrar",
+    "display_name_dialog_description": "Establezca un nombre alternativo para un tópico que se muestra en la lista de suscripciones. Esto ayuda a identificar más fácilmente los temas con nombres complicados.",
+    "display_name_dialog_placeholder": "Nombre para mostrar",
+    "account_basics_username_admin_tooltip": "Eres Administrador",
+    "account_basics_password_description": "Cambiar la contraseña de tu cuenta",
+    "account_basics_password_dialog_confirm_password_label": "Confirmar contraseña",
+    "account_basics_password_dialog_button_submit": "Cambiar contraseña",
+    "account_basics_password_dialog_current_password_incorrect": "Contraseña incorrecta",
+    "account_usage_unlimited": "Ilimitado",
+    "account_usage_title": "Uso",
+    "account_usage_of_limit": "de {{límite}}",
+    "account_usage_limits_reset_daily": "Los límites de uso se restablecen diariamente a la medianoche (UTC)",
+    "account_basics_tier_description": "Nivel de poder de tu cuenta",
+    "account_basics_tier_admin": "Administrador",
+    "alert_not_supported_context_description": "Las notificaciones sólo se admiten a través de HTTPS. Esta es una limitante de la <mdnLink>API de notificaciones</mdnLink> .",
+    "reserve_dialog_checkbox_label": "Reservar tópico y configurar el acceso",
+    "subscribe_dialog_subscribe_button_generate_topic_name": "Generar nombre",
+    "subscribe_dialog_error_topic_already_reserved": "Tópico ya reservado",
+    "account_basics_title": "Cuenta",
+    "account_basics_username_title": "Nombre de usuario",
+    "account_basics_username_description": "Hey, ese eres tú ❤",
+    "account_basics_password_title": "Contraseña",
+    "account_basics_password_dialog_title": "Cambiar contraseña",
+    "account_basics_password_dialog_current_password_label": "Contraseña actual",
+    "account_basics_password_dialog_new_password_label": "Contraseña nueva",
+    "account_basics_tier_basic": "Básico",
+    "account_basics_tier_admin_suffix_with_tier": "(con nivel {{tier}})",
+    "account_basics_tier_admin_suffix_no_tier": "(sin nivel)",
+    "account_basics_tier_free": "Gratis",
+    "account_basics_tier_upgrade_button": "Actualizar a Pro",
+    "account_basics_tier_change_button": "Cambiar",
+    "account_basics_tier_paid_until": "Suscripción pagada hasta {{fecha}}, y se renovará automáticamente",
+    "account_basics_tier_manage_billing_button": "Administrar la facturación",
+    "account_basics_tier_title": "Tipo de cuenta",
+    "account_tokens_description": "Utilice tokens de acceso al publicar y suscribirse a través de la API de ntfy para no tener que enviar las credenciales de su cuenta. Consulte la <Link>documentación</Link> para obtener más información.",
+    "account_tokens_table_token_header": "Token",
+    "account_tokens_table_label_header": "Etiqueta",
+    "account_tokens_table_last_access_header": "Último acceso",
+    "account_tokens_table_expires_header": "Expira",
+    "account_tokens_table_never_expires": "Nunca expira",
+    "account_tokens_table_current_session": "Sesión del navegador actual",
+    "account_tokens_table_copy_to_clipboard": "Copiar al portapapeles",
+    "account_tokens_table_copied_to_clipboard": "Token de acceso copiado",
+    "account_tokens_table_cannot_delete_or_edit": "No se puede editar ni eliminar el token de sesión actual",
+    "account_tokens_table_create_token_button": "Crear token de acceso",
+    "account_tokens_table_last_origin_tooltip": "Desde la dirección IP {{ip}}, haga clic para buscar",
+    "account_tokens_dialog_title_create": "Crear token de acceso",
+    "account_tokens_dialog_title_edit": "Editar token de acceso",
+    "account_tokens_dialog_title_delete": "Eliminar token de acceso",
+    "account_tokens_dialog_label": "Etiqueta, por ejemplo, notificaciones de Radarr",
+    "account_tokens_dialog_button_create": "Crear token",
+    "prefs_reservations_table_everyone_write_only": "Puedo publicar y suscribirme, todo el mundo puede publicar",
+    "account_usage_messages_title": "Mensajes publicados",
+    "account_usage_reservations_title": "Tópicos reservados",
+    "account_usage_reservations_none": "No hay tópicos reservados para esta cuenta",
+    "account_usage_cannot_create_portal_session": "No se puede abrir el portal de facturación",
+    "account_upgrade_dialog_title": "Cambiar nivel de cuenta",
+    "account_basics_tier_payment_overdue": "Su pago ha vencido. Por favor actualice su método de pago o su cuenta será degradada en breve.",
+    "account_basics_tier_canceled_subscription": "Su suscripción fue cancelada y será degradada a una cuenta gratuita el {{date}}.",
+    "account_usage_emails_title": "Correos enviados",
+    "account_usage_attachment_storage_title": "Almacenamiento de archivos adjuntos",
+    "account_usage_attachment_storage_description": "{{filesize}} por archivo, eliminado después de {{expiry}}",
+    "account_usage_basis_ip_description": "Las estadísticas de uso y los límites de esta cuenta se basan en su dirección IP, por lo que podrían ser compartidos con otros usuarios. Los límites mostrados anteriormente son aproximados basados en los límites existentes.",
+    "account_delete_title": "Elimina cuenta",
+    "account_delete_dialog_button_cancel": "Cancelar",
+    "account_delete_dialog_billing_warning": "La eliminación de su cuenta también cancela su suscripción de facturación inmediatamente. Ya no tendrá acceso al panel de facturación.",
+    "account_upgrade_dialog_reservations_warning_one": "El nivel seleccionado permite menos tópicos reservados que su nivel actual. Antes de cambiar de nivel, <strong>por favor elimine al menos una reserva</strong>. Puede eliminar reservas en <Link>Configuración</Link>.",
+    "account_upgrade_dialog_tier_selected_label": "Seleccionado",
+    "account_upgrade_dialog_button_cancel": "Cancelar",
+    "account_upgrade_dialog_button_cancel_subscription": "Cancelar suscripción",
+    "account_tokens_title": "Tokens de acceso",
+    "account_delete_description": "Eliminar permanentemente su cuenta",
+    "account_delete_dialog_description": "Esto borrará permanentemente su cuenta, incluyendo todos los datos almacenados en el servidor. Tras la eliminación, su nombre de usuario no estará disponible durante 7 días. Si realmente desea continuar, por favor confirme su contraseña en la casilla de abajo.",
+    "account_delete_dialog_label": "Contraseña",
+    "account_delete_dialog_button_submit": "Eliminar permanentemente la cuenta",
+    "account_upgrade_dialog_tier_features_reservations": "{{reservations}} tópicos reservados",
+    "account_upgrade_dialog_cancel_warning": "Esto <strong>cancelará su suscripción</strong> y degradará su cuenta en {{date}}. En esa fecha, sus tópicos reservados y sus mensajes almacenados en caché en el servidor <strong>serán eliminados</strong>.",
+    "account_upgrade_dialog_proration_info": "<strong>Prorrateo</strong>: al actualizar entre planes pagos, la diferencia de precio se <strong>cobrará de inmediato</strong>. Al cambiar a un nivel inferior, el saldo se utilizará para pagar futuros períodos de facturación.",
+    "account_upgrade_dialog_reservations_warning_other": "El nivel seleccionado permite menos tópicos reservados que su nivel actual. Antes de cambiar de nivel, <strong>por favor elimine al menos {{count}} reservaciones</strong>. Puede eliminar reservaciones en <Link>Configuración</Link>.",
+    "account_upgrade_dialog_tier_features_messages": "{{messages}} mensajes diarios",
+    "account_upgrade_dialog_tier_features_emails": "{{emails}} correos diarios",
+    "account_upgrade_dialog_tier_features_attachment_file_size": "{{filesize}} por archivo",
+    "account_upgrade_dialog_tier_features_attachment_total_size": "{{totalsize}} almacenamiento total",
+    "account_upgrade_dialog_tier_current_label": "Actual",
+    "account_upgrade_dialog_button_redirect_signup": "Regístrese ahora",
+    "account_upgrade_dialog_button_pay_now": "Pague ahora y suscríbase",
+    "account_upgrade_dialog_button_update_subscription": "Actualizar suscripción",
+    "account_tokens_dialog_button_update": "Actualizar token",
+    "account_tokens_dialog_expires_label": "El token de acceso expira en",
+    "prefs_reservations_table": "Tabla de tópicos reservados",
+    "prefs_reservations_dialog_description": "Reservar un tópico le otorga la propiedad sobre el mismo y le permite definir permisos de acceso para otros usuarios sobre el tópico.",
+    "account_tokens_dialog_button_cancel": "Cancelar",
+    "account_tokens_dialog_expires_unchanged": "No modificar la fecha de expiración",
+    "prefs_reservations_add_button": "Agregar tópico reservado",
+    "prefs_reservations_table_access_header": "Acceso",
+    "reservation_delete_dialog_action_delete_description": "Los mensajes y archivos adjuntos almacenados en caché se eliminarán de forma permanente. Esta acción no se puede deshacer.",
+    "account_tokens_dialog_expires_x_hours": "El token expira en {{hours}} horas",
+    "account_tokens_delete_dialog_title": "Eliminar token de acceso",
+    "prefs_reservations_limit_reached": "Ha alcanzado su límite de tópicos reservados.",
+    "prefs_reservations_table_everyone_read_write": "Todo el mundo puede publicar y suscribirse",
+    "reservation_delete_dialog_action_keep_description": "Los mensajes y archivos adjuntos que se almacenen en caché en el servidor pasarán a ser visibles públicamente para las personas que conozcan el nombre del tópico.",
+    "account_tokens_dialog_expires_x_days": "El token expira en {{days}} días",
+    "account_tokens_dialog_expires_never": "El token nunca expira",
+    "account_tokens_delete_dialog_description": "Antes de eliminar un token de acceso, asegúrese de que ninguna aplicación o script lo está utilizando activamente. <strong>Esta acción no se puede deshacer</strong>.",
+    "prefs_users_table_cannot_delete_or_edit": "No se puede eliminar o editar el usuario conectado",
+    "prefs_reservations_title": "Tópicos reservados",
+    "prefs_reservations_edit_button": "Editar acceso al tópico",
+    "prefs_reservations_table_topic_header": "Tópico",
+    "prefs_reservations_table_everyone_read_only": "Puedo publicar y suscribirme, todo el mundo puede suscribirse",
+    "prefs_reservations_table_everyone_deny_all": "Sólo yo puedo publicar y suscribirme",
+    "prefs_reservations_table_click_to_subscribe": "Haga clic para suscribirse",
+    "prefs_reservations_dialog_title_edit": "Edita tópico reservado",
+    "account_tokens_delete_dialog_submit_button": "Eliminar permanentemente el token",
+    "prefs_reservations_description": "Aquí puede reservar nombres de tópicos para uso personal. Reservar un tópico le otorga la propiedad sobre el mismo y le permite definir permisos de acceso para otros usuarios sobre el tópico.",
+    "prefs_reservations_delete_button": "Restablecer acceso a tópico",
+    "prefs_reservations_table_not_subscribed": "No suscrito",
+    "prefs_reservations_dialog_title_add": "Reservar tópico",
+    "prefs_users_description_no_sync": "Los usuarios y las contraseñas no están sincronizados con su cuenta.",
+    "prefs_reservations_dialog_title_delete": "Borrar reserva de tópico",
+    "prefs_reservations_dialog_access_label": "Acceso",
+    "reservation_delete_dialog_action_keep_title": "Conservar mensajes y archivos adjuntos en caché",
+    "prefs_reservations_dialog_topic_label": "Tópico",
+    "reservation_delete_dialog_description": "Al eliminar una reserva se renuncia a la propiedad sobre el tópico y se permite que otros lo reserven. Puede conservar o eliminar los mensajes y archivos adjuntos existentes.",
+    "reservation_delete_dialog_action_delete_title": "Eliminar mensajes y archivos adjuntos en caché",
+    "reservation_delete_dialog_submit_button": "Eliminar reserva",
+    "account_basics_tier_interval_monthly": "mensualmente",
+    "account_basics_tier_interval_yearly": "anualmente",
+    "account_upgrade_dialog_interval_monthly": "Mensualmente",
+    "account_upgrade_dialog_interval_yearly": "Anualmente",
+    "account_upgrade_dialog_interval_yearly_discount_save": "ahorrar {{discount}}%",
+    "account_upgrade_dialog_interval_yearly_discount_save_up_to": "ahorra hasta un {{discount}}%",
+    "account_upgrade_dialog_tier_features_no_reservations": "Ningún tema reservado",
+    "account_upgrade_dialog_tier_price_per_month": "mes",
+    "account_upgrade_dialog_tier_price_billed_yearly": "{{price}} facturado anualmente. Guardar {{save}}.",
+    "account_upgrade_dialog_billing_contact_website": "Si tiene preguntas sobre facturación, consulte nuestra <Link>página web</Link>.",
+    "account_upgrade_dialog_tier_price_billed_monthly": "{{price}} al año. Facturación mensual.",
+    "account_upgrade_dialog_billing_contact_email": "Para preguntas sobre facturación, por favor <Link>contáctenos</Link> directamente."
 }
--- a/web/public/static/langs/fr.json
+++ b/web/public/static/langs/fr.json
@@ -187,5 +187,170 @@
    "prefs_users_edit_button": "Éditer l'utilisateur",
    "prefs_users_delete_button": "Supprimer l'utilisateur",
    "error_boundary_unsupported_indexeddb_title": "Navigation privée non prise en charge",
-    "publish_dialog_attached_file_remove": "Retirer le fichier joint"
+    "publish_dialog_attached_file_remove": "Retirer le fichier joint",
+    "signup_form_password": "Mot de passe",
+    "signup_form_confirm_password": "Confirmation du mot de passe",
+    "signup_disabled": "L'inscription est désactivée",
+    "signup_error_username_taken": "L'identifiant {{username}} est déjà utilisé",
+    "signup_error_creation_limit_reached": "Limite de création de comptes atteinte",
+    "login_title": "Se connecter à son compte Ntfy",
+    "login_form_button_submit": "Connexion",
+    "login_link_signup": "S'inscrire",
+    "login_disabled": "La connection est désactivée",
+    "action_bar_account": "Compte",
+    "action_bar_profile_title": "Profil",
+    "action_bar_profile_settings": "Paramètres",
+    "action_bar_sign_in": "Connexion",
+    "action_bar_sign_up": "Inscription",
+    "nav_button_account": "Compte",
+    "signup_title": "Créer un compte Ntfy",
+    "signup_form_username": "Identifiant",
+    "signup_form_button_submit": "S'inscrire",
+    "signup_already_have_account": "Vous avez déjà un compte ? Connectez-vous !",
+    "action_bar_profile_logout": "Se déconnecter",
+    "signup_form_toggle_password_visibility": "Afficher le mot de passe",
+    "action_bar_change_display_name": "Changer le nom affiché",
+    "prefs_reservations_table_click_to_subscribe": "Cliquer pour s'abonner",
+    "account_tokens_table_cannot_delete_or_edit": "Impossible d'éditer ou de supprimer le jeton de la session actuelle",
+    "account_tokens_dialog_button_cancel": "Annuler",
+    "prefs_users_table_cannot_delete_or_edit": "Impossible de supprimer ou de modifier un utilisateur connecté",
+    "prefs_users_description_no_sync": "Les utilisateurs et les mots de passe ne sont pas synchronisés avec votre compte.",
+    "account_tokens_dialog_button_update": "Mettre à jour un jeton",
+    "nav_upgrade_banner_description": "Réservation de sujets, plus de messages et d'emails, et des pièces jointes plus larges",
+    "display_name_dialog_description": "Mettre un nom supplémentaire pour un sujet qui est affiché dans la liste des abonnements. Cela aide à identifier plus facilement les sujets ayant des noms compliqués.",
+    "account_usage_basis_ip_description": "Les statistiques d'utilisation et les limites pour ce compte sont basées sur votre adresse IP, donc elles peuvent être partagées avec d'autres utilisateurs. Les limites affichées plus haut sont approximativement basées sur les limites de débit existantes.",
+    "action_bar_reservation_add": "Réserver un sujet",
+    "action_bar_reservation_edit": "Changer la réservation",
+    "action_bar_reservation_delete": "Supprimer la réservation",
+    "action_bar_reservation_limit_reached": "Limite atteinte",
+    "nav_upgrade_banner_label": "Passer à ntfy Pro",
+    "display_name_dialog_title": "Changer le nom affiché",
+    "reserve_dialog_checkbox_label": "Réserver un sujet et en configurer l'accès",
+    "display_name_dialog_placeholder": "Nom affiché",
+    "subscribe_dialog_subscribe_button_generate_topic_name": "Générer un nom",
+    "subscribe_dialog_error_topic_already_reserved": "Sujet déjà réservé",
+    "account_basics_title": "Compte",
+    "account_basics_username_title": "Nom d'utilisateur",
+    "account_basics_username_description": "Hé, c'est toi ❤",
+    "account_basics_username_admin_tooltip": "Vous êtes Administrateur",
+    "account_basics_password_title": "Mot de passe",
+    "account_basics_password_description": "Changer le mot de passe de votre compte",
+    "account_basics_password_dialog_title": "Changer le mot de passe",
+    "account_basics_password_dialog_current_password_label": "Mot de passe actuel",
+    "account_basics_password_dialog_new_password_label": "Nouveau mot de passe",
+    "account_basics_password_dialog_confirm_password_label": "Confirmer le mot de passe",
+    "account_basics_password_dialog_button_submit": "Changer le mot de passe",
+    "account_basics_password_dialog_current_password_incorrect": "Mot de passe incorrect",
+    "account_usage_title": "Utilisation",
+    "account_usage_of_limit": "sur {{limit}}",
+    "account_usage_unlimited": "Illimité",
+    "account_usage_limits_reset_daily": "Les limites d'utilisation sont réinitialisées chaque jour à minuit (UTC)",
+    "account_basics_tier_title": "Type de compte",
+    "account_basics_tier_description": "Le niveau de puissance de votre compte",
+    "account_basics_tier_admin": "Administrateur",
+    "account_basics_tier_admin_suffix_with_tier": "(avec le tarif {{tier}})",
+    "account_basics_tier_admin_suffix_no_tier": "(pas de tarif)",
+    "account_basics_tier_free": "Gratuit",
+    "account_basics_tier_upgrade_button": "Passer à Pro",
+    "account_basics_tier_change_button": "Changer",
+    "account_basics_tier_paid_until": "Abonnement payé jusqu'à {{date}}, et va être automatiquement renouvelé",
+    "account_basics_tier_canceled_subscription": "Votre abonnement a été annulé et va être rétrogradé vers un compte gratuit le {{date}}.",
+    "account_basics_tier_manage_billing_button": "Gérer la facturation",
+    "account_usage_messages_title": "Messages publiés",
+    "account_usage_emails_title": "Emails envoyés",
+    "account_usage_reservations_title": "Sujets réservés",
+    "account_usage_reservations_none": "Pas de sujet réservé pour ce compte",
+    "account_usage_attachment_storage_title": "Stockage des pièces jointes",
+    "account_usage_attachment_storage_description": "{{filesize}} par fichier, supprimé après {{expiry}}",
+    "account_usage_cannot_create_portal_session": "Impossible d'ouvrir le portail de facturation",
+    "account_delete_title": "Supprimer le compte",
+    "account_delete_description": "Supprimer définitivement votre compte",
+    "account_basics_tier_basic": "Basique",
+    "account_delete_dialog_description": "Cela supprimera définitivement votre compte, ainsi que toutes les données qui sont stockées sur le serveur. Après suppression, votre nom d'utilisateur sera indisponible pendant 7 jours. Si vous voulez vraiment faire cela, veuillez le confirmer en mettant votre mot de passe dans le champ ci-dessous.",
+    "account_delete_dialog_label": "Mot de passe",
+    "account_delete_dialog_button_cancel": "Annuler",
+    "account_delete_dialog_button_submit": "Supprimer définitivement le compte",
+    "account_delete_dialog_billing_warning": "Supprimer votre compte annule aussi immédiatement votre facturation. Vous n'aurez plus accès à votre tableau de bord de facturation.",
+    "account_upgrade_dialog_title": "Changer le tarif du compte",
+    "account_upgrade_dialog_proration_info": "<strong>Facturation</strong> : Lors d'un changement entre un plan payant et un autre, la différence de prix sera créditée ou remboursée sur la prochaine facture. Vous ne recevrez pas d'autre facture avant la fin de la prochaine période de facturation.",
+    "account_upgrade_dialog_reservations_warning_other": "Le tarif sélectionné autorise moins de sujets réservés que votre tarif actuel. Avant de changer de tarif, <strong>veuillez supprimer au moins {{count}} sujets réservés</strong>. Vous pouvez supprimer des sujets réservés dans les <Link>Paramètres</Link>.",
+    "account_upgrade_dialog_tier_features_reservations": "{{reservations}} sujets réservés",
+    "account_upgrade_dialog_tier_features_messages": "{{messages}} messages journaliers",
+    "account_upgrade_dialog_tier_features_emails": "{{emails}} emails journaliers",
+    "account_upgrade_dialog_tier_features_attachment_file_size": "{{filesize}} par fichier",
+    "account_upgrade_dialog_tier_features_attachment_total_size": "{{totalsize}} stockage total",
+    "account_upgrade_dialog_tier_selected_label": "Sélectionné",
+    "account_upgrade_dialog_tier_current_label": "Actuel",
+    "account_upgrade_dialog_button_cancel": "Annuler",
+    "account_upgrade_dialog_button_redirect_signup": "S'inscrire maintenant",
+    "account_upgrade_dialog_button_pay_now": "Payer maintenant et s'abonner",
+    "account_upgrade_dialog_button_cancel_subscription": "Annuler l'abonnement",
+    "account_upgrade_dialog_button_update_subscription": "Mettre à jour l'abonnement",
+    "account_tokens_title": "Jetons d'accès",
+    "account_tokens_table_token_header": "Jeton",
+    "account_tokens_table_label_header": "Étiquette",
+    "account_tokens_table_last_access_header": "Dernier accès",
+    "account_tokens_table_expires_header": "Expire",
+    "account_tokens_table_never_expires": "N'expire jamais",
+    "account_tokens_table_current_session": "Session de navigation actuelle",
+    "account_tokens_table_copy_to_clipboard": "Copier dans le presse-papier",
+    "account_tokens_table_copied_to_clipboard": "Jeton d'accès copié",
+    "account_tokens_table_create_token_button": "Créer un jeton d'accès",
+    "account_tokens_table_last_origin_tooltip": "Depuis l'adresse IP {{ip}}, cliquer pour rechercher",
+    "account_tokens_dialog_title_create": "Créer un jeton d'accès",
+    "account_tokens_dialog_title_edit": "Modifier le jeton d'accès",
+    "account_tokens_dialog_title_delete": "Supprimer le jeton d'accès",
+    "account_tokens_dialog_label": "Étiquette, par ex. Notifications Radarr",
+    "account_tokens_dialog_button_create": "Créer un jeton",
+    "account_tokens_dialog_expires_label": "Le jeton d'accès expire dans",
+    "account_tokens_dialog_expires_unchanged": "Laisser la date d'expiration inchangée",
+    "account_tokens_dialog_expires_x_hours": "Le jeton expire dans {{hours}} heures",
+    "account_tokens_dialog_expires_x_days": "Le jeton expire dans {{days}} jours",
+    "account_tokens_dialog_expires_never": "Le jeton n'expire jamais",
+    "account_tokens_delete_dialog_title": "Supprimer le jeton d'accès",
+    "account_tokens_delete_dialog_submit_button": "Supprimer définitivement le jeton",
+    "prefs_reservations_title": "Sujets réservés",
+    "prefs_reservations_limit_reached": "Vous avez atteint votre limite de réservation de sujets.",
+    "prefs_reservations_add_button": "Ajouter un sujet réservé",
+    "prefs_reservations_edit_button": "Modifier l'accès d'un sujet",
+    "prefs_reservations_delete_button": "Réinitialiser l'accès d'un sujet",
+    "prefs_reservations_table": "Tableau des sujets réservés",
+    "prefs_reservations_table_topic_header": "Sujet",
+    "prefs_reservations_table_access_header": "Accès",
+    "prefs_reservations_table_everyone_deny_all": "Seulement moi peut publier et m'abonner",
+    "prefs_reservations_table_everyone_read_only": "Je peux publier et m'abonner, tout le monde peut s'abonner",
+    "prefs_reservations_table_everyone_write_only": "Je peux publier et m'abonner, tout le monde peut publier",
+    "prefs_reservations_table_everyone_read_write": "Tout le monde peut publier et s'abonner",
+    "prefs_reservations_table_not_subscribed": "Pas abonné",
+    "prefs_reservations_dialog_title_add": "Réserver un sujet",
+    "prefs_reservations_dialog_title_edit": "Modifier un sujet réservé",
+    "prefs_reservations_dialog_title_delete": "Supprimé un sujet réservé",
+    "prefs_reservations_dialog_description": "Réserver un sujet vous donne la propriété sur ce sujet et vous permet de définir les permissions d'accès à ce sujet pour d'autres utilisateurs.",
+    "prefs_reservations_dialog_topic_label": "Sujet",
+    "prefs_reservations_dialog_access_label": "Accès",
+    "reservation_delete_dialog_description": "Supprimer un sujet réservé abandonne la propriété sur le sujet et permet aux autres de le réserver. Vous pouvez garder ou supprimer les messages et pièces jointes existantes.",
+    "reservation_delete_dialog_action_keep_title": "Garder les messages et pièces jointes mises en cache",
+    "reservation_delete_dialog_action_keep_description": "Les messages et pièces jointes qui sont dans le cache du serveur deviendront visibles publiquement pour les personnes ayant connaissance du nom du sujet.",
+    "reservation_delete_dialog_action_delete_title": "Supprimer les messages et pièces jointes mises en cache",
+    "reservation_delete_dialog_action_delete_description": "Les messages et pièces jointes mises en cache seront définitivement supprimées. Cette action ne peut pas être annulée.",
+    "reservation_delete_dialog_submit_button": "Supprimer un sujet réservé",
+    "alert_not_supported_context_description": "Les notifications ne sont supportées qu'en HTTPS. C'est une limitation de la <mdnLink>Notifications API</mdnLink>.",
+    "account_basics_tier_payment_overdue": "Votre paiement est en retard. Veuillez mettre à jour votre méthode de paiement, ou votre compte va bientôt être rétrogradé.",
+    "account_upgrade_dialog_cancel_warning": "Cela va <strong>annuler votre abonnement</strong> et rétrograder votre compte le {{date}}. Ce jour là, les sujets réservés ainsi que tous les messages dans le cache du serveur <strong>seront supprimés</strong>.",
+    "account_upgrade_dialog_reservations_warning_one": "Le tarif sélectionné autorise moins de sujets réservés que votre tarif actuel. Avant de changer de tarif, <strong>veuillez supprimer au moins un sujet réservé</strong>. Vous pouvez supprimer des sujets réservés dans les <Link>Paramètres</Link>.",
+    "account_tokens_description": "Utilisez des jetons d'accès lors de la publication ou de l'abonnement via l'API de ntfy, afin d'éviter d'envoyer vos identifiants de compte. Regardez la <Link>documentation</Link> pour en savoir plus.",
+    "account_tokens_delete_dialog_description": "Avant de supprimer un jeton d'accès, assurez-vous qu'aucune application ou script ne soit en train de l'utiliser. <strong>Cette action ne peut pas être annulée</strong>.",
+    "prefs_reservations_description": "Vous pouvez réserver les noms de sujet à usage personnel ici. Réserver un sujet vous donne la propriété sur ce sujet et vous permet de définir les permissions d'accès à ce sujet pour d'autres utilisateurs.",
+    "account_basics_tier_interval_yearly": "annuel",
+    "account_upgrade_dialog_interval_yearly": "Annuel",
+    "account_upgrade_dialog_interval_yearly_discount_save": "économisez {{discount}}%",
+    "account_upgrade_dialog_tier_features_no_reservations": "Aucun sujet(s) réservé(s)",
+    "account_upgrade_dialog_tier_price_billed_monthly": "{{price}} par an. Prélevé mensuellement.",
+    "account_upgrade_dialog_billing_contact_website": "Pour des questions en rapport avec la facturation, se référer à notre <Link>site internet</Link>.",
+    "account_basics_tier_interval_monthly": "mensuel",
+    "account_upgrade_dialog_interval_monthly": "Mensuel",
+    "account_upgrade_dialog_interval_yearly_discount_save_up_to": "économisez jusqu'à {{discount}}%",
+    "account_upgrade_dialog_tier_price_per_month": "mois",
+    "account_upgrade_dialog_tier_price_billed_yearly": "{{price}} prélevé annuellement. Économisez {{save}}.",
+    "account_upgrade_dialog_billing_contact_email": "Pour des questions concernant la facturation, merci de nous <Link>contacter</Link> directement."
 }
--- a/web/public/static/langs/id.json
+++ b/web/public/static/langs/id.json
@@ -187,5 +187,170 @@
    "prefs_users_edit_button": "Edit pengguna",
    "prefs_users_delete_button": "Hapus pengguna",
    "error_boundary_unsupported_indexeddb_description": "Aplikasi web ntfy membutuhkan IndexedDB untuk berfungsi, dan peramban Anda tidak mendukung IndexedDB dalam mode penjelajahan pribadi.<br/><br/>Meskipun ini disayangkan, penggunaan aplikasi web ntfy juga tidak masuk akal di mode penjelajahan pribadi, karena semuanya disimpan di penyimpanan peramban. Anda dapat membaca lebih lanjut tentangnya <githubLink>di masalah GitHub ini</githubLink>, atau berbicara dengan kami di <discordLink>Discord</discordLink> atau <matrixLink>Matrix</matrixLink>.",
-    "error_boundary_unsupported_indexeddb_title": "Penjelajahan privat tidak didukung"
+    "error_boundary_unsupported_indexeddb_title": "Penjelajahan privat tidak didukung",
+    "signup_form_confirm_password": "Konfirmasi kata sandi",
+    "signup_form_button_submit": "Daftar",
+    "signup_form_toggle_password_visibility": "Alih keterlihatan kata sandi",
+    "signup_already_have_account": "Sudah punya akun? Masuk!",
+    "signup_disabled": "Pendaftaran dinonaktifkan",
+    "signup_error_username_taken": "Nama pengguna {{username}} telah digunakan",
+    "signup_error_creation_limit_reached": "Batasan pembuatan akun tercapai",
+    "login_title": "Masuk ke akun ntfy Anda",
+    "login_disabled": "Pemasukan dinonaktifkan",
+    "action_bar_account": "Akun",
+    "action_bar_change_display_name": "Ubah nama tampilan",
+    "action_bar_reservation_add": "Reservasi topik",
+    "action_bar_reservation_edit": "Ubah reservasi",
+    "action_bar_reservation_delete": "Hapus reservasi",
+    "action_bar_reservation_limit_reached": "Batasan tercapai",
+    "action_bar_profile_title": "Profil",
+    "action_bar_profile_settings": "Pengaturan",
+    "action_bar_profile_logout": "Keluar",
+    "nav_button_account": "Akun",
+    "display_name_dialog_placeholder": "Nama tampilan",
+    "reserve_dialog_checkbox_label": "Reservasi topik dan atur akses",
+    "nav_upgrade_banner_description": "Reservasikan topik, lebih banyak pesan & surel, dan lampiran lebih besar",
+    "signup_title": "Buat sebuah akun ntfy",
+    "signup_form_password": "Kata sandi",
+    "login_link_signup": "Daftar",
+    "action_bar_sign_up": "Daftar",
+    "signup_form_username": "Nama pengguna",
+    "login_form_button_submit": "Masuk",
+    "action_bar_sign_in": "Masuk",
+    "nav_upgrade_banner_label": "Tingkatkan ke ntfy Pro",
+    "alert_not_supported_context_description": "Notifikasi hanya didukung melalui HTTPS. Ini adalah batasan <mdnLink>API Notifikasi</mdnLink>.",
+    "display_name_dialog_title": "Ubah nama tampilan",
+    "display_name_dialog_description": "Tetapkan nama alternatif untuk sebuah topik yang ditampilkan di daftar langganan. Ini membantu mengidentifikasi topik dengan nama yang rumit dengan lebih mudah.",
+    "subscribe_dialog_error_topic_already_reserved": "Topik sudah direservasi",
+    "account_basics_username_title": "Nama pengguna",
+    "account_basics_username_admin_tooltip": "Anda adalah Admin",
+    "account_basics_password_title": "Kata sandi",
+    "account_basics_password_description": "Ubah kata sandi akun Anda",
+    "account_basics_password_dialog_title": "Ubah kata sandi",
+    "account_basics_password_dialog_current_password_label": "Kata sandi saat ini",
+    "account_basics_password_dialog_confirm_password_label": "Konfirmasi kata sandi",
+    "account_basics_password_dialog_button_submit": "Ubah kata sandi",
+    "account_basics_password_dialog_current_password_incorrect": "Kata sandi salah",
+    "account_usage_title": "Penggunaan",
+    "account_usage_of_limit": "dari {{limit}}",
+    "account_usage_unlimited": "Tidak terbatas",
+    "account_usage_limits_reset_daily": "Batasan penggunaan diatur ulang setiap hari di tengah malam (UTC)",
+    "account_basics_tier_title": "Jenis akun",
+    "account_basics_tier_description": "Tingkat daya akun Anda",
+    "account_basics_tier_admin_suffix_no_tier": "(tidak ada peringkat)",
+    "account_basics_tier_basic": "Dasaran",
+    "account_basics_tier_change_button": "Ubah",
+    "account_basics_tier_paid_until": "Langganan dibayar sampai {{date}}, dan akan dibayar secara otomatis",
+    "account_basics_tier_canceled_subscription": "Langganan Anda dibatalkan dan akan diturunkan ke akun gratis pada {{date}}.",
+    "account_usage_messages_title": "Pesan terkirim",
+    "account_usage_emails_title": "Surel terkirim",
+    "account_usage_reservations_title": "Topik yang telah direservasi",
+    "account_usage_reservations_none": "Tidak ada topik yang telah direservasi untuk akun ini",
+    "account_usage_attachment_storage_title": "Penyimpanan lampiran",
+    "account_usage_attachment_storage_description": "{{filesize}} per berkas, dihapus setelah {{expiry}}",
+    "account_delete_title": "Hapus akun",
+    "account_delete_description": "Hapus akun Anda secara permanen",
+    "account_delete_dialog_label": "Kata sandi",
+    "account_delete_dialog_button_cancel": "Batal",
+    "account_delete_dialog_button_submit": "Hapus akun secara permanen",
+    "account_usage_cannot_create_portal_session": "Tidak dapat membuka portal tagihan",
+    "account_delete_dialog_billing_warning": "Menghapus akun Anda juga membatalkan tagihan langganan dengan segera. Anda tidak akan memiliki akses lagi ke dasbor tagihan.",
+    "account_upgrade_dialog_title": "Ubah peringkat akun",
+    "account_upgrade_dialog_proration_info": "<strong>Prorasi</strong>: Saat melakukan upgrade antar paket berbayar, selisih harga akan <strong>langsung dibebankan ke</strong>. Saat menurunkan ke tingkat yang lebih rendah, saldo akan digunakan untuk membayar periode penagihan di masa mendatang.",
+    "account_upgrade_dialog_reservations_warning_other": "Peringkat yang dipilih memperbolehkan lebih sedikit reservasi topik daripada peringkat Anda saat ini. Sebelum mengubah peringkat Anda, <strong>silakan menghapus setidaknya {{count}} reservasi</strong>. Anda dapat menghapus reservasi di <Link>Pengaturan</Link>.",
+    "account_upgrade_dialog_tier_features_reservations": "{{reservations}} topik yang telah direservasi",
+    "account_upgrade_dialog_tier_features_messages": "{{messages}} pesan harian",
+    "account_upgrade_dialog_tier_features_emails": "{{emails}} surel harian",
+    "account_upgrade_dialog_tier_features_attachment_file_size": "{{filesize}} per berkas",
+    "account_upgrade_dialog_tier_features_attachment_total_size": "{{totalsize}} jumlah penyimpanan",
+    "account_upgrade_dialog_tier_selected_label": "Dipilih",
+    "account_upgrade_dialog_tier_current_label": "Saat ini",
+    "account_upgrade_dialog_button_cancel": "Batal",
+    "account_upgrade_dialog_button_redirect_signup": "Daftar sekarang",
+    "account_upgrade_dialog_button_pay_now": "Bayar sekaramg dan berlangganan",
+    "account_upgrade_dialog_button_cancel_subscription": "Batalkan langganan",
+    "account_upgrade_dialog_button_update_subscription": "Perbarui langganan",
+    "account_tokens_title": "Token akses",
+    "account_tokens_description": "Gunakan token akses saat mengirim dan berlangganan melalui API ntfy, sehingga Anda tidak perlu mengirimkan kredensial akun Anda. Lihat <Link>dokumentasi</Link> untuk mempelajari lebih lanjut.",
+    "account_tokens_table_token_header": "Token",
+    "account_tokens_table_label_header": "Label",
+    "account_tokens_table_last_access_header": "Akses terakhir",
+    "account_tokens_table_expires_header": "Kedaluwarsa",
+    "account_tokens_table_never_expires": "Tidak pernah kedaluwarsa",
+    "account_tokens_table_current_session": "Sesi peramban saat ini",
+    "account_tokens_table_copy_to_clipboard": "Salin ke papan klip",
+    "account_tokens_table_copied_to_clipboard": "Token akses disalin",
+    "account_tokens_table_cannot_delete_or_edit": "Tidak dapat menyunting atau menghapus token sesi saat ini",
+    "account_tokens_table_create_token_button": "Buat token akses",
+    "account_tokens_dialog_expires_unchanged": "Tinggalkan tanggal kedaluwarsa tidak terganti",
+    "account_tokens_dialog_expires_x_hours": "Token kedaluwarsa dalam {{hours}} jam",
+    "account_tokens_dialog_expires_x_days": "Token kedaluwarsa dalam {{days}} hari",
+    "account_tokens_dialog_expires_never": "Token tidak pernah kedaluwarsa",
+    "account_tokens_delete_dialog_title": "Hapus token akses",
+    "account_tokens_delete_dialog_description": "Sebelum menghapus sebuah token akses, pastikan bahwa tidak ada aplikasi atau skrip yang sedang menggunakannya secara aktif. <strong>Tindakan ini tidak dapat diurungkan</strong>.",
+    "account_tokens_delete_dialog_submit_button": "Hapus token secara permanan",
+    "prefs_reservations_title": "Topik yang direservasi",
+    "reservation_delete_dialog_action_keep_title": "Jaga tembolok pesan dan lampiran",
+    "reservation_delete_dialog_action_keep_description": "Tembolok pesan dan lampiran yang berada di server akan terlihat secara publik untuk orang-orang dengan pengetahuan nama topik.",
+    "reservation_delete_dialog_action_delete_title": "Hapus tembolok pesan dan lampiran",
+    "reservation_delete_dialog_action_delete_description": "Tembolok pesan dan lampiran akan dihapus secara permanen. Tindakan ini tidak dapat diurungkan.",
+    "reservation_delete_dialog_submit_button": "Hapus reservasi",
+    "prefs_reservations_table_everyone_read_only": "Saya dapat mengirim dan berlangganan, semuanya dapat berlangganan",
+    "prefs_reservations_dialog_title_edit": "Sunting reservasi topik",
+    "subscribe_dialog_subscribe_button_generate_topic_name": "Buat nama",
+    "account_basics_title": "Akun",
+    "account_basics_tier_admin_suffix_with_tier": "(dengan peringkat {{tier}})",
+    "account_basics_tier_free": "Gratis",
+    "account_tokens_dialog_expires_label": "Token akses kedaluwarsa dalam",
+    "account_basics_username_description": "Hei, itu Anda ❤",
+    "account_basics_password_dialog_new_password_label": "Kata sandi baru",
+    "account_basics_tier_admin": "Admin",
+    "account_basics_tier_upgrade_button": "Tingkatkan ke Pro",
+    "account_basics_tier_payment_overdue": "Pembayaran Anda telah jatuh tempo. Mohon perbarui metode pembayaran Anda, atau akun Anda akan segera diturunkan.",
+    "account_basics_tier_manage_billing_button": "Kelola pembayaran",
+    "account_tokens_dialog_title_delete": "Hapus token akses",
+    "account_usage_basis_ip_description": "Statistik dan batasan pengguna untuk akun ini berdasarkan alamat IP Anda, sehingga mereka mungkin terbagi dengan pengguna lain. Batasan yang ditampilkan di atas adalah perkiraan berdasarkan batas tarif yang sudah ada.",
+    "account_delete_dialog_description": "Ini akan menghapus akun Anda secara permanen, termasuk semua data yang telah disimpan di server ini. Setelah penghapusan, nama pengguna Anda akan tidak tersedia selama 7 hari. Jika Anda ingin melanjutkan, silakan mengonfirmasi dengan kata sandi Anda di kotak bawah.",
+    "account_upgrade_dialog_cancel_warning": "Ini akan <strong>membatalkan langganan Anda</strong>, dan menurunkan akun Anda pada tanggal {{date}}. Pada tanggal itu, reservasi topik maupun tembolok pesan di server <strong>akan dihapus</strong>.",
+    "prefs_reservations_table_everyone_write_only": "Saya dapat mengirim dan berlangganan, semuanya dapat mengirim",
+    "account_tokens_table_last_origin_tooltip": "Dari alamat IP {{ip}}, klik untuk melihat",
+    "account_tokens_dialog_label": "Label, mis. notifikasi Radarr",
+    "account_tokens_dialog_button_create": "Buat token",
+    "prefs_reservations_description": "Anda dapat mereservasi nama topik untuk penggunaan pribadi di sini. Mereservasikan sebuah topik memberikan Anda kemilikan pada topik, dan memungkinkan Anda untuk mendefinisikan perizinan akses untuk pengguna lain melalui topik.",
+    "account_upgrade_dialog_reservations_warning_one": "Peringkat yang dipilih memperbolehkan lebih sedikit reservasi topik daripada peringkat Anda saat ini. Sebelum mengubah peringkat Anda, <strong>silakan menghapus setidaknya satu reservasi</strong>. Anda dapat menghapus reservasi di <Link>Pengaturan</Link>.",
+    "account_tokens_dialog_button_cancel": "Batal",
+    "account_tokens_dialog_title_create": "Buat token akses",
+    "account_tokens_dialog_title_edit": "Sunting token akses",
+    "account_tokens_dialog_button_update": "Perbarui token",
+    "prefs_reservations_add_button": "Tambahkan reservasi topik",
+    "prefs_reservations_table": "Tabel topik yang telah direservasi",
+    "prefs_reservations_table_topic_header": "Topik",
+    "prefs_users_table_cannot_delete_or_edit": "Tidak dapat menghapus atau menyunting pengguna yang telah masuk",
+    "prefs_reservations_table_everyone_deny_all": "Hanya saya yang dapat mengirim dan berlangganan",
+    "prefs_reservations_table_everyone_read_write": "Semuanya dapat mengirim dan berlangganan",
+    "prefs_users_description_no_sync": "Pengguna dan kata sandi tidak disinkronkan ke akun Anda.",
+    "prefs_reservations_limit_reached": "Anda telah mencapai batasan reservasi topik.",
+    "prefs_reservations_edit_button": "Sunting akses topik",
+    "prefs_reservations_table_click_to_subscribe": "Klik untuk berlangganan",
+    "prefs_reservations_delete_button": "Atur ulang akses topik",
+    "prefs_reservations_table_access_header": "Akses",
+    "prefs_reservations_dialog_title_add": "Reservasi topik",
+    "prefs_reservations_dialog_title_delete": "Hapus reservasi topik",
+    "prefs_reservations_table_not_subscribed": "Tidak berlangganan",
+    "prefs_reservations_dialog_description": "Mereservasikan sebuah topik memberikan Anda kemilikan pada topik, dan memungkinkan Anda untuk mendefinisikan perizinan akses untuk pengguna lain melalui topik.",
+    "prefs_reservations_dialog_topic_label": "Topik",
+    "prefs_reservations_dialog_access_label": "Akses",
+    "reservation_delete_dialog_description": "Menghapus sebuah reservasi menghapus kemilikan pada topik, dan memperbolehkan orang-orang lain untuk mereservasinya.",
+    "account_upgrade_dialog_interval_yearly": "Setiap tahun",
+    "account_upgrade_dialog_tier_price_billed_yearly": "Ditagih {{price}} setiap tahun. Hemat {{save}}.",
+    "account_upgrade_dialog_interval_yearly_discount_save": "hemat {{discount}}%",
+    "account_upgrade_dialog_interval_monthly": "Setiap bulan",
+    "account_basics_tier_interval_monthly": "setiap bulan",
+    "account_basics_tier_interval_yearly": "setiap tahun",
+    "account_upgrade_dialog_interval_yearly_discount_save_up_to": "hemat sampai {{discount}}%",
+    "account_upgrade_dialog_tier_features_no_reservations": "Tidak ada topik yang direservasi",
+    "account_upgrade_dialog_tier_price_per_month": "bulan",
+    "account_upgrade_dialog_tier_price_billed_monthly": "{{price}} per bulan. Ditagih setiap bulan.",
+    "account_upgrade_dialog_billing_contact_email": "Untuk pertanyaan penagihan, silakan <Link>hubungi kami</Link> secara langsung.",
+    "account_upgrade_dialog_billing_contact_website": "Untuk pertanyaan penagihan, silakan menuju ke <Link>situs web</Link> kami."
 }
--- a/web/public/static/langs/ja.json
+++ b/web/public/static/langs/ja.json
@@ -187,5 +187,170 @@
    "prefs_notifications_sound_play": "選択されたサウンドを再生",
    "prefs_users_table": "ユーザー一覧",
    "prefs_users_delete_button": "ユーザーを削除",
-    "error_boundary_unsupported_indexeddb_title": "プライベートブラウジングはサポートされていません"
+    "error_boundary_unsupported_indexeddb_title": "プライベートブラウジングはサポートされていません",
+    "signup_form_username": "ユーザー名",
+    "signup_form_password": "パスワード",
+    "signup_form_confirm_password": "パスワードを確認",
+    "signup_already_have_account": "アカウントをお持ちならサインイン",
+    "signup_disabled": "サインアップは無効化されています",
+    "signup_error_creation_limit_reached": "アカウント作成制限に達しました",
+    "login_title": "あなたのntfyアカウントにサインイン",
+    "login_link_signup": "サインアップ",
+    "login_disabled": "ログインは無効化されています",
+    "action_bar_account": "アカウント",
+    "action_bar_change_display_name": "表示名を変更する",
+    "action_bar_reservation_add": "トピックを予約する",
+    "action_bar_reservation_edit": "予約を編集する",
+    "action_bar_reservation_limit_reached": "制限に達しました",
+    "action_bar_profile_title": "プロファイル",
+    "action_bar_profile_settings": "設定",
+    "action_bar_profile_logout": "ログアウト",
+    "action_bar_sign_in": "サインイン",
+    "action_bar_sign_up": "サインアップ",
+    "nav_button_account": "アカウント",
+    "nav_upgrade_banner_label": "ntfy Proにアップグレード",
+    "display_name_dialog_title": "表示名を変更",
+    "display_name_dialog_placeholder": "表示名",
+    "signup_form_button_submit": "サインアップ",
+    "signup_form_toggle_password_visibility": "パスワードを表示/非表示",
+    "signup_title": "ntfyアカウントを作成する",
+    "login_form_button_submit": "サインイン",
+    "alert_not_supported_context_description": "通知はHTTPSのみサポートされています。これは<mdnLink>Notifications API</mdnLink>の制限によるものです。",
+    "nav_upgrade_banner_description": "トピックを予約、より多くのメッセージとメール、より大きい添付ファイル",
+    "signup_error_username_taken": "ユーザー名 {{username}} は既に使用されています",
+    "action_bar_reservation_delete": "予約を削除する",
+    "display_name_dialog_description": "購読リストに表示されるトピックの別名を設定して、複雑な名前のトピックの識別を容易にします。",
+    "reserve_dialog_checkbox_label": "トピックを保存してアクセスを編集",
+    "subscribe_dialog_subscribe_button_generate_topic_name": "名前を生成",
+    "subscribe_dialog_error_topic_already_reserved": "このトピックは予約済みです",
+    "account_basics_title": "アカウント",
+    "account_basics_tier_description": "アカウントのパワーレベル",
+    "account_basics_tier_admin": "管理者",
+    "account_basics_tier_admin_suffix_with_tier": "（ティア {{tier}}）",
+    "account_basics_tier_free": "無料",
+    "account_usage_attachment_storage_description": "1ファイルあたり{{filesize}}、{{expiry}}を過ぎると削除",
+    "account_usage_basis_ip_description": "アカウントの使用量統計および制限はあなたのIPアドレスに基づいているため、他のユーザーと共有される可能性があります。上記制限は既存のレート制限に基づく概算値です。",
+    "account_usage_cannot_create_portal_session": "支払いポータルを開けませんでした",
+    "account_delete_title": "アカウントを削除",
+    "account_delete_description": "アカウントを永久的に削除",
+    "account_delete_dialog_description": "サーバーに保存されている全てのデータを含むあなたのアカウント情報を削除します。削除後、あなたのユーザー名は7日間利用できません。もし本当に先に進めたい場合、下の入力欄にパスワードを入力して確認して下さい。",
+    "account_delete_dialog_label": "パスワード",
+    "account_delete_dialog_button_cancel": "キャンセル",
+    "account_delete_dialog_button_submit": "永久的にアカウントを削除",
+    "account_delete_dialog_billing_warning": "アカウントを削除するとサブスクリプション支払いも即時キャンセルされます。支払いダッシュボードにもアクセスできなくなります。",
+    "account_upgrade_dialog_title": "アカウントティアを変更",
+    "account_upgrade_dialog_cancel_warning": "これにより<strong>サブスクリプションをキャンセルし</strong>{{date}}にアカウントをダウングレードします。同日、トピック予約およびサーバーにキャッシュされたメッセージは<strong>削除されます</strong>。",
+    "account_upgrade_dialog_proration_info": "<strong>追記</strong>。有料プランをアップグレードする場合、価格差は<strong>即座に請求されます</strong>。ダウングレードする場合、差額は次の請求期間の支払いに利用されます。",
+    "account_upgrade_dialog_tier_features_reservations": "予約のトピック{{reservations}}件",
+    "account_upgrade_dialog_tier_features_emails": "日次メール{{emails}}件",
+    "account_upgrade_dialog_tier_features_messages": "日次メッセージ{{messages}}件",
+    "account_upgrade_dialog_tier_selected_label": "選択",
+    "account_upgrade_dialog_tier_current_label": "現在",
+    "account_upgrade_dialog_button_cancel": "キャンセル",
+    "account_upgrade_dialog_button_redirect_signup": "サインアップ",
+    "account_upgrade_dialog_button_pay_now": "支払いしてサブスクライブする",
+    "account_upgrade_dialog_button_cancel_subscription": "サブスクリプションをキャンセル",
+    "account_upgrade_dialog_button_update_subscription": "サブスクリプションを更新",
+    "account_tokens_description": "ntfy APIで発行または購読する際にアクセストークンを使うことで、アカウント認証情報を送信する必要がなくなります。詳細は<Link>ドキュメント</Link>を確認して下さい。",
+    "account_tokens_table_token_header": "トークン",
+    "account_tokens_table_label_header": "ラベル",
+    "account_tokens_table_last_access_header": "最終アクセス",
+    "account_tokens_table_expires_header": "期限",
+    "account_tokens_table_never_expires": "無期限",
+    "account_tokens_table_current_session": "現在のブラウザセッション",
+    "account_tokens_table_copy_to_clipboard": "クリップボードにコピー",
+    "account_tokens_table_copied_to_clipboard": "アクセストークンをコピーしました",
+    "account_tokens_table_cannot_delete_or_edit": "現在のセッショントークンは編集または削除できません",
+    "account_tokens_table_create_token_button": "アクセストークンを生成",
+    "account_tokens_table_last_origin_tooltip": "IPアドレス {{ip}} から、クリックして参照",
+    "account_tokens_dialog_title_create": "アクセストークンを生成",
+    "account_tokens_dialog_title_edit": "アクセストークンを編集",
+    "account_tokens_dialog_title_delete": "アクセストークンを削除",
+    "account_tokens_dialog_label": "ラベル、例：Radarr通知",
+    "account_tokens_dialog_button_create": "トークンを生成",
+    "account_tokens_dialog_button_update": "トークンを更新",
+    "account_tokens_dialog_button_cancel": "キャンセル",
+    "account_tokens_dialog_expires_label": "アクセストークン有効期限",
+    "account_tokens_dialog_expires_unchanged": "有効期限を変更しない",
+    "account_tokens_dialog_expires_x_hours": "トークンは {{hours}} 時間後に失効します",
+    "account_tokens_dialog_expires_x_days": "トークンは {{days}} 日後に失効します",
+    "account_tokens_dialog_expires_never": "トークン失効なし",
+    "account_tokens_delete_dialog_title": "アクセストークンを削除",
+    "account_tokens_delete_dialog_submit_button": "トークンを永久削除",
+    "prefs_users_description_no_sync": "ユーザー名とパスワードはアカウントと同期されません。",
+    "prefs_users_table_cannot_delete_or_edit": "ログインしているユーザーは削除または編集できません",
+    "prefs_reservations_title": "予約されたトピック",
+    "prefs_reservations_description": "ここでトピック名を個人利用の為に予約する事ができます。トピックを予約する事でそのトピックの所有権が付与され、他のユーザーにアクセス権を付与する事ができるようになります。",
+    "prefs_reservations_add_button": "予約トピックを追加する",
+    "prefs_reservations_edit_button": "トピックへのアクセスを編集する",
+    "prefs_reservations_delete_button": "トピックへのアクセスをリセットする",
+    "prefs_reservations_table": "予約トピックの一覧",
+    "prefs_reservations_table_topic_header": "トピック",
+    "prefs_reservations_table_everyone_deny_all": "自分のみ発行と購読が可能",
+    "prefs_reservations_table_everyone_read_only": "自分は発行と購読が可能、誰でも購読可能",
+    "prefs_reservations_table_everyone_write_only": "自分は発行と購読可能、誰でも発行可能",
+    "prefs_reservations_table_everyone_read_write": "誰でも発行と購読が可能",
+    "prefs_reservations_table_not_subscribed": "購読されていません",
+    "prefs_reservations_table_click_to_subscribe": "クリックして購読",
+    "prefs_reservations_dialog_title_edit": "予約トピックを編集",
+    "prefs_reservations_dialog_title_delete": "トピック予約を削除",
+    "prefs_reservations_dialog_topic_label": "トピック",
+    "prefs_reservations_dialog_access_label": "アクセス",
+    "reservation_delete_dialog_action_keep_title": "キャッシュされたメッセージと添付ファイルを保持する",
+    "reservation_delete_dialog_action_keep_description": "サーバーにキャッシュされたメッセージと添付ファイルは公開されてトピック名を知っている人が閲覧できるようになります。",
+    "reservation_delete_dialog_action_delete_title": "キャッシュされたメッセージと添付ファイルを削除する",
+    "reservation_delete_dialog_action_delete_description": "キャッシュされたメッセージと添付ファイルは永久的に削除されます。この操作は元に戻せません。",
+    "account_basics_username_admin_tooltip": "あなたは管理者です",
+    "account_basics_password_title": "パスワード",
+    "account_basics_password_dialog_current_password_label": "現在のパスワード",
+    "account_usage_limits_reset_daily": "使用量制限は世界協定時 (UTC) の深夜に毎日リセットされます",
+    "account_basics_tier_basic": "ベーシック",
+    "account_basics_tier_paid_until": "サブスクリプションは{{date}}まで有効で、自動更新されます",
+    "account_basics_username_title": "ユーザー名",
+    "account_basics_username_description": "あなたのお名前です ❤",
+    "account_basics_password_description": "アカウントパスワードを変更",
+    "account_basics_password_dialog_title": "パスワード変更",
+    "account_basics_password_dialog_confirm_password_label": "パスワードを確認",
+    "account_basics_password_dialog_current_password_incorrect": "パスワードが異なります",
+    "account_usage_of_limit": "： {{limit}}",
+    "account_usage_unlimited": "無制限",
+    "account_basics_tier_upgrade_button": "プロにアップグレード",
+    "account_basics_tier_manage_billing_button": "支払い方法を管理",
+    "account_basics_password_dialog_new_password_label": "新しいパスワード",
+    "account_basics_password_dialog_button_submit": "パスワードを変更",
+    "account_usage_title": "使用量",
+    "account_basics_tier_title": "アカウントタイプ",
+    "account_basics_tier_admin_suffix_no_tier": "（ティアなし）",
+    "account_basics_tier_change_button": "変更",
+    "account_basics_tier_payment_overdue": "支払期限を過ぎています。支払い方法を更新しないと、近日中にアカウントはダウングレードされます。",
+    "account_basics_tier_canceled_subscription": "あなたのサブスクリプションはキャンセルされ{{date}}に無料アカウントにダウングレードされます。",
+    "account_usage_messages_title": "発行されたメッセージ",
+    "account_usage_reservations_none": "このアカウントで予約されたトピックはありません",
+    "account_usage_attachment_storage_title": "添付ストレージ",
+    "account_usage_emails_title": "送信済みメール",
+    "account_upgrade_dialog_reservations_warning_one": "選択されたティアは、現在のティアよりも少ない予約トピックを利用できます。ティアを変更する前に、<strong>少なくとも1つの予約を削除してください</strong>。予約の削除は、<Link>設定</Link>で行うことができます。",
+    "account_usage_reservations_title": "予約されたトピック",
+    "account_upgrade_dialog_reservations_warning_other": "選択されたティアは、現在のティアよりも少ない予約トピックを利用できます。ティアを変更する前に、<strong>少なくとも{{count}}個の予約を削除してください</strong>。予約の削除は、<Link>設定</Link>で行うことができます。",
+    "account_tokens_delete_dialog_description": "アクセストークンを削除する前に、アプリやスクリプトが利用中でないか確認して下さい。<strong>この操作は元に戻せません</strong>。",
+    "account_upgrade_dialog_tier_features_attachment_file_size": "1ファイルあたり{{filesize}}",
+    "account_upgrade_dialog_tier_features_attachment_total_size": "総ストレージ{{totalsize}}",
+    "account_tokens_title": "アクセストークン",
+    "prefs_reservations_limit_reached": "予約トピック数の上限に達しました。",
+    "prefs_reservations_table_access_header": "アクセス",
+    "prefs_reservations_dialog_title_add": "トピックを予約",
+    "prefs_reservations_dialog_description": "トピックを予約する事でそのトピックの所有権が付与され、他のユーザーにアクセス権を付与する事ができるようになります。",
+    "reservation_delete_dialog_description": "予約を削除するとトピックの所有権を失い、他の人が予約できるようになります。既存のメッセージや添付ファイルは保持または削除することができます。",
+    "reservation_delete_dialog_submit_button": "予約を削除",
+    "account_basics_tier_interval_monthly": "毎月",
+    "account_upgrade_dialog_interval_monthly": "毎月",
+    "account_upgrade_dialog_interval_yearly": "毎年",
+    "account_upgrade_dialog_interval_yearly_discount_save_up_to": "最大{{discount}}%節約",
+    "account_upgrade_dialog_tier_features_no_reservations": "予約トピックなし",
+    "account_upgrade_dialog_billing_contact_email": "支払いについての問い合わせは、直接<Link>お問い合わせください</Link>。",
+    "account_upgrade_dialog_interval_yearly_discount_save": "{{discount}}%節約",
+    "account_basics_tier_interval_yearly": "毎年",
+    "account_upgrade_dialog_tier_price_per_month": "月",
+    "account_upgrade_dialog_tier_price_billed_monthly": "年間{{price}}。月毎の支払い。",
+    "account_upgrade_dialog_tier_price_billed_yearly": "年間{{price}}の支払い。{{save}}節約。",
+    "account_upgrade_dialog_billing_contact_website": "支払いに関する質問は、<Link>ウェブサイト</Link>を参照して下さい。"
 }
--- a/web/public/static/langs/nb_NO.json
+++ b/web/public/static/langs/nb_NO.json
@@ -187,5 +187,8 @@
    "subscribe_dialog_subscribe_base_url_label": "Tjeneste-URL",
    "prefs_users_table": "Brukertabell",
    "prefs_users_edit_button": "Rediger bruker",
-    "error_boundary_unsupported_indexeddb_title": "Privat surfing støttes ikke"
+    "error_boundary_unsupported_indexeddb_title": "Privat surfing støttes ikke",
+    "action_bar_account": "Konto",
+    "action_bar_profile_settings": "Innstillinger",
+    "nav_button_account": "Konto"
 }
--- a/web/public/static/langs/nl.json
+++ b/web/public/static/langs/nl.json
@@ -1,6 +1,6 @@
 {
    "action_bar_settings": "Instellingen",
-    "action_bar_send_test_notification": "Verstuur  testnotificatie.",
+    "action_bar_send_test_notification": "Verstuur testnotificatie",
    "action_bar_clear_notifications": "Wis alle notificaties",
    "message_bar_type_message": "Typ hier een bericht",
    "action_bar_unsubscribe": "Afmelden",
@@ -187,5 +187,66 @@
    "priority_default": "standaard",
    "priority_high": "hoog",
    "priority_max": "max",
-    "error_boundary_unsupported_indexeddb_title": "Privé / incognito browservensters worden niet ondersteund"
+    "error_boundary_unsupported_indexeddb_title": "Privé / incognito browservensters worden niet ondersteund",
+    "signup_form_username": "Gebruikersnaam",
+    "signup_form_toggle_password_visibility": "Wachtwoord zichtbaar maken",
+    "signup_already_have_account": "Heb je al een account? Log in!",
+    "signup_form_button_submit": "Registreer",
+    "signup_disabled": "Registreren is uitgeschakeld",
+    "signup_error_username_taken": "Gebruikersnaam {{username}} is al bezet",
+    "signup_error_creation_limit_reached": "Limiet voor aanmaken account bereikt",
+    "login_title": "Aanmelden bij uw ntfy account",
+    "login_form_button_submit": "Inloggen",
+    "login_link_signup": "Registreer",
+    "login_disabled": "Inloggen is uitgeschakeld",
+    "action_bar_account": "Account",
+    "action_bar_reservation_add": "Onderwerp reserveren",
+    "action_bar_reservation_edit": "Reservatie wijzigen",
+    "action_bar_reservation_delete": "Verwijder reservatie",
+    "action_bar_reservation_limit_reached": "Limiet bereikt",
+    "action_bar_profile_title": "Profiel",
+    "nav_upgrade_banner_label": "Upgrade naar ntfy Pro",
+    "nav_upgrade_banner_description": "Onderwerpen reserveren, meer berichten & e-mails, en grotere bijlagen",
+    "alert_not_supported_context_description": "Notificaties worden alleen ondersteund via HTTPS. Dit is een beperking van de <mdnLink>Notificaties API</mdnLink>.",
+    "display_name_dialog_placeholder": "Weergavenaam",
+    "reserve_dialog_checkbox_label": "Onderwerp reserveren en toegang configureren",
+    "account_basics_title": "Account",
+    "account_basics_username_title": "Gebruikersnaam",
+    "account_basics_username_description": "Hé, dat ben jij ❤",
+    "account_basics_username_admin_tooltip": "Je bent beheerder",
+    "account_basics_password_title": "Wachtwoord",
+    "account_basics_password_description": "Wijzig het wachtwoord van je account",
+    "account_basics_password_dialog_current_password_label": "Huidig wachtwoord",
+    "account_basics_password_dialog_new_password_label": "Nieuw wachtwoord",
+    "account_basics_password_dialog_confirm_password_label": "Bevestig wachtwoord",
+    "account_basics_password_dialog_button_submit": "Wijzig wachtwoord",
+    "account_basics_password_dialog_current_password_incorrect": "Wachtwoord onjuist",
+    "account_usage_title": "Gebruik",
+    "account_usage_of_limit": "van {{limit}}",
+    "account_usage_unlimited": "Onbeperkt",
+    "account_basics_tier_title": "Account type",
+    "account_basics_tier_admin": "Beheerder",
+    "account_basics_tier_admin_suffix_with_tier": "",
+    "account_basics_tier_basic": "Basis",
+    "account_basics_tier_free": "Gratis",
+    "account_basics_tier_change_button": "Wijzig",
+    "account_basics_tier_paid_until": "Abonnement betaald tot {{date}}, en wordt automatisch verlengd",
+    "account_basics_tier_payment_overdue": "Je betaling is te laat. Update je betalingsmethode, anders wordt je account binnenkort gedowngraded.",
+    "account_basics_tier_canceled_subscription": "Je abonnement is opgezegd en wordt op {{date}} gedowngraded naar een gratis account.",
+    "signup_form_password": "Wachtwoord",
+    "signup_title": "Een ntfy account aanmaken",
+    "signup_form_confirm_password": "Bevestig wachtwoord",
+    "action_bar_change_display_name": "Weergavenaam wijzigen",
+    "action_bar_profile_logout": "Uitloggen",
+    "action_bar_profile_settings": "Instellingen",
+    "action_bar_sign_up": "Registreer",
+    "nav_button_account": "Account",
+    "action_bar_sign_in": "Inloggen",
+    "display_name_dialog_title": "Weergavenaam wijzigen",
+    "display_name_dialog_description": "Stel een alternatieve naam in voor een onderwerp dat wordt weergeven in de abonnementenlijst. Dit helpt onderwerpen met gecompliceerde namen gemakkelijker te identificeren.",
+    "subscribe_dialog_subscribe_button_generate_topic_name": "Naam genereren",
+    "subscribe_dialog_error_topic_already_reserved": "Onderwerp al gereserveerd",
+    "account_basics_password_dialog_title": "Wijzig wachtwoord",
+    "account_usage_limits_reset_daily": "Gebruikslimieten worden dagelijks om middernacht (UTC) gereset",
+    "account_basics_tier_upgrade_button": "Upgrade naar Pro"
 }
--- a/web/public/static/langs/pl.json
+++ b/web/public/static/langs/pl.json
@@ -187,5 +187,126 @@
    "prefs_notifications_delete_after_never": "Nigdy",
    "prefs_users_dialog_title_edit": "Edytuj użytkownika",
    "priority_min": "minimum",
-    "error_boundary_unsupported_indexeddb_description": "Aplikacja ntfy potrzebuje IndexedDB, aby działać poprawnie, a Twoja przeglądarka nie obsługuje IndexedDB w prywatnych zakładkach.<br/><br/>To denerwujące, ale używanie ntfy w prywatnej zakładce nie ma sensu, ponieważ wszystkie dane są przechowywane w przeglądarce. Więcej informacji można uzyskać <githubLink>w tym wydaniu GitHub</githubLink>, lub na czacie w <discordLink>Discord</discordLink> lub <matrixLink>Matrix</matrixLink>."
+    "error_boundary_unsupported_indexeddb_description": "Aplikacja ntfy potrzebuje IndexedDB, aby działać poprawnie, a Twoja przeglądarka nie obsługuje IndexedDB w prywatnych zakładkach.<br/><br/>To denerwujące, ale używanie ntfy w prywatnej zakładce nie ma sensu, ponieważ wszystkie dane są przechowywane w przeglądarce. Więcej informacji można uzyskać <githubLink>w tym wydaniu GitHub</githubLink>, lub na czacie w <discordLink>Discord</discordLink> lub <matrixLink>Matrix</matrixLink>.",
+    "signup_form_password": "Hasło",
+    "signup_title": "Załóż konto ntfy",
+    "signup_error_creation_limit_reached": "Przekroczono limit zakładania kont",
+    "action_bar_reservation_limit_reached": "Limit wyczerpany",
+    "display_name_dialog_title": "Zmień wyświetlaną nazwę",
+    "display_name_dialog_description": "Ustaw alternatywną nazwę dla tematu wyświetlanego na liście subskrybcji. To ułatwia identyfikację tematów o skomplikowanych nazwach.",
+    "account_basics_title": "Konto",
+    "account_basics_password_dialog_title": "Zmień hasło",
+    "signup_form_username": "Nawa użytkownika",
+    "signup_form_confirm_password": "Powtórz hasło",
+    "signup_form_button_submit": "Załóż konto",
+    "signup_form_toggle_password_visibility": "Pokaż lub ukryj hasło",
+    "signup_already_have_account": "Masz już konto? Zaloguj się!",
+    "signup_disabled": "Zakładanie kont jest wyłączone",
+    "signup_error_username_taken": "Nazwa użytkownika {{username}} jest już zajęta",
+    "login_title": "Zaloguj się do swojego konta ntfy",
+    "login_form_button_submit": "Zaloguj się",
+    "login_link_signup": "Załóż konto",
+    "login_disabled": "Logowanie jet wyłączone",
+    "action_bar_account": "Konto",
+    "action_bar_change_display_name": "Zmień wyświetlaną nazwę",
+    "action_bar_reservation_add": "Zarezerwuj temat",
+    "action_bar_reservation_edit": "Zmień rezerwację",
+    "action_bar_reservation_delete": "Usuń rezerwację",
+    "action_bar_profile_title": "Profil",
+    "action_bar_profile_settings": "Ustawienia",
+    "action_bar_profile_logout": "Wyloguj",
+    "action_bar_sign_in": "Zaloguj",
+    "action_bar_sign_up": "Załóż konto",
+    "nav_button_account": "Konto",
+    "display_name_dialog_placeholder": "Nazwa wyświetlana",
+    "reserve_dialog_checkbox_label": "Zarezerwuj temat i skonfiguruj dostęp",
+    "subscribe_dialog_subscribe_button_generate_topic_name": "Wygeneruj nazwę",
+    "subscribe_dialog_error_topic_already_reserved": "Temat już jest zarezerwowany",
+    "account_basics_username_title": "Nazwa użytkownika",
+    "account_basics_username_description": "Hej, to Ty ❤",
+    "account_basics_username_admin_tooltip": "Jesteś Administratorem",
+    "account_basics_password_title": "Hasło",
+    "account_basics_password_description": "Zmień hasło do konta",
+    "account_basics_password_dialog_current_password_label": "Aktualne hasło",
+    "account_basics_password_dialog_new_password_label": "Nowe hasło",
+    "account_basics_password_dialog_confirm_password_label": "Powtórz hasło",
+    "account_basics_password_dialog_button_submit": "Zmień hasło",
+    "account_basics_password_dialog_current_password_incorrect": "Błędne hasło",
+    "account_usage_title": "Użycie",
+    "account_usage_of_limit": "z {{limit}}",
+    "account_usage_unlimited": "Bez limitu",
+    "account_usage_limits_reset_daily": "Limity są resetowane codziennie o północy (UTC)",
+    "account_delete_dialog_button_submit": "Nieodwracalnie usuń konto",
+    "account_upgrade_dialog_tier_features_no_reservations": "Brak rezerwacji tematów",
+    "account_upgrade_dialog_tier_features_attachment_file_size": "{{filesize}} na plik",
+    "account_upgrade_dialog_tier_features_attachment_total_size": "{{totalsize}} pamięci łącznie",
+    "account_upgrade_dialog_tier_price_per_month": "miesiąc",
+    "account_upgrade_dialog_tier_price_billed_monthly": "{{price}} na rok. Płatne miesięcznie.",
+    "account_upgrade_dialog_billing_contact_email": "W razie pytań dotyczących rozliczeń <Link>skontaktuj się z nami</Link> bezpośrednio.",
+    "account_upgrade_dialog_billing_contact_website": "W razie pytań dotyczących rozliczeń sprawdź naszą <Link>stronę</Link>.",
+    "account_upgrade_dialog_button_cancel_subscription": "Anuluj subskrypcję",
+    "account_upgrade_dialog_button_update_subscription": "Zmień subskrypcję",
+    "account_tokens_title": "Tokeny dostępowe",
+    "account_tokens_table_token_header": "Token",
+    "account_tokens_table_label_header": "Etykieta",
+    "account_tokens_table_last_access_header": "Ostatnie użycie",
+    "account_tokens_table_expires_header": "Termin ważności",
+    "account_tokens_table_never_expires": "Bezterminowy",
+    "account_tokens_table_current_session": "Aktualna sesja przeglądarki",
+    "account_tokens_table_copy_to_clipboard": "Kopiuj do schowka",
+    "account_tokens_table_copied_to_clipboard": "Token został skopiowany",
+    "account_tokens_table_cannot_delete_or_edit": "Nie można edytować ani usunąć tokenu aktualnej sesji",
+    "account_tokens_table_create_token_button": "Utwórz token dostępowy",
+    "account_tokens_dialog_label": "Etykieta, np. Powiadomienia Radarr",
+    "account_tokens_dialog_button_update": "Zmień token",
+    "account_basics_tier_interval_monthly": "miesięcznie",
+    "account_basics_tier_interval_yearly": "rocznie",
+    "account_upgrade_dialog_interval_monthly": "Miesięcznie",
+    "account_upgrade_dialog_title": "Zmień plan konta",
+    "account_delete_dialog_description": "Konto, wraz ze wszystkimi związanymi z nim danymi przechowywanymi na serwerze, będzie nieodwracalnie usunięte. Po usunięciu Twoja nazwa użytkownika będzie niedostępna jeszcze przez 7 dni. Jeśli chcesz kontynuować, potwierdź wpisując swoje hasło w polu poniżej.",
+    "account_delete_dialog_billing_warning": "Usunięcie konta powoduje natychmiastowe anulowanie subskrypcji. Nie będziesz już mieć dostępu do strony z rachunkami.",
+    "account_upgrade_dialog_interval_yearly": "Rocznie",
+    "account_upgrade_dialog_interval_yearly_discount_save": "taniej o {{discount}}%",
+    "account_upgrade_dialog_interval_yearly_discount_save_up_to": "nawet {{discount}}% taniej",
+    "account_upgrade_dialog_button_cancel": "Anuluj",
+    "account_tokens_description": "Używaj tokenów do publikowania wiadomości i subskrybowania tematów przez API ntfy, żeby uniknąć konieczności podawania danych do logowania. Szczegóły znajdziesz w <Link>dokumentacji</Link>.",
+    "account_tokens_dialog_title_create": "Utwórz token dostępowy",
+    "account_tokens_table_last_origin_tooltip": "Z adresu IP {{ip}}, kliknij żeby sprawdzić",
+    "account_upgrade_dialog_tier_price_billed_yearly": "{{price}} płatne jednorazowo. Oszczędzasz {{save}}.",
+    "account_tokens_dialog_title_edit": "Edytuj token dostępowy",
+    "account_tokens_dialog_title_delete": "Usuń token dostępowy",
+    "account_tokens_dialog_button_create": "Utwórz token",
+    "nav_upgrade_banner_label": "Przejdź na ntfy Pro",
+    "nav_upgrade_banner_description": "Rezerwuj tematy, więcej powiadomień i maili oraz większe załączniki",
+    "alert_not_supported_context_description": "Powiadomienia działają tylko przez HTTPS. To jest ograniczenie <mdnLink>Notifications API</mdnLink>.",
+    "account_basics_tier_canceled_subscription": "Twoja subskrypcja została anulowana i konto zostanie ograniczone do wersji darmowej w dniu {{date}}.",
+    "account_basics_tier_manage_billing_button": "Zarządzaj rachunkami",
+    "account_usage_messages_title": "Wysłane wiadomości",
+    "account_usage_emails_title": "Wysłane maile",
+    "account_basics_tier_title": "Rodzaj konta",
+    "account_basics_tier_description": "Mocarność Twojego konta",
+    "account_basics_tier_admin": "Administrator",
+    "account_basics_tier_admin_suffix_with_tier": "(plan {{tier}})",
+    "account_basics_tier_admin_suffix_no_tier": "(brak planu)",
+    "account_basics_tier_basic": "Podstawowe",
+    "account_basics_tier_free": "Darmowe",
+    "account_basics_tier_upgrade_button": "Przejdź na Pro",
+    "account_basics_tier_change_button": "Zmień",
+    "account_basics_tier_paid_until": "Subskrypcja opłacona do {{date}} i będzie odnowiona automatycznie",
+    "account_basics_tier_payment_overdue": "Minął termin płatności. Zaktualizuj metodę płatności, w przeciwnym razie Twoje konto wkrótce zostanie ograniczone.",
+    "account_usage_reservations_title": "Zarezerwowane tematy",
+    "account_usage_reservations_none": "Brak zarezerwowanych tematów na tym koncie",
+    "account_usage_attachment_storage_title": "Miejsce na załączniki",
+    "account_usage_attachment_storage_description": "{{filesize}} na każdy plik, przechowywane przez {{expiry}}",
+    "account_usage_basis_ip_description": "Statystyki i limity dla tego konta bazują na Twoim adresie IP, więc mogą być współdzielone z innymi użytkownikami. Limity pokazane powyżej to wartości przybliżone bazujące na rzeczywistych limitach.",
+    "account_usage_cannot_create_portal_session": "Nie można otworzyć portalu z rachunkami",
+    "account_delete_title": "Usuń konto",
+    "account_delete_description": "Usuń swoje konto nieodwracalnie",
+    "account_delete_dialog_label": "Hasło",
+    "account_delete_dialog_button_cancel": "Anuluj",
+    "account_upgrade_dialog_button_redirect_signup": "Załóż konto",
+    "account_upgrade_dialog_button_pay_now": "Zapłać i aktywuj subskrypcję",
+    "account_tokens_dialog_button_cancel": "Anuluj",
+    "account_tokens_dialog_expires_label": "Token dostępowy wygasa po",
+    "account_tokens_dialog_expires_unchanged": "Pozostaw termin ważności bez zmian"
 }
--- a/web/public/static/langs/pt.json
+++ b/web/public/static/langs/pt.json
@@ -187,5 +187,32 @@
    "priority_high": "alta",
    "priority_max": "máxima",
    "error_boundary_title": "Oh não, o ntfy parou de funcionar",
-    "error_boundary_button_copy_stack_trace": "Copiar erro (\"stack trace\")"
+    "error_boundary_button_copy_stack_trace": "Copiar erro (\"stack trace\")",
+    "signup_title": "Criar uma conta ntfy",
+    "signup_form_username": "Nome de utilizador",
+    "signup_form_confirm_password": "Confirmar palavra-passe",
+    "signup_form_button_submit": "Registar",
+    "signup_form_toggle_password_visibility": "Alternar visibilidade da palavra-passe",
+    "signup_already_have_account": "Já tem uma conta? Inicie sessão!",
+    "signup_disabled": "Novos registos desativados",
+    "signup_error_username_taken": "O nome \"{{username}}\" já está em uso",
+    "signup_error_creation_limit_reached": "Limite de criação de contas atingido",
+    "login_title": "Inicie sessão na sua conta ntfy",
+    "login_form_button_submit": "Iniciar sessão",
+    "login_disabled": "Início de sessão desativado",
+    "action_bar_account": "Conta",
+    "action_bar_change_display_name": "Alterar nome de exibição",
+    "action_bar_reservation_delete": "Remover reserva",
+    "action_bar_reservation_limit_reached": "Limite alcançado",
+    "action_bar_profile_title": "Perfil",
+    "action_bar_profile_settings": "Configurações",
+    "action_bar_profile_logout": "Terminar sessão",
+    "action_bar_sign_in": "Iniciar sessão",
+    "nav_upgrade_banner_description": "Reserve tópicos, envie mais mensagens, emails e anexos maiores",
+    "signup_form_password": "Palavra-passe",
+    "action_bar_reservation_edit": "Alterar reserva",
+    "login_link_signup": "Registar",
+    "action_bar_reservation_add": "Reservar tópico",
+    "action_bar_sign_up": "Registar",
+    "nav_button_account": "Conta"
 }
--- a/Show More
+++ b/Show More