diff --git a/net/server/internal/api_account.go b/net/server/internal/api_account.go
index a5d1c76a..853301a8 100644
--- a/net/server/internal/api_account.go
+++ b/net/server/internal/api_account.go
@@ -13,11 +13,6 @@ import (
 "net/http"
 )
 
-func AddAccountAuthentication(w http.ResponseWriter, r *http.Request) {
- w.Header().Set("Content-Type", "application/json; charset=UTF-8")
- w.WriteHeader(http.StatusOK)
-}
-
 func GetAccountApps(w http.ResponseWriter, r *http.Request) {
 w.Header().Set("Content-Type", "application/json; charset=UTF-8")
 w.WriteHeader(http.StatusOK)
@@ -58,11 +53,6 @@ func RemoveAccountApp(w http.ResponseWriter, r *http.Request) {
 w.WriteHeader(http.StatusOK)
 }
 
-func SetAccountAuthentication(w http.ResponseWriter, r *http.Request) {
- w.Header().Set("Content-Type", "application/json; charset=UTF-8")
- w.WriteHeader(http.StatusOK)
-}
-
 func SetAccountExport(w http.ResponseWriter, r *http.Request) {
 w.Header().Set("Content-Type", "application/json; charset=UTF-8")
 w.WriteHeader(http.StatusOK)
diff --git a/net/server/internal/api_addAccount.go b/net/server/internal/api_addAccount.go
index 5701ae59..d6a31f81 100644
--- a/net/server/internal/api_addAccount.go
+++ b/net/server/internal/api_addAccount.go
@@ -12,7 +12,7 @@ import (
 
 func AddAccount(w http.ResponseWriter, r *http.Request) {
 token, res := BearerAccountToken(r);
- if res != nil || token.TokenType != "create" {
+ if res != nil || token.TokenType != APP_ACCOUNTCREATE {
 ErrResponse(w, http.StatusUnauthorized, res)
 return
 }
diff --git a/net/server/internal/api_addAccountApp.go b/net/server/internal/api_addAccountApp.go
index f0bc37d1..8ace1fa6 100644
--- a/net/server/internal/api_addAccountApp.go
+++ b/net/server/internal/api_addAccountApp.go
@@ -25,15 +25,15 @@ func AddAccountApp(w http.ResponseWriter, r *http.Request) {
 
 accountToken := store.AccountToken{
 AccountID: id,
- TokenType: "attach",
+ TokenType: APP_ACCOUNTATTACH,
 Token: token,
 Expires: time.Now().Unix() + APP_ATTACHEXPIRE,
- };
+ }
 if err := store.DB.Create(&accountToken).Error; err != nil {
 ErrResponse(w, http.StatusInternalServerError, err)
 return
 }
 
- WriteResponse(w, token);
+ WriteResponse(w, token)
 }
 
diff --git a/net/server/internal/api_addAccountAuthentication.go b/net/server/internal/api_addAccountAuthentication.go
new file mode 100644
index 00000000..2fedaf8d
--- /dev/null
+++ b/net/server/internal/api_addAccountAuthentication.go
@@ -0,0 +1,41 @@
+package databag
+
+import (
+ "net/http"
+ "time"
+ "encoding/hex"
+ "databag/internal/store"
+ "github.com/theckman/go-securerandom"
+)
+
+func AddAccountAuthentication(w http.ResponseWriter, r *http.Request) {
+
+ id, err := AccountLogin(r)
+ if err != nil {
+ ErrResponse(w, http.StatusUnauthorized, err)
+ return
+ }
+
+ data, res := securerandom.Bytes(4)
+ if res != nil {
+ ErrResponse(w, http.StatusInternalServerError, res)
+ return
+ }
+ token := hex.EncodeToString(data)
+
+ accountToken := store.AccountToken{
+ AccountID: id,
+ TokenType: APP_ACCOUNTRESET,
+ Token: token,
+ Expires: time.Now().Unix() + APP_RESETEXPIRE,
+ }
+ if err := store.DB.Create(&accountToken).Error; err != nil {
+ ErrResponse(w, http.StatusInternalServerError, err)
+ return
+ }
+
+ WriteResponse(w, token)
+}
+
+
+
diff --git a/net/server/internal/api_setAccountApp.go b/net/server/internal/api_setAccountApp.go
index 22417998..6e3be705 100644
--- a/net/server/internal/api_setAccountApp.go
+++ b/net/server/internal/api_setAccountApp.go
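Review bot: `securerandom.Bytes(4)` gives the reset token only 32 bits (8 hex characters), yet APP_RESETEXPIRE keeps it valid for 86400 s, and a reset token is a bearer credential that SetAccountAuthentication accepts for whichever account it belongs to, so while any reset token is outstanding an online enumeration of the 2^32 space takes over that account unless something outside this hunk rate-limits the endpoint. SetAccountApp sizes its token with APP_TOKENSIZE; unless the short form is needed so a user can type it by hand, use the same here: `data, res := securerandom.Bytes(APP_TOKENSIZE)`. Each call also inserts a new row without retiring earlier APP_ACCOUNTRESET rows for the same account, so several tokens can be live at once; deleting the existing ones for `id` before the Create keeps a single valid token per account. Because `Token` is a unique index, a collision in a 32-bit space surfaces as a 500 from Create rather than a retry.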
@@ -11,25 +11,22 @@ import (
 
 func SetAccountApp(w http.ResponseWriter, r *http.Request) {
 token, res := BearerAccountToken(r);
- if res != nil || token.TokenType != "attach" {
- LogMsg("invalid bearer token")
- w.WriteHeader(http.StatusUnauthorized)
+ if res != nil || token.TokenType != APP_ACCOUNTATTACH {
+ ErrResponse(w, http.StatusUnauthorized, res)
 return
 }
 
 // parse app data
 var appData AppData
- if ParseRequest(r, w, &appData) != nil {
- LogMsg("invalid request data")
- w.WriteHeader(http.StatusBadRequest)
+ if res = ParseRequest(r, w, &appData); res != nil {
+ ErrResponse(w, http.StatusBadRequest, res)
 return
 }
 
 // gernate app token
 data, err := securerandom.Bytes(APP_TOKENSIZE)
 if err != nil {
- LogMsg("failed to generate token")
- w.WriteHeader(http.StatusInternalServerError);
+ ErrResponse(w, http.StatusInternalServerError, err)
 return
 }
 access := hex.EncodeToString(data)
@@ -55,8 +52,7 @@ func SetAccountApp(w http.ResponseWriter, r *http.Request) {
 return nil;
 });
 if err != nil {
- LogMsg("failed to save app")
- w.WriteHeader(http.StatusInternalServerError)
+ ErrResponse(w, http.StatusInternalServerError, err)
 return
 }
 
diff --git a/net/server/internal/api_setAccountAuthentication.go b/net/server/internal/api_setAccountAuthentication.go
new file mode 100644
index 00000000..e0a89226
--- /dev/null
+++ b/net/server/internal/api_setAccountAuthentication.go
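Review bot: In the first `if`, a token that parses but is not APP_ACCOUNTATTACH reaches `ErrResponse(w, http.StatusUnauthorized, res)` with `res == nil`, so the reason the removed `LogMsg("invalid bearer token")` recorded is no longer captured anywhere; how ErrResponse treats a nil error is not visible here. Supplying an error keeps the rejection diagnosable, e.g. `if res == nil && token.TokenType != APP_ACCOUNTATTACH { res = errors.New("invalid token type") }` ahead of the existing check, with `errors` added to the import block that sits above this hunk. AddAccount and SetAccountAuthentication in this same commit have the same shape and would take the same fix. SetAccountApp's body continues past the end of the hunk.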
@@ -0,0 +1,37 @@
+package databag
+
+import (
+ "errors"
+ "net/http"
+ "databag/internal/store"
+)
+
+func SetAccountAuthentication(w http.ResponseWriter, r *http.Request) {
+
+ token, res := BearerAccountToken(r)
+ if res != nil || token.TokenType != APP_ACCOUNTRESET {
+ ErrResponse(w, http.StatusUnauthorized, res)
+ return
+ }
+ if token.Account == nil {
+ ErrResponse(w, http.StatusUnauthorized, errors.New("invalid reset token"))
+ return
+ }
+
+ username, password, ret := BasicCredentials(r)
+ if ret != nil {
+ ErrResponse(w, http.StatusUnauthorized, ret)
+ return
+ }
+
+ token.Account.Username = username;
+ token.Account.Password = password;
+ if err := store.DB.Save(token.Account).Error; err != nil {
+ ErrResponse(w, http.StatusInternalServerError, err)
+ return
+ }
+
+ WriteResponse(w, nil)
+}
+
+
diff --git a/net/server/internal/appValues.go b/net/server/internal/appValues.go
index 5933cc66..5b8c6c5b 100644
--- a/net/server/internal/appValues.go
+++ b/net/server/internal/appValues.go
@@ -5,6 +5,7 @@ const APP_BODYLIMIT = 1048576
 const APP_VERSION = "0.0.1"
 const APP_ATTACHEXPIRE = 300
 const APP_CREATEEXPIRE = 86400
+const APP_RESETEXPIRE = 86400
 const APP_CONNECTEXPIRE = 30
 const APP_KEYSIZE = 4096
 const APP_RSA4096 = "RSA4096"
@@ -40,6 +41,9 @@ const APP_QUEUEAUDIO = "audio"
 const APP_QUEUEVIDEO = "video"
 const APP_QUEUEPHOTO = "photo"
 const APP_QUEUEDEFAULT = ""
+const APP_ACCOUNTATTACH = "attach"
+const APP_ACCOUNTCREATE = "create"
+const APP_ACCOUNTRESET = "reset"
 
 func AppCardStatus(status string) bool {
 if status == APP_CARDPENDING {
diff --git a/net/server/internal/store/schema.go b/net/server/internal/store/schema.go
index 309d23b4..2df64f05 100644
--- a/net/server/internal/store/schema.go
+++ b/net/server/internal/store/schema.go
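Review bot: The reset token is not retired after use: `store.DB.Save(token.Account)` rewrites the credentials, but the APP_ACCOUNTRESET row stays valid until APP_RESETEXPIRE (86400 s), so the same bearer value can be replayed by anyone who captured it to change the username and password again. Delete it in the same write, e.g. a `store.DB.Transaction` that runs `tx.Save(token.Account)` then `tx.Delete(&token)` and fails the request with a 500 on either error, which also matches the transaction SetAccountApp already uses. `token.Account.Password = password` stores whatever BasicCredentials returns; whether that value is hashed, and whether BearerAccountToken enforces `Expires`, are both outside this hunk and worth confirming before the Save.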
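Review bot: `APP_RESETEXPIRE = 86400` gives a credential-reset token the same 24-hour life as account creation and 288 times the 300 s attach window, even though in this commit a reset token alone is enough for SetAccountAuthentication to replace an account's username and password. If the token is consumed within the same session rather than delivered out of band, a window on the order of APP_ATTACHEXPIRE bounds the exposure of a leaked or guessed value, e.g. `const APP_RESETEXPIRE = 300`. Whether the expiry is enforced on lookup is not visible in this diff.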
@@ -48,7 +48,7 @@ type AccountToken struct {
 Token string `gorm:"not null;uniqueIndex"`
 Expires int64 `gorm:"not null"`
 Created int64 `gorm:"autoCreateTime"`
- Account Account
+ Account *Account
 }
 
 // NOTE: card & app reference account by guid, all other tables by id
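Review bot: Making `Account` a `*Account` means the field is nil whenever the token row is loaded without its association, and SetAccountAuthentication in this commit now relies on that nil to reject a token; nothing on the struct says who is responsible for populating it, and whether BearerAccountToken preloads it is not visible here. A field comment would pin the contract, e.g. `Account *Account // nil unless the row was loaded with Preload("Account"); callers must check before dereferencing`. The `type AccountToken struct {` line is outside the hunk.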