3.6 KiB
Recovering Immich Admin Access via PostgreSQL
Companion for the
immich-serverskill. Covers the "locked out of admin" scenario — looking up user info, resetting passwords, and understanding how API keys are stored. Assumes you have shell access to the Docker host where Immich runs.
Prerequisites
- Shell access to the machine running Immich Docker containers
- The
immich_postgrescontainer is running - The DB credentials from
/opt/immich/.env(or wherever your compose lives)
Find the Immich PostgreSQL Table Structure
The user table (note: lowercase, not users) stores everything:
docker exec immich_postgres psql -U postgres -d immich -c "\dt"
Full list of tables (61+ as of Immich v2.7.x):
activity, album, album_asset, album_user, api_key, asset, asset_exif, asset_face,
asset_file, asset_job_status, asset_metadata, asset_ocr, face_search, library,
memory, person, session, shared_link, smart_search, stack, tag, tag_asset,
user, user_metadata, workflow, ...
Find Your Admin Email
docker exec immich_postgres psql -U postgres -d immich -c \
"SELECT id, email, name, \"isAdmin\", \"oauthId\" FROM \"user\";"
Output:
id | email | name | isAdmin
--------------------+---------------------------+------+---------
523cab1b-... | you@gmail.com | You | t
4defcb72-... | partner@gmail.com | Name | f
isAdmin = t= admin accountisAdmin = f= user account / partner share
Reset an Admin Password
If you don't know the password and can't log in:
Step 1 — Install bcrypt on the host:
sudo apt install -y python3-bcrypt
Step 2 — Generate a bcrypt hash for your new password:
HASH=$(python3 -c "
import bcrypt
# Use 'admin123' or whatever you want
pw_hash = bcrypt.hashpw(b'admin123', bcrypt.gensalt(rounds=10))
print(pw_hash.decode())
")
Step 3 — Update the password in the database:
docker exec immich_postgres psql -U postgres -d immich -c \
"UPDATE \"user\" SET \"password\"='$HASH' WHERE email='you@gmail.com';"
Step 4 — Log in with the new password at http://192.168.x.x:2283.
⚠️ The Immich server may cache the old session — refresh the login page or use a private browser window.
API Keys: Storage & Recovery
API keys are stored hashed (PBKDF2-SHA256) — you CANNOT recover the raw key from the DB.
List all API keys (who owns what)
docker exec immich_postgres psql -U postgres -d immich -c \
"SELECT ak.id, ak.name, u.name as owner, \"userId\" FROM \"api_key\" ak LEFT JOIN \"user\" u ON ak.\"userId\" = u.id;"
The key column stores the hash — no way to reverse it. If you lost the raw key, you must:
- Log in to Immich web UI as admin
- Go to Settings → API Keys
- Delete the old key and create a new one
If you can't log in at all
Reset the admin password (above), then use the web UI to create a new API key.
Finding the DB Credentials
Immich stores them in the compose directory:
cat /opt/immich/.env
Expected vars:
DB_USERNAME=postgres
DB_PASSWORD=...
DB_DATABASE_NAME=immich
If the .env file path differs, find it:
find / -name "docker-compose.yml" -path "*immich*" 2>/dev/null
Then check the same directory for the .env file.
Test DB Connection Directly
# Simple auth test (no password prompt):
docker exec immich_postgres psql -U postgres -d immich -c "SELECT 1 as connected;"
# If that fails with authentication error, try with password:
docker exec -e PGPASSWORD=your_db_password immich_postgres psql \
-U postgres -d immich -c "SELECT 1 as connected;"