From 93b9c883a19bb60509f91bb034670b4fc296171d Mon Sep 17 00:00:00 2001
From: Eduardo Figueroa <mr.eduardo.figueroa@gmail.com>
Date: Thu, 4 Dec 2025 18:44:53 +0000
Subject: [PATCH] docs(freshrss): Add API troubleshooting documentation

Add comprehensive guides for debugging and resolving FreshRSS API
authentication issues with mobile apps.

Includes:
- API password setup instructions
- iOS app configuration (Reeder, NetNewsWire, etc.)
- Google Reader API vs Fever API comparison
- nginx Authorization header troubleshooting
- Debug logging locations and commands
- Common error patterns and solutions

Covers both successful resolution and known limitations.
---
 compose/services/FreshRSS/API-AUTH-FIX.md     | 189 ++++++++++++++
 compose/services/FreshRSS/API-STATUS.md       | 121 +++++++++
 compose/services/FreshRSS/DEBUG-LOGGING.md    | 239 ++++++++++++++++++
 .../services/FreshRSS/REEDER-AUTH-DEBUG.md    | 237 +++++++++++++++++
 4 files changed, 786 insertions(+)
 create mode 100644 compose/services/FreshRSS/API-AUTH-FIX.md
 create mode 100644 compose/services/FreshRSS/API-STATUS.md
 create mode 100644 compose/services/FreshRSS/DEBUG-LOGGING.md
 create mode 100644 compose/services/FreshRSS/REEDER-AUTH-DEBUG.md

diff --git a/compose/services/FreshRSS/API-AUTH-FIX.md b/compose/services/FreshRSS/API-AUTH-FIX.md
new file mode 100644
index 0000000..2ae9fb4
--- /dev/null
+++ b/compose/services/FreshRSS/API-AUTH-FIX.md
@@ -0,0 +1,189 @@
+# FreshRSS iOS App Authentication Fix
+
+## The Problem
+
+You're getting "login failed" on your iOS RSS app, but the same credentials work on the website.
+
+**Why:** iOS RSS apps use FreshRSS's **API**, which requires a separate **API password** - NOT your regular web login password.
+
+## The Solution: Generate an API Password
+
+### Step 1: Log into FreshRSS Web Interface
+
+Go to https://feeds.fig.systems and log in with your regular credentials.
+
+### Step 2: Navigate to Profile Settings
+
+1. Click your username (top right)
+2. Select **"Configuration"** or **"Settings"**
+3. Go to the **"Profile"** tab
+
+### Step 3: Generate API Password
+
+1. Scroll down to **"API management"** section
+2. Find **"API password"** field
+3. Click **"Generate"** or **"Regenerate"** button
+4. Copy the generated API password (it will look like a random string)
+
+Example: `hKm9xP3zQwRt2nLv8YbJ`
+
+### Step 4: Use API Password in iOS App
+
+When configuring your iOS RSS app:
+
+**Username:** `eddie` (your FreshRSS username)
+**Password:** `[THE GENERATED API PASSWORD]` ← NOT your web password!
+**Server URL:** `https://feeds.fig.systems`
+
+### Common iOS RSS Apps Configuration
+
+#### **Reeder**
+- Account Type: FreshRSS
+- Server: `https://feeds.fig.systems`
+- Username: `eddie`
+- Password: [API password]
+
+#### **NetNewsWire**
+- Account Type: FreshRSS
+- URL: `https://feeds.fig.systems`
+- Username: `eddie`
+- Password: [API password]
+
+#### **Unread**
+- Service: FreshRSS (Google Reader-compatible)
+- Server: `https://feeds.fig.systems`
+- Username: `eddie`
+- Password: [API password]
+
+#### **Fiery Feeds**
+- Account Type: FreshRSS
+- Server URL: `https://feeds.fig.systems`
+- Username: `eddie`
+- Password: [API password]
+
+## Verify API is Enabled
+
+If the API password doesn't work, verify API is enabled:
+
+1. Log into FreshRSS web interface
+2. Go to **Administration** → **Configuration** → **System**
+3. Scroll to **"API (mobile access)"**
+4. Ensure **"Enable API"** is checked ✓
+5. Click **"Submit"** if you made changes
+
+## Troubleshooting
+
+### Error: "Invalid API password"
+
+**Solution:** Regenerate the API password in FreshRSS web interface and try again.
+
+### Error: "Connection failed" or "Cannot connect to server"
+
+**Check:**
+1. URL is exactly: `https://feeds.fig.systems` (no trailing slash)
+2. Phone has internet connection
+3. Try accessing the URL in Safari/Chrome on the same phone
+4. Check if Tinyauth SSO is blocking API access
+
+### SSO/Tinyauth Blocking API Access
+
+FreshRSS has `tinyauth` middleware enabled. This might block API requests if they don't have proper authentication headers.
+
+**Check logs:**
+```bash
+tail -f /home/eduardo_figueroa/homelab/compose/services/FreshRSS/config/log/nginx/access.log
+```
+
+Look for your iOS app's requests (they'll have User-Agent like "Reeder" or "NetNewsWire").
+
+**If API is being blocked by SSO:**
+
+Option 1: Create a bypass for API endpoint:
+```yaml
+# In compose.yaml, change:
+traefik.http.routers.freshrss.middlewares: tinyauth
+
+# To bypass API paths:
+traefik.http.routers.freshrss.middlewares: freshrss-auth
+
+# Add new middleware in Traefik config or labels:
+traefik.http.middlewares.freshrss-auth.chain.middlewares: tinyauth-skip-api, tinyauth
+```
+
+Option 2: Temporarily disable SSO to test:
+```bash
+# Comment out in compose.yaml:
+# traefik.http.routers.freshrss.middlewares: tinyauth
+
+docker compose up -d
+```
+
+### Error: "SSL/Certificate error"
+
+Your FreshRSS uses Let's Encrypt SSL. If iOS app shows certificate errors:
+1. Update iOS to latest version
+2. Try toggling "Allow self-signed certificates" OFF (you don't need it)
+3. Check the URL doesn't have `http://` (must be `https://`)
+
+## View API Logs
+
+### Check what the iOS app is sending:
+
+```bash
+# Watch nginx access log
+tail -f /home/eduardo_figueroa/homelab/compose/services/FreshRSS/config/log/nginx/access.log
+
+# Filter for API requests
+grep -i "api\|fever\|greader" /home/eduardo_figueroa/homelab/compose/services/FreshRSS/config/log/nginx/access.log | tail -20
+```
+
+### Check for authentication errors:
+
+```bash
+# PHP errors
+tail -f /home/eduardo_figueroa/homelab/compose/services/FreshRSS/config/log/php_errors.log
+
+# Nginx errors
+tail -f /home/eduardo_figueroa/homelab/compose/services/FreshRSS/config/log/nginx/error.log
+```
+
+### Real-time monitoring:
+
+```bash
+# Open 3 terminals and watch:
+# Terminal 1:
+tail -f /home/eduardo_figueroa/homelab/compose/services/FreshRSS/config/log/nginx/access.log
+
+# Terminal 2:
+tail -f /home/eduardo_figueroa/homelab/compose/services/FreshRSS/config/log/nginx/error.log
+
+# Terminal 3:
+tail -f /home/eduardo_figueroa/homelab/compose/services/FreshRSS/config/log/php_errors.log
+
+# Now try connecting from iOS app
+```
+
+## Quick Test: API is Working
+
+Test the API manually:
+
+```bash
+# Replace with your actual API password
+API_PASSWORD="your-api-password-here"
+
+# Test authentication
+curl -s "https://feeds.fig.systems/api/greader.php/reader/api/0/token" \
+  -u "eddie:$API_PASSWORD" | head -20
+
+# Should return a token, not an error
+```
+
+If this works, your API is functional and the issue is with how the iOS app is configured.
+
+## Current Status
+
+✅ **Debug logging enabled** - PHP errors will show in logs
+✅ **API enabled** - Checked in config.php (line 20)
+⚠️ **SSO might block API** - Tinyauth middleware is active
+
+**Next step:** Generate API password and try it in your iOS app!
diff --git a/compose/services/FreshRSS/API-STATUS.md b/compose/services/FreshRSS/API-STATUS.md
new file mode 100644
index 0000000..6b763ba
--- /dev/null
+++ b/compose/services/FreshRSS/API-STATUS.md
@@ -0,0 +1,121 @@
+# FreshRSS API Status & Next Steps
+
+## Current Configuration
+
+✅ API enabled in FreshRSS
+✅ API password set in user profile
+✅ Tinyauth SSO removed
+✅ Nginx configured with PATH_INFO
+✅ Nginx configured to pass Authorization header
+✅ Traefik configured to pass host header
+
+## Issue
+
+The API compatibility check still fails: `FAIL get HTTP Authorization header!`
+
+This means the HTTP Authorization header isn't reaching PHP's `$_SERVER['HTTP_AUTHORIZATION']` variable.
+
+## What We've Tried
+
+1. ✅ Removed Tinyauth middleware (was blocking API)
+2. ✅ Added fastcgi_param HTTP_AUTHORIZATION to nginx
+3. ✅ Added PATH_INFO support (required by FreshRSS API)
+4. ✅ Set API password in web interface
+5. ✅ Configured Traefik pass host header
+
+## The Root Cause
+
+The nginx → PHP-FPM authorization header passthrough isn't working correctly in the LinuxServer.io FreshRSS image.
+
+## Solution: Try Reeder Now Anyway
+
+Even though the compatibility check fails, **Reeder might still work**. The check uses a different method than actual client authentication.
+
+### Test in Reeder:
+
+1. **Delete** existing FreshRSS account in Reeder
+2. **Add New Account** → FreshRSS or Self-hosted
+3. Enter:
+   - Server: `https://feeds.fig.systems`
+   - Username: `eddie`
+   - Password: `[YOUR API PASSWORD FROM WEB INTERFACE]`
+4. **Try to sync**
+
+The password should be the one you typed into the "API password" field in FreshRSS Profile settings.
+
+## Alternative: Use Fever API Instead
+
+Fever API uses different authentication and might work better.
+
+### Your Fever Settings:
+
+**Fever API URL:** `https://feeds.fig.systems/api/fever.php`
+**Fever Key:** `b82fc4a3c3ff610ff270798ef6f93b13`
+
+### In Reeder:
+
+1. **Add Account** → **Fever**
+2. Server: `https://feeds.fig.systems/api/fever.php`
+3. Email: `eddie`
+4. Password: `[YOUR WEB PASSWORD]` ← Uses web password, NOT API password!
+
+Fever API doesn't require the Authorization header in the same way, so it might bypass this nginx issue.
+
+## If Both Fail: Advanced Fix Required
+
+If neither Google Reader API nor Fever API works, we need to:
+
+1. **Switch to official FreshRSS Docker image** (not LinuxServer.io)
+   - Official image: `freshrss/freshrss:latest`
+   - Has proper nginx config out of the box
+
+2. **Or: Use Apache instead of nginx** in LinuxServer image
+   - LinuxServer allows switching web servers
+   - Apache handles Authorization headers differently
+
+3. **Or: Check Traefik logs** to see if header is being stripped there
+   ```bash
+   docker logs traefik | grep -i authorization
+   ```
+
+## Recommended Action Plan
+
+1. **TRY REEDER NOW** - might work despite compatibility check failure
+2. **TRY FEVER API** - different auth method
+3. **If both fail:** Check logs while attempting:
+   ```bash
+   tail -f /home/eduardo_figueroa/homelab/compose/services/FreshRSS/config/log/nginx/access.log
+   ```
+   Look for the API requests and their response codes
+
+## Debug Commands
+
+### Check what Reeder sends:
+```bash
+# Watch access log while connecting from Reeder
+tail -f /home/eduardo_figueroa/homelab/compose/services/FreshRSS/config/log/nginx/access.log
+```
+
+### Test API manually:
+```bash
+# Replace with your actual API password
+curl -v -d "Email=eddie" -d "Passwd=YOUR_API_PASSWORD" \
+  "https://feeds.fig.systems/api/greader.php/accounts/ClientLogin"
+```
+
+### Test Fever API:
+```bash
+curl -v -d "api_key=b82fc4a3c3ff610ff270798ef6f93b13" \
+  "https://feeds.fig.systems/api/fever.php?api"
+```
+
+## Sources & References
+
+- [FreshRSS Authorization Header Issue #2308](https://github.com/FreshRSS/FreshRSS/issues/2308)
+- [FreshRSS Apache/Nginx Configuration](https://freshrss.github.io/FreshRSS/en/admins/10_ServerConfig.html)
+- [FreshRSS Mobile Access Guide](https://freshrss.github.io/FreshRSS/en/users/06_Mobile_access.html)
+- [Nginx API 401 Discussion #6183](https://github.com/FreshRSS/FreshRSS/discussions/6183)
+
+---
+
+**Bottom Line:** Try Reeder with the API password now. If it doesn't work, try Fever API. Both might work even though the compatibility check fails.
diff --git a/compose/services/FreshRSS/DEBUG-LOGGING.md b/compose/services/FreshRSS/DEBUG-LOGGING.md
new file mode 100644
index 0000000..fbe0e11
--- /dev/null
+++ b/compose/services/FreshRSS/DEBUG-LOGGING.md
@@ -0,0 +1,239 @@
+# FreshRSS Debug Logging - Auth Troubleshooting
+
+Debug logging has been enabled for FreshRSS to help troubleshoot authentication failures.
+
+## What Was Changed
+
+### 1. Environment Mode
+Changed from `production` to `development`:
+- File: `config/www/freshrss/data/config.php`
+- Line 3: `'environment' => 'development'`
+
+### 2. PHP Error Logging
+Enabled verbose PHP error logging:
+- File: `config/php/php-local.ini`
+- Added:
+  ```ini
+  error_reporting = E_ALL
+  display_errors = On
+  display_startup_errors = On
+  log_errors = On
+  error_log = /config/log/php_errors.log
+  ```
+
+### 3. Environment Variable
+Added to `.env`:
+```bash
+FRESHRSS_ENV=development
+```
+
+## Where to Find Logs
+
+### 1. PHP Error Log
+**Location:** `/home/eduardo_figueroa/homelab/compose/services/FreshRSS/config/log/php_errors.log`
+
+View in real-time:
+```bash
+tail -f /home/eduardo_figueroa/homelab/compose/services/FreshRSS/config/log/php_errors.log
+```
+
+### 2. FreshRSS Application Logs
+**Location:** `/home/eduardo_figueroa/homelab/compose/services/FreshRSS/config/log/`
+
+List all logs:
+```bash
+ls -lah /home/eduardo_figueroa/homelab/compose/services/FreshRSS/config/log/
+```
+
+View recent logs:
+```bash
+tail -f /home/eduardo_figueroa/homelab/compose/services/FreshRSS/config/log/*.log
+```
+
+### 3. Docker Container Logs
+View container output:
+```bash
+docker logs freshrss -f
+```
+
+Last 100 lines:
+```bash
+docker logs freshrss --tail 100
+```
+
+### 4. Nginx Access/Error Logs
+**Location:** `/home/eduardo_figueroa/homelab/compose/services/FreshRSS/config/nginx/`
+
+```bash
+# Access log (HTTP requests)
+tail -f /home/eduardo_figueroa/homelab/compose/services/FreshRSS/config/nginx/nginx-access.log
+
+# Error log
+tail -f /home/eduardo_figueroa/homelab/compose/services/FreshRSS/config/nginx/nginx-error.log
+```
+
+## Reproduce Auth Failure & Check Logs
+
+### Step 1: Trigger the Auth Issue
+1. Go to https://feeds.fig.systems
+2. Attempt login or whatever triggers the auth failure
+
+### Step 2: Check Logs Immediately
+
+**Quick check all logs:**
+```bash
+cd /home/eduardo_figueroa/homelab/compose/services/FreshRSS/config/log
+tail -100 *.log
+```
+
+**Check PHP errors specifically:**
+```bash
+tail -50 /home/eduardo_figueroa/homelab/compose/services/FreshRSS/config/log/php_errors.log
+```
+
+**Search for authentication-related errors:**
+```bash
+cd /home/eduardo_figueroa/homelab/compose/services/FreshRSS/config/log
+grep -i "auth\|login\|session\|cookie\|permission\|denied" *.log | tail -20
+```
+
+### Step 3: Check SSO/Tinyauth Headers
+
+Since you have `tinyauth` middleware enabled, check if headers are being passed correctly:
+
+**View headers in browser:**
+1. Open browser DevTools (F12)
+2. Go to Network tab
+3. Try to access FreshRSS
+4. Click on the request
+5. Check "Request Headers" for:
+   - `Remote-User`
+   - `Remote-Email`
+   - `Remote-Name`
+   - `Remote-Groups`
+
+**Check Traefik logs:**
+```bash
+docker logs traefik | grep -i freshrss | tail -20
+```
+
+## Common Auth Issues & Log Indicators
+
+### Issue: Tinyauth Header Not Being Passed
+
+**Look for in logs:**
+```
+No authenticated user found
+Missing Remote-User header
+```
+
+**Solution:** Check Traefik middleware configuration
+
+### Issue: Session Cookie Issues
+
+**Look for in logs:**
+```
+session_start(): Failed
+Cannot send session cookie
+Headers already sent
+```
+
+**Possible causes:**
+- Cookie domain mismatch
+- Secure cookie flag with HTTP
+- SameSite cookie attribute
+
+### Issue: Database Permission Errors
+
+**Look for in logs:**
+```
+SQLITE: attempt to write a readonly database
+Permission denied
+```
+
+**Solution:**
+```bash
+# Check file permissions
+ls -la /home/eduardo_figueroa/homelab/compose/services/FreshRSS/config/www/freshrss/data/
+
+# Fix if needed
+sudo chown -R 1000:1000 /home/eduardo_figueroa/homelab/compose/services/FreshRSS/config/
+```
+
+### Issue: PHP Fatal Errors
+
+**Look for in logs:**
+```
+Fatal error:
+PHP Parse error:
+Call to undefined function
+```
+
+## View Logs via Dozzle
+
+Easiest way to view logs in real-time:
+
+1. Go to https://logs-docker.fig.systems (from local network)
+2. Click on **freshrss** container
+3. Search for: `error`, `auth`, `login`, `fail`
+4. Watch live as you reproduce the issue
+
+## Disable Debug Logging (When Done)
+
+Once you've identified the issue:
+
+### 1. Revert Environment Mode
+Edit: `config/www/freshrss/data/config.php`
+```php
+'environment' => 'production',
+```
+
+### 2. Disable PHP Error Display
+Edit: `config/php/php-local.ini`
+```ini
+; Comment out or change:
+display_errors = Off
+display_startup_errors = Off
+; Keep error logging:
+log_errors = On
+error_log = /config/log/php_errors.log
+```
+
+### 3. Restart FreshRSS
+```bash
+docker compose restart
+```
+
+## Example: Full Debug Session
+
+```bash
+# Terminal 1: Watch PHP errors
+tail -f /home/eduardo_figueroa/homelab/compose/services/FreshRSS/config/log/php_errors.log
+
+# Terminal 2: Watch container logs
+docker logs freshrss -f
+
+# Terminal 3: Watch nginx access
+tail -f /home/eduardo_figueroa/homelab/compose/services/FreshRSS/config/nginx/nginx-access.log
+
+# Now trigger the auth issue in browser and watch all 3 terminals
+```
+
+## Need More Verbose Logging?
+
+Edit `config/www/freshrss/data/config.php` and enable additional debugging:
+
+```php
+'simplepie_syslog_enabled' => true,  // Already enabled (line 24)
+```
+
+Check syslog:
+```bash
+docker exec freshrss cat /var/log/syslog | grep -i fresh
+```
+
+---
+
+**Current Status:** ✅ Debug logging enabled and active
+**Restart Required:** Already restarted
+**Log Locations:** See "Where to Find Logs" section above
diff --git a/compose/services/FreshRSS/REEDER-AUTH-DEBUG.md b/compose/services/FreshRSS/REEDER-AUTH-DEBUG.md
new file mode 100644
index 0000000..968e8d0
--- /dev/null
+++ b/compose/services/FreshRSS/REEDER-AUTH-DEBUG.md
@@ -0,0 +1,237 @@
+# Reeder Authentication Failure - Troubleshooting
+
+## Current Status
+
+✅ API enabled in FreshRSS
+✅ API password hash exists for user 'eddie'
+✅ Tinyauth SSO removed
+❌ Reeder getting 401 Unauthorized
+
+## Log Analysis
+
+```
+POST /api/greader.php/accounts/ClientLogin HTTP/1.1" 401
+```
+
+This means:
+- Reeder is correctly hitting the Google Reader API endpoint
+- Authentication is failing (401 = Unauthorized)
+- Either wrong password OR the API password hasn't been properly set
+
+## The Issue: API Password vs Web Password
+
+FreshRSS has TWO different passwords:
+1. **Web Password** - For logging into https://feeds.fig.systems
+2. **API Password** - For iOS apps (Reeder, NetNewsWire, etc.)
+
+**You MUST use the API password in Reeder, not your web password!**
+
+## Step-by-Step Fix
+
+### 1. Generate/Regenerate API Password
+
+**Via Web Interface (Easiest):**
+
+1. Go to https://feeds.fig.systems
+2. Log in with your **web password**
+3. Click your username (top right) → **Configuration**
+4. Click **Profile** tab
+5. Scroll down to **"API management"** or **"API"** section
+6. Look for **"API password"** field
+7. Click **"Generate"** or **"Regenerate"** button
+8. **Write down the password immediately** - it won't be shown again!
+
+The password will look something like: `aB3xK9mP2wQz7nYv`
+
+### 2. Configure Reeder
+
+Open Reeder on your iOS device:
+
+1. **Add Account** → Select **FreshRSS** or **Self-hosted**
+2. Enter these details:
+   - **Server:** `https://feeds.fig.systems`
+   - **Username:** `eddie`
+   - **Password:** `[THE API PASSWORD FROM STEP 1]` ← NOT your web password!
+
+### 3. Test Authentication
+
+Try to sync in Reeder. If it still fails, continue to advanced troubleshooting below.
+
+## Advanced Troubleshooting
+
+### Test API Manually
+
+Run this test script:
+
+```bash
+/tmp/test-freshrss-api.sh
+```
+
+Or manually:
+
+```bash
+# Replace YOUR_API_PASSWORD with the actual API password
+curl -v -d "Email=eddie" -d "Passwd=YOUR_API_PASSWORD" \
+  "https://feeds.fig.systems/api/greader.php/accounts/ClientLogin"
+
+# Should return 200 and an auth token, NOT 401
+```
+
+### Check What Reeder is Sending
+
+Watch the logs while you try to connect from Reeder:
+
+```bash
+tail -f /home/eduardo_figueroa/homelab/compose/services/FreshRSS/config/log/nginx/access.log
+```
+
+Look for:
+- Is username being sent correctly? (should be 'eddie')
+- Multiple 401s = wrong password
+- 404 = wrong URL endpoint
+
+### Common Issues
+
+#### Issue 1: Using Web Password Instead of API Password
+
+**Symptom:** 401 errors
+**Solution:** Generate API password in web interface, use THAT password
+
+#### Issue 2: API Password Never Generated
+
+**Symptom:** 401 errors
+**Check:** Look in web interface - is the API password field empty?
+**Solution:** Click "Generate" to create one
+
+#### Issue 3: Wrong Username
+
+**Symptom:** 401 errors
+**Check:** Username must be exactly `eddie` (the FreshRSS username)
+**Solution:** Double-check spelling and case
+
+#### Issue 4: Wrong Server URL
+
+**Symptom:** Connection errors or 404
+**Check:** Must be `https://feeds.fig.systems` (no trailing slash)
+**Solution:** Remove any extra characters
+
+#### Issue 5: Reeder Using Wrong API Type
+
+**Symptom:** 404 or unexpected responses
+**Solution:** In Reeder, make sure you selected:
+- "FreshRSS" account type (if available)
+- OR "Self-hosted" → "Google Reader API"
+- NOT "Fever API" (different authentication)
+
+## Verify API is Actually Working
+
+### Method 1: Use Fever API Instead
+
+FreshRSS also supports Fever API. Your Fever key is:
+```
+b82fc4a3c3ff610ff270798ef6f93b13
+```
+
+Try in Reeder:
+1. **Add Account** → **Fever**
+2. **Server:** `https://feeds.fig.systems/api/fever.php`
+3. **Email:** `eddie`
+4. **Password:** Your **web password** (Fever uses web password, not API password!)
+
+If Fever works but Google Reader API doesn't, there's an issue with the Google Reader API specifically.
+
+### Method 2: Check from Another Device
+
+Try accessing from desktop:
+```bash
+curl -d "Email=eddie" -d "Passwd=YOUR_API_PASSWORD" \
+  "https://feeds.fig.systems/api/greader.php/accounts/ClientLogin"
+```
+
+If this returns a token, the API works and the issue is Reeder-specific.
+
+## Reset Everything
+
+If nothing works, reset the API authentication:
+
+### 1. Clear API Password
+
+```bash
+# Backup first
+cp /home/eduardo_figueroa/homelab/compose/services/FreshRSS/config/www/freshrss/data/users/eddie/config.php \
+   /home/eduardo_figueroa/homelab/compose/services/FreshRSS/config/www/freshrss/data/users/eddie/config.php.backup
+
+# Edit the config file manually to clear API password
+# Look for 'apiPasswordHash' and set it to empty string
+```
+
+### 2. Regenerate via Web Interface
+
+1. Log into https://feeds.fig.systems
+2. Go to Profile → API management
+3. Generate NEW API password
+4. Try again in Reeder
+
+## Check FreshRSS Version
+
+```bash
+docker exec freshrss cat /app/freshrss/constants.php | grep FRESHRSS_VERSION
+```
+
+If it's very old, some API features might not work correctly.
+
+Update:
+```bash
+cd /home/eduardo_figueroa/homelab/compose/services/FreshRSS
+docker compose pull
+docker compose up -d
+```
+
+## Enable More Verbose API Logging
+
+Edit: `/home/eduardo_figueroa/homelab/compose/services/FreshRSS/config/www/freshrss/data/config.php`
+
+Add:
+```php
+'simplepie_syslog_enabled' => true,
+```
+
+Then check syslog:
+```bash
+docker exec freshrss cat /var/log/syslog 2>/dev/null | grep -i "api\|auth\|greader"
+```
+
+## Still Not Working?
+
+### Nuclear Option: Recreate User
+
+If API auth is completely broken for this user:
+
+1. **Export your feeds** (Settings → Import/Export)
+2. **Create NEW user** in FreshRSS web interface
+3. **Generate API password** for new user
+4. **Import feeds** to new user
+5. **Try Reeder** with new user credentials
+
+## Test Results Template
+
+When asking for help, provide:
+
+```
+Username: eddie
+Server URL: https://feeds.fig.systems
+Reeder Account Type: [FreshRSS / Self-hosted / Other]
+
+API Password Generated: [Yes / No]
+Using API Password (not web password): [Yes / No]
+
+curl test result:
+[paste output of test script]
+
+Recent nginx logs:
+[paste last 5 lines from access.log during attempt]
+```
+
+---
+
+**Most Common Solution:** You need to generate a NEW API password in the web interface and use THAT specific password in Reeder, not your web login password.