diff --git a/cmd/tgbot/internal/bot/bot.go b/cmd/tgbot/internal/bot/bot.go
index b0285a2..3d7aae1 100644
--- a/cmd/tgbot/internal/bot/bot.go
+++ b/cmd/tgbot/internal/bot/bot.go
@@ -508,7 +508,7 @@ func (b *Bot) rename(msg *tgbotapi.Message) {
 }
 
 func (b *Bot) download(msg *tgbotapi.Message) {
-	texts, err := b.service.FullTexts(msg.From.ID)
+	texts, err := b.service.FullTexts(msg.From.ID, nil)
 	if err != nil {
 		b.replyErrorWithI18n(msg, errorOnListMsgId, err)
 		return
diff --git a/cmd/tgbot/main.go b/cmd/tgbot/main.go
index 92de5d4..27e8a70 100644
--- a/cmd/tgbot/main.go
+++ b/cmd/tgbot/main.go
@@ -7,10 +7,14 @@ import (
 	"os/signal"
 	"syscall"
 
+	"github.com/go-chi/chi/v5"
+	"github.com/pechorka/adhd-reader/internal/handler"
+	"github.com/pechorka/adhd-reader/internal/handler/mw/auth"
 	"github.com/pechorka/adhd-reader/internal/service"
 	"github.com/pechorka/adhd-reader/internal/storage"
 
 	"github.com/pechorka/adhd-reader/cmd/tgbot/internal/bot"
+	"github.com/pechorka/adhd-reader/pkg/encryptor"
 	"github.com/pechorka/adhd-reader/pkg/fileloader"
 	"github.com/pechorka/adhd-reader/pkg/i18n"
 	"github.com/pechorka/adhd-reader/pkg/queue"
@@ -30,6 +34,7 @@ type config struct {
 	Debug   bool    `json:"debug"`
 	DbPath  string  `json:"db_path"`
 	Admins  []int64 `json:"admins"`
+	Secret  string  `json:"secret"`
 }
 
 func readCfg(path string) (*config, error) {
@@ -89,7 +94,8 @@ func run() error {
 	defer watcher.Close()
 
 	scrapper := webscraper.New()
-	service := service.NewService(store, scrapper, 500)
+	encryptor := encryptor.NewEncryptor(cfg.Secret)
+	service := service.NewService(store, 500, scrapper, encryptor)
 	msgQueue := queue.NewMessageQueue(queue.Config{})
 	fileLoader := fileloader.NewLoader(fileloader.Config{
 		MaxFileSize: defaultMaxFileSize,
@@ -108,6 +114,14 @@ func run() error {
 	}
 	go b.Run()
 
+	handlers := handler.NewHandlers(service)
+	mx := chi.NewRouter()
+	authMW := auth.NewAuthMW(service)
+	mx.With(authMW.Auth)
+	mx.Route("/api/v1", func(r chi.Router) {
+		handlers.Register(r)
+	})
+
 	terminate := make(chan os.Signal, 1)
 	signal.Notify(terminate, syscall.SIGINT, syscall.SIGTERM)
 
diff --git a/go.mod b/go.mod
index f9ba969..384f2d7 100644
--- a/go.mod
+++ b/go.mod
@@ -5,13 +5,16 @@ go 1.19
 require (
 	github.com/PuerkitoBio/goquery v1.8.1
 	github.com/fsnotify/fsnotify v1.6.0
+	github.com/go-chi/chi/v5 v5.0.10
 	github.com/go-telegram-bot-api/telegram-bot-api/v5 v5.5.1
 	github.com/google/uuid v1.3.0
+	github.com/gtank/cryptopasta v0.0.0-20170601214702-1f550f6f2f69
 	github.com/pkg/errors v0.9.1
 	github.com/stretchr/testify v1.8.1
 	github.com/valyala/fasttemplate v1.2.2
 	go.etcd.io/bbolt v1.3.7
 	golang.org/x/exp v0.0.0-20230315142452-642cacee5cc0
+	golang.org/x/net v0.10.0
 )
 
 require (
@@ -20,8 +23,8 @@ require (
 	github.com/kr/pretty v0.1.0 // indirect
 	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/valyala/bytebufferpool v1.0.0 // indirect
-	golang.org/x/net v0.7.0 // indirect
-	golang.org/x/sys v0.6.0 // indirect
+	golang.org/x/crypto v0.11.0 // indirect
+	golang.org/x/sys v0.10.0 // indirect
 	gopkg.in/check.v1 v1.0.0-20180628173108-788fd7840127 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )
diff --git a/go.sum b/go.sum
index fe5548d..ed84d8d 100644
--- a/go.sum
+++ b/go.sum
@@ -7,10 +7,14 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY=
 github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw=
+github.com/go-chi/chi/v5 v5.0.10 h1:rLz5avzKpjqxrYwXNfmjkrYYXOyLJd37pz53UFHC6vk=
+github.com/go-chi/chi/v5 v5.0.10/go.mod h1:DslCQbL2OYiznFReuXYUmQ2hGd1aDpCnlMNITLSKoi8=
 github.com/go-telegram-bot-api/telegram-bot-api/v5 v5.5.1 h1:wG8n/XJQ07TmjbITcGiUaOtXxdrINDz1b0J1w0SzqDc=
 github.com/go-telegram-bot-api/telegram-bot-api/v5 v5.5.1/go.mod h1:A2S0CWkNylc2phvKXWBBdD3K0iGnDBGbzRpISP2zBl8=
 github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I=
 github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo=
+github.com/gtank/cryptopasta v0.0.0-20170601214702-1f550f6f2f69 h1:7xsUJsB2NrdcttQPa7JLEaGzvdbk7KvfrjgHZXOQRo0=
+github.com/gtank/cryptopasta v0.0.0-20170601214702-1f550f6f2f69/go.mod h1:YLEMZOtU+AZ7dhN9T/IpGhXVGly2bvkJQ+zxj3WeVQo=
 github.com/kr/pretty v0.1.0 h1:L/CwN0zerZDmRFUapSPitk6f+Q3+0za1rQkzVuMiMFI=
 github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo=
 github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
@@ -36,6 +40,8 @@ go.etcd.io/bbolt v1.3.7 h1:j+zJOnnEjF/kyHlDDgGnVL/AIqIJPq8UoB2GSNfkUfQ=
 go.etcd.io/bbolt v1.3.7/go.mod h1:N9Mkw9X8x5fupy0IKsmuqVtoGDyxsaDlbk4Rd05IAQw=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
 golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc=
+golang.org/x/crypto v0.11.0 h1:6Ewdq3tDic1mg5xRO4milcWCfMVQhI4NkqWWvqejpuA=
+golang.org/x/crypto v0.11.0/go.mod h1:xgJhtzW8F9jGdVFWZESrid1U1bjeNy4zgy5cRr/CIio=
 golang.org/x/exp v0.0.0-20230315142452-642cacee5cc0 h1:pVgRXcIictcr+lBQIFeiwuwtDIs4eL21OuM9nyAADmo=
 golang.org/x/exp v0.0.0-20230315142452-642cacee5cc0/go.mod h1:CxIveKay+FTh1D0yPZemJVgC/95VzuuOLq5Qi4xnoYc=
 golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4=
@@ -43,8 +49,9 @@ golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg=
 golang.org/x/net v0.0.0-20210916014120-12bc252f5db8/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
 golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c=
-golang.org/x/net v0.7.0 h1:rJrUqqhjsgNp7KqAIc25s9pZnjU7TUcSY7HcVZjdn1g=
 golang.org/x/net v0.7.0/go.mod h1:2Tu9+aMcznHK/AK1HMvgo6xiTLG5rD5rZLDS+rp2Bjs=
+golang.org/x/net v0.10.0 h1:X2//UzNDwYmtCLn7To6G58Wr6f5ahEAQgKNzv9Y951M=
+golang.org/x/net v0.10.0/go.mod h1:0qNGK6F8kojg2nk9dLZ2mShWaEBan6FAoqfSigmmuDg=
 golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
@@ -55,8 +62,8 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220722155257-8c9f86f7a55f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220908164124-27713097b956/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.5.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.6.0 h1:MVltZSvRTcU2ljQOhs94SXPftV6DCNnZViHeQps87pQ=
-golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/sys v0.10.0 h1:SqMFp9UcQJZa+pmYuAKjd9xq1f0j5rLcDIk0mj4qAsA=
+golang.org/x/sys v0.10.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8=
 golang.org/x/term v0.5.0/go.mod h1:jMB1sMXY+tzblOD4FWmEbocvup2/aLOaQEp7JmGp78k=
diff --git a/internal/handler/handler.go b/internal/handler/handler.go
new file mode 100644
index 0000000..dbba611
--- /dev/null
+++ b/internal/handler/handler.go
@@ -0,0 +1,201 @@
+package handler
+
+import (
+	"errors"
+	"net/http"
+	"time"
+
+	"github.com/go-chi/chi/v5"
+	"github.com/pechorka/adhd-reader/internal/handler/internal/request"
+	"github.com/pechorka/adhd-reader/internal/handler/internal/respond"
+	"github.com/pechorka/adhd-reader/internal/handler/mw/auth"
+	"github.com/pechorka/adhd-reader/internal/service"
+	"github.com/pechorka/adhd-reader/internal/storage"
+)
+
+type Service interface {
+	FullTexts(userID int64, after *time.Time) ([]storage.FullText, error)
+	SyncTexts(userID int64, texts []service.SyncText) ([]service.SyncText, error)
+	NextChunk(userID int64) (storage.Text, string, service.ChunkType, error)
+	PrevChunk(userID int64) (storage.Text, string, service.ChunkType, error)
+}
+
+type Handlers struct {
+	svc Service
+}
+
+func NewHandlers(svc Service) *Handlers {
+	return &Handlers{svc: svc}
+}
+
+func (h *Handlers) Register(mx chi.Router) {
+	mx.Get("/text", h.GetTexts)
+	mx.Post("/text/sync", h.SyncTexts)
+	mx.Post("/text/chunk/next", h.NextChunk)
+	mx.Post("/text/chunk/prev", h.PrevChunk)
+}
+
+type GetTextsResponse struct {
+	Texts []GetTextsResponseItem `json:"texts"`
+}
+
+type GetTextsResponseItem struct {
+	TextUUID     string   `json:"id"`
+	Name         string   `json:"name"`
+	CurrentChunk int64    `json:"currentChunk"`
+	Chunks       []string `json:"chunks"`
+}
+
+func (h *Handlers) GetTexts(w http.ResponseWriter, r *http.Request) {
+	userID := auth.GetUserID(r.Context())
+	var after *time.Time
+	if afterQ := r.URL.Query().Get("after"); afterQ != "" {
+		afterT, err := time.Parse(time.RFC3339, afterQ)
+		if err != nil {
+			respond.ErrorWithCode(w, http.StatusBadRequest, respond.CODE_INVALID_DATE_FORMAT)
+			return
+		}
+		after = &afterT
+	}
+	texts, err := h.svc.FullTexts(userID, after)
+	if err != nil {
+		respond.ErrorWithCode(w, http.StatusInternalServerError, respond.CODE_INTERNAL_ERROR)
+		return
+	}
+	resp := GetTextsResponse{Texts: make([]GetTextsResponseItem, 0, len(texts))}
+	for _, text := range texts {
+		resp.Texts = append(resp.Texts, GetTextsResponseItem{
+			TextUUID:     text.UUID,
+			Name:         text.Name,
+			CurrentChunk: text.CurrentChunk,
+			Chunks:       text.Chunks,
+		})
+	}
+	respond.JSON(w, resp)
+}
+
+type SyncTextsRequest struct {
+	Items []SyncItem `json:"items"`
+}
+
+type SyncItem struct {
+	TextUUID     string `json:"id"`
+	ModifiedAt   string `json:"modifiedAt"`
+	CurrentChunk int64  `json:"currentChunk"`
+	Deleted      bool   `json:"deleted"`
+}
+
+type SyncTextsResponse struct {
+	Items []SyncItem `json:"items"`
+}
+
+func (h *Handlers) SyncTexts(w http.ResponseWriter, r *http.Request) {
+	userID := auth.GetUserID(r.Context())
+	var req SyncTextsRequest
+	err := request.DecodeJSON(r.Body, &req)
+	if err != nil {
+		respond.ErrorWithCode(w, http.StatusBadRequest, respond.CODE_INVALID_JSON)
+		return
+	}
+	syncTexts := make([]service.SyncText, 0, len(req.Items))
+	for _, item := range req.Items {
+		modifiedAt, err := time.Parse(time.RFC3339, item.ModifiedAt)
+		if err != nil {
+			respond.RespondErrorWithText(w, http.StatusBadRequest, respond.CODE_INVALID_DATE_FORMAT, "invalid date format for item: "+item.TextUUID)
+			return
+		}
+		syncTexts = append(syncTexts, service.SyncText{
+			TextUUID:     item.TextUUID,
+			ModifiedAt:   modifiedAt,
+			CurrentChunk: item.CurrentChunk,
+			Deleted:      item.Deleted,
+		})
+	}
+	syncOnMobile, err := h.svc.SyncTexts(userID, syncTexts)
+	if err != nil {
+		respond.ErrorWithCode(w, http.StatusInternalServerError, respond.CODE_INTERNAL_ERROR)
+		return
+	}
+	resp := SyncTextsResponse{Items: make([]SyncItem, 0, len(syncOnMobile))}
+	for _, item := range syncOnMobile {
+		resp.Items = append(resp.Items, SyncItem{
+			TextUUID:     item.TextUUID,
+			ModifiedAt:   item.ModifiedAt.Format(time.RFC3339),
+			CurrentChunk: item.CurrentChunk,
+			Deleted:      item.Deleted,
+		})
+	}
+	respond.JSON(w, resp)
+}
+
+type NextChunkRequest struct {
+	TextUUID string `json:"id"`
+}
+
+type NextChunkResponse struct {
+	TextUUID string `json:"id"`
+	Chunk    string `json:"chunk"`
+	Type     string `json:"type"`
+}
+
+func (h *Handlers) NextChunk(w http.ResponseWriter, r *http.Request) {
+	userID := auth.GetUserID(r.Context())
+	var req NextChunkRequest
+	err := request.DecodeJSON(r.Body, &req)
+	if err != nil {
+		respond.ErrorWithCode(w, http.StatusBadRequest, respond.CODE_INVALID_JSON)
+		return
+	}
+	text, chunk, chunkType, err := h.svc.NextChunk(userID)
+	if err != nil {
+		switch {
+		case errors.Is(err, service.ErrTextFinished):
+			respond.ErrorWithCode(w, http.StatusBadRequest, respond.CODE_ALREADY_AT_LAST_CHUNK)
+		default:
+			respond.ErrorWithCode(w, http.StatusInternalServerError, respond.CODE_INTERNAL_ERROR)
+		}
+		return
+	}
+	resp := NextChunkResponse{
+		TextUUID: text.UUID,
+		Chunk:    chunk,
+		Type:     chunkType.String(),
+	}
+	respond.JSON(w, resp)
+}
+
+type PrevChunkRequest struct {
+	TextUUID string `json:"id"`
+}
+
+type PrevChunkResponse struct {
+	TextUUID string `json:"id"`
+	Chunk    string `json:"chunk"`
+	Type     string `json:"type"`
+}
+
+func (h *Handlers) PrevChunk(w http.ResponseWriter, r *http.Request) {
+	userID := auth.GetUserID(r.Context())
+	var req PrevChunkRequest
+	err := request.DecodeJSON(r.Body, &req)
+	if err != nil {
+		respond.ErrorWithCode(w, http.StatusBadRequest, respond.CODE_INVALID_JSON)
+		return
+	}
+	text, chunk, chunkType, err := h.svc.PrevChunk(userID)
+	if err != nil {
+		switch {
+		case errors.Is(err, service.ErrFirstChunk):
+			respond.ErrorWithCode(w, http.StatusBadRequest, respond.CODE_ALREADY_AT_FIRST_CHUNK)
+		default:
+			respond.ErrorWithCode(w, http.StatusInternalServerError, respond.CODE_INTERNAL_ERROR)
+		}
+		return
+	}
+	resp := PrevChunkResponse{
+		TextUUID: text.UUID,
+		Chunk:    chunk,
+		Type:     chunkType.String(),
+	}
+	respond.JSON(w, resp)
+}
diff --git a/internal/handler/internal/request/request.go b/internal/handler/internal/request/request.go
new file mode 100644
index 0000000..681faa2
--- /dev/null
+++ b/internal/handler/internal/request/request.go
@@ -0,0 +1,10 @@
+package request
+
+import (
+	"encoding/json"
+	"io"
+)
+
+func DecodeJSON(r io.Reader, v interface{}) error {
+	return json.NewDecoder(r).Decode(v)
+}
diff --git a/internal/handler/internal/respond/codes.go b/internal/handler/internal/respond/codes.go
new file mode 100644
index 0000000..b410d57
--- /dev/null
+++ b/internal/handler/internal/respond/codes.go
@@ -0,0 +1,11 @@
+package respond
+
+const (
+	CODE_AUTH_HEADER_MISSING    = 1
+	CODE_AUTH_TOKEN_INVALID     = 2
+	CODE_INVALID_DATE_FORMAT    = 3
+	CODE_INTERNAL_ERROR         = 4
+	CODE_INVALID_JSON           = 5
+	CODE_ALREADY_AT_FIRST_CHUNK = 6
+	CODE_ALREADY_AT_LAST_CHUNK  = 7
+)
diff --git a/internal/handler/internal/respond/herror.go b/internal/handler/internal/respond/herror.go
new file mode 100644
index 0000000..97590c3
--- /dev/null
+++ b/internal/handler/internal/respond/herror.go
@@ -0,0 +1,30 @@
+package respond
+
+import (
+	"encoding/json"
+	"log"
+	"net/http"
+)
+
+type Error struct {
+	Code int    `json:"code"`
+	Text string `json:"text,omitempty"`
+}
+
+func ErrorWithCode(w http.ResponseWriter, httpCode, appCode int) {
+	w.WriteHeader(httpCode)
+	JSON(w, Error{Code: appCode})
+}
+
+func RespondErrorWithText(w http.ResponseWriter, httpCode, appCode int, errText string) {
+	w.WriteHeader(httpCode)
+	JSON(w, Error{Code: appCode, Text: errText})
+}
+
+func JSON(w http.ResponseWriter, v interface{}) {
+	w.Header().Set("Content-Type", "application/json")
+	err := json.NewEncoder(w).Encode(v)
+	if err != nil {
+		log.Printf("failed to encode response: %v", err)
+	}
+}
diff --git a/internal/handler/mw/auth/auth.go b/internal/handler/mw/auth/auth.go
new file mode 100644
index 0000000..09cd80f
--- /dev/null
+++ b/internal/handler/mw/auth/auth.go
@@ -0,0 +1,57 @@
+package auth
+
+import (
+	"context"
+	"net/http"
+
+	"github.com/pechorka/adhd-reader/internal/handler/internal/respond"
+)
+
+type AuthService interface {
+	ParseToken(token string) (int64, error)
+}
+
+type AuthMW struct {
+	svc AuthService
+}
+
+var ctxKeyUser struct{}
+var NotFoundUserID = int64(-1)
+
+func NewAuthMW(svc AuthService) *AuthMW {
+	return &AuthMW{svc: svc}
+}
+
+const basicPrefix = "Basic "
+
+func (mw *AuthMW) Auth(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		authHeader := r.Header.Get("Authorization")
+		if authHeader == "" || len(authHeader) < len(basicPrefix) {
+			respond.ErrorWithCode(w,
+				http.StatusUnauthorized,
+				respond.CODE_AUTH_HEADER_MISSING,
+			)
+			return
+		}
+		token := authHeader[len(basicPrefix):]
+		userID, err := mw.svc.ParseToken(token)
+		if err != nil {
+			respond.ErrorWithCode(w,
+				http.StatusUnauthorized,
+				respond.CODE_AUTH_TOKEN_INVALID,
+			)
+			return
+		}
+		ctx := context.WithValue(r.Context(), ctxKeyUser, userID)
+		next.ServeHTTP(w, r.WithContext(ctx))
+	})
+}
+
+func GetUserID(ctx context.Context) int64 {
+	userID, ok := ctx.Value(ctxKeyUser).(int64)
+	if !ok {
+		return NotFoundUserID
+	}
+	return userID
+}
diff --git a/internal/service/service.go b/internal/service/service.go
index 320ab10..3fb3858 100644
--- a/internal/service/service.go
+++ b/internal/service/service.go
@@ -9,6 +9,7 @@ import (
 	"github.com/pechorka/adhd-reader/internal/storage"
 
 	"github.com/pechorka/adhd-reader/pkg/chance"
+	"github.com/pechorka/adhd-reader/pkg/randstring"
 	"github.com/pechorka/adhd-reader/pkg/textspliter"
 	"github.com/pechorka/adhd-reader/pkg/webscraper"
 	"github.com/pkg/errors"
@@ -18,6 +19,7 @@ var ErrTextFinished = errors.New("text finished")
 var ErrFirstChunk = errors.New("first chunk")
 var ErrTextNotSelected = errors.New("text is not selected")
 var ErrTextNotUTF8 = errors.New("text is not valid utf8")
+var ErrInvalidToken = errors.New("invalid token")
 
 const telegramMessageLengthLimit = 4096
 
@@ -26,19 +28,31 @@ type Chancer interface {
 	PickWin(inputs ...chance.WinInput)
 }
 
+type Encryptor interface {
+	EncryptString(plaintext string) (string, error)
+	DecryptString(ciphertext string) (string, error)
+}
+
 type Service struct {
 	s         *storage.Storage
 	scrapper  *webscraper.WebScrapper
 	chancer   Chancer
+	encryptor Encryptor
 	chunkSize int64
 }
 
-func NewService(s *storage.Storage, scrapper *webscraper.WebScrapper, chunkSize int64) *Service {
+func NewService(
+	s *storage.Storage,
+	chunkSize int64,
+	scrapper *webscraper.WebScrapper,
+	encryptor Encryptor,
+) *Service {
 	return &Service{
 		s:         s,
-		scrapper:  scrapper,
 		chunkSize: chunkSize,
 		chancer:   chance.Default,
+		encryptor: encryptor,
+		scrapper:  scrapper,
 	}
 }
 
@@ -192,8 +206,8 @@ func paginateTexts(texts []storage.TextWithChunkInfo, page, pageSize int) ([]sto
 	return texts[start:end], end < len(texts)
 }
 
-func (s *Service) FullTexts(userID int64) ([]storage.FullText, error) {
-	return s.s.GetFullTexts(userID)
+func (s *Service) FullTexts(userID int64, after *time.Time) ([]storage.FullText, error) {
+	return s.s.GetFullTexts(userID, after)
 }
 
 func calculateCompletionPercent(text storage.TextWithChunkInfo) int {
@@ -236,7 +250,6 @@ func (s *Service) SelectText(userID int64, textUUID string) (storage.Text, error
 		for i, t := range texts.Texts {
 			if t.UUID == textUUID {
 				texts.Current = i
-				texts.Texts[i].ModifiedAt = time.Now()
 				text = t
 				return nil
 			}
@@ -268,6 +281,62 @@ func (s *Service) RenameText(userID int64, newName string) (string, error) {
 	return oldName, err
 }
 
+type SyncText struct {
+	TextUUID     string
+	CurrentChunk int64
+	ModifiedAt   time.Time
+	Deleted      bool
+}
+
+func (s *Service) SyncTexts(userID int64, texts []SyncText) ([]SyncText, error) {
+	syncTextMap := make(map[string]SyncText, len(texts))
+	for _, t := range texts {
+		if t.Deleted {
+			err := s.s.DeleteTextByUUID(userID, t.TextUUID)
+			if err != nil {
+				return nil, err
+			}
+			continue
+		}
+		syncTextMap[t.TextUUID] = t
+	}
+	var result []SyncText
+	err := s.s.UpdateTexts(userID, func(texts *storage.UserTexts) error {
+		for i := range texts.Texts {
+			t := texts.Texts[i]
+			syncText, ok := syncTextMap[t.UUID]
+			if !ok {
+				continue
+			}
+			delete(syncTextMap, t.UUID)
+			if syncText.ModifiedAt.After(t.ModifiedAt) {
+				t.CurrentChunk = syncText.CurrentChunk
+				t.ModifiedAt = syncText.ModifiedAt
+				texts.Texts[i] = t
+				continue
+			}
+			// text on server is newer
+			result = append(result, SyncText{
+				TextUUID:     t.UUID,
+				CurrentChunk: t.CurrentChunk,
+				ModifiedAt:   t.ModifiedAt,
+			})
+		}
+		return nil
+	})
+	if err != nil {
+		return nil, errors.Wrap(err, "failed to update texts")
+	}
+	// all texts that are left in syncTextMap are not found on server
+	for _, t := range syncTextMap {
+		result = append(result, SyncText{
+			TextUUID: t.TextUUID,
+			Deleted:  true,
+		})
+	}
+	return result, err
+}
+
 func (s *Service) SetPage(userID, page int64) error {
 	_, err := s.s.SelectChunk(userID, func(_ storage.Text, _, totalChunks int64) (nextChunk int64, err error) {
 		if page >= totalChunks || page < 0 {
@@ -307,13 +376,18 @@ func (s *Service) CurrentOrFirstChunk(userID int64) (storage.Text, string, Chunk
 
 type ChunkType string
 
+func (c ChunkType) String() string {
+	return string(c)
+}
+
 const (
 	ChunkTypeFirst ChunkType = "first"
 	ChunkTypeLast  ChunkType = "last"
+	ChunkTypeOther ChunkType = "other"
 )
 
 func (s *Service) selectChunk(userID int64, selectChunk storage.SelectChunkFunc) (storage.Text, string, ChunkType, error) {
-	var chunkType ChunkType
+	var chunkType ChunkType = ChunkTypeOther
 	var curText storage.Text
 	text, err := s.s.SelectChunk(userID, func(text storage.Text, curChunk, totalChunks int64) (nextChunk int64, err error) {
 		curText = text
@@ -829,3 +903,51 @@ func (s *Service) GetStatsAndLevel(userID int64) (*Stat, *Level, error) {
 	}
 	return mapDbStatToServiceStat(&dbStat), mapDbLevelToServiceLevel(&dbLevel), nil
 }
+
+func (s *Service) GetAuthToken(userID int64) (string, error) {
+	token, err := s.s.GetTokenByUserID(userID)
+	switch err {
+	case nil:
+		return token, nil
+	case storage.ErrNotFound:
+	default:
+		return "", err
+	}
+	return s.newToken(userID)
+}
+
+func (s *Service) ReIssueAuthToken(userID int64) (string, error) {
+	err := s.s.DeleteAuthToken(userID)
+	if err != nil && err != storage.ErrNotFound {
+		return "", errors.Wrap(err, "failed to delete auth token")
+	}
+	return s.newToken(userID)
+}
+
+func (s *Service) ParseToken(token string) (int64, error) {
+	rawToken, err := s.encryptor.DecryptString(token)
+	if err != nil {
+		return 0, ErrInvalidToken
+	}
+	userID, err := s.s.GetUserIDByAuthToken(rawToken)
+	if err != nil {
+		if err == storage.ErrNotFound {
+			return 0, ErrInvalidToken
+		}
+		return 0, errors.Wrap(err, "failed to get user id by auth token")
+	}
+	return userID, nil
+}
+
+func (s *Service) newToken(userID int64) (string, error) {
+	rawToken := randstring.Generate(32)
+	token, err := s.encryptor.EncryptString(rawToken)
+	if err != nil {
+		return "", errors.Wrap(err, "failed to encrypt token")
+	}
+	err = s.s.SetAuthToken(userID, rawToken)
+	if err != nil {
+		return "", errors.Wrap(err, "failed to set auth token")
+	}
+	return token, nil
+}
diff --git a/internal/service/service_integration_test.go b/internal/service/service_integration_test.go
index 73cd343..a2d3296 100644
--- a/internal/service/service_integration_test.go
+++ b/internal/service/service_integration_test.go
@@ -6,6 +6,7 @@ import (
 	"os"
 	"path/filepath"
 	"testing"
+	"time"
 
 	"github.com/pechorka/adhd-reader/internal/storage"
 	"github.com/pechorka/adhd-reader/pkg/chance"
@@ -15,7 +16,7 @@ import (
 )
 
 func TestService_ListTexts(t *testing.T) {
-	srv := NewService(testStorage(t), nil, 100)
+	srv := NewService(testStorage(t), 100, nil, nil)
 	userID := rand.Int63()
 
 	text1ID, err := srv.AddText(userID, "text1Name", "text1")
@@ -34,7 +35,7 @@ func TestService_ListTexts(t *testing.T) {
 }
 
 func TestService_ListTextsPagination(t *testing.T) {
-	srv := NewService(testStorage(t), nil, 100)
+	srv := NewService(testStorage(t), 100, nil, nil)
 	userID := rand.Int63()
 
 	text1ID, err := srv.AddText(userID, "text1Name", "text1")
@@ -64,7 +65,7 @@ func TestService_ListTextsPagination(t *testing.T) {
 }
 
 func TestService_SelectText(t *testing.T) {
-	srv := NewService(testStorage(t), nil, 100)
+	srv := NewService(testStorage(t), 100, nil, nil)
 	userID := rand.Int63()
 
 	text1ID, err := srv.AddText(userID, "text1Name", "text1")
@@ -91,7 +92,7 @@ func TestService_SelectText(t *testing.T) {
 }
 
 func TestService_DeleteTextByUUID(t *testing.T) {
-	srv := NewService(testStorage(t), nil, 100)
+	srv := NewService(testStorage(t), 100, nil, nil)
 	userID := rand.Int63()
 
 	text1ID, err := srv.AddText(userID, "text1Name", "text1")
@@ -124,7 +125,7 @@ func TestService_DeleteTextByUUID(t *testing.T) {
 }
 
 func TestService_DeleteTextByName(t *testing.T) {
-	srv := NewService(testStorage(t), nil, 100)
+	srv := NewService(testStorage(t), 100, nil, nil)
 	userID := rand.Int63()
 
 	_, err := srv.AddText(userID, "text1Name", "text1")
@@ -157,7 +158,7 @@ func TestService_DeleteTextByName(t *testing.T) {
 }
 
 func TestService_PageNavigation(t *testing.T) {
-	srv := NewService(testStorage(t), nil, 5)
+	srv := NewService(testStorage(t), 5, nil, nil)
 	userID := rand.Int63()
 	textID, err := srv.AddText(
 		userID, "textName",
@@ -192,7 +193,7 @@ func TestService_PageNavigation(t *testing.T) {
 }
 
 func TestService_SetPage(t *testing.T) {
-	srv := NewService(testStorage(t), nil, 5)
+	srv := NewService(testStorage(t), 5, nil, nil)
 	userID := rand.Int63()
 	textID, err := srv.AddText(
 		userID, "textName",
@@ -223,7 +224,7 @@ func TestService_SetPage(t *testing.T) {
 
 func TestService_SetChunkSize(t *testing.T) {
 	store := testStorage(t)
-	srv := NewService(store, nil, 5)
+	srv := NewService(store, 5, nil, nil)
 	userID := rand.Int63()
 
 	err := srv.SetChunkSize(userID, -1)
@@ -235,10 +236,48 @@ func TestService_SetChunkSize(t *testing.T) {
 	require.NoError(t, err)
 }
 
+func TestService_SyncTexts(t *testing.T) {
+	srv := NewService(testStorage(t), 100, nil, nil)
+	userID := rand.Int63()
+
+	text1ID, err := srv.AddText(userID, "text1Name", "text1")
+	require.NoError(t, err)
+	text2ID, err := srv.AddText(userID, "text2Name", "text2")
+	require.NoError(t, err)
+	text3ID, err := srv.AddText(userID, "text3Name", "text3")
+	require.NoError(t, err)
+	nonExistentTextID := "nonexistent"
+
+	now := time.Now()
+	syncTexts := []SyncText{
+		// date on server is newer, so mobile should be updated
+		{TextUUID: text1ID, ModifiedAt: now.AddDate(0, 0, -1), CurrentChunk: 10},
+		// date on server is older, so server should be updated
+		{TextUUID: text2ID, ModifiedAt: now.AddDate(0, 0, 1), CurrentChunk: 20},
+		// text is deleted on mobile
+		{TextUUID: text3ID, Deleted: true},
+		// text is deleted on server
+		{TextUUID: nonExistentTextID, ModifiedAt: now.AddDate(0, 0, -1), CurrentChunk: 10},
+	}
+
+	syncOnMobile, err := srv.SyncTexts(userID, syncTexts)
+	require.NoError(t, err)
+	require.Len(t, syncOnMobile, 2)
+	require.Equal(t, text1ID, syncOnMobile[0].TextUUID)
+	require.EqualValues(t, storage.NotSelected, syncOnMobile[0].CurrentChunk)
+	require.Equal(t, nonExistentTextID, syncOnMobile[1].TextUUID)
+	require.True(t, syncOnMobile[1].Deleted)
+
+	texts, more, err := srv.ListTexts(userID, 1, 50)
+	require.NoError(t, err)
+	require.False(t, more)
+	require.Len(t, texts, 2)
+}
+
 func TestDustOnNextChunk(t *testing.T) {
 	t.Run("dust is added", func(t *testing.T) {
 		store := testStorage(t)
-		srv := NewService(store, nil, 5)
+		srv := NewService(store, 5, nil, nil)
 		srv.chancer = &mockChancer{
 			winResult:          true,
 			pickWinResultIndex: 0, // index of red dust
@@ -254,7 +293,7 @@ func TestDustOnNextChunk(t *testing.T) {
 
 	t.Run("dust is not added", func(t *testing.T) {
 		store := testStorage(t)
-		srv := NewService(store, nil, 5)
+		srv := NewService(store, 5, nil, nil)
 		srv.chancer = &mockChancer{
 			winResult: false,
 		}
diff --git a/internal/storage/storage.go b/internal/storage/storage.go
index 3d5bd8c..e2bf00f 100644
--- a/internal/storage/storage.go
+++ b/internal/storage/storage.go
@@ -15,7 +15,10 @@ import (
 	bolt "go.etcd.io/bbolt"
 )
 
-var ErrNotFound = errors.New("not found")
+var (
+	ErrNotFound      = errors.New("not found")
+	ErrAlreadyExists = errors.New("already exists")
+)
 
 const NotSelected = -1
 
@@ -28,6 +31,7 @@ var (
 	bktStat           = []byte("stat")
 	bktRecipe         = []byte("recipe")
 	bktUserRecipe     = []byte("user_recipe")
+	bktAuth           = []byte("auth")
 )
 
 var (
@@ -204,7 +208,7 @@ func (s *Storage) GetTexts(id int64) ([]TextWithChunkInfo, error) {
 	return result, err
 }
 
-func (s *Storage) GetFullTexts(id int64) ([]FullText, error) {
+func (s *Storage) GetFullTexts(id int64, after *time.Time) ([]FullText, error) {
 	var result []FullText
 	err := s.db.View(func(tx *bolt.Tx) error {
 		b := tx.Bucket(bktUserInfo)
@@ -216,6 +220,11 @@ func (s *Storage) GetFullTexts(id int64) ([]FullText, error) {
 		if err != nil {
 			return err
 		}
+		if after != nil {
+			texts.Texts = filterTexts(texts.Texts, func(text Text) bool {
+				return text.CreatedAt.After(*after)
+			})
+		}
 		result, err = fullTexts(tx, texts)
 		return err
 	})
@@ -342,6 +351,9 @@ func (s *Storage) deleteTextBy(userID int64, predicate func(Text) bool) error {
 				if texts.Current == i {
 					texts.Current = NotSelected
 				}
+				if texts.Current > i {
+					texts.Current--
+				}
 				found = true
 				break
 			}
@@ -605,6 +617,88 @@ func (s *Storage) UpdateUserRecipe(userID int64, recipeName string, updFunc func
 	return &userRecipe, err
 }
 
+func (s *Storage) SetAuthToken(userID int64, token string) error {
+	return s.db.Update(func(tx *bolt.Tx) error {
+		b, err := tx.CreateBucketIfNotExists(bktAuth)
+		if err != nil {
+			return err
+		}
+		byteUserID := int64ToBytes(userID)
+		if b.Get(byteUserID) != nil {
+			return ErrAlreadyExists
+		}
+		byteToken := []byte(token)
+		if dbUserID := b.Get(byteToken); dbUserID != nil {
+			if bytes.Equal(dbUserID, byteUserID) {
+				return nil
+			}
+			return ErrAlreadyExists
+		}
+		if err = b.Put(byteToken, byteUserID); err != nil {
+			return errors.Wrap(err, "failed to put user id by token")
+		}
+		if err = b.Put(byteUserID, byteToken); err != nil {
+			return errors.Wrap(err, "failed to put token by user id")
+		}
+		return nil
+	})
+}
+
+func (s *Storage) GetUserIDByAuthToken(token string) (int64, error) {
+	var userID int64
+	err := s.db.View(func(tx *bolt.Tx) error {
+		b := tx.Bucket(bktAuth)
+		if b == nil {
+			return ErrNotFound
+		}
+		byteUserID := b.Get([]byte(token))
+		if byteUserID == nil {
+			return ErrNotFound
+		}
+		userID = bytesToInt64(byteUserID)
+		return nil
+	})
+	return userID, err
+}
+
+func (s *Storage) GetTokenByUserID(userID int64) (string, error) {
+	var token string
+	err := s.db.View(func(tx *bolt.Tx) error {
+		b := tx.Bucket(bktAuth)
+		if b == nil {
+			return ErrNotFound
+		}
+		byteToken := b.Get(int64ToBytes(userID))
+		if byteToken == nil {
+			return ErrNotFound
+		}
+		token = string(byteToken)
+		return nil
+	})
+	return token, err
+}
+
+func (s *Storage) DeleteAuthToken(userID int64) error {
+	return s.db.Update(func(tx *bolt.Tx) error {
+		b := tx.Bucket(bktAuth)
+		if b == nil {
+			return ErrNotFound
+		}
+		byteUserID := int64ToBytes(userID)
+		byteToken := b.Get(byteUserID)
+		if byteToken == nil {
+			return ErrNotFound
+		}
+		if err := b.Delete(byteToken); err != nil {
+			return errors.Wrap(err, "failed to delete token by user id")
+		}
+		if err := b.Delete(byteUserID); err != nil {
+			return errors.Wrap(err, "failed to delete user id by token")
+		}
+		return nil
+	})
+}
+
 // helper functions
 
 var textsPrefix = []byte("texts-")
@@ -621,6 +715,16 @@ func getTexts(b *bolt.Bucket, id []byte) (texts UserTexts, err error) {
 	return unmarshalTexts(v)
 }
 
+func filterTexts(texts []Text, predicate func(Text) bool) []Text {
+	result := make([]Text, 0, len(texts))
+	for _, text := range texts {
+		if predicate(text) {
+			result = append(result, text)
+		}
+	}
+	return result
+}
+
 func unmarshalTexts(v []byte) (texts UserTexts, err error) {
 	err = json.Unmarshal(v, &texts)
 	if err != nil {
diff --git a/pkg/encryptor/encryptor.go b/pkg/encryptor/encryptor.go
new file mode 100644
index 0000000..b6f683f
--- /dev/null
+++ b/pkg/encryptor/encryptor.go
@@ -0,0 +1,39 @@
+package encryptor
+
+import (
+	"encoding/base64"
+
+	"github.com/gtank/cryptopasta"
+	"github.com/pkg/errors"
+)
+
+type Encryptor struct {
+	secret *[32]byte
+}
+
+func NewEncryptor(secretString string) *Encryptor {
+	secret := &[32]byte{}
+	copy(secret[:], secretString)
+	return &Encryptor{secret: secret}
+}
+
+func (e *Encryptor) EncryptString(plaintext string) (string, error) {
+	encryptedBytes, err := cryptopasta.Encrypt([]byte(plaintext), e.secret)
+	if err != nil {
+		return "", errors.Wrap(err, "failed to encrypt string")
+	}
+	b64 := base64.StdEncoding.EncodeToString(encryptedBytes)
+	return b64, nil
+}
+
+func (e *Encryptor) DecryptString(ciphertext string) (string, error) {
+	decodedBytes, err := base64.StdEncoding.DecodeString(ciphertext)
+	if err != nil {
+		return "", errors.Wrap(err, "failed to decode string")
+	}
+	decryptedBytes, err := cryptopasta.Decrypt(decodedBytes, e.secret)
+	if err != nil {
+		return "", errors.Wrap(err, "failed to decrypt string")
+	}
+	return string(decryptedBytes), nil
+}
diff --git a/pkg/randstring/randstring.go b/pkg/randstring/randstring.go
new file mode 100644
index 0000000..7f346bc
--- /dev/null
+++ b/pkg/randstring/randstring.go
@@ -0,0 +1,13 @@
+package randstring
+
+import "math/rand"
+
+var alphabet = []rune("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")
+
+func Generate(n int) string {
+	b := make([]rune, n)
+	for i := range b {
+		b[i] = alphabet[rand.Intn(len(alphabet))]
+	}
+	return string(b)
+}