What you’re about to do
You’ll create a Google Sheet, paste in a small script that turns it into your private database, and publish it so only Murmur (with your secret token) can talk to it. Nothing is installed on your computer, and no one else — including us — can read it.
Step 1 — Create your Sheet
- Go to sheets.new — a blank Google Sheet opens. Give it a name like “Murmur Data”.
- In the menu, click Extensions ▸ Apps Script. A new tab opens with a code editor containing
function myFunction() {}.
Step 2 — Paste the script
- Open user.gs — it’s plain text. Select all (
Ctrl+A/⌘A) and copy (Ctrl+C). - Back in the Apps Script tab, select everything in the editor and paste over it, so the script is the only thing there.
- Near the top you’ll see:
var TOKEN = 'CHANGE_ME_to_a_long_random_secret';
ReplaceCHANGE_ME_to_a_long_random_secretwith your own long random string (e.g. mash the keyboard — 30+ characters). This is your secret token — keep it safe, you’ll paste it into Murmur in a minute. - Save with
Ctrl+S(or the 💾 icon).
Step 3 — Publish it
- Click Deploy ▸ New deployment (top right).
- Click the ⚙️ gear next to “Select type” and choose Web app.
- Set Execute as: Me and Who has access: Anyone.
“Anyone” means anyone can reach the URL — but every request must carry your secret token, so without it they get rejected. This is required for your browser to talk to the sheet. - Click Deploy. Google will ask you to authorize. Choose your account → you may see “Google hasn’t verified this app” → click Advanced ▸ Go to (your project) → Allow. (You’re authorizing your own script to use your own sheet.)
- Copy the Web app URL. It ends in
/exec.
Step 4 — Connect Murmur
- Open Murmur → Create account.
- Enter your email, a password, and your display name.
Your password never leaves your device — it derives the key that encrypts your sheet connection. If you lose it, it cannot be recovered. - Paste the Web app URL and the secret token you chose in Step 2.
- Click Create account & sync. Murmur pings your script first, so a wrong URL or token is caught immediately.
Updating the script later ⚠️
This trips up almost everyone. When you paste in a newer version of the script, you must update your existing deployment — otherwise your old URL keeps running the old code:
- ✅ Deploy ▸ Manage deployments ▸ ✏️ Edit ▸ Version: New version ▸ Deploy — same URL, new code.
- ❌ Deploy ▸ New deployment — creates a different URL. Your account still points at the old one, so nothing appears to change.
If Murmur says “Your Apps Script is out of date”, this is the fix.
Image uploads (optional)
The script can upload images to a “Murmur Uploads” folder in your Drive. Because it uses Drive, redeploying will ask you to authorize Drive access as well. To render in a browser, uploaded files are set to “anyone with the link”— unlisted, but reachable by anyone who has the URL. If you’d rather not, just paste image URLs instead; both options are offered in the composer.
For operators (hosting Murmur yourself)
If you’re deploying Murmur for others, you also need the master script — the login directory. It stores only ciphertext, so it can’t read anyone’s notes.
- Create a second Sheet → Apps Script → paste master.gs → deploy as a Web app (Execute as Me, access Anyone).
- Set the URL as
NEXT_PUBLIC_MASTER_SCRIPT_URLin your host’s environment variables. The setup screen then disappears for your users.
Troubleshooting
- “Could not reach your private Apps Script” — the URL must end in
/exec(not/dev), and access must be Anyone. - “Your sheet rejected the request”— the token in Murmur doesn’t match
TOKENin your script. - “Your Apps Script is out of date” — redeploy via Manage deployments ▸ Edit ▸ New version (see above).
- Still stuck? Open an issue on GitHub — happy to help.