
Joplin Review: The Open-Source, Privacy-First Note App for Developers

Joplin offers E2EE sync, Markdown-native editing, a plugin API, and full data portability — all free and open source. Here's where it excels and where it falls short.


If you’ve spent any time evaluating note-taking apps as a developer, you’ve likely landed on the same shortlist: Notion for teams, Obsidian for the graph-obsessed, Bear or Apple Notes if you’re entrenched in the Apple ecosystem. Joplin rarely shows up in the first breath of that conversation — which is strange, because it solves a specific set of problems better than any of them. It’s fully open source, stores notes in an open format, supports end-to-end encrypted sync across every major platform, and exposes a plugin API that lets you extend it with JavaScript or TypeScript. It’s been in active development since 2016 and has a real community around it.

This review focuses on what Joplin actually delivers for developer workflows: how its sync and encryption work in practice, where the plugin ecosystem stands, what the pricing looks like if you want managed sync, and what you should know before committing your notes to it.

What Joplin Gets Right

Markdown as a first-class citizen

Joplin’s editor handles Markdown natively. You can write in raw Markdown with a live preview pane, switch to a rich-text (WYSIWYG) mode, or toggle between the two. Code blocks render with syntax highlighting. Math expressions work via KaTeX. Diagrams are supported through Mermaid. If you’re the kind of developer who already writes everything in Markdown — READMEs, runbooks, design docs — Joplin’s editor won’t fight you.

The note format is standard Markdown stored in a local SQLite database, with attachments saved alongside. That means you can always extract your notes without proprietary tooling. Joplin supports export to Markdown files, HTML, and PDF, and it can import Evernote’s .enex format if you’re migrating from there.

Sync with actual encryption

This is where Joplin earns its reputation. When you enable sync — whether to Joplin Cloud, Dropbox, OneDrive, WebDAV, or a self-hosted Nextcloud — you can enable end-to-end encryption. E2EE uses AES-256, with a key derived from your master password via PBKDF2. Both note content and attachments are encrypted before they leave your device. The cloud provider, and Joplin itself if you use Joplin Cloud, cannot read your notes.

The setup requires a few manual steps: you generate a master key, save the password somewhere safe (losing it means losing access to your encrypted notes), and E2EE is enabled per-client. It’s not quite automatic, but it’s significantly more straightforward than rolling your own encrypted sync.
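The flow described in this section, sketched as an added example (not Joplin's code or on-disk format): a key is derived from the master password with PBKDF2, and the note is encrypted with AES-256 before it leaves the client. The GCM mode, iteration count, salt size, envelope fields and all function names are assumptions made for the illustration, and the sample note and passwords are constructed.

```javascript
// Added illustration of password-based encryption before sync; not Joplin's code.
const crypto = require('node:crypto');

// Assumed parameters for this sketch (Joplin's real values and format may differ).
const KDF = { iterations: 210000, digest: 'sha512', saltBytes: 16, keyBytes: 32 };

// PBKDF2 stretches the master password into a 256-bit AES key.
function deriveKey(password, salt) {
  return crypto.pbkdf2Sync(password, salt, KDF.iterations, KDF.keyBytes, KDF.digest);
}

// Runs on the client; only the returned envelope is sent to the sync target.
function encryptForSync(password, plaintext) {
  const salt = crypto.randomBytes(KDF.saltBytes);
  const iv = crypto.randomBytes(12); // fresh nonce for every item
  const cipher = crypto.createCipheriv('aes-256-gcm', deriveKey(password, salt), iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const b64 = (buf) => buf.toString('base64');
  return { salt: b64(salt), iv: b64(iv), tag: b64(cipher.getAuthTag()), ct: b64(ct) };
}

// Returns the plaintext, or null when the password is wrong or the item was altered.
function decryptFromSync(password, env) {
  const bin = (s) => Buffer.from(s, 'base64');
  const key = deriveKey(password, bin(env.salt));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, bin(env.iv));
  decipher.setAuthTag(bin(env.tag));
  try {
    return Buffer.concat([decipher.update(bin(env.ct)), decipher.final()]).toString('utf8');
  } catch (err) {
    return null; // GCM tag check failed: without the right password there is no recovery
  }
}

// Constructed sample note and passwords.
const note = '# Runbook\nRotate the staging database credentials on Friday.';
const stored = encryptForSync('correct horse battery staple', note);
console.log('sync target holds:', stored.ct.slice(0, 32) + '...');
console.log('right password   :', decryptFromSync('correct horse battery staple', stored) === note);
console.log('wrong password   :', decryptFromSync('correct horse battery stapler', stored));
```

The `null` result for the wrong password is the practical meaning of "losing it means losing access": the sync target holds nothing that can stand in for the password.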

The free tier here is meaningful: you don’t need to pay anything to use Joplin with E2EE. You can point it at your own Dropbox or Nextcloud and get encrypted sync at no cost. Joplin Cloud’s paid plans (roughly €3/month for Basic, €6/month for Pro at the time of writing) exist primarily for managed storage and collaboration features, not for unlocking encryption — that stays free regardless.

A real plugin API

Joplin exposes a JavaScript/TypeScript plugin API that runs plugins in isolated processes, which keeps them from destabilizing the main app. Plugins can access note content, manipulate the editor, add toolbar buttons, and interact with the data layer. The development workflow is standard Node.js: you scaffold a plugin project, run Joplin in a development mode that uses a sandboxed profile, iterate, and package.

There are well over a hundred community plugins available. Practically useful ones include enhanced Markdown rendering, integration with task managers, note templates, and various import/export tools. The plugin repository lives in the Joplin app itself under Tools → Options → Plugins — installation is one click.

If you want to go further, Joplin ships a terminal application and a Data API that can be queried programmatically. There are community-built CLI wrappers around the Data API for scripting workflows from the command line. This is not a full API-first tool the way Notion is, but for automating note capture or extraction from shell scripts, it’s functional.

Cross-platform and offline-first

Joplin runs on Windows, macOS, Linux, iOS, and Android. Desktop and mobile clients are all available. “Offline first” is a genuine design constraint, not marketing copy: all your notes exist locally on every synced device, and sync resolves conflicts when you reconnect. If you work on a plane, in a building with spotty connectivity, or just don’t want cloud dependency for daily use, this matters.

Where Joplin Falls Short

Inconsistent mobile experience

The desktop app is polished. The mobile apps, especially iOS, have historically lagged behind. The rich-text editor is not available on iOS; you write in Markdown only. The interface on mobile is functional but not optimized for tablets or larger screens. If mobile note capture is a frequent part of your workflow, you’ll notice the gap.

Local notes are not encrypted at rest

This is a genuine limitation worth stating plainly. E2EE protects notes in transit and at the sync target, but notes stored locally on your device are not encrypted at rest. The local SQLite database sits on disk in readable form. Joplin offers biometric locking to protect against casual access, but that’s app-level access control, not encryption. If your device is compromised or imaged, your local notes are readable. For most developer use cases this is acceptable, because your OS disk encryption (FileVault, BitLocker) provides a first layer. That layer only protects the database while the volume is locked, though, so it’s not the same as the app encrypting its local store.

No web client

There is no browser-based way to access your Joplin notes. If you’re on a machine where you can’t install the desktop app, you’re locked out. For some workflows this is fine; for others — shared machines, jump servers, quick access from a colleague’s computer — it’s a meaningful gap.

Collaboration is limited

Joplin supports shared notebooks on Joplin Cloud’s paid plans, and notes can be published to the web as read-only links. But there’s no real-time collaborative editing. If you’re writing runbooks or documentation with a team that expects simultaneous editing, Joplin isn’t the right tool. That’s Notion or Confluence territory.

Storage limits on Joplin Cloud Basic

The Basic plan’s 1 GB storage limit with a 10 MB per-note cap is tight if you’re attaching large files or storing a lot of images. The Pro plan’s 10 GB and 200 MB per-note limits are more practical. If you’re using Dropbox or your own WebDAV server for sync, these limits don’t apply — but then you’re managing that infrastructure yourself.

Who Should Use Joplin

Joplin fits well if you want a self-contained note-taking tool that you fully control, works offline, and doesn’t require trusting a SaaS company with unencrypted note data. It’s a reasonable choice for developers who:

  • Write primarily in Markdown and don’t need database-style structured content (that’s Notion’s domain).
  • Want encrypted sync without paying for it, and are comfortable pointing Joplin at their own cloud storage.
  • Value open-source auditability — you can read the source, build from it, and extend it.
  • Work mostly on desktop and treat mobile as secondary.

It’s a worse fit if you need real-time collaboration, a web client, heavy mobile use, or the kind of linked-graph navigation that Obsidian’s approach provides. Obsidian stores notes as flat .md files in a folder you control, which makes it easier to use with other tools like Git or external editors; Joplin’s SQLite-based local store is less composable with the broader file-system toolchain.

PCMag has previously awarded Joplin its Editors’ Choice for open-source note-taking, and the app’s GitHub repository shows consistent, active maintenance. The project is real and not going anywhere. But it’s also not trying to be everything — it has a clear scope, and working within that scope is the condition for having a good experience with it.

FAQ

Is Joplin actually free, or is there a catch?

The Joplin app itself is free and open source with no paid tier required to use core features including end-to-end encryption. The paid plans (Joplin Cloud Basic and Pro) are optional and provide managed cloud sync storage. You can use Joplin entirely for free by syncing to your own Dropbox, OneDrive, or Nextcloud account.

How does Joplin's E2EE compare to something like Standard Notes?

Both use AES-256 encryption derived from a master password. The key practical difference is ecosystem scope: Standard Notes is built around encryption as its primary feature and offers a broader set of editors and extensions on its paid plan. Joplin's encryption is solid but is one feature among many rather than the central product identity. Standard Notes also has a web client; Joplin does not.

Can I write Joplin plugins without knowing TypeScript?

Yes. The plugin system defaults to TypeScript but plain JavaScript is supported. You need Node.js installed and familiarity with npm-style tooling to scaffold and run a plugin project. The Joplin team maintains official documentation and a generator to bootstrap new plugins, so the setup friction is low if you already work in a JavaScript environment.


Some links above are affiliate links. We may earn a commission if you sign up. See our disclosure for details.
