diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
index 4616804..c1e22b9 100644
--- a/RELEASE_NOTES.md
+++ b/RELEASE_NOTES.md
@@ -1,3 +1,86 @@
+## Stegasoo v4.2.1
+
+### API Security
+
+#### API Key Authentication
+- All protected endpoints now require `X-API-Key` header
+- Keys stored hashed (SHA-256) in `~/.stegasoo/api_keys.json`
+- Auth disabled when no keys configured (easy onboarding)
+- Public endpoints remain open: `/`, `/docs`, `/modes`, `/auth/status`
+
+#### TLS Support
+- Self-signed certificates auto-generated on first run
+- Certs valid for localhost, all local IPs, hostname.local
+- Stored in `~/.stegasoo/certs/`
+- CLI: `stegasoo api tls generate` to pre-generate
+
+### CLI Improvements
+
+#### New API Management Commands
+```bash
+stegasoo api keys list           # List API keys
+stegasoo api keys create NAME    # Create new key (shown once!)
+stegasoo api keys delete NAME    # Delete key
+stegasoo api tls generate        # Generate TLS cert
+stegasoo api tls info            # Show cert info
+stegasoo api serve               # Start with TLS (default)
+```
+
+#### New Image Tools
+```bash
+stegasoo tools compress IMG -q 75   # JPEG compression
+stegasoo tools rotate IMG -r 90     # Rotation (jpegtran for JPEGs)
+stegasoo tools rotate IMG --flip-h  # Flip-only
+stegasoo tools convert IMG -f png   # Format conversion
+```
+
+### Bug Fixes
+
+- **DCT rotation**: Portrait photos no longer export rotated 90 degrees
+- **jpegtran**: Removed `-trim` flag that destroyed DCT stego data
+- **CLI encode**: Now outputs JPEG when carrier is JPEG (was always PNG)
+- **EXIF viewer**: Redesigned with card-based grid layout
+
+### AUR Packages
+
+Three package options now available:
+
+| Package | Size | Contents |
+|---------|------|----------|
+| `stegasoo-git` | 79MB | Full (Web UI + API + CLI) |
+| `stegasoo-api-git` | 74MB | REST API + CLI only |
+| `stegasoo-cli-git` | 68MB | CLI only |
+
+### Quick Start
+
+```bash
+# Create API key
+stegasoo api keys create mykey
+
+# Start API server (TLS by default)
+stegasoo api serve
+
+# Use API
+curl -k -H "X-API-Key: stegasoo_xxxx_..." https://localhost:8000/
+```
+
+### Raspberry Pi Image
+Download `stegasoo-rpi-4.2.1.img.zst` from Releases.
+
+```bash
+# Flash (auto-detects SD card)
+sudo ./rpi/flash-image.sh stegasoo-rpi-4.2.1.img.zst
+```
+
+Default login: `admin` / `stegasoo`
+
+### Docker
+```bash
+docker-compose -f docker/docker-compose.yml up -d
+```
+
+---
+
 ## Stegasoo v4.2.0
 
 ### Performance Optimizations
@@ -55,32 +138,8 @@ Major performance improvements for Raspberry Pi and resource-constrained deploym
 |--------|--------|--------|-------------|
 | Decode (1MB) | ~2.6s | ~0.8s | **70% faster** |
 | Peak RAM | 211 MB | 107 MB | **50% less** |
-| Concurrent API | No | Yes | ✓ |
+| Concurrent API | No | Yes | check |
 | QR Compression | zlib | zstd | **~15% smaller** |
 
-### Raspberry Pi Image
-Download `stegasoo-rpi-4.2.0_final.img.zst` from Releases.
-
-```bash
-# Flash (auto-detects SD card)
-sudo ./rpi/flash-image.sh stegasoo-rpi-4.2.0_final.img.zst
-
-# Or manual
-zstdcat stegasoo-rpi-4.2.0_final.img.zst | sudo dd of=/dev/sdX bs=4M status=progress
-```
-
-Default login: `admin` / `stegasoo`
-
-### Docker
-```bash
-# Build and run
-docker build -f docker/Dockerfile.base -t stegasoo-base:latest .
-docker-compose -f docker/docker-compose.yml up -d
-
-# Or individual services
-docker-compose -f docker/docker-compose.yml up -d web  # Web UI on :5000
-docker-compose -f docker/docker-compose.yml up -d api  # REST API on :8000
-```
-
 ### Full Changelog
 See [CHANGELOG.md](CHANGELOG.md) for complete version history.
diff --git a/aur-cli/PKGBUILD b/aur-cli/PKGBUILD
index 1cdc5ec..55224a4 100644
--- a/aur-cli/PKGBUILD
+++ b/aur-cli/PKGBUILD
@@ -29,7 +29,7 @@ sha256sums=('SKIP')
 pkgver() {
     cd "$pkgname"
     git describe --long --tags 2>/dev/null | sed 's/^v//;s/\([^-]*-g\)/r\1/;s/-/./g' || \
-    printf "%s.r%s.g%s" "4.2.0" "$(git rev-list --count HEAD)" "$(git rev-parse --short HEAD)"
+    printf "%s.r%s.g%s" "4.2.1" "$(git rev-list --count HEAD)" "$(git rev-parse --short HEAD)"
 }
 
 build() {
diff --git a/aur/PKGBUILD b/aur/PKGBUILD
index 242176c..1152a79 100644
--- a/aur/PKGBUILD
+++ b/aur/PKGBUILD
@@ -27,7 +27,7 @@ sha256sums=('SKIP')
 pkgver() {
     cd "$pkgname"
     git describe --long --tags 2>/dev/null | sed 's/^v//;s/\([^-]*-g\)/r\1/;s/-/./g' || \
-    printf "%s.r%s.g%s" "4.2.0" "$(git rev-list --count HEAD)" "$(git rev-parse --short HEAD)"
+    printf "%s.r%s.g%s" "4.2.1" "$(git rev-list --count HEAD)" "$(git rev-parse --short HEAD)"
 }
 
 build() {
diff --git a/docker/Dockerfile.base b/docker/Dockerfile.base
index 6f29021..c174e68 100644
--- a/docker/Dockerfile.base
+++ b/docker/Dockerfile.base
@@ -54,4 +54,4 @@ RUN python -c "import jpegio; import scipy; import numpy; import zstandard; prin
 # Label for tracking
 LABEL org.opencontainers.image.title="Stegasoo Base"
 LABEL org.opencontainers.image.description="Pre-compiled dependencies for Stegasoo"
-LABEL org.opencontainers.image.version="4.2.0"
+LABEL org.opencontainers.image.version="4.2.1"
diff --git a/frontends/api/main.py b/frontends/api/main.py
index e06937a..ae7fb1d 100644
--- a/frontends/api/main.py
+++ b/frontends/api/main.py
@@ -1,10 +1,15 @@
 #!/usr/bin/env python3
 """
-Stegasoo REST API (v4.2.0)
+Stegasoo REST API (v4.2.1)
 
 FastAPI-based REST API for steganography operations.
 Supports both text messages and file embedding.
 
+CHANGES in v4.2.1:
+- API key authentication (X-API-Key header)
+- TLS support with self-signed certificates
+- /auth/* endpoints for key management
+
 CHANGES in v4.2.0:
 - Async encode/decode operations (run in thread pool)
 - Server can handle concurrent requests without blocking
diff --git a/frontends/web/templates/about.html b/frontends/web/templates/about.html
index 95a413c..9686b9e 100644
--- a/frontends/web/templates/about.html
+++ b/frontends/web/templates/about.html
@@ -340,13 +340,13 @@
                 <!-- Current Version - Prominent -->
                 <div class="alert alert-success mb-4">
                     <div class="d-flex align-items-center">
-                        <span class="badge bg-success fs-6 me-3">v4.2.0</span>
+                        <span class="badge bg-success fs-6 me-3">v4.2.1</span>
                         <div>
-                            <strong>Performance optimizations:</strong>
-                            ~70% faster decode (vectorized DCT),
-                            50% less RAM (float32),
-                            async API endpoints,
-                            decode progress callbacks
+                            <strong>Security & API improvements:</strong>
+                            API key authentication,
+                            TLS with self-signed certs,
+                            CLI tools (compress, rotate, convert),
+                            jpegtran lossless JPEG rotation
                         </div>
                     </div>
                 </div>
diff --git a/pyproject.toml b/pyproject.toml
index 793d811..f8d4b84 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "hatchling.build"
 
 [project]
 name = "stegasoo"
-version = "4.2.0"
+version = "4.2.1"
 description = "Secure steganography with hybrid photo + passphrase + PIN authentication"
 readme = "README.md"
 license = "MIT"
diff --git a/rpi/BUILD_IMAGE.md b/rpi/BUILD_IMAGE.md
index 9fdb861..18096ce 100644
--- a/rpi/BUILD_IMAGE.md
+++ b/rpi/BUILD_IMAGE.md
@@ -106,7 +106,7 @@ Remove SD card, insert into your Linux machine:
 lsblk
 
 # Pull image (auto-resizes to 16GB, compresses with zstd)
-sudo ./rpi/pull-image.sh /dev/sdX stegasoo-rpi-4.2.0.img.zst
+sudo ./rpi/pull-image.sh /dev/sdX stegasoo-rpi-4.2.1.img.zst
 ```
 
 The script automatically resizes rootfs to 16GB (for smaller download), preserves auto-expand, and compresses.
@@ -173,5 +173,5 @@ curl -k https://localhost:5000
 sudo /opt/stegasoo/rpi/sanitize-for-image.sh
 
 # On host (pull image - auto-resizes to 16GB):
-sudo ./rpi/pull-image.sh /dev/sdX stegasoo-rpi-4.2.0.img.zst
+sudo ./rpi/pull-image.sh /dev/sdX stegasoo-rpi-4.2.1.img.zst
 ```
diff --git a/rpi/README.md b/rpi/README.md
index 28f239f..6e52ce8 100644
--- a/rpi/README.md
+++ b/rpi/README.md
@@ -207,7 +207,7 @@ After Pi shuts down, remove SD card and on another Linux machine:
 lsblk
 
 # Pull image (auto-resizes to 16GB, compresses with zstd)
-sudo ./rpi/pull-image.sh /dev/sdX stegasoo-rpi-4.2.0.img.zst
+sudo ./rpi/pull-image.sh /dev/sdX stegasoo-rpi-4.2.1.img.zst
 ```
 
 The `pull-image.sh` script automatically:
diff --git a/rpi/flash-image.sh b/rpi/flash-image.sh
index ee34b6b..e04bd1e 100755
--- a/rpi/flash-image.sh
+++ b/rpi/flash-image.sh
@@ -80,9 +80,9 @@ if [ -z "$1" ]; then
     echo "Supported formats: .img, .img.zst, .img.xz, .img.gz, .img.zst.zip"
     echo ""
     echo "Examples:"
-    echo "  $0 stegasoo-rpi-4.2.0.img.zst             # auto-detect SD card"
-    echo "  $0 stegasoo-rpi-4.2.0.img.zst.zip         # from GitHub release"
-    echo "  $0 stegasoo-rpi-4.2.0.img.zst /dev/sdb    # specify device"
+    echo "  $0 stegasoo-rpi-4.2.1.img.zst             # auto-detect SD card"
+    echo "  $0 stegasoo-rpi-4.2.1.img.zst.zip         # from GitHub release"
+    echo "  $0 stegasoo-rpi-4.2.1.img.zst /dev/sdb    # specify device"
     exit 1
 fi
 
diff --git a/rpi/pull-image.sh b/rpi/pull-image.sh
index 8bcb788..a3d53d7 100755
--- a/rpi/pull-image.sh
+++ b/rpi/pull-image.sh
@@ -3,7 +3,7 @@
 # Resizes rootfs to 16GB for consistent image size, then pulls
 #
 # Usage: ./pull-image.sh <device> <output.img.zst>
-# Example: ./pull-image.sh /dev/sdb stegasoo-rpi-4.2.0.img.zst
+# Example: ./pull-image.sh /dev/sdb stegasoo-rpi-4.2.1.img.zst
 
 set -e
 
@@ -15,7 +15,7 @@ NC='\033[0m'
 
 if [ $# -ne 2 ]; then
     echo "Usage: $0 <device> <output.img.zst>"
-    echo "Example: $0 /dev/sdb stegasoo-rpi-4.2.0.img.zst"
+    echo "Example: $0 /dev/sdb stegasoo-rpi-4.2.1.img.zst"
     exit 1
 fi
 
diff --git a/rpi/setup.sh b/rpi/setup.sh
index 09a18af..d74b62f 100755
--- a/rpi/setup.sh
+++ b/rpi/setup.sh
@@ -273,7 +273,7 @@ fi
 
 # Pre-built venv tarball (skips pip compile time)
 PREBUILT_TARBALL="$INSTALL_DIR/rpi/stegasoo-rpi-venv-arm64.tar.zst"
-PREBUILT_URL="${PREBUILT_URL:-https://github.com/adlee-was-taken/stegasoo/releases/download/v4.2.0/stegasoo-rpi-venv-arm64.tar.zst}"
+PREBUILT_URL="${PREBUILT_URL:-https://github.com/adlee-was-taken/stegasoo/releases/download/v4.2.1/stegasoo-rpi-venv-arm64.tar.zst}"
 USE_PREBUILT=true
 
 # Use local tarball if present, otherwise will download
diff --git a/src/stegasoo/__init__.py b/src/stegasoo/__init__.py
index cb20d64..829f755 100644
--- a/src/stegasoo/__init__.py
+++ b/src/stegasoo/__init__.py
@@ -7,7 +7,7 @@ Changes in v4.0.0:
 - encode() and decode() now accept channel_key parameter
 """
 
-__version__ = "4.2.0"
+__version__ = "4.2.1"
 
 # Core functionality
 # Channel key management (v4.0.0)
diff --git a/src/stegasoo/constants.py b/src/stegasoo/constants.py
index e0ff3bf..9b9a161 100644
--- a/src/stegasoo/constants.py
+++ b/src/stegasoo/constants.py
@@ -31,7 +31,7 @@ from pathlib import Path
 # VERSION
 # ============================================================================
 
-__version__ = "4.2.0"
+__version__ = "4.2.1"
 
 # ============================================================================
 # FILE FORMAT