End-to-end Encryption
Private encrypted channels keep payloads readable only by the clients that are meant to see them.
How It Works
Encrypted channels use the private-encrypted- prefix. When a client subscribes, your auth endpoint returns a sharedSecret in addition to the subscription token. This secret is used for AES-256-GCM encryption on the client side.
The socket server never sees plaintext payloads. It relays the encrypted envelope between clients. Only clients with the shared secret can decrypt the data.
Auth Response
Your auth endpoint must return the shared secret for encrypted channels:
Encrypted Payload Format
Events on encrypted channels are transmitted as an AES-GCM envelope:
Encryption and decryption happen entirely on the client using the Web Crypto API. The nonce is unique per message.
Key Management
Shared secrets are per-channel and derived by your auth backend. You control the key generation and distribution. The SummonFlow server and platform never have access to the plaintext secret or payload.