Security

partyline sessions are encrypted. The relay that connects participants is blind — it forwards ciphertext and holds no key, so it cannot read or modify your session.

How it works

  • Each session generates a random 256-bit key on the host machine.
  • That key travels in the join link's #k= fragment. The relay never receives it — it only ever sees ciphertext.
  • So that your team can share the join link from the web app and invites, the host also escrows the key with the control plane, which stores it and returns it to people authorized to see the session. This means partyline (the control plane) holds the key: sessions are encrypted in transit and the relay is blind, but this is not a zero-knowledge service.
  • Host and joiners run a Noise NNpsk0 handshake (DH25519 / ChaCha20-Poly1305 / BLAKE2s) keyed by the link key. The relay just splices ciphertext between them.
  • Identity: a signed-in joiner presents a control-plane-signed Ed25519 assertion over the encrypted channel, which the host verifies — so the host knows who joined, not just a self-claimed name.

What the relay vs. the control plane can see

  • The relay ❌ cannot see your terminal contents, keystrokes, or the key — it forwards ciphertext only. ✅ It sees routing metadata: the code, connection timing, and data volume.
  • The control plane stores the session key (to power the web app and invites) and session metadata. It does not receive your terminal stream — but because it holds the key, it is not a zero-knowledge boundary.

Authenticated, not just encrypted

The channel is authenticated (Noise + Poly1305), so a compromised or malicious relay can't tamper with bytes undetected — a stronger guarantee than tools that use an unauthenticated cipher.

Treat the link like a password

Anyone with the full link (code + key) can join and decrypt the session. For sensitive sessions, host with --invite-only so only verified, invited partyline users may join.
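
The sketch below is an added example, not partyline's own code. It splits a join link into the part an HTTP client transmits and the part that stays local, flags a key that has slipped into the query string, and produces a redacted form safe for logs and tickets. Only the #k= fragment comes from this page; the host, path shape and unpadded base64url key encoding are assumptions.

```javascript
// Added example (not partyline code). Assumptions: the link shape and the
// unpadded-base64url key encoding are hypothetical; only "#k=" is from the page.
const KEY_RE = /^[A-Za-z0-9_-]{43}$/; // 32 bytes as unpadded base64url

function inspectJoinLink(link) {
  const url = new URL(link);
  const fragment = new URLSearchParams(url.hash.slice(1));
  const key = fragment.get("k");

  // Everything except the fragment is transmitted in the HTTP request.
  const sentToServer = url.origin + url.pathname + url.search;

  // Failure mode: a key in the query string reaches servers, proxies and logs.
  const keyInQuery = url.searchParams.has("k");

  const keyBytes = key !== null && KEY_RE.test(key)
    ? Buffer.from(key, "base64url").length
    : 0;

  return { sentToServer, keyInQuery, hasValidKey: keyBytes === 32 };
}

// Safe form for tickets, chat and logs: keep the code, drop the key.
function redactJoinLink(link) {
  const url = new URL(link);
  const fragment = new URLSearchParams(url.hash.slice(1));
  if (fragment.has("k")) fragment.set("k", "REDACTED");
  if (url.searchParams.has("k")) url.searchParams.set("k", "REDACTED");
  url.hash = fragment.toString();
  return url.toString();
}

// Constructed sample: 32 zero bytes as the key, made-up host and code.
const SAMPLE_KEY = Buffer.alloc(32).toString("base64url");
const SAMPLE_LINK = `https://partyline.example/j/ABCD-1234#k=${SAMPLE_KEY}`;

console.log(inspectJoinLink(SAMPLE_LINK));
console.log(redactJoinLink(SAMPLE_LINK));
```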

Diagnostics

Crash/error reports (Sentry) are scrubbed of session content — we don't attach your terminal data, and the relay never has it to begin with.