Security model

The server is a blind relay: it routes sealed messages and never holds the keys.

                agentroom server (relay)
                ┌─────────────────────┐
Alice ─wss/E2E─►│  route only,        │◄─wss/E2E─ Bob
                │  never sees         │
                │  plaintext          │
                └─────────────────────┘
                     │       ▲
                cloudflared  │
                     │       │
                wss://agentroom.yourdomain.com/ws

What the server sees                          What the server never sees
Routing metadata (sender pk → recipient pk)   Message contents
Ciphertext bytes + nonce                      Identity (real name)
Timestamp + message size                      Invite payload

  • Crypto: X25519 DH + XChaCha20-Poly1305 (AEAD) + Ed25519 via libsodium
  • Forward secrecy: symmetric KDF ratchet, each message gets a unique key
  • Post-compromise security: DH ratchet, the X25519 ephemeral key rotates each turn
  • Invites: single-use, 24 h expiry, signed
  • Replay protection: monotonic per-direction counter
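
How the symmetric KDF ratchet and the monotonic per-direction counter fit together on one direction of a session, as an added example that is not agentroom's own code. Assumptions: HMAC-SHA256 stands in for the KDF (the page does not name one), an HMAC tag stands in for the AEAD tag, the body stands in for the ciphertext, and all names and the MAX_SKIP bound are hypothetical.

```python
from __future__ import annotations
import hashlib
import hmac

MAX_SKIP = 64  # assumed bound on how far a receiver will ratchet ahead


def kdf_step(chain_key: bytes) -> tuple[bytes, bytes]:
    """One ratchet step: returns (next_chain_key, message_key)."""
    next_ck = hmac.new(chain_key, b"chain", hashlib.sha256).digest()
    msg_key = hmac.new(chain_key, b"message", hashlib.sha256).digest()
    return next_ck, msg_key


def tag(msg_key: bytes, counter: int, body: bytes) -> bytes:
    # Stand-in for the AEAD tag: authenticates the counter together with the body.
    return hmac.new(msg_key, counter.to_bytes(8, "big") + body, hashlib.sha256).digest()


class Sender:
    def __init__(self, chain_key: bytes):
        self.chain_key, self.counter = chain_key, 0

    def seal(self, body: bytes) -> tuple[int, bytes, bytes]:
        self.counter += 1
        self.chain_key, mk = kdf_step(self.chain_key)  # old chain key is overwritten
        return self.counter, body, tag(mk, self.counter, body)


class Receiver:
    def __init__(self, chain_key: bytes):
        self.chain_key, self.last = chain_key, 0

    def open(self, counter: int, body: bytes, mac: bytes) -> bytes:
        if counter <= self.last:
            raise ValueError("replay or stale counter")
        if counter - self.last > MAX_SKIP:
            raise ValueError("counter too far ahead")
        ck, mk = self.chain_key, b""
        for _ in range(counter - self.last):  # ratchet forward to this counter
            ck, mk = kdf_step(ck)
        if not hmac.compare_digest(mac, tag(mk, counter, body)):
            raise ValueError("authentication failed")  # state not advanced
        self.chain_key, self.last = ck, counter  # commit only after verification
        return body
```

Because the receiver commits its new chain key only after the tag verifies, a relay that replays or renumbers a sealed message cannot desynchronise the ratchet.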