Encrypted channels
Channels prefixed with private-encrypted- are end-to-end encrypted. Mawjly’s servers see only opaque ciphertext — they can route the message but cannot read its contents.
When to use
- HIPAA / PCI / regulated payloads
- Anything where Mawjly being subpoena-able for content is unacceptable
- Inter-service messaging where you already have a key-distribution mechanism
How it works
- You generate a 32-byte master key in the dashboard (Keys → Encryption master key → Generate) or via the API.
- You distribute the master key to your client apps through any secure channel (env var on a backend that injects it into the browser, MDM-pushed mobile config, etc.).
- Both server-side trigger code and client-side subscribe code receive the same master key and derive a per-channel symmetric key from it.
- Sockudo verifies the channel auth signature like a private channel, but the payload bytes are encrypted with NaCl secretbox by the publisher and decrypted by subscribers. Sockudo cannot read them.
Generate / rotate the key
Dashboard: Apps → your app → Keys → Encryption master key → Generate (or Rotate).
The plaintext is shown once. Save it in a vault. Rotation invalidates in-flight messages; coordinate the rollout.
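A pre-flight check for the master key and the per-channel derivation described above, as an added example that is not Mawjly's or Sockudo's own code. It assumes the Pusher-protocol derivation (SHA-256 over the channel name followed by the master key), which this page does not spell out; the function names and sample keys are constructed for illustration.

```javascript
// Added example: not Mawjly's or Sockudo's own code.
const crypto = require('node:crypto');

const ENCRYPTED_PREFIX = 'private-encrypted-';

// Strictly decode the base64 master key. Buffer.from(s, 'base64') silently
// skips invalid characters, so round-trip the value to catch a trailing
// newline, base64url input, or a truncated key before it reaches the SDK.
function decodeMasterKey(b64) {
  if (typeof b64 !== 'string' || b64.length === 0) {
    throw new Error('encryption master key is not set');
  }
  const key = Buffer.from(b64, 'base64');
  if (key.toString('base64') !== b64) {
    throw new Error('master key is not canonical standard base64');
  }
  if (key.length !== 32) {
    throw new Error(`master key must be 32 bytes, got ${key.length}`);
  }
  return key;
}

// ASSUMPTION: Pusher-protocol derivation, SHA-256(channel name || master key).
function channelKey(channel, masterKey) {
  if (!channel.startsWith(ENCRYPTED_PREFIX)) {
    throw new Error(`${channel} is not an encrypted channel`);
  }
  return crypto.createHash('sha256')
    .update(Buffer.concat([Buffer.from(channel, 'utf8'), masterKey]))
    .digest();
}

// Short fingerprint that is safe to log, for confirming during a rotation
// that every publisher and subscriber deployment holds the same master key.
function keyFingerprint(masterKey) {
  return crypto.createHash('sha256').update(masterKey).digest('hex').slice(0, 12);
}

// Constructed sample keys (not real secrets): "current" and "rotated".
const CURRENT_B64 = Buffer.alloc(32, 0x01).toString('base64');
const ROTATED_B64 = Buffer.alloc(32, 0x02).toString('base64');
```

Comparing keyFingerprint output across deployments before and after a rotation shows which ones still hold the old key, without logging the key itself.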
Client-side
const pusher = new Pusher('YOUR_KEY', {
  // ... usual options
  channelAuthorization: { endpoint: '/broadcasting/auth' },
  encryptionMasterKeyBase64: 'YOUR_BASE64_ENCODED_32_BYTE_KEY',
});
const channel = pusher.subscribe('private-encrypted-orders.42');
channel.bind('order.shipped', (data) => console.log(data));
Server-side
const pusher = new Pusher({
  appId: 'YOUR_APP_ID',
  key: 'YOUR_KEY',
  secret: 'YOUR_SECRET',
  cluster: 'sa',
  host: 'ws-sa.mawjly.com',
  port: '443',
  useTLS: true,
  encryptionMasterKeyBase64: process.env.MAWJLY_ENCRYPTION_KEY,
});
await pusher.trigger('private-encrypted-orders.42', 'order.shipped', {
  orderId: '12345',
  trackingNumber: 'PII_HERE',
});
The data payload is encrypted before leaving your server and decrypted on each subscriber.
Plan availability
Encrypted channels are enabled on the Startup tier and above. The Free tier returns 403 if you try to generate a key.