E2EE guide

Use end-to-end encryption for private chat.

Use DomVia Realtime E2EE where message content must stay readable only by the intended participants. Keep it scoped and intentional.

Package

@domvia/realtime-e2ee

Install

npm install @domvia/realtime-e2ee

Built for focused realtime use cases.

Keep the SDK modular, documented, and safe to extend as new products are added.

Architecture

How this guide should be used.

Step 01

Start with private channels

E2EE should sit on top of private channel authorization. The channel still needs server-side access control before any encrypted payload is delivered.

Step 02

Encrypt message content first

Private chat content is the strongest first E2EE target. Typing state, read receipts, delivery status, and normal location updates usually work better as protected operational events.

Step 03

Bind encryption to room context

Use additional authenticated data (AAD), such as room, message, and key version context, so that an encrypted payload replayed in the wrong room fails to decrypt.

Step 04

Plan key lifecycle before launch

Key generation, exchange, backup, rotation, recovery, and lost-device behavior must be clear before production E2EE rollout.

Examples

Focused implementation notes.

Encrypt private chat JSON

This keeps the payload unreadable to anyone without the room key while still letting DomVia Realtime deliver the event instantly.

import {
  decryptChatJson,
  encryptChatJson,
  generateAesGcmKey,
} from "@domvia/realtime-e2ee";

// Generate a fresh AES-GCM key for the room.
const roomKey = await generateAesGcmKey();

// Encrypt the chat payload together with its room, message, and key version context.
const encrypted = await encryptChatJson(
  {
    body: "Private message",
    sender_id: "user-1",
  },
  roomKey,
  {
    roomId: "room-42",
    messageId: "msg-1",
    keyId: "room-42-v1",
    keyVersion: 1,
  },
);

// Decrypt with the same room key and the matching room and message context.
const message = await decryptChatJson(encrypted, roomKey, {
  roomId: "room-42",
  messageId: "msg-1",
});
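
Step 03's room binding, shown with the standard Web Crypto API as an added example; it is not code from this guide or from @domvia/realtime-e2ee, the function names are hypothetical, and the IDs are constructed. The room, message, and key version context is passed as AES-GCM additional authenticated data, and one envelope is then decrypted under matching and mismatched contexts with the same key.

```javascript
// Added illustration using the standard Web Crypto API, not @domvia/realtime-e2ee.
// All function names here are hypothetical; sample IDs are constructed.
async function webCrypto() {
  // Browsers and recent Node expose globalThis.crypto; older Node needs the module.
  return globalThis.crypto?.subtle ? globalThis.crypto
    : (await import("node:crypto")).webcrypto;
}

// Canonical AAD: a JSON array in fixed field order, so field boundaries are
// unambiguous (plain string concatenation could make two contexts collide).
function buildAad({ roomId, messageId, keyVersion }) {
  return new TextEncoder().encode(JSON.stringify([roomId, messageId, keyVersion]));
}

async function encryptForRoom(key, payload, ctx) {
  const wc = await webCrypto();
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh 96-bit nonce per message
  const ciphertext = await wc.subtle.encrypt(
    { name: "AES-GCM", iv, additionalData: buildAad(ctx) }, key,
    new TextEncoder().encode(JSON.stringify(payload)));
  return { iv, ciphertext };
}

async function decryptForRoom(key, { iv, ciphertext }, ctx) {
  const wc = await webCrypto();
  // Rejects if the key, ciphertext, or AAD differ from those used to encrypt.
  const plain = await wc.subtle.decrypt(
    { name: "AES-GCM", iv, additionalData: buildAad(ctx) }, key, ciphertext);
  return JSON.parse(new TextDecoder().decode(plain));
}

// Replays one envelope under several contexts with the SAME key, so the AAD
// check is the only thing that can reject it.
async function replayDemo() {
  const wc = await webCrypto();
  const key = await wc.subtle.generateKey(
    { name: "AES-GCM", length: 256 }, false, ["encrypt", "decrypt"]);
  const ctx = { roomId: "room-42", messageId: "msg-1", keyVersion: 1 };
  const env = await encryptForRoom(key, { body: "Private message" }, ctx);
  const accepts = (c) => decryptForRoom(key, env, c).then(() => true, () => false);
  return {
    sameContext: await accepts(ctx),
    otherRoom: await accepts({ ...ctx, roomId: "room-99" }),
    otherMessage: await accepts({ ...ctx, messageId: "msg-2" }),
    otherKeyVersion: await accepts({ ...ctx, keyVersion: 2 }),
  };
}
```

Only the matching context decrypts; a changed room, message, or key version is rejected by the AES-GCM authentication check even though the key is the same.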

Export and import room key material

Use this only inside your own secure key-management flow. Do not place room keys in public environment variables or normal app config.

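import {
  exportAesGcmKeyToBase64,
  generateAesGcmKey,
  importAesGcmKeyFromBase64,
} from "@domvia/realtime-e2ee";

// Room key to export; in practice this is the key already used for the room.
const roomKey = await generateAesGcmKey();

// Export the room key as base64 key material.
const rawRoomKey = await exportAesGcmKeyToBase64(roomKey);

// Store or exchange rawRoomKey only through your secure key flow.
const restoredRoomKey = await importAesGcmKeyFromBase64(rawRoomKey);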

Safety

Rules before production traffic.

Use E2EE for private chat payloads first.

Do not encrypt every event by default.

Do not store encryption keys in public client configuration.

Use private channels and server authorization before encrypted events.

Make recovery and key-loss behavior clear before production rollout.
