Encrypted Channels
ART's encrypted channels provide end-to-end encryption for confidential communications. Built on industry-standard cryptography, encrypted channels ensure that only intended recipients can read your messages, with automatic key management and seamless integration into the standard messaging connection.
Unlike regular channels where messages are transmitted in plaintext, secure channels encrypt every message on the sender's device and decrypt it only on the recipient's device. ART uses ECDH (Elliptic Curve Diffie-Hellman) and authenticated encryption to provide:
- End-to-End Encryption: Messages are encrypted before leaving your device
- Perfect Forward Secrecy: Each message uses a unique cryptographic nonce
- Authentication: Built-in message integrity verification prevents tampering
- Zero-Knowledge: ART servers cannot read your encrypted messages
Subscribing to secure channel
Subscribing to an encrypted channel requires key-pair setup before subscription, but otherwise follows the same process as regular channels.
1. Generate Key Pair
The generateKeyPair() method creates a new Curve25519 key pair which is used for encryption and decryption.
// Generate a new key pair and register the public key with the ART server
try await adk.generateKeyPair()
generateKeyPair() automatically:
- Validates key format and length
- Saves your public key to ART servers
- Stores the private key in memory on the
Adkinstance for encryption/decryption
2. Subscribe to Encrypted Channel
// Subscribe to encrypted channel
let subscription = try await adk.subscribe(
channel: "YOUR_ENCRYPTED_CHANNEL"
)
Message Passing Through Encrypted Channel
Encrypted message passing involves automatic key exchange, encryption, transmission, and decryption.
1. Pushing messages
When a message is pushed into an encrypted channel, it is encrypted automatically.
let payload: [String: Any] = [
"content": "Hello from ART ADK!"
]
try await subscription.push(
event: "message",
data: payload,
options: PushConfig(to: ["recipient-username"]) //Exactly one recipient required
)
What happens behind the scenes:
- Recipient Key Lookup — the SDK requests the recipient's public key from the ART server.
- Key Exchange — secure exchange of public keys via the encrypted control channel.
- Message Encryption — your message is encrypted using the recipient's public key + your private key.
// Low-level primitive — called internally; you don't need to call this directly
let encrypted = try await adk.encrypt(
secretMessage,
recipientPublicKey
)
- Secure Transmission — the encrypted payload is sent through the regular channel infrastructure.
- Delivery Confirmation — an acknowledgment confirms encrypted message delivery.
Encrypted (and targeted) channels require exactly one recipient in the to list. Sending to multiple users or broadcasting on a secure channel will throw an error.
2. Receiving Encrypted Messages
When the recipient receives the message it is automatically decrypted and made available to the event handler.
// Listen for encrypted messages
subscription.emitter.on("message") { decryptedMessage in
// Message is already decrypted when it reaches your callback
print("Received:", decryptedMessage)
}
What happens behind the scenes:
- Encrypted Message Received — the ADK receives the encrypted payload from the sender.
- Sender Key Lookup — the SDK automatically requests the sender's public key.
- Message Decryption — the payload is decrypted using the sender's public key + your private key.
// Low-level primitive — called internally; you don't need to call this directly
let decrypted = try await adk.decrypt(
encryptedDataReceived,
senderPublicKey
)
- Authentication Verification — the Poly1305 MAC verifies message integrity.
- Content Delivery — the decrypted message is delivered to your event handler.
The entire encryption/decryption process is transparent to your application — you work with plain [String: Any] objects while the ADK handles all cryptographic operations automatically.