Encrypted Channels

Encrypted channels are private channels where compatible SDKs encrypt event payloads before they leave your server and decrypt them only inside authorized clients.

Use encrypted channels for sensitive realtime payloads that should not be readable by Vask infrastructure.

#Channel names

Encrypted channel names start with:

private-encrypted-

Encrypted cache channel names start with:

private-encrypted-cache-

#Server SDK setup

Use a 32-byte encryption master key encoded as base64.

openssl rand -base64 32

Node example:

import Pusher from 'pusher';

const pusher = new Pusher({
    appId: 'app_key',
    key: 'app_key',
    secret: 'app_secret',
    host: 'api.vask.dev',
    useTLS: true,
    encryptionMasterKeyBase64: process.env.PUSHER_ENCRYPTION_KEY,
});

#Client setup

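// pusher-js ships encrypted-channel support in its with-encryption build.
import Pusher from 'pusher-js/with-encryption';

const pusher = new Pusher('app_key', {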
    wsHost: 'wss.vask.dev',
    wsPort: 443,
    forceTLS: true,
    enabledTransports: ['ws', 'wss'],
    channelAuthorization: {
        endpoint: '/broadcasting/auth',
    },
});

const channel = pusher.subscribe('private-encrypted-chat.42');

#Authorization

Encrypted subscriptions use the private-channel auth flow. Compatible SDKs add the encrypted-channel shared secret to the auth response.

{
    "auth": "app_key:hmac_signature",
    "shared_secret": "base64_shared_secret"
}

Most application code should let the server SDK generate this response.

#Publishing

Trigger one encrypted channel at a time.

await pusher.trigger('private-encrypted-chat.42', 'message.created', {
    body: 'hello',
});

Encrypted channels do not support client events.
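The key format from the server SDK setup and the one-channel publishing rule can be checked before anything reaches the SDK. The following is an added example, not Vask or SDK code; `loadMasterKey`, `channelKind` and `checkTrigger` are hypothetical helper names.

```javascript
// Added example: pre-flight checks for the rules on this page.
// All function names are hypothetical; none of them belong to an SDK.
const ENCRYPTED_PREFIX = 'private-encrypted-';
const ENCRYPTED_CACHE_PREFIX = 'private-encrypted-cache-';

// Decode the master key strictly. Buffer.from(..., 'base64') is lenient
// (it ignores whitespace and accepts the URL-safe alphabet), so a hex string
// or a 32-character passphrase would decode without any error.
function loadMasterKey(b64) {
    if (typeof b64 !== 'string' || b64.length === 0) {
        throw new Error('encryption master key is not set');
    }
    const key = Buffer.from(b64, 'base64');
    // Round trip rejects stray newlines, URL-safe characters and bad padding.
    if (key.toString('base64') !== b64) {
        throw new Error('encryption master key is not canonical base64');
    }
    if (key.length !== 32) {
        throw new Error(`encryption master key is ${key.length} bytes, expected 32`);
    }
    return key;
}

// Check the longer prefix first: every cache name also matches the plain one.
function channelKind(name) {
    if (name.startsWith(ENCRYPTED_CACHE_PREFIX)) return 'encrypted-cache';
    if (name.startsWith(ENCRYPTED_PREFIX)) return 'encrypted';
    return 'other';
}

// Publishing rule: an encrypted channel must be the only target of a trigger.
// Returns the normalized channel list when the call is acceptable.
function checkTrigger(channels) {
    const list = Array.isArray(channels) ? channels : [channels];
    const hasEncrypted = list.some((c) => channelKind(c) !== 'other');
    if (hasEncrypted && list.length > 1) {
        throw new Error('trigger one encrypted channel at a time');
    }
    return list;
}

// Constructed usage: fail at startup instead of at the first publish.
// const key = loadMasterKey(process.env.PUSHER_ENCRYPTION_KEY);
// await pusher.trigger(checkTrigger('private-encrypted-chat.42'), 'message.created', { body: 'hello' });
```

Running `loadMasterKey` at process start turns a mis-encoded key into a clear configuration error rather than payloads that clients cannot decrypt.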

#Cache variant

Use private-encrypted-cache- when the latest encrypted event should be replayed to new subscribers.

const channel = pusher.subscribe('private-encrypted-cache-chat.42');
