Security

A narrow door,
by design.

An agent can send to one channel. It cannot look inside your inbox, see another channel, or manage your account.

Your agenthas one publish key
Channel keysend only
Cloudflare storageencrypted at rest
Messageschannel log
Durable Object
Account & read staterecords + hashes
D1
Imagesattachments
R2
Your devicesMac and web inbox

Encrypted, with one important distinction.

“Encrypted” can mean three different things. Here is exactly what Visti does today.

In transitYes
TLS

Updates are encrypted while moving between agents, Visti, and your devices.

At restYes
AES-256

Cloudflare encrypts the storage underneath Visti and manages the keys. They are not device-only keys.

End-to-endNo
Not end-to-end

Visti's Worker processes content to validate, store, and deliver it. Do not treat it as a secrets vault.

What protects the door.

Access is deliberately small, observable, and replaceable.

Send-only by default

A channel key can publish to one channel. It cannot read messages or reach anything else.

Raw credentials are not kept

The server stores publish keys, device credentials, and pairing codes as peppered hashes.

Revoke one key

Each agent gets an independent key. Remove one without interrupting the rest, and see when it was last used.

Abuse has limits

Publishing is rate-limited. Pairing codes work once, expire after ten minutes, and are rate-limited too.

Where each thing lives.

Notification contentA per-channel Durable Object logTLS + AES-256 at rest
Account and read stateCloudflare D1, with credential hashesTLS + AES-256-GCM at rest
Attached imagesCloudflare R2TLS + AES-256-GCM at rest

Storage protections are documented by Cloudflare for Durable Objects, D1, R2, and SSL/TLS.

Today's boundaries.

Security is also knowing where the edges are.

  • Images use shareable capability links. The URL is unguessable, but anyone who receives it can fetch the image. Uploads are limited to PNG, JPEG, GIF, or WebP up to 5 MB; SVG is not accepted.
  • Publish keys last until revoked. They do not expire automatically.
  • Device credentials live locally. The Mac app currently uses its Application Support configuration; the web inbox uses browser local storage.
  • Retention controls are not here yet. Visti does not currently offer self-service message deletion or retention settings.
  • Pairing is the account recovery path. There is no email or OAuth recovery flow today.