QR Auth Features
End-to-End Encryption

End-to-End Encryption for QR-Based Communications

Keyri employs end-to-end encryption for sending data from your mobile app to your web client that hosts the Keyri Widget. This allows the Keyri API to efficiently transmit data between your two client applications without endangering any sensitive customer information and still providing powerful privacy-preserving risk analytics.

The Keyri Widget uses the SubtleCrypto API (opens in a new tab) built into every modern browser to generate a P-256 key pair. Once the Widget connects to the Keyri WebSocket API to generate a unique session, it passes along the browser's public key, and the Keyri API in turn associates the session with the browser's public key. When the mobile app containing the Keyri SDK connects to that session by scanning the session's QR code, the API sends it the browser's public key.

The Keyri SDK in turn generates its own P-256 key pair using either iOS's CryptoKit (opens in a new tab) or Android's Cryptography API (opens in a new tab) and generates a symmetric encryption key by passing its private key and the browser's public key into an ECDH+HKDF algorithm. The payload is encrypted using that encryption key, and when the SDK transmits the payload to the API, it passes along the phone's public key with it.

Once both the payload and phone's public key land in the Keyri Widget, the Widget runs a similar ECDH+HKDF algorithm using SubtleCrypto to derive the same symmetric encryption key. That key is then used to decrypt the payload in the browser. The decrypted payload can then be used by the browser in any way you specify.

And with that, sensitive data (payload) has been successfully transmitted through the Keyri API fully encrypted with no way for the API to decipher its contents!