The client builds the envelope
It generates a fresh 32-byte session key and 24-byte XChaCha nonce, then encrypts UTF-8 message bytes with XChaCha20-Poly1305.
Technology
Velixnet’s message layer uses libsodium with Curve25519 identity keys and XChaCha20-Poly1305 authenticated encryption. Each message gets a fresh session key, then travels as a Base64URL envelope that the PHP server stores unchanged and cannot read as plaintext.
Message path
The important part is not mystery. The client creates a real cryptographic envelope, the server validates public routing fields, and only the intended devices can open the wrapped session key.
It generates a fresh 32-byte session key and 24-byte XChaCha nonce, then encrypts UTF-8 message bytes with XChaCha20-Poly1305.
Curve25519 crypto_box wraps one copy for the recipient and one copy for the sender, so sent history can decrypt after restart.
The server checks session identity and public envelope fields, then stores the original Base64URL payload unchanged.
Technical position
XChaCha20-Poly1305 means altered ciphertext, wrong keys, changed identities, or malformed envelopes fail instead of displaying random text.
The long-term private key is generated on the client and protected by Android Keystore or macOS Keychain-backed storage.
If the device key is lost, secure recovery cannot be guessed into existence. It needs a deliberately designed recovery or key-rotation protocol.
Encryption protects content, but every delivery server still sees some routing facts. Velixnet minimises those facts, separate them from message content, and keep retention narrow.
QR verification lets two real devices compare identity keys directly, reducing reliance on the server as the only source of contact-key truth.
velixnet.com is served with a trusted Let's Encrypt certificate, valid TLS protects transport; it does not replace end-to-end encryption.
Production honesty
Velixnet is not a pile of random GitHub pieces. It has a defined protocol and test coverage around the message envelope, sender binding, spoof rejection, malformed payload rejection, sent-history decryption, and QR identity verification. The next standard is operational discipline: keep the server honest, keep certificate renewal monitored, and keep metadata retention narrow.