Group Calls¶
Purpose¶
A group call lets one host invite multiple participants into one encrypted media room. The app uses one call session key, then encrypts that key separately for each participant device.
Business Flow¶
Host selects participants
-> app verifies each participant device key
-> app creates one fresh call session key
-> app encrypts the session key per participant
-> backend creates the call and sends invitations
-> participants answer through system call UI
-> each participant decrypts the session key locally
-> everyone joins the LiveKit room with E2EE enabled
Invite During Active Call¶
Host invites more people
-> app verifies new participants
-> app reuses the active call session key
-> app encrypts that key for newly invited devices
-> backend sends invite notifications
-> new participants join the same encrypted room
Key Rules¶
- One call session key is shared by the call, but never sent raw.
- Each participant receives only their own encrypted copy of the session key.
- New participants must pass key verification before they receive the active session key.
- Participant list refresh keeps UI state aligned with backend call state.
Security Highlights¶
- Prefer P-256 device keys.
- Keep RSA fallback for legacy devices.
- Warn when verified peer keys differ from previous local trust.
- Block invite when no verified key is available for the new participant.