Skip to content

Calls (Dev)

Scope

This folder documents call flows and security for:

  • 1-1 calls (audio/video)
  • Group calls (audio/video)
  • Join / Rejoin

It intentionally excludes Janus/WebRTC transport internals.

Security Highlights

  • Identity Verification: Key Transparency (KT) Merkle proofs + Zero-Trust PeerTrustStore caching
  • Media encryption: AES-256-GCM
  • Key agreement (preferred): P-256 (secp256r1) via Secure Enclave
  • Fallback/legacy: RSA-2048 (RSA-OAEP-SHA256)
  • Transport security: SSL public-key pinning enforced (staging/production)

Canonical security docs: - ../security/ssl-pinning.md

Call Docs (folder-based)

  • 1-1 calls: ./one-to-one.md
  • Group calls: ./group-call.md
  • Join & Rejoin: ./join-rejoin.md
  • Call E2EE details: ./e2ee.md

Diagrams

  • 1-1 flow: ./diagrams/one-to-one-flow.md
  • Group call flow: ./diagrams/group-call-flow.md
  • Join/Rejoin flow: ./diagrams/join-rejoin-flow.md

API Endpoints (code-aligned)

All call endpoints are under /app/api/...:

  • Start: /app/api/call/start
  • Join: /app/api/call/{id}/join
  • Rejoin: /app/api/call/{id}/rejoin
  • Request rejoin: /app/api/call/{id}/request-rejoin
  • Invite: /app/api/call/{id}/invite
  • End: /app/api/call/end
  • Participants: /app/api/call/{id}/participants

(See APIEndpoint.path in codebase.)