How End-to-End Encryption Works in ClipToss

Privacy isn't a feature, it's a foundation. Here's how ClipToss ensures that nobody (not even us) can read your clips.

The Encryption Flow

1. Key Generation: When you create a room, a 256-bit AES key is generated using the Web Crypto API 2. Key Sharing: The key is shared with the other device via QR code (encoded in the URL fragment) or derived from a passphrase 3. Encryption: Every clip is encrypted client-side using AES-256-GCM before transmission 4. Transmission: Only the encrypted ciphertext reaches our server 5. Decryption: The receiving device decrypts the clip using the shared key

Why AES-256-GCM?

• •AES-256: Military-grade encryption, resistant to brute force
• •GCM mode: Provides both confidentiality and integrity (authenticated encryption)
• •Web Crypto API: Browser-native implementation, no JavaScript crypto libraries needed

What We Can't See

Since the encryption key never leaves your devices:

• •We can't read your clips
• •We can't read your file contents
• •We can't decrypt anything on our server
• •Even a data breach wouldn't expose your content

The URL Fragment Trick

When sharing a room via link, the encryption key is placed in the URL fragment (after `#`). URL fragments are never sent to the server. They stay in the browser. This means the key travels through the link but never reaches our infrastructure.

Try It Yourself

Open your browser's developer tools on cliptoss.com/bridge and inspect the network traffic. You'll see that all clip content is encrypted ciphertext.