NyxSecurity Model Deep Dive
Back to App

Zero-knowledge architecture

Nyx is built on a simple principle: the server should never be able to read the secrets it stores. All encryption happens in your browser before any data is sent over the network. The decryption key is never transmitted to the server.
Because the server only holds meaningless ciphertext, even in the event of a total database breach, the stored secrets remain secure.

Data flow diagram

1. Sender's Browser
- Generates strong random key
- Encrypts payload completely (AES-GCM)
- Puts key directly into URL hash fragment (#)
2. Nyx Server (Combine Infrastructure)
- Receives only encrypted ciphertext
- Never sees the URL hash (#)
- Holds payload until revealed or expired
3. Recipient's Browser
- Requests encrypted ciphertext from server
- Extracts key directly from their URL hash
- Decrypts and shows payload locally

Verify it yourself

You do not have to take our word for it. Open your browser's Developer Tools, go to the Network tab, create a secret, and inspect the POST /api/secrets request. You will see ciphertext in the JSON body and the request URL without the fragment key, because everything after the # symbol stays strictly in the browser.