End-to-end encryption for every agent session
AI agent sessions carry source code, implementation plans, debugging output, and file diffs. MuxAgent encrypts all of that traffic so the relay infrastructure never handles plaintext — your code stays between your devices.
How the encryption works
Device pairing generates the root of trust
When you pair a machine with the mobile app, you scan a QR code that contains the machine's public signing key fingerprint. This is a direct, out-of-band verification — no certificate authority, no centralized account, no trust delegation. Both devices generate their own X25519 keypairs locally. The QR scan binds the machine's identity to its cryptographic material on your phone, so every future connection from that machine is verified against the fingerprint you physically confirmed.
X25519 key exchange establishes the session key
Each encrypted session begins with an X25519 Diffie-Hellman key exchange between your phone and the target machine. Both sides contribute ephemeral key material, producing a shared secret that neither the relay nor any observer can derive. The shared secret is used to derive the symmetric encryption key for the session. If the WebSocket connection drops and reconnects, a new key exchange runs — forward secrecy is maintained because old session keys are discarded.
ChaCha20-Poly1305 AEAD encrypts every message
Once the session key is established, every RPC payload — prompts, agent output, tool calls, approval decisions, file diffs — is encrypted with ChaCha20-Poly1305 authenticated encryption with associated data (AEAD). This cipher provides both confidentiality (the relay cannot read the content) and integrity (any tampering is detected and the message is rejected). The associated data binds each encrypted message to its session context, preventing replay or reordering attacks across sessions.
The relay is a zero-knowledge router
The relay server routes encrypted blobs between connected devices. It sees connection metadata — which machine IDs are connected, when they connect and disconnect, and the size of encrypted messages. It cannot see message content, source code, agent output, file paths, prompt text, or any other payload data. This is zero-knowledge by architecture, not by policy promise. The relay does not possess the keys needed to decrypt traffic, and the encryption implementation is open source for you to verify.
What the relay sees vs. what it cannot
Visible to the relay
- Machine connection IDs and timing
- Encrypted message sizes and frequency
- Connection state (online/offline)
Hidden from the relay
- Source code and file contents
- Agent prompts and output text
- Tool call details and file paths
- Approval decisions and plan content
- Session configuration and workflow graphs
When encryption matters most
Working with proprietary codebases
When your agent session touches proprietary source code, the encryption pipeline ensures that code never appears as plaintext on any intermediate server. The relay handles routing, not inspection. Teams working on closed-source products can use the hosted relay without exposing intellectual property to infrastructure they don't control.
Compliance and regulatory environments
Organizations with compliance requirements (SOC 2, HIPAA, GDPR data handling) need to demonstrate that sensitive data is encrypted in transit and that third-party infrastructure cannot access it. MuxAgent's zero-knowledge relay model satisfies this requirement architecturally. For the strictest requirements, the relay is self-hostable — run it on your own infrastructure and eliminate third-party involvement entirely.
Approving agent work from untrusted networks
When you approve an agent's plan from your phone on public Wi-Fi, the approval decision and the plan content it references are both encrypted end-to-end. Network-level observers see an encrypted WebSocket stream to the relay. They cannot determine whether you are reviewing code, approving a deployment, or reading agent output. The encryption protects not just confidentiality but also the integrity of your mobile control workflow.
Related reading
- End-to-end encryption for AI agent traffic
A concrete technical explanation of how MuxAgent encrypts communication between your phone and your machines, what the relay can and cannot see, and why zero-knowledge infrastructure is the right baseline for AI coding tools.
- Why trust boundaries matter for remote AI agent control
Remote control only becomes credible when the trust model is explicit. Encryption, relay design, open source, and self-hosting options are part of the product, not extras.
- Getting started with MuxAgent in five minutes
Install the CLI, pair via QR code, and run your first encrypted agent session — the pairing step is where device-to-device authentication happens.
- FAQ: Security & Privacy
Quick answers about what the relay can see, self-hosting options, and the zero-knowledge architecture.
Verify it yourself
The encryption implementation is open source. Read the code on GitHub, inspect the key exchange, and confirm how your data is protected. If your organization requires it, self-host the relay for complete control over every piece of infrastructure in the chain.