API Introduction
Complete API Specification
Cryptid defines a minimal server API for decentralized, federated, secure messaging built on device-centric cryptographic identities and the Messaging Layer Security (MLS) protocol. The specification is designed around the following core principles:
- Minimal Server State: Servers act as “dumb pipes”, storing only temporary delivery mappings and encrypted message queues. No user accounts, no persistent data, no cryptographic material.
- No Cryptographic Operations: Servers never decrypt messages or verify signatures beyond basic token validation.
- Automatic Cleanup: All server data expires automatically.
- Client-Side Operations: Contact management, group state, and trust verification all happen on devices.
This architecture ensures that server compromise reveals minimal metadata and no user data. Servers function purely as message routing infrastructure, with all security-critical operations performed by client devices using Ed25519 signatures and MLS encryption (RFC 9420).
About This Specification
This document describes the server-to-client API and the server-to-server federation protocol. Client implementations must handle all cryptographic operations, contact verification, MLS group management, and trust establishment locally. The server API provides only the minimal infrastructure needed for reliable message delivery across federated domains.
This spec consists of the following parts: