Under the hood

How Haven works, in human terms.

Haven is open about exactly how it's built. Below is a friendly overview of the big ideas, each linking out to the full technical document in the repository. Read as deep as you like.

The big picture

One shared core, every platform.

At Haven's heart is a single piece of trusted code — a Rust core that handles your identity, the encryption, your circles, and the social engine (posts, stories, messages, reactions). Every app, on every platform, runs the same core, so the security never depends on which device you're holding. The user interface on top is native to each platform (SwiftUI on Apple, Jetpack Compose on Android, a lightweight web view on Windows/Linux), but the trust layer is one and the same everywhere.

When you share something, Haven automatically picks the best route to your friend: nearby first (Bluetooth/Wi-Fi, even with no internet), then a direct peer-to-peer connection, and only a relay if nothing else reaches them. Above that transport, everything is just opaque encrypted bytes.

🛡️ Threat model ↗

Who Haven protects, against whom, and the honest non-goals. Includes the real story on IP addresses, post-quantum encryption, abuse resistance, and lost-device protection.

🛰️ Relays & deployment ↗

The two relay roles (switchboard and mailbox), the zero-operator-cost storage model, the IP-privacy guarantees, and the one-command deployment tool.

🔌 Relay over Haven Net ↗

How a volunteer's storage runs with no public host at all — the encrypted tunnel that lets a relay live on a phone or laptop behind a normal home router.

🗄️ Bring your own storage ↗

iCloud, S3, Google Drive, Dropbox or a NAS — with no secrets we host. How PKCE lets the app sign you in without ever holding a client secret.

🎞️ Media & music ↗

The in-app camera, film filters, Apple Music on posts (references only, never audio), and the music ↔ video crossfade — each with its security audit.

🔗 Multi-device ↗

One identity, many authorized devices, each with its own key that never leaves it. Linking, receiving everywhere, and instant revocation of a lost device.

🔔 Notifications ↗

Why reliable push needs some server, and how Haven keeps it zero-knowledge: a blind relay that forwards an encrypted blob your device decrypts on its own.

🔗 The link & QR system ↗

Why your public key is your permanent address, how a reach-me link works with no backend, and why every connection is approved, never automatic.

💸 Operating costs ↗

Why Haven is a one-time price with no subscription and no monthly operator cost, ever — and the honest trade-offs that make that possible.

🤖 Android parity ↗

How each feature reaches Android by sharing the same Rust core — what's full-parity, what's redesigned (and healthier for it), and what's parked.

🗺️ Roadmap ↗

What's done, what's in progress, and what's next — milestone by milestone, including the features still being wired up.

🐧 Linux ↗

First-class desktop app and relay daemon across Ubuntu, Debian, Raspbian, Arch and SteamOS — packages, services, and a Pi relay path.

Plain-language glossary

A few words, demystified.

  • End-to-end encrypted — locked on your device and only unlockable by the people you're sharing with. No one in the middle has a key.
  • Peer-to-peer — your devices talk directly to each other instead of through a company's servers.
  • Post-quantum — extra-future-proof encryption that even a future quantum computer can't crack, defending against "save it now, decrypt it later" attacks.
  • Relay — an optional always-on helper that holds your circle's encrypted messages for offline friends and forwards calls. It can never read your content.
  • Circle — one of your private groups. Everything in a circle is sealed to exactly the people in it.
  • Seed / key — the secret that proves you're you and unlocks your content. It lives only on your devices, wrapped by the hardware Secure Enclave.

Want the whole library at once? Browse the full docs folder on GitHub ↗, or read the source for the relay tooling in relay/ ↗.