Getting started

Getting started


Secsync is defining a contract between a central backend service and clients. There are helpers to setup secsync using the following technologies:

  • Client/server communication: Websocket
  • CRDT: Yjs or Automerge
  • Backend language: JavaScript
  • Client rendering: React

Secsync is not bound to these technologies and all utitlies are exposed to implement different technologies. If you are looking for a different combination please reach out.


npm install secsync


Let's build an end-to-end encrypted to-do list.

We start from a Yjs To-Dos application that currently only manages a To-Do list locally in a Yjs document. The whole application is built in one component.

import React, { useRef, useState } from "react";
import { useY } from "react-yjs";
import * as Yjs from "yjs";
export const YjsUnsyncedTodosExample: React.FC = () => {
  // initialize Yjs document
  const yDocRef = useRef<Yjs.Doc>(new Yjs.Doc());
  // get/define the array in the Yjs document
  const yTodos: Yjs.Array<string> = yDocRef.current.getArray("todos");
  // the useY hook ensures React re-renders once
  // the array changes and returns the array
  const todos = useY(yTodos);
  // local state for the text of a new to-do
  const [newTodoText, setNewTodoText] = useState("");
  return (
      <div className="todoapp">
          onSubmit={(event) => {
            placeholder="What needs to be done?"
            onChange={(event) => setNewTodoText(}
          <button className="add">Add</button>
        <ul className="todo-list">
          {, index) => {
            return (
              <li key={`${index}-${entry}`}>
                <div className="edit">{entry}</div>
                  onClick={() => {
                    yTodos.delete(index, 1);

You can try it out here:

Example App

    Setup useYjsSync

    Now let's setup the end-to-end encrypted data sync. For now we will use the backend service used by the documentation.

    const websocketEndpoint = "wss://";

    Next we want to setup the keys. While in Secsync every Snapshot (and related Updates and EphemeralMessages) can each have their own encryption keys we use a stable documentKey. In addition we create signing keys for the client. In this tutorial we won't validate them and therefor we can generate some.

    import sodium, { KeyPair } from "libsodium-wrappers";
    export const YjsTodosExample: React.FC = () => {
      // Can be created using sodium.randombytes_buf(sodium.crypto_aead_chacha20poly1305_IETF_KEYBYTES)
      // Sodium is only used inside the component since sodium can only be used after sodium.ready
      // resolved which is recommended to be checked before even mounting this component.
      const documentKey = sodium.from_base64(
      const [authorKeyPair] = useState<KeyPair>(() => {
        return sodium.crypto_sign_keypair();

    Next up we adding the useYjsSync hook. Each parameter is explained by it's code comment.

    const [state, send] = useYjsSync({
      // The Yjs document
      yDoc: yDocRef.current,
      // A unique ID identifying the document
      // The current client's signing keyPair
      signatureKeyPair: authorKeyPair,
      // The backend service to connect to
      // Used to authenticate the client with the server (not checked by the documentation backend)
      websocketSessionKey: "your-secret-session-key",
      // Callback to return the key for the Snapshot. In this case we are going to use
      // one documentKey for all Snapshots.
      getSnapshotKey: async (snapshotInfo) => {
        return documentKey;
      // Callback invoked to return the necessary values to create a Snapshot.
      getNewSnapshotData: async ({ id }) => {
        return {
          // A Snapshot of the CRDT data
          data: Yjs.encodeStateAsUpdateV2(yDocRef.current),
          // Encryption key for the snapshot
          key: documentKey,
          // Custom data that will not be encrypted, but cryptographically attached
          // to the Snapshot as public data. In cryptography also referred to as
          // additional authenticated data (AAD).
          publicData: {},
      // Callback invoked for ever snapshot, update, ephemeralMessage to validate if
      // it was signed by a valid client for this document. While the encryption key
      // is securing confidentiality this can be used to verify the author and possibly
      // reject changes from clients that are not valid anymore e.g. a removed member.
      isValidClient: async (signingPublicKey: string) => {
        return true;
      // The libsodium-wrappers API implementation. This design was chosen to allow to pass in
      // other implementations e.g. react-native-libsodium for ReactNative

    You can try it out here by adding To-Dos and you they will load if you refresh the page since the documentId is part of the URL. Once you refresh the last snapshot with all related updates will be downloaded.

    Add Secsync DevTools

    In order to make development more transparent we created a DevTool component visualizing relevant information from the document.

    import { DevTool } from "secsync-react-devtool";
    // `state` and `send` from the useYjsSync hook
    <DevTool state={state} send={send} />

    Example App

    Setup your own backend

    Secsync ships with a backend utility that handles a Websocket connection including validations and handling expected error cases e.g. trying to send snapshot without having synced first. It requires 5 callbacks to be defined:

    • getDocument
    • createSnaphot
    • createUpdate
    • hasAccess
    • hasBroadcastAccess
    import { createWebSocketConnection } from "secsync-server";
    import { WebSocketServer } from "ws";
    const webSocketServer = new WebSocketServer();



    A callback that receives an object containing the snapshot structure sent by clients. The Snapshot should be persistet to a database. In case persisting fails an error should be thrown.


    A callback that receives an object containing the update structure sent by clients. The Update should be persistet to a database. In case persisting fails an error should be thrown.


    A callback that should return the necessary document information. The simples implementation would just return the latest snapshot, the proofs for snapshot ancestor chain and all related updates.

    A more advanced implementation should take into account if the full document or just a delta was requested and idenitfy if and if so which updates are necessary to send and only return those.


    A callback to verify if the client has read or write access to the requested document. Should return true if the client has access and false in case not.

    The callback is invoked with the following argument:

    type HasAccessParams =
      | {
          action: "read";
          documentId: string;
          websocketSessionKey: string | undefined;
      | {
          action: "write-snapshot" | "write-update" | "send-ephemeral-message";
          documentId: string;
          publicKey: string;
          websocketSessionKey: string | undefined;


    A callback to verify if clients are allowed to receive a new message. Should an array of true or false values matching the index of the websocketSessionKeys to indicate which client has access.

    The callback is invoked with the following argument:

    export type HasBroadcastAccessParams = {
      documentId: string;
      websocketSessionKeys: string[];

    Documentation Example Backend

    A fully functional backend can be found here (opens in a new tab). Keep in mind that it accepts any client and does not verify the Websocket session key/token.