Are messages/notifications encrypted?
We use industry-standard TLS (HTTPS) encryption for all communication in Pushover, at every step of the process: between your servers and our API servers, between our servers and Apple's and Google's push notification servers, from those push servers to your devices, and from our apps back to our servers.
Our iOS and Android apps use AES-256 message encryption with a random, per-device key automatically generated for your device upon registration. Our servers encrypt your messages before sending them through Apple's and Google's notification servers, then our apps running on your devices decrypt the messages before showing them as notifications.
Our desktop/browser app uses TLS encryption for all communication between your browser and our servers, and in direct mode messages are pushed directly from our servers to your browser. In cloud push notification mode, a small ping message is sent through Apple/Google servers, which notifies your browser to securely connect to our API servers and fetch messages, which then generate notifications.
Messages on our servers are stored in plain text, but only long enough to send them out to your devices, which then check in with our servers and trigger deletion of those messages from our servers.
We store your messages on your devices in plain text, but in a secure manner that prevents other applications on the device from reading them.
We do not currently support full end-to-end encryption, in which your server would encrypt a message with your own key and send it to our servers already encrypted, and our app on your device would then decrypt it using the key that you stored in the app. That design would additionally hide the message contents from our servers.
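The difference in who holds the key between the per-device message encryption described above and the end-to-end design that is not supported, as an added example (not Pushover's code). It assumes AES-256-GCM with a random 12-byte nonce; the function names and the envelope layout are hypothetical.

```javascript
// Added illustration, not Pushover code. AES-256-GCM, the envelope layout
// and every name below are assumptions; the page only says "AES-256".
const crypto = require('crypto');

// Envelope: 12-byte nonce || 16-byte GCM tag || ciphertext, base64-encoded.
function seal(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), body]).toString('base64');
}

// Throws if the envelope was modified in transit (GCM tag mismatch).
function unseal(key, envelope) {
  const raw = Buffer.from(envelope, 'base64');
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw.subarray(0, 12));
  decipher.setAuthTag(raw.subarray(12, 28));
  const body = Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]);
  return body.toString('utf8');
}

// Records what each hop can read. TLS protects every link in both models,
// so `seen` is what a party holds after TLS termination, not what is on the wire.
//   'per-device': the service and the app share the key (described on the page).
//   'end-to-end': only the sender and the app share it (not supported).
function deliver(model, message) {
  const key = crypto.randomBytes(32); // constructed per-device key, 256 bits
  const seen = {};
  let payload = model === 'end-to-end' ? seal(key, message) : message;
  seen.service = payload; // what the notification service receives
  if (model === 'per-device') payload = seal(key, payload);
  seen.pushRelay = payload; // what Apple's/Google's push servers carry
  seen.device = unseal(key, payload); // what the app displays
  return seen;
}

// Flip one bit of the envelope to simulate corruption in transit.
function flipLastBit(envelope) {
  const raw = Buffer.from(envelope, 'base64');
  raw[raw.length - 1] ^= 1;
  return raw.toString('base64');
}

// Returns true if unseal() rejects the modified envelope.
function rejectsTampering() {
  const key = crypto.randomBytes(32);
  try { unseal(key, flipLastBit(seal(key, 'constructed sample'))); return false; }
  catch (err) { return true; }
}
```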