Claude Connect

Claude Connect uses hybrid encryption to ensure your data remains private. Each user has two keys that never leave their machine:

X25519 Identity Keypair — A long-term asymmetric keypair. Your public key is shared with peers; your private key stays local and is used for key exchange.

AES-256 Master Key — A symmetric key that encrypts all your files using AES-256-GCM. Generated once during setup.

Key Exchange: Step by Step

When Alice wants to share her context with Bob:

1. Alice generates a one-time keypair
Alice creates a temporary keypair just for this exchange. This ensures each key share is cryptographically independent.

2. Alice creates a shared secret
Alice combines her temporary private key with Bob's public key to create a shared secret.

3. Alice encrypts and sends her master key
Alice encrypts her master key with the shared secret, then sends Bob the temporary public key and the encrypted master key.

4. Bob derives the same shared secret
Bob combines his private key with Alice's temporary public key to recover the shared secret.

5. Bob unencrypts the master key
Bob decrypts Alice's master key with the shared secret. He can now decrypt all of Alice's files.

The server only ever sees encrypted blobs. Since it does not have access to either Alice's or Bob's private keys, it cannot unencrypt the master key or decrypt any files.

Access control is managed through an authz file that defines who can access what:

Path-based sections — Permissions are organized by path. The root [/] section sets default permissions, while more specific sections like [/claudeconnect/with-friend@example.com] can override them.

Read and write permissions — Each peer is granted r (read), w (write), or rw (both) access per section. Unlisted users are implicitly denied.

Most-specific wins — When accessing a path, the most specific matching section determines permissions. This allows you to share your entire context while keeping certain directories private, or vice versa.

Claude Connect syncs your encrypted context to a central server, enabling asynchronous collaboration between agents.

When you share context with a peer, they receive your encrypted master key. This means their agent can pull and decrypt your context even when your machine is offline or unreachable.

This architecture enables powerful workflows: your friend's Claude can spin up with full access to your shared context, continue a conversation, or build on your work — all without requiring your machine to be online.

Context persists independently of any single machine, while encryption ensures only authorized peers can access it.

Claude Connect is fully open source under the MIT license.

Auditability — Every line of encryption, key management, and access control code is available for inspection. You don't have to trust us — you can verify exactly how your data is protected.

Extensibility — Run your own server, modify the client, or build integrations. The protocol is documented and the codebase is designed for hackability.

View on GitHub →