Are messages/notifications encrypted?
We use industry-standard TLS (HTTPS) encryption for all communication in Pushover, in every step of the process between your servers and our API servers, our servers and Apple's and Google's push notification servers, those push servers to your devices, and our apps back to our servers.
Our iOS and Android apps use AES-256 message encryption with a random, per-device key automatically generated for your device upon registration. Our servers encrypt your messages before sending them through Apple's and Google's notification servers, then our apps running on your devices decrypt the messages before showing them as notifications.
Our desktop/browser app uses TLS encryption for all communication between your browser and our servers, and messages are pushed directly from our servers to your browser. macOS desktop notifications (registered through Safari) cannot be encrypted, because push notifications are delivered directly to macOS for display, with no application of ours in the middle to decrypt them.
Messages on our servers are stored in plain text, but only long enough to send them out to your devices, which then check in with our servers and trigger those messages to be deleted from our database.
We store your messages on your devices in plain text, but in a secure manner that prevents other applications on the device from reading them.
We do not currently support full end-to-end encryption, in which your server would deliver an already-encrypted message to our API and our app on your device would then decrypt it using a pre-shared key that you enter into the client. That would additionally hide the message contents from our servers.