Concept

Messages and envelopes

Applies to: All SDKs Last updated: 2026-06-11

A HexaEight message is an opaque text blob that one identity sends to another. The SDK calls this blob an envelope. This page describes what an envelope contains, what travels in cleartext at the wire level, and what fields are available inside the encrypted payload.

What an envelope is

From the application's perspective, an envelope is a string that the SDK produces from a plaintext body and that another SDK can turn back into that body. Applications do not need to inspect the envelope; they pass it to whatever transport delivers it to the recipient (HTTP, message queue, file, ntfy).

// Producing an envelope
string envelope = await client.EncryptEnvelopeAsync(
    recipient: "[email protected]",
    body:      "hello alice");

// Decoding an envelope
var msg = await client.DecryptEnvelopeAsync(envelope);
Console.WriteLine($"From {msg.Sender}: {msg.Body}");

What travels in cleartext, what is encrypted

An envelope has two parts:

  1. A short cleartext header at the start, containing the sender's opaque cryptographic identifier and a time-window number (called a KGT — a 15-minute window used for key derivation). The recipient needs both to know which decryption key to fetch.
  2. The encrypted payload, which contains the actual message body and any optional fields the sender added.

The cleartext header tells the receiving SDK which key to ask the platform for. It does not reveal the sender's email address or hostname directly — the identifier is opaque. It does not reveal the body in any form.

The encrypted payload

Inside the encrypted payload, the SDK places a JSON object with the following fields:

FieldAlways present?Set byPurpose
SenderYesThe platform, at encryption timeThe cryptographically verified sender name. The receiver trusts this.
BodyYesThe applicationThe actual message content.
SessionIdIf a session is usedThe applicationIdentifies an ongoing conversation. See sessioned envelopes.
FinalRecipientOptionalThe applicationUsed in relay scenarios. The sender is asking the recipient to forward to this final party.
OriginalSenderSet by relay agentsThe relay agent"This message came from this original party, forwarded by me."
ProtectionHashAuto-populatedThe SDKA hash of the sending application's binary. Used by app-level authorization rules.

Two envelope variants

HexaEight envelopes come in two variants:

See How-to: Use sessioned envelopes for the practical steps.

What the SDK does on every encrypt and decrypt

  1. Encrypt: the SDK fetches the appropriate shared key from the platform (or reuses a cached one), serialises the body and any optional fields into a JSON payload, encrypts the payload, and produces the wire envelope.
  2. Decrypt: the SDK parses the wire header, fetches the receiving key for that sender (or reuses a cached one), decrypts the payload, extracts the Sender and Body fields, runs authorisation if enabled, and returns the result.

All of this is transparent to your code — you call EncryptEnvelopeAsync and get back a string, or call DecryptEnvelopeAsync and get back a DecryptedEnvelope object.

See also