Skip to content
BeeBuzz Docs

Privacy & Security

BeeBuzz supports two delivery models.

The important question is: can the sender encrypt the notification before it reaches BeeBuzz?

Delivery Models

Section titled “Delivery Models”
SenderDelivery modelWhat BeeBuzz receives
CLIEnd-to-end encryptedCiphertext
Home Assistant integrationEnd-to-end encryptedCiphertext
HTTP API with JSON or form dataTrusted deliveryPlaintext notification content
WebhooksTrusted deliveryPlaintext notification content

The Home Assistant integration encrypts locally before upload. It fetches paired device public keys, encrypts the payload in Home Assistant, then uploads ciphertext to BeeBuzz.

Trusted Delivery

Section titled “Trusted Delivery”

Trusted delivery is used by the HTTP API and webhooks.

BeeBuzz receives the notification title, body, priority, topic, and any attachment data needed to prepare delivery.

Use trusted delivery when:

  • the sender cannot run the CLI
  • the sender can only call a fixed HTTPS URL
  • you want a simple curl or app integration

End-To-End Encrypted Delivery

Section titled “End-To-End Encrypted Delivery”

The CLI and Home Assistant integration can send end-to-end encrypted notifications.

In this mode, the sender encrypts locally for your paired devices. BeeBuzz stores and routes ciphertext. BeeBuzz does not read the original notification title, body, or attachment content.

Metadata

Section titled “Metadata”

End-to-end encryption protects notification content. It does not hide all metadata.

BeeBuzz still sees metadata such as:

  • account and API token used
  • target topic
  • device count
  • timing
  • delivery status
  • stored attachment or encrypted blob records

Attachments

Section titled “Attachments”

Attachments are temporary.

Current limits:

  • attachment content is limited to 1 MiB
  • attachment retention is 6 hours

In trusted delivery, BeeBuzz receives the attachment content before storing it for delivery.

In end-to-end encrypted delivery, the sender encrypts attachment content before upload.

Practical Limits

Section titled “Practical Limits”

End-to-end encryption does not remove all trust.

BeeBuzz can still:

  • route, delay, reject, or fail delivery
  • see routing metadata
  • serve the web app and Hive code used by your browser

End-to-end encryption also does not protect content on a compromised sender or receiving device.