AFK Pager ← Home

Your code never
leaves your Mac.

AFK Pager relays terminal output, questions, and replies between your Mac and your phone. Your source code never leaves your machine. Here's how every layer is protected.

🖥

Code stays local

Your source code never leaves your Mac. Only terminal output passes through the server.

🔒

Encrypted in transit

All communication between your Mac, the AFK Pager server, and your phone uses TLS. Nothing travels in plaintext.

🔕

Private notifications

Push notifications contain no code or question text. Apple only sees a generic alert.

🗑

Auto-purging

Terminal content and questions are ephemeral. Old data is automatically cleaned up.

// Layer 1

Transport security

Every connection between the Mac app, the AFK Pager server, and your phone is encrypted with TLS. The server enforces HTTPS with HSTS headers, preventing downgrade attacks.

The AFK Pager server terminates TLS at the edge and proxies to the application backend internally. The backend is never exposed to the internet.

Mac App —TLS→ AFK Pager Server
iPhone/iPad —TLS→ AFK Pager Server

HTTPS everywhere, no plaintext endpoints
HSTS with includeSubDomains
Backend only reachable via loopback interface
Certificate pinning available for apps (roadmap)

// Layer 2

Push notification privacy

Push notifications pass through Apple's servers (APNs). We treat APNs as an untrusted relay. The notification payload contains only a generic alert and opaque identifiers:

{

  "aps": {

    "alert": { "title": "AFK Pager", "body": "A session needs your attention" },

    "mutable-content": 1

  },

  "question_id": "opaque-uuid"  // means nothing to Apple

}

When the notification arrives on your device, a Notification Service Extension intercepts it, makes an authenticated call to the AFK Pager server over TLS, fetches the actual question text, and rewrites the notification before display. Apple never sees the real content.

// Layer 3

Authentication

AFK Pager uses passkeys (WebAuthn/FIDO2) for authentication. There are no passwords to steal, phish, or brute-force. Your passkey is bound to your device's Secure Enclave (Touch ID on Mac, Face ID on iPhone) and syncs securely through iCloud Keychain.

Passkey authentication (WebAuthn/FIDO2), no passwords
Private keys never leave the Secure Enclave
API keys are SHA-256 hashed before storage
Rate limiting on all authentication endpoints
Each API key is individually revocable

// Layer 4

Data at rest

The server is designed to hold as little data as possible, for as short a time as possible. A background task automatically purges stale data on a regular cycle.

Stream snapshots for closed sessions purged automatically
Answered and skipped questions, replies, and inputs cleaned up automatically
Closed sessions fully removed automatically
Expired auth tokens and pairing codes purged on every cycle

On your devices, credentials (passkeys, API keys) are stored in the system Keychain, backed by hardware encryption on devices with a Secure Enclave. Terminal content is held in memory and not persisted to disk.

For full details, see our privacy policy.

// Layer 5

Infrastructure

The AFK Pager server runs as a non-root, sandboxed process with only HTTPS exposed. The application backend is never directly reachable from the internet.

Non-root, sandboxed server process
Only HTTPS exposed, backend on localhost only
No content logged server-side (metadata only)

// Roadmap

Coming next

Security is never finished. Here's what's planned:

End-to-end encryption (E2EE)
SQLCipher for full database encryption at rest
Certificate pinning in iOS and Mac apps
Audit logging for compliance

Your code neverleaves your Mac.