OwnWire

End-to-end Data Encryption Beyond SSL/TLS

Maintain Communication Privacy Even When TLS Terminates at Your Proxy

Add zero-trust encryption to your web messaging infrastructure. Maintain complete message privacy even behind CDNs, load balancers, and reverse proxies. Your data stays encrypted end-to-end—no exceptions.

JavaScript SDK
Connect + send a message
<script src="https://ownwire.yourwebsite.com/js/ownwire.js"></script>

let ownwire = new Ownwire("wss://ownwire.yourwebsite.com/ws");
ownwire.onMessage = (msg) => console.log("received:", msg);
ownwire.connect();
ownwire.send("Hello from the browser");
Secure origins only: https://* or http://localhost
2 sockets: public + internal
JSON: simple frames
Lean: static + binary

Architecture Overview

Public WebSocket for browsers. Internal WebSocket for your backend worker. OwnWire routes messages by session_id.

1. Browser connects
Widget or SDK opens the public WS and starts a session.
2. Your client connects
Your internal client holds one WS and receives decrypted messages.
3. Reply as JSON
Send {"content","session_id","metadata"} and OwnWire delivers it back.
Widget embed
Paste + init. Minimal config.
<script src="https://ownwire.yourwebsite.com/js/ownwire_widget.js"></script>
<script>
document.addEventListener("DOMContentLoaded", () => {
  ownwireWidget({
    ws_url: "wss://ownwire.yourwebsite.com/ws",
    metadata: "username:user1",
    title: "Chat",
    widget_origin: "https://ownwire.yourwebsite.com",
    widget_path: "/",
    minimized_mode: "icon"
  });
});
</script>

How it works

Encrypted browser WS + internal client delivery

  • Embed the widget script from your OwnWire instance.
  • Connect over E2E-encrypted WebSocket (proxy sees ciphertext).
  • Route by session_id to your internal client.

  • Your backend connects once and handles all sessions.
  • Message frames are plain JSON.
  • Internal WS endpoint example: ws://127.0.0.1:8081/ws
Internal client flow
{
  "content":    "... message text ...",
  "session_id": "UUID string",
  "metadata":   "optional metadata string"
}
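
A minimal frame handler for the internal client described above, as an added example (not OwnWire's own code): it validates each decrypted frame before use and builds a reply in the same three-field shape. The function names, the size limits and the canonical 8-4-4-4-12 UUID form are assumptions; opening the internal WebSocket is left to your client library.

```javascript
// Added example: validation and reply building for the internal client.
// Function names and limits are hypothetical, not part of OwnWire.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i; // assumed form
const MAX_CONTENT_CHARS = 4096;  // assumed limit
const MAX_METADATA_CHARS = 256;  // assumed limit

// Parse one text frame received on the internal WebSocket.
// Frames arrive decrypted, so every field is untrusted user input.
function parseFrame(raw) {
  let obj;
  try {
    obj = JSON.parse(raw);
  } catch {
    return { ok: false, error: "not JSON" };
  }
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) {
    return { ok: false, error: "not an object" };
  }
  const { content, session_id, metadata } = obj;
  if (typeof content !== "string" || content.length > MAX_CONTENT_CHARS) {
    return { ok: false, error: "bad content" };
  }
  if (typeof session_id !== "string" || !UUID_RE.test(session_id)) {
    return { ok: false, error: "bad session_id" };
  }
  // metadata is set in browser-side widget config, so "username:user1" is a
  // claim by the client, not an authenticated identity.
  if (metadata !== undefined &&
      (typeof metadata !== "string" || metadata.length > MAX_METADATA_CHARS)) {
    return { ok: false, error: "bad metadata" };
  }
  // Copy only the three documented fields; unknown keys are dropped.
  return { ok: true, frame: { content, session_id, metadata: metadata ?? "" } };
}

// Build the reply frame; OwnWire routes it back by session_id.
function buildReply(frame, text) {
  return JSON.stringify({ content: String(text), session_id: frame.session_id, metadata: frame.metadata });
}

// Glue for a WebSocket "message" handler: returns the reply string, or null to drop.
function handleRaw(raw, respond) {
  const parsed = parseFrame(raw);
  return parsed.ok ? buildReply(parsed.frame, respond(parsed.frame)) : null;
}
```

Call handleRaw from your WebSocket library's message callback and send the returned string back on the same internal socket when it is not null.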

Reverse proxy (nginx)

Useful when you want TLS termination, a stable public origin, and a single entry point for both your site and OwnWire. Your proxy can handle certificates and routing, while OwnWire still keeps message contents end-to-end encrypted.

  • TLS + public origin -- browsers connect to a trusted HTTPS/WSS endpoint.
  • One front door -- route /ws and static assets cleanly.
  • Same security model -- the proxy only forwards ciphertext.
nginx config
WSS upgrade + basic proxying
server {
  listen 443 ssl http2;
  server_name ownwire.yourwebsite.com;

  ssl_certificate     /etc/letsencrypt/live/ownwire.yourwebsite.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/ownwire.yourwebsite.com/privkey.pem;

  # Optional: proxy the widget/JS assets through nginx as well
  location /js/ {
    proxy_pass http://127.0.0.1:8080;
  }

  # Public WebSocket endpoint (browser/widget)
  location /ws {
    proxy_pass http://127.0.0.1:8080;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    proxy_read_timeout 1h;
  }
}
Point ws_url to wss://ownwire.yourwebsite.com/ws. OwnWire still encrypts payloads end-to-end above TLS.

Get Started in Minutes

Complete documentation and production-ready binaries for all major platforms.