close search

Add Messaging, Voice, and Authentication to your apps with Vonage Communications APIs

Visit the Vonage API Developer Portal

End-to-End Encryption

Use the End-to-End Encryption API to encrypt media being sent through a media server from your application.

Important: In OpenTok.js 2.27.0, end-to-end encryption will not work with clients using an earlier version of OpenTok.js. When you upgrade your app to use OpenTok.js 2.27.0+, make sure all clients are using OpenTok.js 2.27.0+ if the app uses end-to-end encryption..

This topic includes the following sections:


End-to-end encryption (or E2EE) allows application developers to encrypt media in routed sessions from client to client. For relayed sessions, media is already encrypted client-to-client, through WebRTC protocols. This feature adds an encryption layer by encrypting the media payload at the client so that it will remain encrypted through the OpenTok Media Router that routes media to other clients (in routed sessions). You enable end-to-end encryption when you create a session.

End-to-end encryption is supported in web apps on Chromium-based browsers (Chrome,Opera, and Edge).

You set the encryption secret in a web application using OpenTok.js. You must set encryption secrets in the web client when you initialize a session, and you can change encryption secrets on the fly once the session has connected. The encryption secret is a non-empty string. All users must use the same secret to receive intelligible media. The encryption secret is key material for generating a cryptographic key that is used to encrypt and decrypt media. Specifically, the encryption secret generates an AES-256 encryption key using an AES-CTR algorithm with a 256-bit key.

Please note that the OpenTok Media Router does not have access to unencrypted media when using end-to-end encryption. So, features that require media decoding — such as archiving, live streaming broadcasts, experience composer, audio connector, and SIP interconnect — are unsupported in end-to-end encrypted sessions.

Adding end-to-end encryption for your account

End-to-end encryption is available as an add-on feature. You can enable it on your Vonage Video account page.

Enabling encryption using the REST API

You enable end-to-end encryption when you create a session using the REST API. Set the e2ee property to true. See session creation.

Note: Before enabling end-to-end encryption for a session, you must enable it for your Vonage Video account. See the previous section.

The following Node.js example creates an end-to-end encryption enabled session:

const opentok = new OpenTok(API_KEY, API_SECRET);
const sessionId;
    mediaMode: 'routed',
    e2ee: true,
  }, function(error, session) {
  if (error) {
    console.log('Error creating session:', error)
  } else {
    sessionId = session.sessionId;
    console.log('Session ID: ' + sessionId);