From IndieWeb
This page describes one possible private messaging solution. See private posts for more.


In this diagram, these server names are shortened for brevity:


Possible implementations

(rel=pm is a placeholder for a better rel value; this terrible two-letter value was chosen deliberately so that it doesn't stick.)

There is an implied initial step of creating the private message, which ultimately means that needs to have the message.

1. fetches and looks for rel=pm, and discovers ""

2. sends a POST request that contains the message ID and sender () to , which fetches looking for rel=pm and discovers "".

3. sends a request to to check whether this message request is legitimate.

4. generates a token and sends a request to asking that server to deliver the message (the POST request contains the message ID and destination, as well as the new token).

5. looks up the message and sees it was sent to "", goes and fetches the home page looking for rel=pm, and discovers "" which matches the request to deliver the message.

6. sends the message in a POST request to , along with the token (secret) that was included in step 4.

Step 2 is critical: this is how bob's server knows it is actually "" that sent the message. Effectively, this is equivalent to bob's server requesting the message from alice's home page. In both directions the rel=pm endpoint is discovered by fetching the other party's home page, never taken from the incoming request itself, so a request that names some other endpoint gains nothing.


Needs to have a link tag with rel=pm pointing to

Needs to have a link tag with rel=pm pointing to

  • Accepts a POST request with a message ID and sender.
  • Parses for the rel link.
  • Generates a token and sends a POST request to requesting delivery of the message.
  • Accepts a POST request with the message contents and secret, and verifies the token matches the one generated previously.

  • Accepts a POST request with a message ID, delivery destination and token. (Verifies the message ID is valid first.)
  • Parses for the rel link and verifies this matches the request.
  • Sends the message contents and token to
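The six-step exchange above, and the per-server responsibilities just listed, as a runnable simulation. This is an added example, not code from the IndieWeb wiki or from any implementation it describes. It assumes two home pages, alice.example and bob.example, each advertising a rel=pm link to a /pm endpoint, and replaces real HTTP with an in-memory web (PAGES for fetches, ENDPOINTS for POSTs). The legitimacy check of step 3 and the delivery request of step 4 travel as one POST, as the responsibility list has it. Besides the legitimate exchange it shows two refusals the text calls for: a forged announcement naming a message ID the sender's server does not hold, and a delivery carrying a token the recipient did not mint.

```python
import hmac
import re
import secrets

# Constructed in-memory "web": two home pages, each advertising a rel=pm endpoint.
# The domains alice.example / bob.example and the /pm paths are assumptions.
ALICE_HOME, BOB_HOME = "https://alice.example/", "https://bob.example/"
PAGES = {
    ALICE_HOME: '<html><head><link rel="pm" href="https://alice.example/pm"></head></html>',
    BOB_HOME: '<html><head><link rel="pm" href="https://bob.example/pm"></head></html>',
}
REL_PM = re.compile(r'<link[^>]*\brel="pm"[^>]*\bhref="([^"]+)"')
ENDPOINTS = {}  # endpoint URL -> server object; stands in for HTTP routing

def fetch_rel_pm(home_url):
    """Fetch a home page and return the href of its rel=pm link, or None."""
    match = REL_PM.search(PAGES.get(home_url, ""))
    return match.group(1) if match else None

def post(endpoint_url, req):
    """Stand-in for an HTTP POST to endpoint_url; replies are dicts with an "ok" flag."""
    server = ENDPOINTS.get(endpoint_url)
    if server is None:
        return {"ok": False, "error": "no server at " + endpoint_url}
    return server.handle(req)

class SenderServer:
    """Alice's side: stores outgoing messages and releases each only to its recipient's endpoint."""
    def __init__(self, home):
        self.home, self.messages = home, {}
        ENDPOINTS[fetch_rel_pm(home)] = self

    def create_message(self, to_home, body):
        msg_id = secrets.token_urlsafe(8)
        self.messages[msg_id] = {"to": to_home, "body": body}
        return msg_id

    def send(self, msg_id):
        """Steps 1-2: discover the recipient's rel=pm endpoint and announce the message ID."""
        endpoint = fetch_rel_pm(self.messages[msg_id]["to"])
        if endpoint is None:
            return {"ok": False, "error": "recipient advertises no rel=pm"}
        return post(endpoint, {"type": "announce", "id": msg_id, "sender": self.home})

    def handle(self, req):
        """Step 5: honour a delivery request only for a known message addressed to that destination."""
        if req.get("type") != "deliver":
            return {"ok": False, "error": "unsupported request"}
        msg = self.messages.get(req.get("id"))
        if msg is None:
            return {"ok": False, "error": "unknown message id"}
        if msg["to"] != req.get("destination"):
            return {"ok": False, "error": "message was not addressed to that destination"}
        endpoint = fetch_rel_pm(msg["to"])
        if endpoint is None:
            return {"ok": False, "error": "destination advertises no rel=pm"}
        # Step 6: deliver to the endpoint discovered from the destination's own home page,
        # never to one named in the request.
        return post(endpoint, {"type": "message", "id": req["id"], "sender": self.home,
                               "body": msg["body"], "token": req.get("token", "")})

class ReceiverServer:
    """Bob's side: mints one token per announced message and accepts only deliveries carrying it."""
    def __init__(self, home):
        self.home, self.pending, self.inbox = home, {}, []
        ENDPOINTS[fetch_rel_pm(home)] = self

    def handle(self, req):
        if req.get("type") == "announce":
            return self.handle_announce(req)
        if req.get("type") == "message":
            return self.handle_message(req)
        return {"ok": False, "error": "unsupported request"}

    def handle_announce(self, req):
        """Steps 3-4: find the claimed sender's rel=pm endpoint, mint a token, ask it to deliver."""
        key = (req.get("id"), req.get("sender"))
        endpoint = fetch_rel_pm(key[1])  # from the sender's home page, not from the announcer
        if endpoint is None:
            return {"ok": False, "error": "claimed sender advertises no rel=pm"}
        token = secrets.token_urlsafe(32)
        self.pending[key] = token
        reply = post(endpoint, {"type": "deliver", "id": key[0], "destination": self.home, "token": token})
        if not reply["ok"]:
            self.pending.pop(key, None)  # sender's server refused: discard the unused token
        return reply

    def handle_message(self, req):
        """Step 6: accept the body only with the single-use token minted for this (id, sender)."""
        key = (req.get("id"), req.get("sender"))
        expected = self.pending.get(key)
        if expected is None or not hmac.compare_digest(expected.encode(), str(req.get("token", "")).encode()):
            return {"ok": False, "error": "bad or missing token"}
        del self.pending[key]
        self.inbox.append({"from": key[1], "body": req.get("body")})
        return {"ok": True}

def run_demo():
    """A legitimate exchange, a forged announcement, and a delivery with a token Bob never issued."""
    alice, bob = SenderServer(ALICE_HOME), ReceiverServer(BOB_HOME)
    msg_id = alice.create_message(BOB_HOME, "meet at 3?")
    legit = alice.send(msg_id)
    forged = bob.handle_announce({"id": "not-a-real-id", "sender": ALICE_HOME})
    replay = bob.handle_message({"id": msg_id, "sender": ALICE_HOME, "body": "x", "token": "guess"})
    return {"legit": legit["ok"], "forged": forged["ok"], "replay": replay["ok"], "inbox": bob.inbox}

if __name__ == "__main__":
    print(run_demo())
```

Two design points carry the protocol's security: each server resolves the other party's endpoint from that party's own home page, so an attacker cannot redirect delivery by naming a different endpoint in a request, and the token is keyed by (message ID, sender) and deleted on first use, so a delivery that arrives without the token Bob minted, or arrives twice, is refused.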

Alternate Example

The diagram below is functionally equivalent to the above diagram, but is phrased in terms of "auth code" and "token", where the message only comes into play at the last step. One advantage is that steps 1-4 establish the token, which can then be used repeatedly to send multiple messages in a row. A token reused this way is a bearer secret for that sender/recipient pair, so it should stay bound to that pair and be expired or revoked rather than kept indefinitely.


See Also

IRC logs from the discussion that started this page:

Similar previous work:
