Tutorial — Security & verification
Build an encrypted messaging app
TDIP identities expose X25519 key-agreement keys alongside their signing keys. Pair them with AES-256-GCM for end-to-end encrypted messaging — the network sees only ciphertext.
- Level: Intermediate
- Time: ~20 min
- Prerequisites: Two TDIP DIDs
- Stack: TypeScript
01
Resolve the recipient's key
The DID document holds the X25519 public key used for envelope encryption.
const doc = await tz.call("resolve_did_document", {
  did: "did:tenzro:human:..."
});
02
Encrypt the message
Derive a shared secret via X25519, then encrypt with AES-256-GCM.
const sealed = await tz.call("envelope_encrypt", {
  recipient_pubkey: doc.keyAgreement[0].publicKeyBase58,
  plaintext: utf8("hello")
});
03
Send through A2A
The A2A protocol relays the ciphertext envelope addressed to the recipient DID.
await tz.call("send_agent_message", {
  to: recipientDid,
  payload_b64: base64(sealed),
  encoding: "x25519+aes-gcm"
});
04
Decrypt on receipt
The recipient unwraps with their MPC-held private key — the server never sees plaintext.
const plaintext = await tz.call("envelope_decrypt", { sealed });
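
What steps 02 and 04 describe (X25519 key agreement followed by AES-256-GCM), run locally with Node's built-in crypto module. This is an added example, not Tenzro's code and not the implementation behind envelope_encrypt or envelope_decrypt. The Envelope layout, the HKDF-SHA256 step with its info label, and the per-message ephemeral sender key are assumptions of this example.

```typescript
import { generateKeyPairSync, diffieHellman, hkdfSync, randomBytes,
  createCipheriv, createDecipheriv, KeyObject } from "node:crypto";

// Hypothetical envelope layout for this example (not TDIP's wire format).
interface Envelope { ephemeralPub: KeyObject; nonce: Buffer; ciphertext: Buffer; tag: Buffer }

// X25519 shared secret -> HKDF-SHA256 -> 32-byte AES-256 key.
// The raw ECDH output is never used directly as a cipher key.
function deriveKey(priv: KeyObject, pub: KeyObject): Buffer {
  const shared = diffieHellman({ privateKey: priv, publicKey: pub });
  return Buffer.from(hkdfSync("sha256", shared, Buffer.alloc(0), "example-envelope-v1", 32));
}

// Sender: fresh ephemeral key pair per message, random 96-bit nonce.
function sealEnvelope(recipientPub: KeyObject, plaintext: Buffer): Envelope {
  const eph = generateKeyPairSync("x25519");
  const nonce = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", deriveKey(eph.privateKey, recipientPub), nonce);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { ephemeralPub: eph.publicKey, nonce, ciphertext, tag: cipher.getAuthTag() };
}

// Recipient: same key from own private key + the sender's ephemeral public key.
// final() throws if the GCM tag does not verify.
function openEnvelope(recipientPriv: KeyObject, env: Envelope): Buffer {
  const decipher = createDecipheriv("aes-256-gcm", deriveKey(recipientPriv, env.ephemeralPub), env.nonce);
  decipher.setAuthTag(env.tag);
  return Buffer.concat([decipher.update(env.ciphertext), decipher.final()]);
}

// Constructed demo: round trip for a freshly generated recipient key pair.
function roundTrip(message: string): string {
  const recipient = generateKeyPairSync("x25519");
  const env = sealEnvelope(recipient.publicKey, Buffer.from(message, "utf8"));
  return openEnvelope(recipient.privateKey, env).toString("utf8");
}

// Constructed demo: a relay that flips one ciphertext bit must be rejected.
function tamperRejected(): boolean {
  const recipient = generateKeyPairSync("x25519");
  const env = sealEnvelope(recipient.publicKey, Buffer.from("hello", "utf8"));
  env.ciphertext.writeUInt8(env.ciphertext.readUInt8(0) ^ 0x01, 0);
  try { openEnvelope(recipient.privateKey, env); return false; } catch { return true; }
}
```

The GCM tag check is what lets the recipient detect a relay that alters the envelope in transit; confidentiality alone would not.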