Hyphenate Docs

Start Chatting with Hyphenate!

Welcome to the Hyphenate docs portal. Here you'll find comprehensive guides and technical documentation to help you integrate Hyphenate In-App Chat.

Get Started

Security Measures

As a platform provider who is responsible for channeling potentially personal and sensitive information among users over chat infrastructure in the cloud, Hyphenate takes the security measure seriously. We will cover some major security measures in this article, such as data operations, communication channels, data storage, threats, and compliance.

Data Operation


Hyphenate implements multi-tenancy to isolate users’ data based on a two-tier system with levels of organization and application. Different developer accounts segregated with different organization sandbox; different applications under the same developer account also segregated with different application sandbox. As a result, developers’ data are stored in completely distinct and isolated databases without possibility of mixing the data.
In terms of application access control, for each app, globally unique API key is generated and used as the unique identifier for the app. In the process of chat service integration, API key and security validation are required to access the application’s data. Multi-Tenancy

Business Data Isolation

Hyphenate serves only as an instant messaging channel. It does not provide user data management system for business related data nor storage of user private information. In order to enable to the chat service for the app users, developer need to create anonymous Hyphenate ID (username) to bind with existing app user profile created on developer backend. Hyphenate only store three attributes for each chat user, Hyphenate ID, password to login to chat service, and nickname to be displayed for iOS push notification. As a result, the data of app users’ personal profile are effectively separated from Hyphenate server.

Account Security

Account passwords are automatically hashed as ciphertext using SHA256 + SALT and PBKDF2withHmacSHA256 algorithm before storing on Hyphenate database.
Deletion of Hyphenate developer account will clear the data from the Hyphenate database as a part of the account lifecycle.

Server Database Operation

  • Internal log to track the personnel who accessed the data or performed data operations.
  • External end-user activity log access, the administrator can easily browse to each user each terminal in the specific time of the operation, in order to carry out the investigation and processing.

Communication Channel

Message Communication Protocol

Hyphenate developed a proprietary compressed binary protocol called Message Synchronization (MSYNC). MSYNC is a performance enhancement and an improvement on top of the transport layer TCP/IP. In addition to the advantages of the XMPP structure, our engineers further optimized the performance of mobile devices with additional improvements to network usage, power consumption, and an enablement of a richer chat experience. Learn more about MSYNC. In addition to mobile optimization, the key benefit of MSYNC is the inherited security structure that uses binary instead of text-based XML - adding another layer of privacy during packet transmission.

Transport Layer Security

TLS/SSL message encryption over transport layer for server-client end-to-end communication to prevent tapping or tampering. Furthermore, we also implement additional encryption on transport layer to ensure greater security measures.


Server-side REST API requests are encrypted using HTTPS + OAuth 2.0. App developer or user first make a request via authentication and authorization API to obtain the token generated by Hyphenate server, then use the token to make other API request, like getting contact list or send a message.
Furthermore, to prevent CSRF (Cross-site request forgery) attacks, client id and client secret are generated by Hyphenate when the application was created. They’re are used for authentication process to obtain the authorization token, which will expire in 30 days. Each API request is also timestamped for record. Detailed log can be used for tracking access or operations and troubleshooting.

End-to-End Encryption (E2EE)

End-to-end encryption provides further security measure as the data is encrypted on the message sender's device and only the recipient is able to decrypt it with the proper key. Nobody in between is able to read the message. However, the downside is that since message is encrypted, the app developer won’t able to process the message for data analytics/insight nor anti-spam. Learn more about E2EE

Additional Communication Security

  • Web client uses HTTPS-based WSS (WebSocket secure).
  • Third-party security integration is supported, such as VPN Tunnel, VPDN line, CA authentication and other means. Support for custom message encryption, support for custom security level.
  • Webhook/Callback message are encrypted using SALT+MD5.

Data Storage


Server-side database encryption

Database encryption to ensure the security and confidentiality of information; Server storage uses symmetric encryption, and the key is randomly generated when the app first registered.

Data portability

Developer can use REST API or webhook provided by Hyphenate to obtain history message with appropriate authentication process. Developer can choose to extend the message history for convenience, otherwise messages will be purged up to 7 days from the server database.

Remote data controllability

The realization of remote data erasure to ensure the controllability of remote data.


Client-side database encryption

Client-side local storage encryption, non-client mode will not be able to read the correct encrypted information. Client anti-decompile and anti-crack, to prevent third-party malicious organizations from the client to steal data. The server supports calling the interface to delete the local message, and remotely deleting the client message record to prevent the client from leaking.
When the client is initially installed, the SDK randomly generates a local key (which ensures that each client's password is unique and different from each other) for storing local messages. All messages stored locally, need to use the local key to encrypt the message. The local storage key mode is generated for the key randomly, stored in the database, and then used by the algorithm for message.
Security key mechanism for exchanging files between clients. Only the clients with the proper key are able to download the image or video from the Hyphenate server. Image, Video, and Thumbnail Handling



Spam, scams, phishing attacks, or fraudulent activities are prevalent problem for social app users, which leads to serious threatening problems. Hyphenate provides anti-spam features based on user behavior and keyword filtering to mitigate or eliminate unwanted activities from your app chat ecosystem. https://docs.hyphenate.io/v1.0/docs/anti-spam

DNS Anti-Hijack

To prevent domain name hijacking, the SDK embeds its own signed IP root certificate. Client cache a successful service IP of entry, then determination via intelligence DNS upon login, which provide fault tolerance if DNS failed, also prevent the attempt of DNS hijacking. User's request will be routed to dedicated server cluster through the intelligent DNS accordingly, where are two entry points of the chat services, TCP-based IM long connection service and HTTP-based REST service.

API Request Threshold

API request threshold and throttle can used to prevent API request abuse from potential spammers, who sends out massive spam message from numbered of chat user accounts.

Password Protection

[Password Protection: Encryption vs. Hashing] Password Protection and Secure Storage


Hyphenate always enhancing architecture and operation to improve security. We will finished implementing requirements to satisfy European compliance, General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679), by the end of 2017.

Updated 2 years ago

Security Measures

Suggested Edits are limited on API Reference Pages

You can only suggest edits to Markdown body content, but not to the API spec.