Security
How claude-sync protects your data in transit and at rest.
End-to-End Encryption
Claude Sync encrypts all session data before it leaves your device. Session files, todos, artifacts, and tool results are encrypted using AES-256-GCM with a key derived from your account credentials. The encryption happens client-side in the CLI, meaning the API server and storage layer never see your unencrypted data. This zero-knowledge architecture ensures that only you and your authorized devices can decrypt and read your Claude Code sessions.
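The client-side step described above, as an added example written for this page rather than code from the claude-sync project: a key is derived from an account secret, a session file is sealed with AES-256-GCM before it leaves the device, and the only things handed to the API are the logical path and a hash of the ciphertext. The KDF (PBKDF2-HMAC-SHA256), the salt, the iteration count, the choice to bind the path as associated data, and the Blob layout are all assumptions; the page only states that the key is derived from account credentials and that AES-256-GCM is used.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// deriveKey derives a 32-byte AES-256 key from an account secret with PBKDF2-HMAC-SHA256
// (one 32-byte output block). Hypothetical: the page does not state which KDF or
// parameters claude-sync uses, only that the key is derived from account credentials.
func deriveKey(secret, salt []byte, iterations int) []byte {
	prf := hmac.New(sha256.New, secret)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index 1, big-endian
	u := prf.Sum(nil)
	key := append([]byte(nil), u...)
	for i := 1; i < iterations; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	return key
}

// Blob is what actually leaves the device. The API and storage layer see only Path
// (metadata for locating the object) and Hash (for diffing); Cipher is opaque to them.
type Blob struct {
	Path   string
	Hash   string // SHA-256 of the ciphertext, so diffing never requires the plaintext
	Cipher []byte // 12-byte GCM nonce followed by ciphertext and 16-byte authentication tag
}

// encryptSession seals one session file client-side with AES-256-GCM. The logical path is
// bound as additional authenticated data, so a blob cannot be silently moved to another path.
func encryptSession(key []byte, path string, plaintext []byte) (Blob, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return Blob{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return Blob{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Blob{}, err
	}
	ct := gcm.Seal(nonce, nonce, plaintext, []byte(path)) // output = nonce || ciphertext || tag
	sum := sha256.Sum256(ct)
	return Blob{Path: path, Hash: hex.EncodeToString(sum[:]), Cipher: ct}, nil
}

// decryptSession is the receiving device's side. gcm.Open fails on any modification of the
// ciphertext, tag, nonce or bound path, so a tampered blob is rejected rather than decrypted.
func decryptSession(key []byte, b Blob) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(b.Cipher) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ct := b.Cipher[:gcm.NonceSize()], b.Cipher[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(b.Path))
}

func main() {
	// Constructed sample input; a real client would read the session file from disk.
	key := deriveKey([]byte("account-secret"), []byte("per-account-salt"), 100000)
	blob, err := encryptSession(key, "sessions/2024-01-01.jsonl", []byte(`{"role":"user","content":"hi"}`))
	if err != nil {
		panic(err)
	}
	fmt.Printf("uploaded: path=%s hash=%s bytes=%d\n", blob.Path, blob.Hash, len(blob.Cipher))
	pt, err := decryptSession(key, blob)
	fmt.Printf("decrypted on second device: %s (err=%v)\n", pt, err)
}
```

The point a practitioner should take from this is that the server-visible fields (Path, Hash) are computed over the ciphertext, never the plaintext, and that GCM's authentication tag means a blob modified in storage fails to decrypt instead of yielding corrupted session data.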
Authentication
Authentication is handled via JSON Web Tokens (JWT) with a dual-token system. When you log in, the API issues both an access token (valid for 15 minutes) and a refresh token (long-lived). The access token is sent with every API request to authenticate your identity. When the access token expires, the CLI automatically uses the refresh token to obtain a new access token without requiring you to log in again.
Token Refresh Flow
1. Access Token Expires
2. Automatic Refresh: the CLI calls the /auth/refresh endpoint with the refresh token to request new tokens.
3. New Tokens Issued
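The dual-token flow above, as an added example written for this page (not claude-sync's own code): the API issues a 15-minute access token and a long-lived refresh token at login, verifies tokens with an exact algorithm check and a constant-time signature comparison, and the CLI refreshes once and retries when the access token has expired. Assumptions: HS256 signing (the page does not name the algorithm), a 30-day refresh-token lifetime (the page only says "long-lived"), the `typ` claim used to keep the two token kinds from being swapped, and a single file that plays both API and CLI, so the signing secret is passed into the CLI-side function only for the simulation.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// claims is the minimal payload this example needs. "typ" distinguishes access from refresh
// tokens so that a refresh token can never be presented as an access token (assumption).
type claims struct {
	Sub string `json:"sub"`
	Typ string `json:"typ"` // "access" or "refresh"
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding
var errExpired = errors.New("token expired")

// sign produces a compact HS256 JWT with the given lifetime.
func sign(secret []byte, c claims, now time.Time, ttl time.Duration) string {
	c.Exp = now.Add(ttl).Unix()
	hdr, _ := json.Marshal(map[string]string{"alg": "HS256", "typ": "JWT"})
	body, _ := json.Marshal(c)
	msg := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(msg))
	return msg + "." + b64.EncodeToString(mac.Sum(nil))
}

// verify is the API-side check: exact algorithm match (never trust "alg" beyond that),
// constant-time signature comparison, token kind, then expiry.
func verify(secret []byte, token, wantTyp string, now time.Time) (claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return claims{}, errors.New("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if h, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(h, &hdr) != nil || hdr.Alg != "HS256" {
		return claims{}, errors.New("unexpected header")
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return claims{}, errors.New("bad signature")
	}
	var c claims
	if p, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(p, &c) != nil {
		return claims{}, errors.New("bad payload")
	}
	if c.Typ != wantTyp {
		return claims{}, errors.New("wrong token type")
	}
	if now.Unix() >= c.Exp {
		return claims{}, errExpired
	}
	return c, nil
}

// issue returns the pair handed out at login: a 15-minute access token and a long-lived
// refresh token (30 days is an assumption; the page only says "long-lived").
func issue(secret []byte, sub string, now time.Time) (access, refresh string) {
	return sign(secret, claims{Sub: sub, Typ: "access"}, now, 15*time.Minute),
		sign(secret, claims{Sub: sub, Typ: "refresh"}, now, 30*24*time.Hour)
}

// refreshEndpoint models /auth/refresh: it accepts only a valid refresh token and issues a new pair.
func refreshEndpoint(secret []byte, refresh string, now time.Time) (string, string, error) {
	c, err := verify(secret, refresh, "refresh", now)
	if err != nil {
		return "", "", err
	}
	a, r := issue(secret, c.Sub, now)
	return a, r, nil
}

// syncRequest models one CLI request. The secret lives only on the API; it is passed here
// because this file plays both sides. On an expired access token the CLI refreshes once and
// retries, so the user is never prompted to log in again.
func syncRequest(secret []byte, access, refresh string, now time.Time) (claims, string, string, error) {
	c, err := verify(secret, access, "access", now)
	if errors.Is(err, errExpired) {
		if access, refresh, err = refreshEndpoint(secret, refresh, now); err != nil {
			return claims{}, "", "", err
		}
		c, err = verify(secret, access, "access", now)
	}
	return c, access, refresh, err
}

func main() {
	secret := []byte("constructed-signing-secret") // placeholder, never hard-code a real one
	login := time.Now()
	access, refresh := issue(secret, "user-123", login)
	c, newAccess, _, err := syncRequest(secret, access, refresh, login.Add(20*time.Minute))
	fmt.Printf("sub=%s refreshed=%v err=%v\n", c.Sub, newAccess != access, err)
}
```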
Presigned URLs
All file uploads and downloads use presigned URLs generated by MinIO (S3-compatible object storage). When you sync, the API provides temporary presigned URLs that grant direct access to the storage layer for 15 minutes. This means your encrypted files are uploaded and downloaded directly between your CLI and MinIO, without passing through the API server. The API never sees the contents of your files, only metadata like file paths and hashes for diffing.
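A defensive check the CLI side can run before sending ciphertext to a presigned URL, added here as an example written for this page rather than code from claude-sync or MinIO: it refuses anything that is not HTTPS, not the expected storage host, signed for longer than the 15 minutes the page states, or already expired. The query parameter names are the standard AWS Signature Version 4 ones that MinIO uses; the host, credential and signature values in the sample URL are constructed placeholders. The signature itself can only be checked by the storage server, which holds the secret key, so this is a sanity check on what the API handed back, not a verification of the signature.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"time"
)

// maxPresignLifetime is the 15-minute lifetime the page states for claude-sync presigned URLs.
const maxPresignLifetime = 15 * time.Minute

// sampleURL is a constructed SigV4-style presigned PUT URL, shaped like those MinIO issues.
// Host, credential and signature are placeholders, not values from a real deployment.
const sampleURL = "https://minio.example.internal/claude-sync-data/u-123/sessions/abc.enc" +
	"?X-Amz-Algorithm=AWS4-HMAC-SHA256" +
	"&X-Amz-Credential=AKIAEXAMPLE%2F20240101%2Fus-east-1%2Fs3%2Faws4_request" +
	"&X-Amz-Date=20240101T120000Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host" +
	"&X-Amz-Signature=0000000000000000000000000000000000000000000000000000000000000000"

// checkPresignedURL validates a presigned URL before the CLI uses it and returns the instant
// at which it stops being valid. It does not (and cannot) verify the signature.
func checkPresignedURL(raw, wantHost string, now time.Time) (time.Time, error) {
	var none time.Time
	u, err := url.Parse(raw)
	if err != nil {
		return none, err
	}
	if u.Scheme != "https" {
		return none, errors.New("presigned URL must use https")
	}
	if u.Host != wantHost {
		return none, errors.New("unexpected storage host " + u.Host)
	}
	q := u.Query()
	for _, k := range []string{"X-Amz-Algorithm", "X-Amz-Credential", "X-Amz-Date",
		"X-Amz-Expires", "X-Amz-SignedHeaders", "X-Amz-Signature"} {
		if q.Get(k) == "" {
			return none, errors.New("missing query parameter " + k)
		}
	}
	if q.Get("X-Amz-Algorithm") != "AWS4-HMAC-SHA256" {
		return none, errors.New("unexpected signing algorithm")
	}
	// X-Amz-Date is the signing time in the SigV4 "basic ISO 8601" layout, UTC.
	signedAt, err := time.Parse("20060102T150405Z", q.Get("X-Amz-Date"))
	if err != nil {
		return none, err
	}
	secs, err := strconv.Atoi(q.Get("X-Amz-Expires"))
	if err != nil || secs <= 0 {
		return none, errors.New("invalid X-Amz-Expires")
	}
	lifetime := time.Duration(secs) * time.Second
	if lifetime > maxPresignLifetime {
		return none, fmt.Errorf("lifetime %s exceeds %s", lifetime, maxPresignLifetime)
	}
	expires := signedAt.Add(lifetime)
	if !now.Before(expires) {
		return expires, errors.New("presigned URL has already expired")
	}
	return expires, nil
}

func main() {
	now := time.Date(2024, 1, 1, 12, 5, 0, 0, time.UTC) // constructed "current time"
	exp, err := checkPresignedURL(sampleURL, "minio.example.internal", now)
	fmt.Println("valid until", exp.Format(time.RFC3339), "err:", err)
}
```

Because the upload goes straight from the CLI to MinIO, this is the last point at which the client can notice a URL that would send encrypted data somewhere other than the expected storage host.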
Data Storage
Encrypted session data is stored in MinIO object storage with strict isolation by user ID. Each user's files are stored in separate prefixes (virtual folders) within two buckets: claude-sync-data for session files and artifacts, and claude-sync-manifests for device manifests. Access control policies ensure that users can only access their own data. Even if an attacker gains access to the storage layer, they would only find encrypted blobs without the decryption keys.
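The per-user prefix isolation above has to be enforced before a presigned URL is ever issued, otherwise the URL itself would grant access to another user's prefix. The following is an added example written for this page, not claude-sync's own authorization code: an API-side check that accepts only the two buckets named above and only keys strictly under the caller's own "<userID>/" prefix, rejecting non-normalized keys rather than trying to repair them. The user-ID format and the returned "bucket/key" string are assumptions; in a real deployment this sits alongside the bucket access-control policies the page mentions, not instead of them.

```go
package main

import (
	"errors"
	"fmt"
	"path"
	"strings"
)

// The two buckets named on the page. Anything else is refused outright.
var allowedBuckets = map[string]bool{
	"claude-sync-data":      true, // session files and artifacts
	"claude-sync-manifests": true, // device manifests
}

// authorizeObject is the check the API would run before issuing a presigned URL: the
// requested key must sit strictly under the caller's own prefix "<userID>/". It is an added
// illustration of the per-user prefix isolation the page describes, not claude-sync's code.
func authorizeObject(userID, bucket, key string) (string, error) {
	if !allowedBuckets[bucket] {
		return "", errors.New("unknown bucket")
	}
	if userID == "" || userID == "." || userID == ".." || strings.ContainsAny(userID, "/\\") {
		return "", errors.New("invalid user id")
	}
	if key == "" || strings.HasPrefix(key, "/") || strings.Contains(key, "\\") {
		return "", errors.New("invalid object key")
	}
	// A key that changes under path.Clean contained "..", ".", "//" or a trailing slash;
	// refusing it closes the usual prefix-escape tricks rather than trying to repair them.
	if path.Clean(key) != key {
		return "", errors.New("object key is not normalized")
	}
	// The trailing slash matters: the prefix "u-1/" must not match the key "u-12/file".
	prefix := userID + "/"
	if !strings.HasPrefix(key, prefix) {
		return "", errors.New("object key outside caller's prefix")
	}
	return bucket + "/" + key, nil
}

func main() {
	// Constructed requests; only the first should be granted.
	for _, k := range []string{
		"u-123/sessions/abc.enc", "u-123/../u-456/sessions/abc.enc", "u-1234/sessions/x.enc", "u-123",
	} {
		ref, err := authorizeObject("u-123", "claude-sync-data", k)
		fmt.Printf("%-32s -> %q err=%v\n", k, ref, err)
	}
}
```

Even with this check in place, the storage-side policies remain the backstop: the encrypted blobs stay unreadable without the client-held key, and a correct prefix check only prevents one user from being issued a URL into another user's prefix.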