Frequently asked questions

Keytun uses end-to-end encryption (X25519 key exchange + AES-256-GCM). The relay server is a dumb pipe — it only ever sees ciphertext. Even if you use the public relay at relay.keytun.com, your keystrokes and terminal output are never visible to the relay operator.

Yes. The relay is a stateless WebSocket broker with no database or persistence. Run keytun relay --port 8080 on any server, or deploy the Docker image to Fly.io, Railway, or any container host. Then pass --relay ws://your-server:8080/ws when hosting or joining.

Anyone with your session code. Session codes are randomly generated from a wordlist (e.g. keen-fox-42) and are unguessable. Sessions are ephemeral — they exist only in memory while the host is connected. Once the host disconnects, the session is gone.

No. They can join straight from the browser — no install needed. You can also share a direct link like keytun.com/s/keen-fox-42. If they prefer a native experience, they can install keytun and use keytun join <code>.

Yes. In terminal mode, keytun spawns a real PTY (pseudo-terminal). Raw key bytes are sent — arrow keys, tab completion, Ctrl+C, Ctrl+D, and other control sequences all work exactly as they would locally.

As a client: Press Esc twice in quick succession. The host will see a "client disconnected" notification and the session remains open for reconnection.

As a host: Type exit in the terminal (or Ctrl+D) to close the shell — this ends the session. Your terminal title bar shows the session code while keytun is active, so you can always tell if a session is still open.

Terminal mode (default) spawns a PTY — your colleague types into a real shell session. Use this for running commands together, debugging, pair programming in the terminal.

System mode injects keystrokes at the OS level into any application. Use keytun host --mode system to target the focused window, or --target "VS Code" to target a specific app. Currently macOS only.

Most people are behind NATs, firewalls, or corporate networks that prevent direct peer-to-peer connections. The relay solves this by giving both sides a public WebSocket endpoint to connect to — no port forwarding, no VPN, no firewall rules. It's the same reason tools like ngrok and Tailscale exist.

The relay is stateless and sees only encrypted traffic. You can self-host it if you prefer not to use the public one.

keytun runs on macOS and Linux. Terminal mode works on both. System mode (OS-level keystroke injection) is currently macOS only, with Linux support planned. Windows support is not yet available.

Yes. Keytun supports fan-out — multiple clients can join the same session simultaneously. All connected clients can send keystrokes to the host's PTY, and all receive the terminal output.

Both sides are notified immediately via a peer disconnect event. The host's shell session is unaffected — it keeps running. The client can rejoin using the same session code as long as the host is still connected.

Those tools are great for full pair programming sessions. Keytun solves a narrower problem: you're already screensharing and your colleague just needs to type one command. No shared editor setup, no tmux session, no account creation — just a session code and they're typing.

Yes. Keytun is licensed under AGPL v3 and the source is on GitHub. Contributions are welcome.