Frequently asked questions

Keytun uses end-to-end encryption (X25519 key exchange + AES-256-GCM). The relay server is a dumb pipe — it only ever sees ciphertext. Even if you use the public relay at relay.keytun.com, your keystrokes and terminal output are never visible to the relay operator.

Yes. The relay is a stateless WebSocket broker with no database or persistence. Run keytun relay --port 8080 on any server, or deploy the Docker image to Fly.io, Railway, or any container host. Then pass --relay ws://your-server:8080/ws when hosting or joining.

Anyone with your session code. Session codes are randomly generated from a wordlist (e.g. keen-fox-42) and are unguessable. Sessions are ephemeral — they exist only in memory while the host is connected. Once the host disconnects, the session is gone.

No. They can join straight from the browser — no install needed. You can also share a direct link like keytun.com/s/keen-fox-42. If they prefer a native experience, they can install keytun and use keytun join <code>.

Yes. In terminal mode, keytun spawns a real PTY (pseudo-terminal). Raw key bytes are sent — arrow keys, tab completion, Ctrl+C, Ctrl+D, and other control sequences all work exactly as they would locally.

Press Esc twice in quick succession. Both the host and client will be notified of the disconnect. The host can also just close their terminal or press Ctrl+C.

Terminal mode (default) spawns a PTY — your colleague types into a real shell session. Use this for running commands together, debugging, pair programming in the terminal.

System mode injects keystrokes at the OS level into any application. Use keytun host --mode system to target the focused window, or --target "VS Code" to target a specific app. Currently macOS only.

Most people are behind NATs, firewalls, or corporate networks that prevent direct peer-to-peer connections. The relay solves this by giving both sides a public WebSocket endpoint to connect to — no port forwarding, no VPN, no firewall rules. It's the same reason tools like ngrok and Tailscale exist.

The relay is stateless and sees only encrypted traffic. You can self-host it if you prefer not to use the public one.

keytun runs on macOS, Linux, and Windows. Terminal mode works on all three. System mode (OS-level keystroke injection) is currently macOS only, with Linux support planned.

Currently, each session supports one host and one client. Multi-client sessions are not yet supported but may be added in the future.

Both sides are notified immediately via a peer disconnect event. The host's shell session is unaffected — it keeps running. The client can rejoin using the same session code as long as the host is still connected.

Those tools are great for full pair programming sessions. Keytun solves a narrower problem: you're already screensharing and your colleague just needs to type one command. No shared editor setup, no tmux session, no account creation — just a session code and they're typing.

Yes. Keytun is licensed under AGPL v3 and the source is on GitHub. Contributions are welcome.