The server is open source.

The Keestash server — the heart of the system — is published under AGPLv3. Inspect every line of encryption logic, deploy it yourself, and verify our security claims without trusting our word.

What is open, and what is not

We believe in being specific. Not every component of Keestash is open source — here is exactly what you can inspect, fork, and run yourself.

Server / Backend
AGPLv3 — Open Source
  • PHP 8.4 Mezzio backend — all source on GitHub
  • All encryption logic — AES-256-GCM, key derivation
  • REST API — full OpenAPI 3.0 specification
  • Self-host on any PHP 8.4+ server
  • Network-facing modifications must be shared back

Web App & iOS App
Proprietary Clients
  • Web app source code is not published
  • iOS app source code is not published
  • Clients connect to the open source server API
  • Point them at your own self-hosted instance
  • Use the OpenAPI spec to build your own client

The API is fully documented and public — anyone can build a compatible client.

Security software must be verifiable

Full auditability

Every line of encryption logic, every API endpoint, every data-handling decision is publicly visible. No back doors. No hidden telemetry. Verify it yourself.

Community security

A public codebase attracts security researchers who find and report vulnerabilities. Open source projects fix critical bugs faster than closed-source alternatives.

No vendor lock-in

Fork it. Host it. Modify it. Your organisation is never dependent on our continued operation. The server is yours to run forever.

Help improve the server

Bug reports, security disclosures, and pull requests are all welcome. Found a vulnerability? Please use responsible disclosure at security@keestash.com.