Follower-Only and Mutuals
Pipoke posts carry a privacy tier. Public posts are visible to anyone reading the chain. Follower-only, mutuals-only, and close-friends-only posts encrypt the attachment with a symmetric key that is sealed per recipient. The chain holds the ciphertext. The platform never sees the plaintext.
Pipoke runs on Octra Devnet today. Any fee, price, or limit referred to here is a contract setting chosen for testing. Every one is owner-settable, and mainnet values will be different. These docs describe how the mechanics work, not what the numbers are.
#The four tiers
| Tier | Who sees |
|---|---|
| Public | Anyone reading the chain. |
| Followers | Your followers only. |
| Mutuals | Followers who also follow you back. |
| Close friends | The wallets you marked as close friends. |
The tier is one field on the post tx. The feed shard stores it. The indexer reads it and the app applies the visibility rule.
#The sealing protocol
When you publish a follower-only post with an attachment:
- The app generates a fresh symmetric key.
- The attachment is encrypted with that key and uploaded to your Circle.
- The app loads your follower set from
PipokeCore. - For each follower's X25519 box pubkey, the app seals the symmetric key with NaCl's
box. - The post tx publishes the URI plus the sealed-key wraps.
A follower's Pipoke app sees the post, finds the wrap with their pubkey, unseals the symmetric key with their X25519 private key, fetches the ciphertext from the URI, and decrypts.
The platform never sees the symmetric key in the clear. The chain holds wraps and ciphertext, nothing else.
#Follower pubkey registration
For sealed delivery to work, every follower has to publish their X25519 box pubkey on PipokeCore with set_followers_only_pk(pk_hex, principal). The Pipoke app does this the first time you receive your first follower-only post.
The pubkey is derived deterministically from your wallet signature (the same Ed25519 key, converted to X25519 via the standard cryptographic conversion). Moving to a new device with the same seed phrase regenerates the same key, so old sealed posts you received still decrypt.
#Mutuals and close friends
Mutuals-only is the same protocol as follower-only, with one filter step: the app only includes wraps for wallets where the follow edge is two-way.
Close-friends-only is the same protocol, with one filter step: the app only includes wraps for wallets you marked as set_close_friend(target, on=1).
#Why sealed keys, not channel keys
A channel key (one key for all followers) would mean revoking a follower's access requires rotating the key and re-encrypting every past post. Sealed-per-follower delivery means a removed follower simply does not get a wrap on your next post, and their access to old posts depends on whether they kept the symmetric key from the time they were a follower.
The on-chain record of who could read what at any point in time is fixed at the post's epoch, and that is the point.
#Action fees
Follower-only, mutuals-only, and close-friends-only posts pay the same POKE action fee as a public post.