Skip to main content
Device pairing establishes trust between Spacedrive instances using cryptographic signatures and user-friendly codes. Once paired, devices can communicate securely and share data directly.

How Pairing Works

Pairing uses a 12-word code to create a secure connection between two devices. The initiator generates the code, and the joiner enters it to establish trust.

The Pairing Code

Spacedrive uses BIP39 mnemonic codes for pairing, which come in two formats:

Text Format (Local Network Only)

A 12-word BIP39 mnemonic for manual entry:
This format:
  • Works only on the same local network (mDNS discovery)
  • Easy to read and type
  • Contains 128 bits of entropy
  • Valid for 5 minutes
  • Never reused

QR Code Format (Local + Internet)

A JSON structure that enables both local and cross-network pairing:
This format:
  • Works across different networks and the internet
  • Includes the initiator’s node_id for pkarr discovery
  • Enables automatic relay fallback
  • Same 5-minute expiration
  • Recommended for most use cases

Security Model

The pairing protocol provides multiple security guarantees: Authentication: Devices prove their identity using Ed25519 signatures Confidentiality: All communication encrypted with session keys Integrity: Challenge-response prevents tampering Forward secrecy: New keys for each session

Choosing a Pairing Method

When to Use Text Codes

Text-based codes are best for:
  • Devices on the same local network (home, office)
  • Quick pairing without scanning QR codes
  • Situations where QR scanning is inconvenient
Limitations:
  • Only works on the same subnet
  • Cannot traverse NATs or firewalls
  • Requires both devices to be on the same physical or virtual network

When to Use QR Codes

QR codes are recommended for:
  • Pairing across different networks
  • Remote device pairing over the internet
  • Maximum reliability (falls back to relay if needed)
  • Most production use cases
Benefits:
  • Works anywhere with internet connectivity
  • Automatic relay fallback for NAT traversal
  • Faster on local networks (dual-path discovery)
  • More reliable overall

Pairing Process

For the Initiator

1

Generate Code

Call the pairing API to generate a code:
2

Wait for Connection

The device advertises via mDNS (local) and pkarr (internet) and waits for a joiner. The code expires after 5 minutes.Advertisement includes:
  • Session ID (via mDNS user_data)
  • Node address published to dns.iroh.link (via pkarr)
3

Verify Joiner

When a joiner connects, the initiator sends a cryptographic challenge to verify they have the correct code and own their device keys.
4

Complete Pairing

After verification, both devices exchange session keys and save the pairing relationship.

For the Joiner

1

Enter Code

Enter the code from the initiator (text or QR):
2

Discover Device

The system searches for the initiator using:
  • Local network (mDNS) - Scans for matching session_id
  • Internet (pkarr/DNS) - Queries dns.iroh.link for node address (requires node_id)
  • Relay servers - Automatic fallback if direct connection fails
With QR codes, both paths run simultaneously and the first to succeed wins.
3

Prove Identity

Sign a challenge from the initiator to prove you have the code and own your device keys.
4

Save Relationship

Store the paired device information and session keys for future communication.

Proxy pairing

Proxy pairing lets a new device join a network after a single direct pairing. The device that completed the direct pairing can vouch for the new device to other trusted devices. Each receiving device can accept or reject the vouch. See Proxy Pairing for the full protocol, resource model, and flows.

Technical Architecture

Protocol Messages

The pairing protocol uses four message types:

State Machine

The PairingProtocolHandler manages session state:

Session Management

Each pairing attempt creates a session:
Sessions expire after 5 minutes. Users must complete pairing within this time window.

Discovery Mechanisms

Devices find each other through multiple methods, depending on the pairing code format:

Local Network (mDNS)

On the same network, devices discover each other instantly using multicast DNS:
How it works:
  • Initiator includes session_id in mDNS broadcasts
  • Joiner scans local network for matching session_id
  • Typically connects in 1-3 seconds
  • Only works on the same subnet

Internet (Pkarr/DNS)

For pairing across networks, Spacedrive uses pkarr to publish and resolve node addresses via DNS:
How it works:
  • Initiator automatically publishes its address to dns.iroh.link via pkarr
  • Record includes relay_url and any direct addresses
  • Joiner queries dns.iroh.link with the node_id from QR code
  • Pkarr returns all connection options (relay + direct)
  • Takes 5-15 seconds including DNS resolution
Pkarr uses DNS-based discovery backed by the Mainline DHT. It’s more reliable than traditional DHT for NAT traversal and works globally.

Dual-Path Discovery

When using QR codes (with node_id), Spacedrive races both discovery methods:
This approach optimizes for speed on local networks while ensuring reliability across the internet.

Relay Servers

When direct connection fails, devices automatically connect through relay servers:
Current Configuration:
  • Uses n0’s default relay servers (North America, Europe, Asia-Pacific)
  • Relay URLs discovered automatically via pkarr
  • Custom relay support coming soon (configurable per-node)
Relay servers only forward encrypted QUIC traffic. They cannot decrypt your data or compromise security.

Cryptographic Details

Challenge-Response Authentication

The challenge-response prevents replay attacks and verifies device identity:

Key Derivation

Session keys are derived from the pairing code and device identities:

Pkarr Implementation

Spacedrive uses pkarr for decentralized node address resolution:
How Pkarr Works:
  • Uses DNS TXT records backed by the Mainline DHT
  • Records include relay URL and direct addresses
  • Automatic publishing every time the node’s address changes
  • TTL-based caching for performance
  • No manual DHT interaction required

Transport Security

All pairing communication uses encrypted channels:
  1. QUIC encryption: TLS 1.3 at transport layer
  2. Application encryption: Additional layer using session keys
  3. Perfect forward secrecy: New keys each session

Error Handling

Common Errors

Recovery Strategies

Invalid code: Check spelling, ensure correct code Connection failed: Check network, firewall settings Timeout: Generate new code and try again Signature failed: Restart both applications

Implementation Guide

Starting Pairing (Initiator)

Joining Pairing (Joiner)

Handling Protocol Messages

Testing Pairing

Unit Tests

Integration Tests

Best Practices

For Users

  1. Prefer QR codes: Use QR codes for reliability across any network
  2. Share codes securely: Use encrypted messaging or voice calls for text codes
  3. Complete quickly: Codes expire in 5 minutes
  4. Verify device names: Check the paired device is correct
  5. One code at a time: Cancel old attempts before starting new ones
  6. Check network connectivity: For cross-network pairing, ensure internet access

For Developers

  1. Handle all states: Account for every possible state transition
  2. Clean up sessions: Remove expired sessions promptly
  3. Log failures: Record why pairing failed for debugging
  4. Test edge cases: Network failures, timeouts, wrong codes

Troubleshooting

Pairing Fails Immediately

Check:
  • Both devices have network connectivity
  • Firewalls allow Spacedrive traffic
  • System time is roughly correct (within 5 minutes)

Cannot Find Device

For text-based codes:
  • Ensure both devices are on the same local network
  • Check that mDNS is not blocked by firewalls
  • Text codes only work locally - use QR codes for cross-network pairing
For QR codes:
  • Ensure both devices have internet connectivity
  • Check that the node_id is included in the QR code
  • Verify dns.iroh.link is accessible (not blocked by corporate firewalls)
  • Try generating a fresh code

Code Invalid or Expired

Solutions:
  • Double-check spelling of all 12 words
  • Ensure code was entered within 5 minutes
  • Generate new code if expired
  • Check for typos in word order