WebRTC (Browser Peer-to-Peer)

What WebRTC is

WebRTC is a set of W3C and IETF specifications that ship in every modern browser. It gives JavaScript three primitives:RTCPeerConnection (the connection itself), media tracks (audio and video from getUserMedia), and RTCDataChannel (an arbitrary-bytes pipe). Once a connection is set up, two browsers can exchange encrypted media or data directly across the open internet.

The DataChannel — how files move

Toolkiya Send uses RTCDataChannel for file transfer. Once a peer connection is open, the channel behaves a lot like a WebSocket — except instead of going through a server, the bytes go straight from one tab to the other. Large files are sliced into chunks (typically 16–64 KB), sent in order, and reassembled at the receiving end. SCTP, the transport WebRTC uses under the hood, handles reliable delivery and back-pressure.

Encryption is not optional

WebRTC mandates encryption. Media tracks are encrypted with SRTP. Data channels run over DTLS. There's no unencrypted mode you can flip on for testing — the spec doesn't allow it. The browser generates ephemeral certificates per session, so even if a TURN relay sits in the path, the relay sees ciphertext, not your file.

Signaling, STUN, and TURN — the boring part

Two browsers can't find each other without a tiny bit of help. They need to exchange SDP offers and ICE candidates first — that exchange is called signaling, and it's the one thing WebRTC doesn't standardise. Most apps use a short-lived WebSocket or HTTP endpoint for it. Once both sides have each other's candidates, the actual connection bypasses the signaling server.

STUNservers tell each peer what its public IP and port look like from outside its NAT. That's usually enough for two consumer routers to connect directly. When a router or corporate firewall is strict (symmetric NAT, port-blocking, no UDP), the peers fall back to TURN — a relay that does forward the encrypted bytes through a server. TURN keeps things working at the cost of relay bandwidth, which is why TURN providers charge per GB.

Where you've already used it

Google Meet, Discord voice and video, Zoom's web client, WhatsApp Web calls, Facebook Messenger calls, every browser-based screen-share tool, and a long list of file-drop sites all use WebRTC. If you've ever joined a video call from a browser tab without installing anything, that was WebRTC doing the work.

Why this matters for privacy

For a file-transfer tool, WebRTC is the difference between "your invoice is now on a third-party server somewhere" and "your invoice went from your laptop to your colleague's phone over an encrypted channel and nothing in between kept a copy." The signaling server only sees the metadata needed to introduce the peers — typically a room code and timestamps. The payload itself never passes through it. That's why Send doesn't need an upload limit, a free tier, or an account: there's nothing to host.