Security model

Built so Relay cannot read your bookmarks.

Relay syncs bookmarks through an end-to-end encrypted, zero-knowledge vault. Your password stays in the browser, bookmark contents are encrypted before upload, and the backend stores only encrypted vault data plus limited operational metadata.

Security receipt

Password sent: No
Readable bookmarks: No
Permissions: Bookmarks + storage + identity
Review status: Planned

End-to-end encrypted · Zero-knowledge vault · No analytics SDK · Independent review planned

Data boundary

What Relay can and cannot see

Relay can store encrypted vault data

The server needs the encrypted blob, a derived vault lookup key, browser-limit metadata, rate-limit metadata, and plan state to operate sync.

Relay cannot read bookmark contents

Readable bookmark titles, URLs, folders, and profiles are encrypted in the browser before upload. The password is not sent to Relay.

Relay can enforce ownership

Sensitive actions require a local ownership token recovered only after a browser decrypts the vault with the correct password.

Relay cannot reset your password

Password recovery would require Relay to hold a decryption path. Relay intentionally does not.
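
The boundary described in this section, sketched as an added example; it is not Relay's code and does not come from this page. It uses Node's built-in crypto module so it runs offline. Assumptions: PBKDF2 with HKDF for key derivation, AES-256-GCM for the vault, a non-secret per-vault salt known to the browser, a hashed ownership token as the server-side check, and every function and field name.

```javascript
// Added illustration, not Relay's code. PBKDF2, HKDF, AES-256-GCM, the salt
// source and every name below are assumptions; the page does not specify them.
const nodeCrypto = require("node:crypto");
const sha256 = (s) => nodeCrypto.createHash("sha256").update(String(s)).digest("hex");

// Stretch the password once, then split it into two unrelated keys so the
// lookup key the server sees reveals nothing about the encryption key.
function deriveKeys(password, salt) {
  const master = nodeCrypto.pbkdf2Sync(password, salt, 600000, 32, "sha256");
  const sub = (label) => Buffer.from(nodeCrypto.hkdfSync("sha256", master, salt, label, 32));
  return { encKey: sub("vault-encryption"), lookupKey: sub("vault-lookup") };
}

// Browser side: encrypt bookmarks together with a random ownership token.
function sealVault(password, salt, bookmarks) {
  const { encKey, lookupKey } = deriveKeys(password, salt);
  const ownershipToken = nodeCrypto.randomBytes(32).toString("hex");
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv("aes-256-gcm", encKey, iv);
  const plaintext = JSON.stringify({ bookmarks, ownershipToken });
  const blob = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  // Everything that leaves the browser: no password, no readable bookmarks.
  return {
    lookupKey: lookupKey.toString("hex"),
    iv: iv.toString("hex"),
    tag: cipher.getAuthTag().toString("hex"),
    blob: blob.toString("hex"),
    ownershipTokenHash: sha256(ownershipToken), // assumed server-side verifier
  };
}

// Browser side: only the correct password recovers bookmarks and the token.
function openVault(password, salt, record) {
  const { encKey } = deriveKeys(password, salt);
  const d = nodeCrypto.createDecipheriv("aes-256-gcm", encKey, Buffer.from(record.iv, "hex"));
  d.setAuthTag(Buffer.from(record.tag, "hex"));
  try {
    const pt = Buffer.concat([d.update(Buffer.from(record.blob, "hex")), d.final()]);
    return JSON.parse(pt.toString("utf8"));
  } catch {
    return null; // wrong password or tampered blob: the GCM tag check fails
  }
}

// Server side: authorize a sensitive action by comparing token hashes.
function serverAuthorize(record, presentedToken) {
  const presented = Buffer.from(sha256(presentedToken), "hex");
  return nodeCrypto.timingSafeEqual(presented, Buffer.from(record.ownershipTokenHash, "hex"));
}
```

In this sketch the lookup key is derived from the password, so the key-derivation cost is what limits offline guessing by anyone who obtains the stored record.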

Extension surface

Extension permissions

Relay requests only the permissions needed for bookmark sync, local bookmark tools, and the optional passkey handoff:

Optional passkeys

Passkeys approve a browser; they do not replace vault encryption

Relay stores the passkey public key and limited credential metadata needed for verification. The encrypted local password wrapper is split between an approved browser and Relay's server, so neither side can unlock it alone. Biometric data and device PINs stay with the operating system or passkey provider and are never sent to Relay.

Local controls

Health, Tidy, and Undo stay browser-side

Library health checks, canonical URL-copy detection, local bookmark organization, Undo snapshots, and action result messages are computed from this browser's bookmark tree and local storage. They do not require Relay to read plaintext bookmarks on the server.

Verification

Independent verification roadmap

Relay is preparing for an independent browser-extension security review. We will publish only completed review summaries, not future-tense certification claims. The planned review scope is:

Current status: no third-party certification has been claimed yet. Chrome Web Store distribution is the normal install path, and independent audit evidence will be added after completion.

Disclosure

Report a security issue

Please use the support page for a coordinated reporting path. Do not send passwords, full bookmark exports, sensitive URLs, or exploit playbooks in an initial report.

Contact Relay support