Wire
The year in review: What we worked on in 2023
A brand new standard for end-to-end encrypted messaging, federated secure messaging and a new Android app. Only some news from Wire in 2023.
Build secure, end-to-end encrypted apps with the Wire Integrations SDK. Learn how to create automation, AI assistants, and workflows that run inside encrypted conversations—on infrastructure you control.
The Wire Integrations SDK is built for developers who want to extend Wire without compromising its security model. Unlike traditional bot platforms, Wire Apps are cryptographic participants in the conversation, they operate with the same end-to-end MLS encryption as any human user. This guide covers the key concepts you need to build confidently on the platform.
KEY TERMS
SDK - Software Development Kit
A collection of tools, libraries, and code that developers use to build applications for a specific platform. The Wire Integrations SDK gives developers everything they need to build apps that connect to Wire - without having to implement low-level networking, encryption, or protocol details themselves.
MLS - Messaging Layer Security
An open standard (IETF RFC 9420) for end-to-end encrypted group messaging. Wire is one of the first platforms to implement MLS at production scale. MLS provides forward secrecy (old messages remain secure if a key is later compromised) and post-compromise security (future messages remain secure after a breach is resolved). The SDK handles all MLS complexity automatically - developers never touch cryptographic primitives.
E2EE - End-to-End Encryption
A method of encrypting messages so that only the sender and intended recipients can read them. Not even the service provider (Wire) can access the content. E2EE is enforced at the device level - messages are encrypted before they leave the sender's device and only decrypted on the recipient's device.
App - Application
In Wire, an App is an independent software service built using the Wire Integrations SDK that connects to Wire conversations. Apps can send and receive messages, react to events, and automate workflows - all inside the end-to-end encrypted environment. Unlike browser plugins or embedded add-ons, Wire Apps run on your own infrastructure and are added to team conversations by an administrator.
How it works in one paragraph
The Wire Integrations SDK is a development kit you use to build Apps - automated services that send messages, respond to events, and run workflows inside Wire conversations. You write the app logic, and you deploy it on your own infrastructure - your servers, your cloud, your rules. Wire never touches your code or your data. Once deployed, your app can be added to any Wire Team conversation using its App ID - either within your own team or shared with another team as a third-party app. Everything the app sends and receives stays end-to-end encrypted inside Wire.
One App, many teams
Once you build and deploy an App, it gets a unique App ID. Any Wire team administrator can add it to their team using that ID - your app then participates in their conversations as a trusted third-party app, fully encrypted, without your app needing to be redeployed or reconfigured. You stay in control of the infrastructure; they control which conversations it joins.
How it works:
-
You build the App using the Wire Integrations SDK and deploy it on your own servers.
-
Your App receives a unique App ID when registered.
-
Any Wire Team Admin - in your team or another organisation - can add the App to their Team using that App ID.
-
The App joins their conversations as a cryptographic participant. All messages remain end-to-end encrypted.
-
No redeployment needed. Your infrastructure serves every team that adds the App.
What You Can Build
The Wire Integrations SDK is a foundation, not a fixed set of features. If you can describe a workflow, you can build an App for it. The examples below are a starting point - what gets built next is limited only by your team's imagination.
Notification Pipelines
Replace REST webhooks with encrypted, authenticated notifications delivered directly into Wire conversations.
Examples: GitHub CI/CD alerts · PagerDuty incidents · Datadog monitoring · deployment status · security alerts · scheduled reports
Workflow Automation
React to conversation events to trigger actions in external systems - approvals, ticketing, data syncs - without leaving Wire.
Examples: approval flows with buttons · Jira ticket creation · Salesforce updates · on-call handover bots · access request management
AI-Powered Apps: Connect any AI model (on-premise or cloud) to Wire conversations.
Because your App runs on your own infrastructure, you choose where the AI model lives. Pair the SDK with a self-hosted LLM (Llama 3, Mistral) for a fully air-gapped pipeline, or use a cloud model where your compliance rules allow.
-
Translation: Translate messages in real time across languages inside an encrypted conversation
-
Transcription: Transcribe Wire calls and post structured summaries - decisions, action items - into the conversation.
-
Summarisation: Summarize long conversations on demand. Useful for catch-ups, compliance records, and status reports.
-
Document Intelligence: Analyse documents shared in Wire - extract clauses, flag risks, answer questions - without sending files to external services.
Compliance & Audit
Apps that monitor, log, and report on conversation activity for regulated industries - all within the encrypted environment.
Examples: audit trail bots · policy compliance checks · sensitive keyword detection · eDiscovery exports · data retention enforcement
Third-Party Integrations
Bridge Wire conversations with the tools your team already uses - bidirectionally, with encryption preserved throughout.
Examples: Jira · ServiceNow · Salesforce · Zendesk · SAP · custom internal tools
The limit is your imagination
Any service that can send an HTTP request or run as a JVM process can become a Wire App. If your team can describe a workflow - however specific to your industry, your toolchain, or your compliance requirements - the Wire Integrations SDK gives you the building blocks to make it happen, inside end-to-end encryption, on infrastructure you control.
A Story you can relate to
Meet Lena - a senior engineer at a 400-person fintech company. Her team chose Wire because they handle sensitive financial data, so end-to-end encryption (E2EE) was non-negotiable. Everything ran smoothly until the product team started asking.
Her first instinct is to reach for what she knows. But when she looks at how bots work on other platforms, something stops her. Every integration she has built works the same way: the platform decrypts the message on its servers, then forwards it to your bot. The encryption boundary ends at the platform. Her bot lives outside it.
She digs into the Wire Integrations SDK. The architecture is different.
An app built with the Wire SDK is a cryptographic participant in the MLS group. It has its own identity and key material. It receives messages as ciphertext and decrypts them locally - the same way a human's Wire client does. Because the app participates in the encrypted group, it decrypts messages locally just like a user client. The Wire backend routes encrypted messages without access to their content.
Getting Started
Add the SDK to your Kotlin or Java project:
|
// build.gradle.kts dependencies { implementation("com.wire:wire-integrations-jvm-sdk:0.0.1") } |
Initialise the SDK with your credentials, backend host, and event handler. The 32-byte cryptographyStorageKey encrypts the SDK's local state - generate it with SecureRandom and store it in a secrets manager, never in plaintext.
|
fun main() { val sdk = WireAppSdk( applicationId = UUID.fromString(System.getenv("WIRE_SDK_APP_ID")), apiToken = System.getenv("WIRE_SDK_API_TOKEN"), apiHost = System.getenv("WIRE_SDK_API_HOST"), cryptographyStorageKey = loadKeyFromVault(), // 32 bytes, SecureRandom wireEventsHandler = MyEventsHandler() ) sdk.startListening() // opens WebSocket, runs indefinitely } |
The SDK handles the WebSocket connection (a persistent real-time channel to the Wire backend), MLS decryption, key management, and group state. By the time an event hits your handler it is already decrypted and typed. You write business logic, not cryptographic plumbing.
For more information visit dev.wire.com or to request a development sandbox fill up the Form.
01 - GitHub Notifications
|
USER STORY As an engineer, I want PR (Pull Request) merges and CI (Continuous Integration) failures posted in Wire so I can stay on top of the pipeline without switching tools. |
PR / CI/CD - Pull Request / Continuous Integration & Continuous Delivery: A Pull Request (PR) is a developer's request to merge a set of code changes into the main codebase, typically reviewed by teammates before approval. CI/CD (Continuous Integration / Continuous Delivery) refers to automated pipelines that build, test, and deploy software every time code changes are made. The GitHub App example sends encrypted Wire notifications whenever a PR is merged or a CI build fails.
When the app is added to a Wire group, onAppAddedToConversation fires. Lena stores the conversation ID for later. When GitHub webhooks arrive, she posts into Wire using WireApplicationManager:
|
class GitHubHandler : WireEventsHandlerSuspending() {
override suspend fun onAppAddedToConversation(conversationId: QualifiedId) { ConversationStore.save(conversationId) // store for proactive sends later manager.sendMessageSuspending( WireMessage.Text.create(conversationId, "GitHub notifications active.") ) } }
// Called when GitHub webhook arrives suspend fun onGitHubEvent(event: GitHubWebhookEvent) { val manager = sdk.getApplicationManager() val text = when (event.type) { "pull_request.merged" -> "PR merged: ${event.title} - ${event.url}" "check_run.failed" -> "CI failed: ${event.workflowName} - ${event.logsUrl}" else -> return } manager.sendMessageSuspending( WireMessage.Text.create(ConversationStore.getPrimary(), text) ) } |
|
How the GitHub notification flows GitHub webhook fires ↓ Wire SDK service (your app - receives webhook via HTTP) ↓ sdk.getApplicationManager().sendMessageSuspending(message) ↓ MLS encryption (CoreCryptoClient - happens inside the SDK) ↓ Wire backend (routes ciphertext - no plaintext access) ↓ Wire group (each member decrypts locally) ← end-to-end encrypted |
That CI failure notification - branch names, commit details, links - is sent as a fully encrypted MLS message. The Wire backend routes ciphertext. It never sees what failed or why.
GitHub Actions app - CI failure and PR merge notifications in Wire
02 - Team Polls
|
USER STORY As a product manager, I want polls directly in Wire so the team can vote without leaving the workspace. |
A simple command creates an interactive poll:
|
/poll "What should we prioritise?" "Performance" "Onboarding" "API v2" |
The app listens for /poll via onTextMessageReceived and sends a Composite message - text combined with interactive buttons. SDK applications can create these messages to enable interactive workflows inside encrypted conversations. End clients can receive and display them, but only SDK apps can create them.
|
override suspend fun onTextMessageReceived(wireMessage: WireMessage.Text) { if (!wireMessage.text.startsWith("/poll")) return val parts = parsePollCommand(wireMessage.text) ?: return
manager.sendMessageSuspending( WireMessage.Composite.create( conversationId = wireMessage.conversationId, text = "Poll: ${parts.question}", buttonList = parts.options.mapIndexed { i, opt -> WireMessage.Button(text = opt, id = "vote-${parts.pollId}-$i") } ) ) }
// Each vote arrives as a typed event - captured and tallied inside E2EE override suspend fun onButtonClicked( conversationId: QualifiedId, messageId: String, buttonId: String, userId: QualifiedId ) { val (pollId, index) = parseButtonId(buttonId) PollStore.recordVote(pollId, userId, index) manager.sendMessageSuspending( WireMessage.Text.create(conversationId, PollStore.formatResults(pollId)) ) } |
Every vote is an encrypted MLS event. Sprint priorities, team decisions, retrospective outcomes - none of it transits a decrypted layer to get counted.
Poll App - live sprint priority poll with vote results
03 - AI Assistant
|
USER STORY As a compliance officer, I want the team to use AI assistance inside Wire without any conversation data leaving our infrastructure. |
API - Application Programming Interface: A defined contract that allows different software systems to communicate with each other. When a CI/CD pipeline sends a notification, it calls an API. When an AI assistant queries an external model, it calls an API. The key question in secure architectures is: which APIs receive sensitive data, and where do those APIs run - inside your infrastructure or outside it?
A month after the first two apps are live, the head of compliance asks for an AI assistant - but with a hard constraint: no conversation data can reach an external API (Application Programming Interface). On most platforms, this has no clean answer. Adding AI normally means routing conversation content to a cloud model endpoint. For a regulated fintech company, that path is closed.
LLM - Large Language Model: An AI model trained on large volumes of text that can generate human-like responses, answer questions, and summarise information. Examples include Llama 3 and Mistral (open-source, self-hostable) and GPT-4 (cloud-hosted). The critical distinction in regulated environments: a self-hosted LLM runs inside your own infrastructure, meaning sensitive conversation data never leaves your control.
With the Wire Integrations SDK, Lena's app already receives messages inside the encrypted boundary. She routes them to an on-premise LLM (Large Language Model) - a self-hosted AI model such as Llama 3 or Mistral running inside the company's own infrastructure, with no data leaving their systems.
|
class AiHandler : WireEventsHandlerSuspending() {
// On-premise model - self-hosted inside company infrastructure private val llm = OnPremiseLlmClient(System.getenv("LLM_ENDPOINT"))
override suspend fun onTextMessageReceived(wireMessage: WireMessage.Text) { if (!wireMessage.text.startsWith("/ask")) return val question = wireMessage.text.removePrefix("/ask").trim()
// Acknowledge immediately manager.sendMessageSuspending( WireMessage.Text.createReply(wireMessage.conversationId, "Looking into that...", originalMessage = wireMessage) )
// Query on-premise model - data stays in your infrastructure val answer = llm.query(question)
manager.sendMessageSuspending( WireMessage.Text.createReply(wireMessage.conversationId, answer, originalMessage = wireMessage) ) } } |
The Wire SDK handles E2EE for the Wire-to-app path. What your app does with the decrypted message is your architectural choice. Route to an on-premise model and the entire pipeline is air-gapped. Route to a cloud API and data leaves your infrastructure - a deliberate decision you own.
This is the architecture that makes AI viable in regulated environments. Not because Wire has a built-in AI feature - but because the SDK lets you bring AI into the encrypted space, rather than routing the encrypted space out to AI.
AI Assistant app - compliance questions answered from internal knowledge base - Sample mock for illustration
Deployment
JVM - Java Virtual Machine: The runtime environment that executes Java, Kotlin, and Scala code. When we say the SDK runs on the JVM, it means apps built with it can be written in any of these languages and deployed on any server or cloud platform - on-premise, containerised in Docker, or in a cloud environment. Kotlin is recommended for its concise syntax.
All three apps are standard JVM (Java Virtual Machine) processes - no inbound ports, no TLS (Transport Layer Security) configuration needed. Outbound access to the Wire backend is all they need. Containerise and run anywhere:
|
FROM eclipse-temurin:17-jre COPY build/libs/app.jar /app/app.jar ENV WIRE_SDK_API_HOST=https://prod-nginz-https.wire.com ENV WIRE_SDK_APP_ID=your-app-id ENV WIRE_SDK_API_TOKEN=your-api-token ENV WIRE_SDK_CRYPTOGRAPHY_STORAGE_PASSWORD=your-32-byte-key CMD ["java", "-jar", "/app/app.jar"] |
Single instance per app: The Wire Integrations SDK maintains a local cryptographic state (MLS key material) that cannot be safely shared across multiple running instances. Run one instance per app. For high availability, configure your deployment to automatically restart the instance if it stops - do not run two copies simultaneously.
The Point
What Lena built - GitHub notifications, team polls, an AI assistant - exists on every major platform. The difference is not the functionality. It is where the functionality lives relative to the encryption.
On many collaboration platforms, bots and integrations operate outside the encrypted client environment and rely on server-side APIs. The encryption boundary ends before your integration begins. With Wire's SDK the encryption boundary is the environment itself. The SDK app becomes a trusted participant in the encrypted conversation. The answer to "is this end-to-end encrypted?" is the same whether a human is reading the message or an app is processing it.
For most teams this does not matter day to day. For regulated industries - finance, healthcare, government, defence - it is often the difference between a tool that gets approved and one that does not.
Get Started
- Documentation & quickstart - dev.wire.com
- GitHub App - github.com/wireapp/github-app
- Poll App - github.com/wireapp/poll-app
- SDK repo - github.com/wireapp/wire-integrations-jvm-sdk
- Staging access request form - forms.gle/f6K7Bg4yyw79hR229
Phase 1 is live now - build and test on staging. Request credentials at dev.wire.com and we will get you set up within 2 business days.
Vinayak Sankar J
Vina serves as Senior Product Manager of Integrations at Wire. Before joining Wire in 2022, Vinayak worked as a Product Manager at EY India collaborating with stakeholders across Oceania, APAC, Europe, and the Americas to deliver impactful solutions. His early career includes a tenure as a Technology Lead at Infosys working onsite across client locations in US.
