Skip to content

MSC4203: Sending to-device events to appservices#4203

Open
tulir wants to merge 3 commits intomainfrom
tulir/appservice-to-device
Open

MSC4203: Sending to-device events to appservices#4203
tulir wants to merge 3 commits intomainfrom
tulir/appservice-to-device

Conversation

@tulir
Copy link
Member

@tulir tulir commented Sep 28, 2024
edited
Loading

Rendered

Part of #3202, split off from #2409

Implementations:

SCT stuff:

MSC checklist

Not yet proposed for FCP

@tulir
Sending to-device events to appservices
89133d7 
Signed-off-by: Tulir Asokan <tulir@maunium.net>
@tulir tulir added proposal A matrix spec change proposal application services kind:feature MSC for not-core and not-maintenance stuff labels Sep 28, 2024
MTRNord
MTRNord reviewed Sep 28, 2024
View reviewed changes
turt2live
turt2live reviewed Sep 30, 2024
View reviewed changes
proposals/4203-appservice-to-device.md
Copy link
Member

@turt2live turt2live Sep 30, 2024
edited by tulir
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Implementation requirements:

  • Appservice
  • Server

Copy link
Contributor

@tcpipuk tcpipuk Feb 3, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks like both of these exist now 🙂

@MadLittleMods MadLittleMods mentioned this pull request Nov 5, 2024
Closed
3 tasks
@rsb-tbg rsb-tbg mentioned this pull request Dec 17, 2025
Merged
@tulir
Copy link
Member Author

tulir commented Jan 19, 2026
edited
Loading

MSCs proposed for Final Comment Period (FCP) should meet the requirements outlined in the checklist prior to being accepted into the spec. This checklist is a bit long, but aims to reduce the number of follow-on MSCs after a feature lands.

SCT members: please check off things you check for, and raise a concern against FCP if the checklist is incomplete. If an item doesn't apply, prefer to check it rather than remove it. Unchecking items is encouraged where applicable.

Checklist:

  • Are appropriate implementation(s) specified in the MSC’s PR description?
  • Are all MSCs that this MSC depends on already accepted?
  • For each new endpoint that is introduced:
    • Have authentication requirements been specified?
    • Have rate-limiting requirements been specified?
    • Have guest access requirements been specified?
    • Are error responses specified?
      • Does each error case have a specified errcode (e.g. M_FORBIDDEN) and HTTP status code?
        • If a new errcode is introduced, is it clear that it is new?
  • Will the MSC require a new room version, and if so, has that been made clear?
    • Is the reason for a new room version clearly stated? For example, modifying the set of redacted fields changes how event IDs are calculated, thus requiring a new room version.
  • Are backwards-compatibility concerns appropriately addressed?
  • Are the endpoint conventions honoured?
    • Do HTTP endpoints use_underscores_like_this?
    • Will the endpoint return unbounded data? If so, has pagination been considered?
    • If the endpoint utilises pagination, is it consistent with the appendices?
  • An introduction exists and clearly outlines the problem being solved. Ideally, the first paragraph should be understandable by a non-technical audience.
  • All outstanding threads are resolved
    • All feedback is incorporated into the proposal text itself, either as a fix or noted as an alternative
  • While the exact sections do not need to be present, the details implied by the proposal template are covered. Namely:
    • Introduction
    • Proposal text
    • Potential issues
    • Alternatives
    • Dependencies
  • Stable identifiers are used throughout the proposal, except for the unstable prefix section
    • Unstable prefixes consider the awkward accepted-but-not-merged state
    • Chosen unstable prefixes do not pollute any global namespace (use “org.matrix.mscXXXX”, not “org.matrix”).
  • Changes have applicable Sign Off from all authors/editors/contributors
  • There is a dedicated "Security Considerations" section which detail any possible attacks/vulnerabilities this proposal may introduce, even if this is "None.". See RFC3552 for things to think about, but in particular pay attention to the OWASP Top Ten.

tulir
tulir commented Jan 19, 2026
View reviewed changes
proposals/4203-appservice-to-device.md
Comment on lines +48 to +70
### Implementation detail: when to delete a to-device message

Not defined by this MSC is an explicit algorithm for when to delete a to-device message (mark
it as sent). This is left as an implementation detail, though a suggested approach is as
follows:

* If the message is sent to a user under an appservice's *exclusive* namespace mark it as sent
and delete it. Note that retried transactions will still need to include the message.
* If the message is sent to a user under an appservice's *inclusive* namespace, mark it as sent
to the appservice but do not delete it until a `/sync` request is completed which includes the
message. Note that retried transactions will still need to include the message.

This approach is largely to align with how namespaces are used by appservices in practice, but
is not applicable to all scenarios (and thus is an implementation detail). The majority of known
appservices use exclusive namespaces, which typically also means that those users will not be
calling `/sync`. Because of this, the server may never get another opportunity to delete the
messages until it has confirmed that the appservice received the transaction successfully. Inclusive
namespaces are typically used when the appservice wants to impact a subset of users, but without
controlling those users explicitly. Typically, inclusive users are also calling `/sync` and so
the appservice should be CC'd on the to-device messages that would normally go down `/sync`.

For inclusive namespaces, servers may also track who created a device, and not wait for `/sync`
if the device was created using [appservice login] or [appservice device management].
Copy link
Member Author

@tulir tulir Jan 19, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Leaving this as an implementation detail might be wrong. I think the approach suggested here also won't work when transitioning from /sync to transactions. There are currently a lot of appservices with exclusive namespaces who will /sync to get their to-device events. If the server starts sending to-device events over /transactions unprompted, the appservices could get events double delivered (if the event is in both /transactions and /sync) or not delivered at all (if they ignore /transactions and the event gets deleted before reaching /sync).

MSC3202 has an org.matrix.msc3202 opt-in flag, maybe it'd make sense to reuse that for to-device events (because all appservices using this MSC presumably already have that flag set) and also define a stable opt-in flag that encompasses both to-device events and other e2ee-related transactions data

@tulir tulir mentioned this pull request Jan 19, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@turt2live turt2live turt2live left review comments

+2 more reviewers

@MTRNord MTRNord MTRNord left review comments

@tcpipuk tcpipuk tcpipuk left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

application services kind:feature MSC for not-core and not-maintenance stuff proposal A matrix spec change proposal

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@tulir @turt2live @MTRNord @tcpipuk