freeq supports server-to-server (S2S) federation via iroh QUIC, allowing separate server instances to share channels, users, and state.
Two freeq servers can peer with each other. When peered:
Federation uses iroh QUIC for transport:
freeq-server \
--s2s-peer <iroh-endpoint-id> \
--s2s-allowed-peers <comma-separated-ids>
On peer connection, servers exchange a SyncResponse containing:
Channel state uses operation-based CRDTs for eventual consistency:
S2S operations are authorized:
A message's sender identity — the IRCv3 account tag, i.e. the sender's DID —
is carried across S2S, so a federated user renders with their real handle and
avatar on the receiving server, not just a bare nick. The DID is always stamped
by the origin server from the sender's authenticated session; clients never set
it.
Federated identity is peer-vouched, not locally verified. The receiving
server did not authenticate the remote sender — it relays the origin's claim on
the same peer trust it already extends to the message body. To keep this honest,
federated messages also carry +freeq.at/origin=<server> naming the origin, so
clients can distinguish:
+freeq.at/origin): this server authenticated the+freeq.at/origin present): relayed from that server —The signature (+freeq.at/sig) is not verifiable across servers today (its
canonical inputs aren't all reconstructable downstream), so clients must not
show a "cryptographically verified" affordance on federated messages.
End-to-end-verifiable federated identity is future work.
account and +freeq.at/origin are persisted, so provenance survives history
replay (CHATHISTORY), not only live delivery.
--s2s-allowed-peers to restrict federation to trusted peers only.See Security Hardening Guide for full details.
-k) doesn't propagate via SyncResponse--s2s-allowed-peers only enforces incoming; outgoing relies on --s2s-peers consistencySee S2S Audit for a detailed protocol analysis.