Documentation

Understand the architecture, the security model and how to get started.

What is SShvTerm

SShvTerm is a cross-platform desktop SSH client with zero-knowledge cloud sync. It manages hosts, identities, keys, groups, tags, snippets and port-forwarding rules, with a high-quality terminal. Sensitive fields are encrypted on the client, and the server never sees your password or your encryption key.

Architecture

SShvTerm is split into three layers. The frontend never talks directly to the cloud or to SSH: everything goes through a local agent that keeps the encryption key in memory only.

1

Frontend (desktop)

The application shell, the UI and the terminal (xterm.js).

2

Local agent (sidecar)

Local backend handling authentication, sync, vault and SSH sessions. Runs on 127.0.0.1 only.

3

Sync server

A separate, self-hostable piece that stores encrypted blobs only — never plaintext.

Security model

Encryption is zero-knowledge: the encryption key is derived from your password and lives only in the local agent's memory. Sensitive fields are encrypted with RNCryptor (AES-256-CBC + HMAC-SHA256) before any sync. SSH connections use TOFU host key verification — the fingerprint is pinned on the first connection and any mismatch blocks the session to stop MITM attacks.

Getting started

  1. 1. Download the app

    Installers for macOS (.dmg), Windows (.msi) and Linux (.AppImage / .deb).

  2. 2. Create your account

    Your password generates the encryption key. Keep it safe: without it, no one — not even the server — can recover your data.

  3. 3. Add a host and connect

    Register the server, pick an identity or key and open the terminal. Everything syncs encrypted.

Local data directory

Hosts, identities, SSH keys and trusted host keys (TOFU) are stored in the app's local data directory, on your machine.

~/.sshvterm/

Cloud backend

By default the client talks to the hosted backend. If you prefer full control, you can point it at your own server — the reference implementation is self-hostable.

Public API

The site exposes a small, unauthenticated API for downloads and app auto-update. All responses are served over HTTPS by sshvterm.com.

GET /api/update/{target}/{arch}/{current_version}

Update check (app updater format). target: linux, darwin or windows; arch: x86_64 or aarch64; current_version as X.Y.Z. Responds 200 with the JSON manifest when a newer signed version exists, or 204 (no body) when you are already up to date.

$ curl https://sshvterm.com/api/update/darwin/aarch64/0.5.20
{
  "version":   "0.5.28",
  "notes":     "...",
  "pub_date":  "2026-06-11T21:30:00+00:00",
  "url":       "https://sshvterm.com/d/61",
  "signature": "...minisign signature of the installer..."
}
GET /d/{id}

Download of a specific installer — redirects (302) to the file hosted on the site. Per-platform links and the SHA-256 for integrity checking are on the Downloads page.

The app sync uses a separate, token-authenticated API that carries only client-encrypted blobs (zero-knowledge) — the server cannot decrypt them. It is not a public API: its contract is versioned with the app and may change between releases.

Ready to start?

Create your account and connect to your first host in minutes.

Create Free Account