fractal.beauty

2026-06-22

Sorrel: device management for apps using Iroh

Sorrel is an idea for device management in applications that use Iroh. Iroh facilitates direct connections between devices using key pairs for identity/addressing. Once a device knows the public key of another device, Iroh will reliably (magically) connect them. But the device first needs to know which device it wants to talk to.

Communicating a public key between two devices is pretty straightforward (via manual entry, copy/paste, invite links, QR codes), but between a set of potentially many devices is more complicated, especially if it needs to be decentralized. There’s interesting stuff to be done here1, but it’s not where I’m focused yet.

For now, I want something that’s convenient and familiar to users, and “sign in with provider” does the job. The client application sends a user to Sorrel (in a browser) to choose a provider and complete the OAuth flow. The app receives an access token, registers its Iroh public key, and can list the public keys of the application on the user’s other devices. Then it can show the user a list of their other devices to connect to, or attempt to connect to them automatically, depending on what the app does.

The user signs in on two devices and both devices talk to each other (directly!) and do stuff. Very quick and familiar, albeit less righteous or innovative than it could be. The application could also allow other device management schemes (manual configuration, switching Sorrel instances to another public instance or a self-hosted instance, atproto?, …) to regain some user agency.

The technical side is not very interesting. It’s a Rust web server and SQLite database. It implements the authorization code flow with PKCE and the device flow, and providers are configured using OpenID (I think? I’m not an OAuth expert and it’s been a couple months since I wrote the code). I also discovered monostate which works nicely with Serde untagged enums. The source is on GitHub (some assembly required), and it’s deployed to sorrel.trillia.net, but there’s not much to see. Thanks for reading!

Footnotes

  1. See Keyhive and other research on the topic of group key agreement.