Comments Api
Encrypted Comments for Any Context
The Context Is Yours to Define
Attach Comments to Any Entity in Your Domain
One Interface for Every Comment Surface
Every comment is associated with a context — an identifier and an integer type the consuming application defines. The context can be an article ID, a support ticket number, a product SKU, a forum thread, or any other entity your application manages. The Comments Api imposes no schema on what constitutes a context.
Consumer-Defined Types and Statuses
Comment type and status are integers whose meaning belongs entirely to the consuming application. A status can represent published, archived, flagged, or pending review — whatever the domain requires. A type can distinguish a reply from a review, or a reaction from a note. The Comments Api stores and returns these values without interpreting them.
Threads Without Extra Infrastructure
Any Comment Can Become the Root of a Thread
Reply to a Comment by Using Its ID as a Context
To create a threaded reply, pass a CommentId as the ContextId of the new comment. The Comments Api treats that comment as the parent context for the reply. The same create and retrieve operations work for top-level comments and nested replies — no separate threading endpoints are needed.
Depth Is Unlimited by the Platform
Because any CommentId can serve as a ContextId, threads can nest to any depth the application allows. A forum reply, a reply to that reply, and a reply to the reply's reply all follow the same pattern. The nesting structure lives in the data your application retrieves and renders — the platform stores and returns comments by context without enforcing a depth limit.
Maximum Encryption on Every Comment
Comment Text and Author Identity Receive Four Encryption Layers
Four Layers Applied to the Content That Matters
Comment text and author identity each pass through four encryption layers before they reach the database. The first layer compresses with GZip. The next two apply AES encryption — one using configured key material, one using a per-row key supplied by the caller. A final AES layer applies the bootstrap key. A breach of the database extracts ciphertext at every point in that chain.
Per-Row Keys Keep Comments Isolated
The caller supplies a per-row encryption key on every create, update, and read operation. Comments under different contexts can carry different keys, scoping any compromise to the rows whose key was exposed. The server applies the key per operation and does not retain it.
Delete One or Delete All
Lifecycle Operations Match the Domain
Targeted and Bulk Removal
A single comment can be deleted by its CommentId. All comments under a context can be deleted in one call — useful when the parent entity is removed and its associated comments should be cleaned up with it. Both operations are authorized through the Application Api.
Status Without Deletion
The consumer-defined CommentStatus field supports archiving, flagging, and moderation workflows without requiring a delete. A flagged comment remains in the database under its encrypted form. A moderator retrieval operation that filters by status can surface it for review without exposing it to the original audience.
Connected by Design
Comments Is Built on the Full Arch Stack
Application Api
Every request to the Comments Api is authorized by the Application Api. A service must be registered and granted access before it can create, retrieve, or delete comments. The authorization boundary ensures that comment data is never accessible to an unregistered caller.
Your Application
Your microservice posts and reads comments through the ICommentsApiClient interface. Threading, four-layer per-comment encryption, status-based moderation, and bulk cleanup are all available on every call. Building a comment system with this security posture from scratch is months of work. The interface makes it a dependency reference.
Tech Sovereignty
Arch
Company
About Contact