Comments Api
Encrypted Comments for Any Context
Features
  • Generic Context Attachment: Comments attach to any entity via a consumer-defined ContextId and ContextType integer. The API imposes no schema on what constitutes a context.
  • Threaded Discussion Support: Passing a CommentId as a ContextId creates a nested reply under that comment. Threads nest to any depth without additional endpoints.
  • Four-Layer Comment Encryption: CommentText passes through GZip compression followed by three AES encryption layers before it reaches the database. A database breach yields only ciphertext.
  • Four-Layer Author Identity Encryption: AuthorUserId receives the same four-layer treatment as CommentText. Author identity is never stored in a readable form.
  • Per-Row Encryption Keys: The caller supplies an encryption key on every create, update, and read. The server applies it per operation and does not retain it between calls.
  • Consumer-Defined Comment Types: CommentType is a consumer-defined integer. The application can distinguish replies, reviews, reactions, and notes without any API configuration.
  • Consumer-Defined Comment Status: CommentStatus is a consumer-defined integer supporting archiving, flagging, moderation, and any other state the domain requires.
  • Single Comment Deletion: A comment can be deleted by its CommentId, ContextId, and ContextType in a single authorized call.
  • Bulk Context Deletion: All comments under a context can be deleted in one call, useful when the parent entity is removed.
  • Envelope Encryption on All Requests: All sensitive parameters travel inside Protected<T> envelopes. Raw comment content and author identifiers never appear in transit in plaintext.
  • Authorization-Enforced Access: Every request to the Comments Api is validated by the Application Api. A service must be registered and authorized before it can create, retrieve, or delete comments.
How It Compares
Beyond What Cloud Platforms and Frameworks Offer
The Comment Privacy Problem, Solved
Cloud-hosted comment systems and framework modules store comment content the server can read. The Comments Api stores comment text and author identity under four layers of encryption — the server cannot reconstruct either without the per-row key the caller supplies. A breach of the Comments Api database exposes no readable comment content and no author identity.
Capability
Comments Api
US Cloud (AWS/Azure/GCP)
EU Cloud (OVH/Hetzner/Scaleway)
ABP Framework
Per-comment client-held encryption
No server-side key access
Encrypted author identity
Threaded discussion support
Consumer-defined type and status
Bulk context deletion
Envelope encryption on all requests
Air-gappable
CLOUD Act exempt
✓¹
No third-party data custody
¹ EU cloud providers (OVHcloud, Hetzner, Scaleway) are not subject to the US CLOUD Act. However, data remains on the provider's infrastructure — CLOUD Act exemption does not mean sole data custody.
Tech Sovereignty
Arch
Company
About Contact