As a developer, you will find here all necessary information and source code to successfully integrate Threema Gateway in your environment. Threema does not provide a graphical user interface for Threema Gateway. The Message API is an interface that can be used from within customer-specific software to send and receive messages via Threema Gateway.
Threema is a proprietary, end-to-end encrypted instant messaging application for iOS, Android and Windows Phone. In addition to text messaging, users can make voice calls send multimedia, locations, voice messages and files. Threema is a proprietary encrypted instant messaging application for iOS, Android and Windows Phone. In addition to text messaging, users can send multimedia, locations, voice messages and files. The app is available on Mac, PC, iOS and Android. The app's premium feature enables users to securely sync their data between an. How to download and install Threema on PC (Windows / Mac)? First of all, You need to “Download” an “Android Emulator”. “Install” the emulator by following the on-screen instructions. After the installation is complete Open the Emulator and Click on “My Apps”. Search for “Threema” in the search bar.
- API
This API can be used to send messages to any Threema user, and to receive incoming messages and delivery receipts. There are two main modes of operation:
- Basic mode (server-based encryption)
- The server handles all encryption for you.
- The server needs to know the private key associated with your Threema API identity.
- Incoming messages and delivery receipts are not supported.
- End-to-end encrypted mode
- The server doesn't know your private key.
- Incoming messages and delivery receipts are supported.
- You need to run software on your side to encrypt each message before it can be sent, and to decrypt any incoming messages or delivery receipts.
The mode that you can use depends on the way your account was set up.
To make client-side integration as simple as possible, the API is based on plain old HTTPS GET/POST operations. Authentication details (i.e. the API identity and key) are passed as GET/POST parameters as well (no need for HTTP authentication). The HTTP status code reflects the result of the operation (e.g. 200 OK, 401 Unauthorized, 402 Payment Required, 404 Not Found etc.).
Sending Messages
Basic mode
URL: https://msgapi.threema.ch/send_simple
POST parameters (application/x-www-form-urlencoded):
from
your API identity (8 characters, usually starts with '*')- recipient specifier – choose one:
to
recipient identity (8 characters)phone
recipient phone number (E.164), without leading +email
recipient email address
text
message text, max. 3500 bytes, UTF-8 encodedsecret
API authentication secret
By using the
phone
or email
recipient specifiers, one can avoid having to look up the corresponding ID (see 'Lookup ID' below) and instead do everything in one call (may be more suitable for SMS gateway style integration).Possible HTTP result codes:
- 200 (on success)
- 400 (if the recipient identity is invalid or the account is not set up for basic mode)
- 401 (if API identity or secret are incorrect)
- 402 (if no credits remain)
- 404 (if using
phone
oremail
as the recipient specifier, and the corresponding recipient could not be found) - 413 (if the message is too long)
- 500 (if a temporary internal server error occurs)
On success (HTTP 200), the ID of the new message is returned as text/plain.
End-to-end encrypted mode
URL: https://msgapi.threema.ch/send_e2e
POST parameters (application/x-www-form-urlencoded):
from
your API identity (8 characters, usually starts with '*')to
recipient identity (8 characters)nonce
nonce used for encryption (24 bytes, hex encoded)box
encrypted message data (max. 4000 bytes, hex encoded)secret
API authentication secret
The nonce should consist of 24 cryptographically secure random bytes.
Possible HTTP result codes:
- 200 (on success)
- 400 (if the recipient identity is invalid or the account is not set up for end-to-end mode)
- 401 (if API identity or secret are incorrect)
- 402 (if no credits remain)
- 413 (if the message is too long)
- 500 (if a temporary internal server error occurs)
On success (HTTP 200), the ID of the new message is returned as text/plain.
ID Lookups
Find ID by phone number
URL: https://msgapi.threema.ch/lookup/phone/
41791234567
?from=xxxxxxxx
&secret=xxxxxxxx
The phone number must be passed in E.164 format, without the leading +. The API identity and secret must be passed in the corresponding GET parameters for authentication (use URL encoding).
The Threema ID corresponding to the phone number will be returned as a text/plain response.
Possible HTTP result codes:
- 200 (on success)
- 401 (if API identity or secret are incorrect)
- 404 (if no matching ID could be found)
- 500 (if a temporary internal server error occurs)
Find ID by phone number hash
URL: https://msgapi.threema.ch/lookup/phone_hash/
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
?from=xxxxxxxx
&secret=xxxxxxxx
The phone number must be passed as an HMAC-SHA256 hash of the E.164 number without the leading +. The HMAC key is
85adf8226953f3d96cfd5d09bf29555eb955fcd8aa5ec4f9fcd869e258370723
(in hexadecimal).Best app to create invitations on mac. Example: the phone number
41791234567
hashes to ad398f4d7ebe63c6550a486cc6e07f9baa09bd9d8b3d8cb9d9be106d35a7fdbc
.The API identity and secret must be passed in the corresponding GET parameters for authentication (use URL encoding).
The Threema ID corresponding to the phone number will be returned as a text/plain response.
Possible HTTP result codes:
- 200 (on success)
- 400 (if the hash length is wrong)
- 401 (if API identity or secret are incorrect)
- 404 (if no matching ID could be found)
- 500 (if a temporary internal server error occurs)
Find ID by email address
The API identity and secret must be passed in the corresponding GET parameters for authentication (use URL encoding).
Threema App For Mac Os
The Threema ID corresponding to the email address will be returned as a text/plain response.
Possible HTTP result codes:
- 200 (on success)
- 401 (if API identity or secret are incorrect)
- 404 (if no matching ID could be found)
- 500 (if a temporary internal server error occurs)
Find ID by email address hash
![Threema Threema](/uploads/1/3/4/2/134204726/123451616.jpg)
URL: https://msgapi.threema.ch/lookup/email_hash/
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
?from=xxxxxxxx
&secret=xxxxxxxx
The lowercased and whitespace-trimmed email address must be hashed with HMAC-SHA256. The HMAC key is
30a5500fed9701fa6defdb610841900febb8e430881f7ad816826264ec09bad7
(in hexadecimal).Example: the email address
[email protected]
hashes to 1ea093239cc5f0e1b6ec81b866265b921f26dc4033025410063309f4d1a8ee2c
.The API identity and secret must be passed in the corresponding GET parameters for authentication (use URL encoding).
The Threema ID corresponding to the email address will be returned as a text/plain response.
Possible HTTP result codes:
- 200 (on success)
- 400 (if the hash length is wrong)
- 401 (if API identity or secret are incorrect)
- 404 (if no matching ID could be found)
- 500 (if a temporary internal server error occurs)
Bulk lookup
URL: https://msgapi.threema.ch/lookup/bulk?from=
xxxxxxxx
&secret=xxxxxxxx
This URL can be used to lookup up to 1000 phone number hashes or email address hashes per request. See above for details on the hashing.
The API identity and secret must be passed in the URL query string for authentication (use URL encoding).
The POST request body must be a JSON document with the following format:
The response will also be returned as a JSON document: Using stickies on mac.
In this example, matches were found for one phone number hash and one email address hash, while no matches were found for the other hashes. Note: if both a phone number hash and an email address hash are provided that resolve to the same identity, only one entry will be returned in the response array, but it will have both a phoneHash and an emailHash key. At most 1000 hashes may be specified per request (i.e. the number of phone number hashes plus the number of email hashes may not be more than 1000).
Possible HTTP result codes:
- 200 (on success)
- 400 (if the JSON is invalid or a hash length is wrong)
- 401 (if API identity or secret are incorrect)
- 413 (if too many hashes have been specified in the request)
- 500 (if a temporary internal server error occurs)
Check file reception capability of an ID
Before you send a file to a Threema ID using the blob upload (+ file message), you may want to check whether the recipient uses a Threema version that supports receiving files. The receiver may be using an old version, or a platform where file reception is not supported.
URL: https://msgapi.threema.ch/capabilities/XXXXXXXX?from=
xxxxxxxx
&secret=xxxxxxxx
The API identity and secret must be passed in the corresponding GET parameters for authentication (use URL encoding).
The result is a text/plain response of supported capabilities, separated by commas. Currently defined capabilities:
The result is a text/plain response of supported capabilities, separated by commas. Currently defined capabilities:
text
image
video
audio
file
More capabilities may be added in the future (separated with commas), so you should match on substrings when checking for
file
. The order in which the capabilities are returned is not defined.Example result:
text,image,video,audio,file
Possible HTTP result codes:
- 200 (on success)
- 401 (if API identity or secret are incorrect)
- 404 (if no matching ID could be found)
- 500 (if a temporary internal server error occurs)
Key Lookups
For the end-to-end encrypted mode, you need the public key of the recipient in order to encrypt a message. While it's best to obtain this directly from the recipient (extract it from the QR code), this may not be convenient, and therefore you can also look up the key associated with a given ID from the server.
URL: https://msgapi.threema.ch/pubkeys/XXXXXXXX?from=
xxxxxxxx
&secret=xxxxxxxx
The API identity and secret must be passed in the corresponding GET parameters for authentication (use URL encoding).
The public key corresponding to the ID will be returned as a text/plain response (hex encoded).
The public key corresponding to the ID will be returned as a text/plain response (hex encoded).
Possible HTTP result codes:
![What is threema What is threema](/uploads/1/3/4/2/134204726/604430582.jpg)
- 200 (on success)
- 401 (if API identity or secret are incorrect)
- 404 (if no matching ID could be found)
- 500 (if a temporary internal server error occurs)
It is strongly recommended that you cache the public keys to avoid querying the API for each message.
Incoming Messages and Delivery Receipts
If your account is operating in end-to-end encrypted mode and incoming messages have been enabled on it, you can specify an HTTPS URL callback that will be called whenever an incoming message or delivery receipt arrives for your API identity. You can set or change the callback URL in the Threema Gateway administration panel.
Callback parameters
Your callback URL will be called with the following POST parameters (application/x-www-form-urlencoded):
from
sender identity (8 characters)to
your API identity (8 characters, usually starts with '*')messageId
message ID assigned by the sender (8 bytes, hex encoded)date
message date set by the sender (UNIX timestamp)nonce
nonce used for encryption (24 bytes, hex encoded)box
encrypted message data (max. 4000 bytes, hex encoded)mac
Message Authentication Code (32 bytes, hex encoded, see below)nickname
public nickname of the sender, if set
Note that the message first needs to be decrypted before it can be determined whether it is an incoming text/media message or a delivery receipt.
MAC calculation
For each callback, the server includes a
|| denotes concatenation. The parameters are concatenated in the same form as they were included in the POST (i.e. including any hex encoding, but not including any URL encoding). The secret that is used for the HMAC operation is the API authentication secret.mac
parameter than can be used to verify the authenticity of the call and the included information. This parameter is calculated as follows:It is recommended that receivers verify the
mac
parameter before attempting to parse the other parameters and decrypt the message.Callback results and retry
If the connection to your callback URL fails or your callback does not return an HTTP 200 status, the API will retry 3 more times in intervals of 5 minutes. If all attempts fail, the message is discarded.
Certificates and cipher suites
The server that hosts the callback URL must use a valid and trusted SSL/TLS certificate (not self-signed). If in doubt, please contact customer service and specify the issuing CA of your certificate.
What Is Threema
File Upload and Download
Upload
URL: https://msgapi.threema.ch/upload_blob
POST parameters (multipart/form-data):
blob
blob data (binary), max. 50 MB
URL parameters ('GET'):
from
your API identity (8 characters, usually starts with '*')secret
API authentication secret
Please note that the authentication parameters must be passed in the request URL (
'/upload_blob?from=..&secret=..'
), while the actual blob data needs to be sent as a multipart/form-data parameter.Possible HTTP result codes:
- 200 (on success)
- 400 (if required parameters are missing or the blob is empty)
- 401 (if API identity or secret are incorrect)
- 402 (if no credits remain)
- 413 (if the blob is too big)
- 500 (if a temporary internal server error occurs)
The ID of the new blob is returned as text/plain. One credit is deducted for the upload of a blob.
Download
URL: https://msgapi.threema.ch/blobs/blobId
GET parameters:
from
your API identity (8 characters, usually starts with '*')secret
API authentication secret
Possible HTTP result codes:
- 200 (on success, body is the blob data as application/octet-stream)
- 401 (if API identity or secret are incorrect)
- 404 (if no blob with this ID could be found)
- 500 (if a temporary internal server error occurs)
Please note: after a blob download has first been attempted, the blob may be deleted from the server within an hour.
Querying Account Information
Get remaining credits
URL: https://msgapi.threema.ch/credits?from=
xxxxxxxx
&secret=xxxxxxxx
The API identity and secret must be passed in the corresponding GET parameters for authentication (use URL encoding).
The number of credits left on the account that the given ID belongs to will be returned as a text/plain response. Note: several IDs may use the same account, and thus share the same credit balance.
Possible HTTP result codes:
- 200 (on success)
- 401 (if API identity or secret are incorrect)
- 500 (if a temporary internal server error occurs)
E2E Message Format
The end-to-end encrypted messages use the following binary format:
type | data | padding |
Type
The first byte denotes the message type:
Byte | Type |
---|---|
0x01 | Text message |
0x02 | Image message |
0x17 | File message |
0x80 | Delivery receipt |
Data
The message data.
Type | Data | |||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Text | UTF-8 encoded string | |||||||||||||||||||||||||||||||||
Image | The image data (JPEG) needs to be uploaded to the blob server.
| |||||||||||||||||||||||||||||||||
File | The file contents need to be uploaded to the blob server. The file message data is sent as an UTF8-encoded JSON string. JSON data format:
| |||||||||||||||||||||||||||||||||
Delivery receipt | The delivery receipt always references 1 or more message IDs.
|
Padding
A random amount of PKCS#7 style padding (between 1 and 255 bytes, inclusive) is appended to each message. The padding consists of the random number n repeated n times.
Example paddings:
Random Number | Padding |
---|---|
1 | 0x01 |
3 | 0x030303 |
10 | 0x0a0a0a0a0a0a0a0a0a0a |
To add padding (pseudocode):
To remove padding (pseudocode):
Example
The text message 'hello threema' with 7 bytes of padding would look like this before encryption / after decryption:
Threema App For Macbook
- Hex:
01 68656c6c6f2074687265656d61 07070707070707
- Python bytestring:
b'x01hello threemax07x07x07x07x07x07x07'
The security of every individual is fundamental, but certain threats present in the environment can easily keep your personal information at stake.
We don’t like spies going through our messages or hackers proliferating our personal data. To prevent such gaffes from happening, encrypted messengers are in huge demand and are widely acknowledged.
Message encryption puts a shield on your sent messages and attachments which allows only the intended recipient to open your messages.
We don’t like spies going through our messages or hackers proliferating our personal data. To prevent such gaffes from happening, encrypted messengers are in huge demand and are widely acknowledged.
Message encryption puts a shield on your sent messages and attachments which allows only the intended recipient to open your messages.
Rated amongst the best secure texting applications, today we are going to talk about a 100 percent safe and secret messaging application, Threema.
What Is the Threema App All About?
Threema is a messaging application that is supported by end-to-end encryption to keep your messages safe and secure. It keeps your personal data out of the hands of hackers or any other potential threat.
Texts and voice calls made on an encrypted messaging application like Threema stay completely anonymous. The app uses a trusted open source NaCl cryptography library for encryption and is fully compliant with the updated norms of GDPR made by the European Parliament.
The core concept of the app is to provide extremely little data of the user on servers as all the contact added on Threema is saved directly on your device.
Threema generates public keys and stores them on the user’s devices to avoid backdoor access or copies by any possible threat.
What Makes Threema App Different?
Threema is packed with various features and upgrades to assure its users a sense of security, here are a few features of the app that make it extraordinarily safe:
- Highest encryption strength: Supports end-to-end encryption for all your calls and chats by only showing the messages to the intended recipient.
- Instant Anonymous Messaging Tool: Helps in keeping 100 percent anonymity and allows login without email id or password.
- Poll feature to hold polls: Allows the user to conduct polls on any topic to know their views.
- Reply with agree/disagree feature: To know the user’s agreement or disagreement on any topic, one can conduct this feature.
- Instant message deletion after delivery: This app lets you delete your messages instantly after delivering them to the recipient to enhance security.
- Dark and light theme: To break the monotony, the app introduced this feature to enhance the look and user experience.
- Send any type of file: you can send multiple types of files like PDF, animated GIF, DOC, MP3, ZIP, etc.
- Personal QR code: Creates a Unique ID and QR code for everyone so that you can add a particular user on the app without any problem.
Such calculated steps are taken by the app to guard user’s data and messages make Threema a trustworthy application.
What is the Need for Threema App?
With many prying eyes on your private information, it’s highly important to have an encrypted messenger by your side that protects your personal data efficiently.
Hackers nowadays can have very quick access to your private information which can have dangerous repercussions on an individual’s safety and have a great impact on them both mentally and physically.
An encrypted chat application like Threema allows no other authority or person to see your messages other than the intended recipient.
Messages sent through this application are instantly deleted once they are received and the anonymity of the user is maintained.
How to Work with Threema Application?
Threema is accessible and can be installed on your smartphones or desktops, below mentioned are the quick steps on how to install and use Threema:
Step 1: Download Threema application from the Google Play Store for $3.49 or Apple App Store for $2.99.
Step 2: Open the application after installing it and a setup guide will set your unique ID.
Step 3: The app asks you to move your finger on the screen to generate a random key and create your Threema ID.
Step 4: After the setup, Threema tells you three ways to start chatting with your contacts:
Step 2: Open the application after installing it and a setup guide will set your unique ID.
Step 3: The app asks you to move your finger on the screen to generate a random key and create your Threema ID.
Step 4: After the setup, Threema tells you three ways to start chatting with your contacts:
- Scan your friend’s QR code (considered the most secure).
- Sync your contacts (considered less secure).
- Manually entering your friend’s ID (considered least secure).
Note: After all the needful information is stored, Threema is ready to use.
How much does Threema App Cost?
Maintaining security and anonymity is a top priority of the Threema App and every good thing comes with a price tag. Similarly, the app charges you a minimal amount of:
- For Android users- $3.49
- For iOS users- $2.99
MAD Verdict: Threema App Review
It’s much more viable when your personal data is confined to yourself as nobody likes to be spied on. That’s when Threema comes to the rescue and protects your privy chats with ease.
The Threema application allows users to be 100 percent anonymous while giving them the choice to enter their mobile phone number or email ID, which makes it the most secure chat app.
Crafted features like instant deletion of messages, set up of QR codes, exclusive IDs make it a top-notch application to protect user’s personal chats and voice calls with utmost security.
Threema Free
With Threema messenger you can always keep your private information close to you without any fear of being seen any day and for more such detailed mobile app reviews and subscribe to MobileAppDaily to learn more about Android and iOS mobile app updates that bare breaking the barriers.
- Is Threema app secure?Yes, the Threema app is supported by end-to-end encryption, which makes it one of the most secure messaging applications.
- Can Threema be hacked?Every app has little knick-knacks to deal with but Threema tries its best to keep conversations a secret and away from the reach of potential threats.
- How much does Threema cost?Threema costs a minimal of $2.99 for iOS users and $3.49 for Android users.
- What is the most secure messaging app?Although there are an exceptional number of secure chat apps on the line, Threema is one such application and proves to be a secure messenger app for Android and iOS users.
She is a writer and content marketer at MobileAppDaily. Her knack around the mobile apps is merely splendid. Her experience in the tech industry has assisted her in churning out the best and more importantly, unbiased mobile app reviews.