what you can share
pipes
share scheduled AI agents (pipe.md configs) with your team so everyone runs the same automations
window filters
push ignored/included window lists so the whole team has consistent privacy rules
url filters
share ignored URL patterns (e.g. banking sites) to enforce org-wide recording policies
how security works
teams use AES-256-GCM encryption. the encryption key is generated on the admin’s device and never sent to our server. members receive the key through the invite link (shared out-of-band via a secure channel like slack DM or signal).
admin creates a team
a 256-bit AES-GCM key is generated locally using the Web Crypto API. this key is stored in the Tauri secure store (~/.screenpipe/store.bin), not in localStorage or anywhere web-accessible.
admin shares invite link
the invite link contains the team ID and the base64-encoded encryption key: screenpipe://join-team?team_id=...&key=...
this is the only time the key is transmitted: via the link itself, not through our server.
members join and store the key
when a member opens the invite link, the key is imported and stored in their local Tauri secure store. our server only records the membership — it never sees the key.
configs are encrypted before upload
when an admin pushes a pipe or filter config, it’s encrypted locally with AES-256-GCM using a random 12-byte nonce. only the encrypted blob and nonce are sent to the server.
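the four steps above as one runnable flow with the Web Crypto API. this is an added example, not screenpipe's own code: the function names, the team id, the config JSON shape and the choice of standard base64 percent-encoded in the query string are assumptions.

```javascript
// Added illustration, not screenpipe's source. Function names and JSON shapes are assumptions.
const wc = globalThis.crypto ?? require("node:crypto").webcrypto; // Web Crypto in browsers and Node
const b64 = (bytes) => btoa(String.fromCharCode(...new Uint8Array(bytes)));
const unb64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

// Admin: generate the 256-bit key locally and put it in the invite link.
async function createInvite(teamId) {
  const key = await wc.subtle.generateKey({ name: "AES-GCM", length: 256 }, true, ["encrypt", "decrypt"]);
  const raw = await wc.subtle.exportKey("raw", key);
  // URLSearchParams percent-encodes '+', '/' and '=' so the base64 survives URL parsing.
  const query = new URLSearchParams({ team_id: teamId, key: b64(raw) });
  return { key, link: `screenpipe://join-team?${query}` };
}

// Member: recover the team id and key from the link; reject anything that is not 32 bytes.
async function joinFromInvite(link) {
  const params = new URL(link).searchParams;
  const raw = unb64(params.get("key") ?? "");
  if (raw.length !== 32) throw new Error("invite key must be 256 bits");
  const key = await wc.subtle.importKey("raw", raw, { name: "AES-GCM" }, false, ["decrypt"]);
  return { teamId: params.get("team_id"), key };
}

// Admin: encrypt a config with a fresh 12-byte nonce; only this object is uploaded.
async function encryptConfig(key, config) {
  const nonce = wc.getRandomValues(new Uint8Array(12));
  const plaintext = new TextEncoder().encode(JSON.stringify(config));
  const blob = await wc.subtle.encrypt({ name: "AES-GCM", iv: nonce }, key, plaintext);
  return { nonce: b64(nonce), blob: b64(blob) };
}

// Member: decrypt a downloaded record; GCM rejects a wrong key or a modified blob or nonce.
async function decryptConfig(key, record) {
  const plaintext = await wc.subtle.decrypt({ name: "AES-GCM", iv: unb64(record.nonce) }, key, unb64(record.blob));
  return JSON.parse(new TextDecoder().decode(plaintext));
}

// Constructed sample: admin pushes a url_filter, a member reads it, a modified blob fails.
async function demo() {
  const admin = await createInvite("team-123");
  const config = { type: "url_filter", patterns: ["bank.example"] };
  const record = await encryptConfig(admin.key, config);
  const member = await joinFromInvite(admin.link);
  const roundTrip = await decryptConfig(member.key, record);
  const bytes = unb64(record.blob);
  bytes[0] ^= 1; // flip one ciphertext bit, as a change made on the server would
  const tamperRejected = await decryptConfig(member.key, { ...record, blob: b64(bytes) }).then(() => false, () => true);
  return { teamId: member.teamId, roundTrip, tamperRejected, nonceBytes: unb64(record.nonce).length };
}
```

the object returned by encryptConfig is everything the server receives, and the tamper check shows that a blob changed in storage fails authentication on the member's device instead of decrypting to altered settings.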
what the server stores vs what it can see
| data | stored on server | readable by server |
|---|---|---|
| team name & member list | yes | yes |
| encrypted config blobs | yes | no |
| encryption nonces | yes | yes (but useless without key) |
| encryption key | no | no |
| decrypted pipe configs | no | no |
| decrypted filter lists | no | no |
getting started
create a team (admin)
- go to settings > team
- enter a team name and click create team
- copy the invite link and share it with your team via a secure channel
join a team (member)
- open the invite link — screenpipe will handle it automatically via deep link
- alternatively, go to settings > team and paste the invite link manually
push filters to team (admin)
- go to settings > recording and scroll to filtering
- set up your ignored windows, included windows, or ignored URLs
- click the push to team button on any filter card
share a pipe to team (admin)
- go to settings > pipes
- click the share button next to any pipe
- the pipe config (including its prompt and schedule) is encrypted and pushed to the team
if you update a pipe locally and share it again, the team copy is overwritten with your latest version. the model is last-push-wins — there’s no merge.
how filters sync for members
when a member visits the team tab, shared filters are automatically merged into their local recording settings:
- team filters are additive: they’re combined with the member’s own filters, not replaced
- team-sourced entries show a badge in the recording settings so members know which filters come from the team
- members can’t remove team filters from their local settings while they’re in the team — leaving the team clears them
roles
| action | admin | member |
|---|---|---|
| create/delete team | yes | no |
| invite members | yes | no |
| remove members | yes | no |
| push configs (pipes, filters) | yes | no |
| delete shared configs | yes | no |
| receive shared configs | yes | yes |
| leave team | yes | yes |
requirements
- screenpipe account (sign in at settings > team)
- screenpipe desktop app (teams use the Tauri secure store for key storage)
technical details
- encryption: AES-256-GCM via the Web Crypto API
- key storage: Tauri plugin-store (~/.screenpipe/store.bin), not localStorage
- nonce: 12-byte random per encryption operation (crypto.getRandomValues)
- config types: pipe, window_filter, url_filter (extensible)
- sync: automatic when the team tab loads; filter configs merge into local settings via the useTeamSync hook
view source code
audit the AES-256-GCM encryption implementation