Dropgate is built on two protocols that each solve a different file-sharing problem. One lets you upload files to a server so someone can download them later. The other lets you send files directly to another person in real time. Both are open source, both are designed with privacy front and centre, and neither requires you to understand a single line of code to use.
This article walks through what each protocol does, how they keep your files safe, and why the project is built the way it is. If you want the full technical specifications, they’re available on the Dropgate GitHub repository.
Two ways to share files
Think of Dropgate as offering two distinct postal services. The first, called DGUP (Dropgate Upload Protocol), is like dropping a parcel at a post office for someone to collect when they’re ready. The second, called DGDTP (Dropgate Direct Transfer Protocol), is like handing a parcel directly to someone standing in front of you.
The key difference comes down to whether the other person needs to be online at the same time as you.
DGUP: Uploading files for later
DGUP is the upload side of Dropgate. You upload a file to the Dropgate server, receive a download link, and share that link with whoever needs the file. They can download it whenever they like, without you needing to be online.
How an upload works
The process starts with your device asking the server what it supports — maximum file sizes, chunk sizes, whether encryption is available, and so on. Once those capabilities are confirmed, your device splits the file into chunks (5 MiB each by default), and uploads them one at a time over HTTPS. Every chunk is accompanied by a SHA-256 hash, which the server independently recalculates to verify that nothing was corrupted in transit.
When all chunks have arrived and been verified, the server assembles the final file, assigns it a unique ID, and gives you a download link.
End-to-end encryption
This is where DGUP really shines from a privacy perspective. When end-to-end encryption (E2EE) is enabled, your device encrypts the file — and even the file name — before any data leaves your machine. The encryption uses AES-256-GCM, a widely trusted standard used across the industry.
The clever part is how the encryption key is shared. It gets appended to the download link as a URL fragment (the bit after the # symbol). URL fragments are never sent to the server as part of an HTTP request, which means the server never has the key. It stores only encrypted data that it has no way to decrypt.
So even if someone broke into the server itself, they’d find nothing but meaningless ciphertext.
File lifecycle
Uploaded files don’t live on the server forever. You can set a time limit (the default is 24 hours) and a download limit (the default is a single download). Once either limit is reached, the file is automatically deleted. The server also runs periodic cleanup tasks to sweep away any incomplete uploads that were abandoned mid-transfer.
DGDTP: Sending files directly
DGDTP is the peer-to-peer side of Dropgate. When you use it, your files travel directly from your device to the recipient’s device. The Dropgate server’s only job is to help the two of you find each other — after that, it steps out of the way entirely.
How the connection is made
When you want to send a file, Dropgate generates a short, human-readable code in the format XXXX-0000 — four letters followed by four digits. You share this code with your recipient through whatever channel you like: a text message, a phone call, a sticky note — it doesn’t matter. The recipient enters the code, and Dropgate’s server helps the two devices establish a direct connection using a technology called WebRTC.
Once that direct connection is open, the server is no longer involved. It never sees, stores, or processes any of your file data.
What happens during the transfer
The sender’s device slices the file into small chunks (64 KiB each by default) and streams them across the direct connection. The recipient’s device confirms receipt of each chunk as it arrives, which serves two purposes: it proves the data got there safely, and it prevents a fast sender from overwhelming a slow receiver.
If you’re sending multiple files at once, Dropgate handles them one after another within the same session, and the recipient gets them bundled into a single ZIP archive.
The entire transfer is encrypted in transit using DTLS, the same encryption layer that underpins WebRTC. This is handled automatically by your browser — there’s nothing you need to configure.
What the server can and can’t see
During the initial connection setup, the server sees some networking metadata (things like IP addresses and connection parameters) to help the two devices locate each other on the internet. Once the direct connection is established, the server has zero visibility into what’s being transferred. It doesn’t know the file names, the file sizes, or the file contents.
How the two protocols compare
The two protocols are complementary rather than competing. DGUP is best when the recipient isn’t available right now, or when you want to share a link that someone can use at their convenience. DGDTP is best when both people are online at the same time and you want maximum privacy — the file never touches a server at all.
Both protocols encrypt data in transit. DGUP goes a step further with optional end-to-end encryption for data at rest on the server. DGDTP doesn’t need this because there’s no server storage to protect — the data flows directly between devices and is never stored anywhere along the way.
For the technically curious
This article has deliberately kept things at a high level. If you’re a developer or you’re simply curious about the finer details — the state machines, the flow control mechanisms, the handshake sequences, the exact message formats — the full protocol specifications are available on GitHub:
The specifications cover everything from the mutex-based quota reservation system and bundle upload workflows in DGUP, to chunk acknowledgement strategies and resume support in DGDTP. They’re thorough, well-structured documents that are well worth a read if you want to understand how the system works under the bonnet.
Supporting the project
Dropgate is fully open source and free to use. There are no accounts, no subscriptions, and no hidden costs. Projects like this survive on community support, and even a small contribution helps keep development moving forward.
If Dropgate has been useful to you — whether you’ve used it to share files privately, learned something from reading the source code, or simply appreciate that tools like this exist — please consider making a donation. Every contribution, no matter the size, makes a real difference and helps ensure that Dropgate can continue to be maintained and improved for everyone.
You can support the project through Buy Me a Coffee. It only takes a moment, and it goes directly towards keeping the project alive.
- WillTDA, Founder of Diamond Digital Development