Church April 4, 2026 • 4 min read

How Pastors Moderate Encrypted Prayer Feeds

Here's a question we get a lot: "If everything is encrypted and you can't read it, how does a pastor moderate prayer requests?"

It's a fair question. End-to-end encryption and content moderation seem fundamentally incompatible. Most encrypted messaging apps (Signal, WhatsApp) don't offer moderation at all — because they can't see the content.

We solved this differently.

The key insight: the pastor IS a member

In our system, each prayer feed has its own encryption key (we call it a "container key"). This key is shared with every member of the feed — including the pastor. The platform never has this key.

When a pastor enables moderation on a feed, new prayer requests go into a pending queue instead of being published immediately. The pastor can decrypt these pending posts because they have the same container key as every other member.

The flow:

  1. Member writes a prayer request
  2. Request is encrypted with the feed's container key
  3. Encrypted request goes into the pending queue (status: "pending")
  4. Pastor opens the moderation queue in the church dashboard
  5. Pastor's browser decrypts the request using their copy of the container key
  6. Pastor approves or rejects
  7. Approved requests become visible to all feed members

What the server sees

During this entire process, our server sees:

  • An encrypted blob with a status of "pending"
  • The status change from "pending" to "approved" or "rejected"
  • That's it.

The server never sees the prayer request text. It doesn't know if someone is asking for prayers about a job interview or a cancer diagnosis. It just knows that a blob moved from one queue to another.

Why this matters for churches

Churches need moderation. It's not about censorship — it's about pastoral care. Sometimes a prayer request reveals a crisis that needs immediate attention. Sometimes someone accidentally shares something too personal for a public feed. Sometimes the content simply isn't appropriate.

Without moderation, pastors have two bad options: don't use encryption (and betray member privacy), or use encryption and lose the ability to shepherd their flock. Our approach gives them both.

What about key rotation?

A common concern with encrypted groups: what happens when members join or leave? If a new member gets the old key, they could read old posts. If a member is removed, they still have the key from before.

We handle this with two mechanisms:

Eager Key Rotation

When a new member joins, the container key is automatically rotated. New posts use the new key. Old posts remain readable with the old key, which new members don't have. This gives prayer feeds a form of forward secrecy: the key a new member receives cannot decrypt posts written before they joined.

Key Healing

If a member's access to old container keys is lost (device change, password reset), any member who still has those keys automatically re-wraps them for the affected member. Self-healing, no admin intervention needed.
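The moderation flow and the join-triggered rotation described above, as an added sketch that is not the platform's code: AES-256-GCM, the record layout, the key ids and every function name are assumptions. It shows what the server stores at each step and why a member who holds only the rotated key cannot read an earlier post.

```javascript
// Added illustration, not the platform's code. AES-256-GCM, the record
// layout and every name below are assumptions made for this sketch.
const nodeCrypto = typeof require === 'function' ? require('node:crypto')
  : process.getBuiltinModule('node:crypto'); // fallback under ES modules

// Client side: encrypt a prayer request under the feed's container key.
function encryptPost(keyId, key, text) {
  const iv = nodeCrypto.randomBytes(12); // fresh nonce per post
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(keyId)); // bind the ciphertext to its key id
  const ct = Buffer.concat([c.update(text, 'utf8'), c.final()]);
  return { keyId, iv: iv.toString('base64'), ct: ct.toString('base64'),
           tag: c.getAuthTag().toString('base64') };
}

// Client side: returns null if the keyring lacks the key or authentication fails.
function decryptPost(keyring, rec) {
  const key = keyring.get(rec.keyId);
  if (!key) return null;
  try {
    const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, Buffer.from(rec.iv, 'base64'));
    d.setAAD(Buffer.from(rec.keyId));
    d.setAuthTag(Buffer.from(rec.tag, 'base64'));
    return Buffer.concat([d.update(Buffer.from(rec.ct, 'base64')), d.final()]).toString('utf8');
  } catch { return null; }
}

// Server side: stores opaque records and a status field, never a key.
class FeedServer {
  constructor() { this.posts = []; }
  submit(rec) { return this.posts.push({ ...rec, status: 'pending' }) - 1; }
  pending() { return this.posts.filter(p => p.status === 'pending'); }
  setStatus(id, status) { this.posts[id].status = status; }
  feed() { return this.posts.filter(p => p.status === 'approved'); }
}

// Constructed walk-through: the seven steps, then a reader who joined later.
function demo() {
  const k1 = nodeCrypto.randomBytes(32), k2 = nodeCrypto.randomBytes(32);
  const pastor = new Map([['k1', k1], ['k2', k2]]);
  const newMember = new Map([['k2', k2]]); // joined after the rotation to k2
  const server = new FeedServer();
  const text = 'Please pray for my interview on Friday'; // constructed sample
  const id = server.submit(encryptPost('k1', k1, text));
  const serverView = JSON.stringify(server.pending());
  const seenByPastor = decryptPost(pastor, server.pending()[0]);
  server.setStatus(id, 'approved');
  return { serverView, seenByPastor, published: server.feed().length,
           seenByNewMember: decryptPost(newMember, server.feed()[0]) };
}
```

In this sketch the status field is ordinary server-side metadata and is not covered by the authentication tag; only the ciphertext and its key id are.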

The bottom line

Encryption doesn't mean chaos. The pastor has full visibility into their church's prayer feeds — the same visibility they'd have without encryption. The difference is that we (the platform) can't see any of it. The pastor is the shepherd, not us.

End-to-end encryption and pastoral oversight aren't in conflict. They're complementary. The pastor moderates with the same keys the members use. The platform stays blind. Everyone wins.
