(no title)

> Presumably, your server stores a registry of Device IDs and IPs to route messages?

Not IPs but Push API registration objects.

> What about replacing this with some sort of partitioned DHT to make it decentralized?

I guess this could be done but it's a task I can't tackle at this point.

> Also, the messages flow through your servers?

Yes but I don't store them. My API just dispatches the message to the recipient's push service. Which means the message exists on my server only in the form of an in-memory variable for several microseconds between being received and sent further.

> Would it be possible to set up WebSocket connections between the users instead, and how would that compare from a security model perspective?

This generally can't be done in a PWA. OS won't allow a persistent WebSocket to run in background.

Also, this would disclose too much information about a client to all the other clients. Currently, all I know about other clients is their Device IDs which are just random strings.