NoChat encrypts every message on your device before it leaves it. We transport opaque blobs and nothing else — no plaintext, no keys, no readable metadata.
NoChat is an encrypted messaging app built on end-to-end encryption (E2EE). Today every message is sealed with AES-256-GCM under a session key derived from a P-256 ECDH key exchange, and a post-quantum upgrade path (ML-KEM) is on the roadmap. The encryption happens in your browser or app using the Web Crypto API, so the NoChat server never handles a private key and never sees a single word you write.
End-to-end encryption means only the sender and the intended recipient can read a message. With NoChat, encryption and decryption happen locally on each device. The server's only job is to route a payload it cannot read.
NoChat uses standardized, auditable primitives — no homegrown crypto. The deployed message stack is classical-strong today, with post-quantum key encapsulation prepared on the backend for rollout.
Encryption isn't only for text. Video and audio calls run over WebRTC with DTLS-SRTP, and connect peer-to-peer where the network allows, so media doesn't pass through our servers.
We describe our cryptography truthfully. Deployed today: P-256 ECDH + AES-256-GCM E2EE for messages, and DTLS-SRTP for calls. On the roadmap: post-quantum encryption (ML-KEM / ML-DSA) on the client, the Double Ratchet for per-message forward secrecy, and sealed sender for metadata protection. The full breakdown lives in our open-source crypto inventory.
Yes. Messages are encrypted on your device with AES-256-GCM using a session key derived from a P-256 ECDH exchange. Keys are generated client-side and the server only stores ciphertext. You can verify this in the open-source code at github.com/kindlyrobotics/nochat.
AES-256-GCM for content, P-256 ECDH for key exchange, HKDF-SHA256 for key derivation, and P-256 ECDSA for signatures. ML-KEM (Kyber) post-quantum key encapsulation is implemented on the backend and planned for the client.
No. Your private keys never leave your device, and the server only stores encrypted payloads. Even under legal order we could only hand over opaque ciphertext we cannot decrypt.
No. You can sign up with just a username and password, or start an anonymous session in one click — no phone number, no SMS verification.
Yes. Calls use WebRTC with DTLS-SRTP and connect peer-to-peer where possible, so media never traverses our servers in the clear.
Message encryption today is classical-strong (P-256 ECDH + AES-256-GCM). Post-quantum key encapsulation (ML-KEM) is implemented on the backend and on the roadmap for the client — we don't claim it's fully deployed on the frontend yet.
Free, open source, and private by design. No phone number, no email required.
How the zero-trust design holds up against real-world threats.
Sign up with no identity — no phone number, no email.
Why we mathematically cannot read your messages.
What's deployed today and what's on the roadmap.