
Secure Messaging

End-to-end encrypted messaging with rate limiting. Private, secure communication with per-contact encryption keys.

E2E Encrypted
Zero-Knowledge
Real-Time

Key Features

Enterprise-grade security and performance

End-to-End Encryption

Messages encrypted with NaCl/TweetNaCl using per-contact symmetric keys (256-bit AES). Server never sees plaintext.

Per-Contact Keys

Each contact relationship has a unique 256-bit encryption key. Secure key exchange using public-key cryptography (NaCl box).

Zero-Knowledge Architecture

Server cannot decrypt messages. All encryption/decryption happens client-side. True privacy-first design.

Rate Limiting

Anti-spam protection: 1 message per 10 seconds (6 per minute) globally. Prevents abuse while allowing normal use.

Real-Time Delivery

WebSocket-based real-time messaging. Sub-100ms latency for online users. Offline message queue for delivery when users return.

Multi-Device Sync

Access messages from multiple devices. Device approval system ensures security. Seamless synchronization across all your devices.

Encryption Architecture

How your messages stay private

Key Exchange Process

  1. When two users become contacts, they exchange public keys
  2. A secure random 256-bit symmetric key is generated for the contact pair
  3. This key is encrypted using each user's public key and stored securely
  4. All messages between these two users are encrypted with this shared key
  5. Keys are stored encrypted and can only be decrypted by the contact pair

Message Encryption Flow

  1. Sender encrypts message client-side using the contact's shared 256-bit symmetric key
  2. Encrypted message blob is sent to server (server cannot decrypt - zero-knowledge)
  3. Online: Server routes encrypted blob in real-time via WebSocket (never stored)
  4. Offline: Server temporarily queues encrypted blob in Redis memory (not persisted to disk)
  5. Recipient receives encrypted blob and decrypts client-side using the shared key
  6. Plaintext is never exposed to the server at any point in the process
  7. Queued messages are automatically deleted after delivery or expire after 30 days
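
The Key Exchange Process and Message Encryption Flow above, as an added example that is not the platform's own code. Node's built-in crypto (X25519, HKDF-SHA256, AES-256-GCM) stands in for the NaCl box and secretbox calls the page names. The function names, the blob layout, and the choice that the initiating client generates the contact key are assumptions.

```javascript
// Node built-ins stand in for NaCl box/secretbox (assumption of this example).
const crypto = require('node:crypto');

// AES-256-GCM; blob layout is nonce(12) || tag(16) || ciphertext.
function seal(key, plaintext) {
  const nonce = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, nonce);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

// Returns the plaintext, or null when the key is wrong or the blob was altered.
function open(key, blob) {
  try {
    const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
    d.setAuthTag(blob.subarray(12, 28));
    return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
  } catch { return null; }
}

// Key-wrapping key for a pair of users: static X25519 ECDH, then HKDF-SHA256.
function wrappingKey(myPrivate, theirPublic) {
  const dh = crypto.diffieHellman({ privateKey: myPrivate, publicKey: theirPublic });
  return Buffer.from(crypto.hkdfSync('sha256', dh, Buffer.alloc(0), 'contact-key-wrap', 32));
}

// Key exchange steps 2-3: only the wrapped copies ever leave the client.
function createContactKey(initiator, peerPublic) {
  const contactKey = crypto.randomBytes(32); // 256-bit per-contact key
  return {
    contactKey,
    forPeer: seal(wrappingKey(initiator.privateKey, peerPublic), contactKey),
    forSelf: seal(wrappingKey(initiator.privateKey, initiator.publicKey), contactKey),
  };
}

// Constructed run: Alice adds Bob, Bob unwraps the key, Alice sends one message.
function demo() {
  const alice = crypto.generateKeyPairSync('x25519');
  const bob = crypto.generateKeyPairSync('x25519');
  const { contactKey, forPeer } = createContactKey(alice, bob.publicKey);
  const bobKey = open(wrappingKey(bob.privateKey, alice.publicKey), forPeer);
  const blob = seal(contactKey, Buffer.from('meet at 10')); // what the server relays
  const flipped = Buffer.from(blob); flipped[30] ^= 1;      // one bit changed in transit
  return {
    received: open(bobKey, blob).toString(),
    serverGuess: open(crypto.randomBytes(32), blob), // no contact key: null
    tampered: open(bobKey, flipped),                 // auth tag check fails: null
  };
}
```

The server in this sketch only ever holds `forPeer`, `forSelf` and `blob`; without a user's private key none of them opens.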

Security Guarantees

  • Server cannot read message content (zero-knowledge)
  • Each contact pair has a unique encryption key
  • Keys are derived from Ed25519 public keys (cryptographically secure)
  • No backdoors or master keys
  • Open source client libraries for transparency

No Persistent Storage - Temporary In-Memory Queuing Only

Important: Messages are never stored in persistent database storage (PostgreSQL). Everything is user-to-user and end-to-end encrypted with the shared key for the relationship.

  • No Database Storage: Messages are never written to disk or stored in PostgreSQL
  • Temporary In-Memory Queue: If a recipient is offline, encrypted messages are temporarily queued in Redis (in-memory only) and automatically deleted after successful delivery
  • Real-Time Routing: For online users, messages are routed in real-time through WebSocket connections - never stored
  • Client-Side Encryption: All encryption/decryption happens client-side - server only sees encrypted blobs it cannot read
  • Unique Per-Contact Keys: Each contact relationship has its own unique 256-bit symmetric encryption key
  • Zero-Knowledge: Server cannot decrypt messages even if it wanted to - no master keys or backdoors
  • Automatic Cleanup: Queued messages are deleted immediately after delivery or expire after 30 days if undeliverable

Note: The temporary Redis queue is necessary for offline message delivery, but messages are never persisted to permanent storage. This is fundamentally different from traditional messaging platforms that store all messages in databases indefinitely.

Rate Limiting & Anti-Spam

Protecting users from abuse

Global Message Rate Limit

To prevent spam and abuse, all users are limited to sending 1 message every 10 seconds (6 messages per minute). The limit is global: it applies across all recipients, including repeated messages to the same user.

Rate Limit: 1 message / 10 seconds = 6 messages / minute

Trust Level Limits

  • Untrusted: 20 messages/day
  • Trusted: 200 messages/day
  • Verified: Unlimited
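
One way to enforce the global interval together with the trust-level caps, as an added example that is not the platform's own code. The `MessageLimiter` class, the rolling 24-hour window that starts at a sender's first message, and rejecting unknown trust levels are assumptions; the page states only the limits themselves.

```javascript
// Limits taken from the page; everything else here is illustrative.
const MIN_INTERVAL_MS = 10_000;                       // 1 message / 10 seconds
const DAILY_CAP = { untrusted: 20, trusted: 200, verified: Infinity };
const DAY_MS = 24 * 60 * 60 * 1000;

class MessageLimiter {
  constructor() {
    // Keyed by sender only: the interval is global, so the recipient is ignored.
    this.state = new Map(); // senderId -> { last, dayStart, count }
  }

  // Returns { allowed, reason, retryAfterMs }. `now` is injectable for testing.
  check(senderId, trustLevel, now = Date.now()) {
    const cap = DAILY_CAP[trustLevel];
    if (cap === undefined) {
      return { allowed: false, reason: 'unknown_trust_level', retryAfterMs: 0 }; // fail closed
    }
    let s = this.state.get(senderId);
    if (!s) {
      s = { last: -Infinity, dayStart: now, count: 0 };
      this.state.set(senderId, s);
    }
    if (now - s.dayStart >= DAY_MS) { s.dayStart = now; s.count = 0; } // new daily window

    const wait = s.last + MIN_INTERVAL_MS - now;
    if (wait > 0) return { allowed: false, reason: 'interval', retryAfterMs: wait };
    if (s.count >= cap) {
      return { allowed: false, reason: 'daily_cap', retryAfterMs: s.dayStart + DAY_MS - now };
    }
    s.last = now;      // rejected attempts do not reset the interval
    s.count += 1;
    return { allowed: true, reason: null, retryAfterMs: 0 };
  }
}
```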

Additional Protections

  • Abuse detection algorithms flag suspicious patterns
  • Users can report spam contacts
  • Automatic suspension for repeated violations
  • Behavioral analysis to detect bots

Messaging Costs

Fair pricing for secure communication

  • Send Message: Text message to any contact - 4 credits ($0.08)
  • Send Attachment <1MB: Small files, images - 8 credits ($0.16)
  • Send Attachment 1-10MB: Medium files (Trusted+) - 20 credits ($0.40)
  • Send Attachment 10-50MB: Large files (Trusted+) - 40 credits ($0.80)
  • Read Messages: View received messages - FREE
  • Delete Message: Remove a message - 1 credit ($0.02)
  • Edit Message: Modify sent message - 2 credits ($0.04)

Voice & Video Calls

Secure peer-to-peer communication

Audio Calls

High-quality voice calls using WebRTC. Peer-to-peer connection with TURN server fallback.

Requires contact permission

Video Calls

HD video calls with screen sharing support. Encrypted signaling through our servers.

Requires contact permission

Start Secure Messaging

Join a privacy-first messaging platform with end-to-end encryption and zero-knowledge architecture.

    Nlaak Studios - Crafting the Future of Software