zkChat uses AES-256-GCM, the same symmetric encryption primitive used in banking infrastructure, military and government-grade secure storage, and TLS connections protecting financial data worldwide.
All encryption and decryption happens entirely in your browser before any data leaves your device. The encryption key lives in the URL fragment (#key=...), which browsers never send to servers.
The relay server, CDNs, proxies, and infrastructure providers see only random ciphertext—never keys or plaintext. Even if compelled or compromised, we cannot decrypt what we don't have the keys for.
A factual comparison of privacy features. We keep it honest.
| Feature | zkChat | Signal |
|---|---|---|
| End-to-end encryption by default | Yes (AES-256-GCM) | Yes (Signal Protocol) |
| Requires account / phone number | No | Phone required |
| Server sees message content | No (mathematically impossible) | No |
| Server stores metadata / identifiers | No | Yes (phone, contacts) |
| Key stays only on device / in browser | Yes (URL fragment, never sent) | Yes |
| Anonymous access (no signup) | Yes | No |
| Self-destructing rooms / sessions | Yes (auto-burn when empty) | Partial (disappearing messages) |
| One-time self-destruct messages | Yes | No |
| One-time encrypted file drop | Yes | No |
| Messages stored after you close the app | No (memory only) | Yes, until deleted |
| Browser-native, no install required | Yes | No (app required) |
| Designed to minimize metadata | Yes (zero metadata by design) | Partial |
This comparison is based on publicly available information and may not reflect recent updates. We encourage you to verify claims independently.
Cryptographic guarantees that don't require faith in our good intentions.
A 256-bit key is generated via Web Crypto API directly in your browser. This key is encoded and placed in the URL #fragment. By design, browsers never send anything after the # to servers or proxies.
/room/abc123#key=8f3a9b...
Messages, OTMs, and files are encrypted using AES-256-GCM. The server only relays or stores ciphertext blobs. Even a full server compromise reveals no plaintext and no keys.
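The flow described above, sketched with the Web Crypto API as an added example (not zkChat's own code). The hex key encoding, the 12-byte IV prepended to each ciphertext, the `chat.example` origin and all function names are assumptions made for illustration.

```javascript
// Added example. Assumed, not stated on the page: hex key encoding and a
// random 12-byte IV prepended to every ciphertext blob.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto; // Node < 19 fallback
const subtle = webcrypto.subtle;
const toHex = (bytes) => Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
const fromHex = (hex) => Uint8Array.from(hex.match(/.{2}/g), (h) => parseInt(h, 16));

// Creator side: generate a 256-bit key and place it in the URL fragment.
async function createRoomUrl(origin, roomId) {
  const key = await subtle.generateKey({ name: "AES-GCM", length: 256 }, true, ["encrypt", "decrypt"]);
  const raw = new Uint8Array(await subtle.exportKey("raw", key));
  return `${origin}/room/${roomId}#key=${toHex(raw)}`;
}

// What an HTTP request for the room carries: path and query, never the fragment.
function requestTarget(roomUrl) {
  const u = new URL(roomUrl);
  return u.pathname + u.search;
}

// Joiner side: recover the key from the fragment, rejecting malformed input.
async function keyFromUrl(roomUrl) {
  const m = /^#key=([0-9a-f]{64})$/.exec(new URL(roomUrl).hash);
  if (!m) throw new Error("fragment must carry a 256-bit hex key");
  return subtle.importKey("raw", fromHex(m[1]), "AES-GCM", false, ["encrypt", "decrypt"]);
}

async function encryptMessage(key, text) {
  const iv = webcrypto.getRandomValues(new Uint8Array(12)); // fresh IV for every message
  const ct = new Uint8Array(await subtle.encrypt({ name: "AES-GCM", iv }, key, new TextEncoder().encode(text)));
  const blob = new Uint8Array(iv.length + ct.length);
  blob.set(iv);
  blob.set(ct, iv.length);
  return blob; // IV + ciphertext + tag: all a relay would handle
}

async function decryptMessage(key, blob) {
  // decrypt() rejects if the GCM authentication tag does not verify
  const pt = await subtle.decrypt({ name: "AES-GCM", iv: blob.slice(0, 12) }, key, blob.slice(12));
  return new TextDecoder().decode(pt);
}

// Round trip, then flip one bit of the blob to show the tampered copy is rejected.
async function demo() {
  const url = await createRoomUrl("https://chat.example", "abc123");
  const key = await keyFromUrl(url);
  const blob = await encryptMessage(key, "hello");
  const plaintext = await decryptMessage(key, blob);
  blob[blob.length - 1] ^= 1;
  const tamperRejected = await decryptMessage(key, blob).then(() => false, () => true);
  return { sent: requestTarget(url), plaintext, tamperRejected };
}
```

The fragment is kept out of the HTTP request, but any script running on the page can read it through `location.hash`, and the full URL remains in browser history. The confidentiality of the key therefore also depends on the integrity of the JavaScript the page serves.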
No historical log, no archive, no inbox. Privacy isn't a setting—it's the architecture.
Rooms: Destroyed when all disconnect
OTMs: Burned on first read
Files: Deleted after download or 24h
In an era where every message, file, and conversation leaves a permanent digital footprint, zkChat offers something radically different: ephemeral, zero-knowledge communication built on military-grade AES-256 encryption. This isn't security theater—it's cryptographic architecture designed from the ground up for real-world privacy.
Most messaging platforms claim end-to-end encryption, but encryption is only part of the story. Metadata—who you talk to, when, how often, from where—often reveals as much as message content. Traditional messengers require accounts linked to phone numbers or emails, creating permanent identity records. They store message history, contact graphs, and behavioral data on servers you don't control. Even with encrypted content, this metadata enables surveillance capitalism, traffic correlation attacks, and legal compulsion.
zkChat takes a fundamentally different approach. Every chat room, one-time message, and file drop uses AES-256-GCM encryption performed entirely in your browser. The encryption key is generated locally and embedded in the URL fragment—the part after the # that browsers never transmit to servers. Our relay sees only random ciphertext bytes. We cannot decrypt your messages because we never possess the keys.
Unlike services that promise not to log your data (promises that can change or be legally compelled), zkChat's privacy guarantees are architectural. We require no accounts, no phone numbers, no emails. There is no user database to breach or subpoena. Rooms exist only in memory and vanish when participants leave. One-time messages are cryptographically destroyed after first read. This isn't a policy decision—it's how the system is built.
Consider the threats that matter: corporate data harvesting (we collect nothing to harvest), government surveillance (we have no decryption capability to provide), server breaches (attackers would find only meaningless ciphertext), network observers (ISPs and employers see only encrypted traffic). The only remaining attack vector is endpoint compromise—and no communication tool can protect you if your device is already compromised.
zkChat is purpose-built for scenarios where privacy is non-negotiable: journalists protecting sources, legal teams discussing privileged matters, activists organizing under repressive regimes, businesses sharing confidential information, or anyone who simply values private communication. Whether you're sharing a password, coordinating a project, or having a conversation that's nobody's business but yours, zkChat ensures that when the chat ends, the evidence ends with it.
This is what privacy-first messaging actually looks like: browser-based encryption, fragment-isolated keys, ephemeral state, and zero-knowledge architecture. Not promises—mathematics.