DecentChat
No accounts · No servers after handshake · No logs

TerminalEncryptedMessenger.

Most "secure" apps still phone home. DecentChat doesn't — your keys, your tunnel, your session. Gone when you close it.

PowerShell · Quick install (as Administrator)
# Run in PowerShell as Administrator
irm https://chat.teamxebec.xyz/install.ps1 | iex
View on GitHub ↗

If your identity is tied to a phone number, it's not private.

— built out of frustration
256
AES-GCM bit key
0
messages stored
P2P
after handshake
MIT
open source
decentchat@tty — ~/secure · session active
X25519 key agreementAES-256-GCM sealed boxEd25519 signaturesTOFU peer pinningCloudflare Tunnel NAT traversalZero message storageGo single binaryPerfect forward secrecyX25519 key agreementAES-256-GCM sealed boxEd25519 signaturesTOFU peer pinningCloudflare Tunnel NAT traversalZero message storageGo single binaryPerfect forward secrecy
Built because I didn't trust the alternatives.
00

I got tired of "private" messaging apps that still need your phone number, still run on someone else's servers, still log connection metadata. Every account is a liability. Every server is a target.

DecentChat started as a weekend experiment — can two machines talk directly, end-to-end encrypted, with zero persistent infrastructure? It turned into a full P2P layer. The signaling server touches nothing but session descriptions. After handshake, it's completely out of the loop.

This is not a product. It's a stance.

"If your identity is tied to a phone number, it's not private."

"Servers should not exist after the connection is established."

"Privacy shouldn't require trust. It should require math."

No magic. Just four steps.
01
01
Discovery
Both peers connect to a stateless signaling server. It exchanges only encrypted session descriptions and ICE candidates. No messages ever pass through it.
signaling server
02
Verification
Ed25519 fingerprints are exchanged and pinned (TOFU). If a peer's key ever changes, you get an immediate MITM alert. Trust once. Lock forever.
Ed25519 · TOFU
03
Tunnel
X25519 ECDH establishes a shared secret. AES-256-GCM encrypts every frame. Cloudflare Tunnel handles NAT traversal. The signaling server is now out of the loop.
X25519 · AES-256-GCM
04
Communication
Direct P2P. No server. Session keys are ephemeral — each conversation generates new keys. When it ends, everything is gone. Nothing persists.
perfect forward secrecy
Under the hood.
01b
001
X25519 Key Exchange
Elliptic-curve Diffie-Hellman produces a shared secret neither party transmits. Ephemeral keys isolate every session completely.
002
AES-256-GCM Encryption
Every frame sealed with authenticated encryption. Tampering is detected before decryption — not just confidential, authenticated.
003
Ed25519 Signatures
Your identity keypair. Fast, small, collision-resistant. Used for peer fingerprinting and TOFU pinning — never for server auth.
004
TOFU Peer Pinning
Trust On First Use. The first fingerprint is pinned. Any deviation is immediately flagged as a potential MITM attack.
005
Stateless Signaling
The relay sees only encrypted session offers. No IPs, no identities, no payloads. Could be adversarially operated — wouldn't matter.
006
Go Single Binary
One file. No runtime. No dependency hell. Cross-compiled for every platform. Download and you're running encrypted P2P comms.
Signaling exists. Then it doesn't.
02

Hybrid signaling +
direct mesh.

The signaling server does one thing: helps two peers find each other. It sees only encrypted session descriptions — no payloads, no identities, no IPs in plaintext.

Once the Cloudflare tunnel is established, the server is completely excluded. It could go offline mid-session and you'd never notice.

Note: NAT traversal has known edge cases on campus/corporate networks with aggressive CGNAT.

USER A key: 0x9f3a… USER B key: 0xb771… E2EE P2P TUNNEL SIGNALING RELAY stateless · pubkey exchange only
Good for some. Not for others.
03
Good for
  • Two devs on the same network talking without internet
  • Journalists exchanging messages without metadata trails
  • Temporary comms that genuinely disappear after the session
  • Anyone who can't or won't hand over a phone number
  • Scripted / automated secure communication pipelines
Not great for
  • Message history — there isn't any, by design
  • Non-technical users — CLI-first, no GUI currently
  • Unstable networks — P2P degrades under packet loss
  • Account recovery — lose your keypair, lose your identity
  • Group chats — currently 1:1 only
One command. Any platform.
04

Keys never
leave your machine.

No registration. No account. Run it and you have a cryptographic identity. Keys are generated locally and never transmitted.

PowerShell · Windows (as Administrator)
# Run in PowerShell as Administrator irm https://chat.teamxebec.xyz/install.ps1 | iex
Downloads the signed binary, verifies checksum, and adds decentchat to your PATH.
curl · Linux / macOS
curl -LO https://github.com/hiwarkhedeprasad/decentchat-terminal/releases/latest/download/decentchat chmod +x decentchat sudo mv decentchat /usr/local/bin/ # Run: decentchat
go build · from source
git clone https://github.com/hiwarkhedeprasad/decentchat-terminal.git cd decentchat-terminal go build -o decentchat . ./decentchat