
How it works

Full transparency on what nullchat does, how it protects you, and what we can and cannot see.

What is nullchat?

nullchat is an anonymous, end-to-end encrypted chat room that requires no accounts, no emails, no phone numbers, and no personal information of any kind. You enter a shared secret — a password — and anyone else who enters the same password lands in the same room. That's it.

How do I join a room?

You and the person you want to talk to agree on a shared secret ahead of time — in person, over a phone call, however you want. You both type that secret into nullchat and you're in the same encrypted room. There is no room list, no directory, no way to browse. If you don't know the secret, the room doesn't exist to you.

How should I choose a shared secret?

Your shared secret is the single most important piece of your security. It is both the key to your room and the key to your encryption — if someone guesses it, they can read everything. Treat it like a password to a safe. Choose something long, random, and unguessable. A strong secret is at least 5–6 random words or 20+ mixed characters. Avoid names, dates, common phrases, song lyrics, or anything someone could find on your social media. Never reuse a secret across different conversations or rooms. Share your secret through a secure, out-of-band channel — in person is best. A phone call is acceptable. Never send it over text, email, DM, or any platform that logs messages. If you suspect a secret has been compromised, stop using it immediately and agree on a new one through a secure channel. The strength indicator on the entry screen gives you a rough sense of how resistant your secret is to brute-force attacks, but no indicator is a substitute for good judgment. When in doubt, make it longer and more random.

How does the encryption work?

When you enter your shared secret, two things happen entirely in your browser:

1. The secret is hashed with SHA-256 to produce a room ID. Only this hash is sent to the server, so it knows which room to connect you to; the server never sees the secret itself.
2. The secret is run through PBKDF2 (100,000 iterations) to derive a 256-bit encryption key. This key never leaves your browser.

Every message you send is encrypted with NaCl secretbox (XSalsa20-Poly1305) under that key before it leaves your device. The server receives, stores, and relays only ciphertext: encrypted blobs that are meaningless without the key. We cannot read your messages, and neither can anyone else who does not know the shared secret.

One consequence of this design is worth understanding: the room ID is a plain SHA-256 of the secret, and SHA-256 is fast. Anyone who learns a room ID (the server sees every one) can test candidate secrets against it at hashing speed, and a correct guess also yields the PBKDF2 key. The iteration count slows key derivation, not room-ID guessing, so the secret itself must be strong enough to resist a dictionary attack.

What does the server see?

The server sees:
• A SHA-256 hash (the room ID), not your password
• Encrypted ciphertext blobs, not your messages
• The number of active connections in a room
• Timestamps of when encrypted blobs were received

The server does NOT see:
• Your shared secret / password
• Your message content
• Your identity or username (aliases are encrypted inside messages)
• Your IP address (stripped at the edge by our hosting provider)

What is message padding?

Before encryption, every message is padded to a fixed block size of 256 bytes, so a short message like "hi" produces a ciphertext of the same size as "meet me at the park." Without padding, an observer could infer message content, or at least tell messages apart, from ciphertext length alone. Padding closes this side channel for messages that fit in a single block: every such message looks identical in size on the wire.

What is timestamp obfuscation?

Timestamps included in messages are rounded to the nearest minute before encryption. Anyone who later reads a decrypted message (for example, from a recipient's device) therefore cannot line up its exact send time against logs from other channels, which limits timing-correlation attacks. This affects only the timestamp inside the ciphertext; the server still records when each blob arrived, as listed above.
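As an added example that is not nullchat's own code, the following implements both message padding and timestamp rounding as described above so their effect can be measured. The page does not say how the original length is recovered when unpadding, so a 2-byte big-endian length prefix is assumed here; the handling of messages longer than one block (padding up to the next multiple of 256) is also an assumption, and it makes the caveat visible that padding hides length only within a block.

```javascript
// Added example, not nullchat's code. Assumptions: a 2-byte big-endian length
// prefix precedes the UTF-8 text, and messages longer than one block are padded
// up to the next multiple of BLOCK_SIZE rather than rejected.
const BLOCK_SIZE = 256;
const MINUTE_MS = 60 * 1000;

// Pad a plaintext to a multiple of BLOCK_SIZE bytes before encryption.
function padMessage(text, blockSize = BLOCK_SIZE) {
  const body = Buffer.from(text, 'utf8');
  if (body.length > 0xffff) throw new Error('message too long for a 2-byte length prefix');
  const raw = 2 + body.length;
  const paddedLength = Math.ceil(raw / blockSize) * blockSize;
  const out = Buffer.alloc(paddedLength, 0); // zero fill after the text
  out.writeUInt16BE(body.length, 0);
  body.copy(out, 2);
  return out;
}

// Inverse of padMessage; rejects malformed input instead of returning garbage.
function unpadMessage(padded, blockSize = BLOCK_SIZE) {
  if (padded.length === 0 || padded.length % blockSize !== 0) throw new Error('bad padded length');
  const len = padded.readUInt16BE(0);
  if (2 + len > padded.length) throw new Error('length prefix exceeds buffer');
  return padded.subarray(2, 2 + len).toString('utf8');
}

// What a passive observer can still learn from ciphertext size: the block count.
function observedBlocks(text, blockSize = BLOCK_SIZE) {
  return padMessage(text, blockSize).length / blockSize;
}

// Round a millisecond timestamp to the nearest minute before it goes into the message.
function roundTimestamp(ms) {
  return Math.round(ms / MINUTE_MS) * MINUTE_MS;
}
```

Two short messages both report one block, so their ciphertexts are indistinguishable by size; a message of 300 bytes reports two blocks, which is exactly the residual information an observer keeps for long messages.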

How long do messages last?

Messages use a tiered timer system:
• Dead drop (first message): a message sits encrypted on the server for up to 24 hours, waiting for a response. The sender can leave and come back to check on it without triggering any countdown. Simply entering the room does not burn the message.
• Reply triggers burn: the moment someone else sends a message in the room, all prior unread messages begin a 5-minute burn countdown. A reply is proof that the conversation is live and the dead drop has been picked up.
• Active conversation: once a room has seen replies, subsequent messages have a 6-hour window. They can be explicitly acknowledged by the recipient pressing the "Received" button, which starts the 5-minute burn.
• Hard ceiling: any unread message is deleted when its timer expires (24 hours for dead drops, 6 hours for active messages) whether or not it was acknowledged. There is no archive, no backup, and no way to recover a deleted message.
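The timer rules above form a small state machine, and the following added example (not nullchat's code) models them so a message's lifecycle can be checked against a clock. The page does not spell out whether a sender's own follow-up message counts as a reply, so this model treats a reply as any message from a different alias and burns only messages the replier did not write; that reading, the message identifiers, and the function names are assumptions made for the example.

```javascript
// Added example modelling the tiered timer rules described on this page.
// Not nullchat's code. Interpretation (assumption): a "reply" is any message
// from a different alias than an earlier message's author; a sender's own
// follow-up does not burn that sender's earlier messages.
const HOUR_MS = 60 * 60 * 1000;
const MINUTE_MS = 60 * 1000;
const DEAD_DROP_TTL = 24 * HOUR_MS; // ceiling for messages before any reply
const ACTIVE_TTL = 6 * HOUR_MS;     // ceiling once the room has seen a reply
const BURN_DELAY = 5 * MINUTE_MS;   // countdown after a reply or a "Received" press

function createRoom() {
  return { live: false, nextId: 1, messages: new Map() };
}

// Start the burn countdown on a message unless one is already running.
function startBurn(msg, now) {
  if (msg.burnAt === null) msg.burnAt = now + BURN_DELAY;
}

// Delete everything whose burn timer or hard ceiling has passed; returns surviving ids.
// Merely calling this (i.e. entering the room) never starts a countdown.
function sweepRoom(room, now) {
  for (const [id, msg] of room.messages) {
    const deadline = msg.burnAt === null ? msg.expiresAt : Math.min(msg.burnAt, msg.expiresAt);
    if (now >= deadline) room.messages.delete(id);
  }
  return [...room.messages.keys()];
}

// A participant posts a message at time `now`; returns the new message id.
function postRoomMessage(room, sender, now) {
  sweepRoom(room, now);
  let replied = false;
  for (const msg of room.messages.values()) {
    if (msg.sender !== sender) { startBurn(msg, now); replied = true; }
  }
  if (replied) room.live = true; // the room has now seen a reply
  const id = room.nextId++;
  room.messages.set(id, {
    id,
    sender,
    postedAt: now,
    expiresAt: now + (room.live ? ACTIVE_TTL : DEAD_DROP_TTL), // hard ceiling
    burnAt: null,
  });
  return id;
}

// Recipient presses "Received" on a message: manual confirmation starts the burn.
function acknowledgeMessage(room, id, now) {
  sweepRoom(room, now);
  const msg = room.messages.get(id);
  if (msg) startBurn(msg, now);
}
```

Because the deadline is the minimum of the burn time and the ceiling, an acknowledged message can never outlive its ceiling, and an unanswered dead drop disappears at 24 hours even though nobody ever touched it.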

What is the dead drop?

nullchat functions as a digital dead drop. In traditional intelligence tradecraft, a dead drop is a method of passing information between two people without them ever needing to meet or be in the same place at the same time. nullchat works the same way. You enter the shared secret, leave an encrypted message, and disconnect. The message sits on the server — encrypted and unreadable by anyone, including us — for up to 24 hours. Your contact enters the same secret whenever they're ready, and picks up the message. The message does not burn just because someone entered the room. It only burns when the recipient takes an explicit action: either replying (which proves the conversation is live) or pressing the "Received" button (a manual confirmation). Once either happens, a 5-minute burn timer starts and the message is permanently destroyed. The sender can safely reconnect at any time to check whether their message is still waiting — without triggering any countdown. Neither party needs to be online at the same time. Neither party needs an account. Neither party is identifiable. The server never knows who left the message or who picked it up — only that an encrypted blob was stored and later retrieved. After the burn, there is no evidence the exchange ever happened.

How long do rooms last?

A room exists as long as it has active connections or unexpired messages. Once the last person disconnects and all messages have expired or burned, the room is gone. There is no persistent room state. If no messages are ever sent, the room is just a live connection — nothing is stored, and it vanishes the moment everyone leaves.

What is the Terminate button?

Terminate immediately deletes every message you sent during your current session from the server, for everyone in the room. Other participants see your messages disappear from their screens in real time, and you are then disconnected. Use it if you need to leave without a trace on the server. It cannot recall anything a participant has already read, copied, or screenshotted before you pressed it.

What is the Leave button?

Leave simply disconnects you from the room. Your messages remain on the server: unread messages keep waiting (up to 24 hours), and messages whose burn countdown has already started, because someone replied or pressed "Received", keep counting down. If you rejoin the room later, you get a new random alias; there is no way to link your old and new identities.

What are the random aliases?

When you enter a room, you are assigned a random 8-character hex code (like "a9f2b71c") as your alias. This alias is generated in your browser, encrypted inside each message, and is never sent to the server in plaintext. If you disconnect and reconnect, you get a new alias. There is no way to reserve, choose, or persist an alias.

Is there a participant limit?

Each room supports up to 50 simultaneous connections. If the room is full, you'll see a "Room is full" message. This limit exists to keep rooms intimate and to prevent abuse.

Is there rate limiting?

Yes. Each connection is limited to 1 message per second. This prevents spam and abuse without requiring any identity verification. If you send messages too quickly, you'll see a brief "Slow down" notice.

What about IP addresses?

The application is hosted on Vercel and Cloudflare's network. Your IP address is handled at that edge infrastructure layer and is never read, logged, or stored by the application code, which does not access IP headers at all; we have no mechanism to identify you by network address. The edge providers themselves necessarily see your IP in order to terminate your connection, and what they retain is governed by their own policies rather than by nullchat.

Are there any cookies or trackers?

No. nullchat sets no cookies, uses no analytics, loads no third-party scripts, embeds no tracking pixels, and makes no requests to any origin other than its own. The Content Security Policy headers enforce this at the browser level. You can verify it in your browser's developer tools by watching the Network panel and reading the response headers.

Why can't I send links, images, or files?

By design. nullchat is text-only: no links, images, file attachments, or media of any kind can be sent or rendered. This is a deliberate security decision, not a limitation. Clickable links and embedded media are the primary attack surface for zero-day exploits used by commercial spyware such as Pegasus, Predator, and similar surveillance tools; a single malicious link or file can silently compromise an entire device. By reducing the chat to plaintext, nullchat removes that attack surface: there is nothing to click, nothing to download, and no media to render.

Can you read my messages?

No. The server is a dumb relay: it receives encrypted blobs and forwards them. The encryption key is derived from your shared secret, which never leaves your browser, so we do not have the key and cannot decrypt the blobs. Even if the server were compromised, the stored blobs would give an attacker only ciphertext, provided the shared secret is strong enough to resist offline guessing. Two caveats apply to any browser-based end-to-end encryption, nullchat included: the encrypting code is delivered by the same server, so an attacker who controlled it could serve altered JavaScript to later visitors, and encryption does nothing against a compromised device on either end.

Can government agencies access my messages?

We cannot provide what we do not have. There are no plaintext messages stored anywhere. There are no user accounts to look up. There are no IP logs to hand over. The encrypted blobs auto-delete on a fixed schedule. Even under a valid legal order, the most we could produce is a collection of encrypted blobs and room hashes — none of which are useful without the shared secret that only the participants know.

Who built nullchat?

nullchat is built by Artorias — a veteran-operated intelligence technology company based in New York City. Artorias exists to dismantle outdated systems and arm the most important organizations and individuals with tools purpose-built for operating in the dark. At its core, Artorias is about democratizing intelligence and anonymity — ensuring that the ability to communicate securely and operate without surveillance is not a privilege reserved for the few. nullchat is one expression of that mission: secure communication stripped to its essence, with no compromise on cryptographic integrity. Learn more at artorias.com.

nullchat — encrypted · anonymous · ephemeral