Whoever holds the keys

holds the messages.

No. Messages are encrypted on your device with AES-256-GCM and wrapped in MLS (RFC 9420) before they ever leave your browser. Only you and your recipient hold the keys — relays only see ciphertext, and there is no Keychat server in the middle.

Never. You authenticate by signing one message with your existing Ethereum-compatible wallet (MetaMask, Rabby, anything EIP-1193). No emails, phones, passwords or seed phrases are collected — there is nothing for us to lose.

Any EIP-1193 compatible wallet — MetaMask, Rabby, Coinbase, Trust, and others via WalletConnect. Multichain identity (Solana, Bitcoin, Polygon, Tron) is shown as your portable inbox; the underlying messaging runs on XMTP.

Forward secrecy means past messages stay protected even if a key is later stolen. After you rotate the wallet (or move to a fresh one), post-compromise security restores end-to-end protection for future messages.

Yes. Groups use the MLS group-key agreement, so every member has the same end-to-end guarantees, and revoked members lose the ability to read future messages immediately.

The protocol stack is post-quantum ready. AES-256-GCM is already considered quantum-resistant for symmetric encryption; key exchange and signatures will roll over to Kyber-1024 and Dilithium as MLS-PQ matures.

There is no central database or application server to serve a subpoena to. We never store your keys, your messages or your social graph. Decentralized XMTP relays only ever hold ciphertext.

Yes. New senders land in a Requests inbox with no notification or badge. You explicitly Allow or Block — and Block means block at the protocol level, not just a UI filter.

Messaging is fully usable with a zero token balance. A utility token is planned for spam-prevention staking, premium services and governance, but it is never required to send or receive messages.

Yes. Clients, the cryptographic engine (libxmtp, Rust + WASM) and the protocol implementations are all open source — auditable by anyone.