sendit.chat

Private, end-to-end encrypted chat & file sharing.
No accounts. No logs. No persistent storage.

Create new session

Start a private room in your browser. We generate the join secret and X25519 keys locally, then give you a short invite link to share — the server never sees your messages, files, or private keys.

Why sendit.chat?

Zero-knowledge server

Messages are encrypted in your browser before anything leaves your device. The server only ever sees scrambled ciphertext it can never decode.

No accounts, ever

No sign-up, no email, no phone number. Nothing to register, nothing to breach. Start a conversation in one click.

Nothing stored

Messages and files exist only for the life of your session. Close the tab and they're gone — no logs, no history, no trace.

Instant, no installs

Works in any modern browser. Share a link and you're chatting in seconds — no app stores, no updates, no waiting.

How it works

1. Create a session

Your browser generates a join secret and X25519 identity locally, derives the session ID client-side, and encrypts the private key into sessionStorage.

2. Share the link

The session can create a one-time /j/<token> invite for easy sharing, while the underlying capability stays in the URL fragment and is only ever kept in server memory until first use or expiry.

3. Chat securely

A 3-message Noise_XX handshake bootstraps the Signal Double Ratchet, so chats get authenticated end-to-end encryption with forward secrecy and optional direct P2P when Privacy Mode is off.

How we compare

Most messaging apps need your phone number just to say hello. We don't.

sendit.chat WhatsApp Telegram Signal
No account or phone number
No app install needed ~
Messages never stored
E2E encrypted by default
Server is fully blind to content
Open source ~

🔒 All messages and files are protected by a Noise_XX + Signal Double Ratchet stack (X25519 + HKDF-SHA256 + ChaCha20-Poly1305, with AES-256-GCM protecting stored private keys). The server only relays encrypted blobs and temporary invite tokens — it never has the chat keys.

🔑 Server Public Key Transparency

The server generates an Ed25519 signing key pair at startup and uses it to sign the SHA-384 script-integrity manifest. Comparing the public key below against the one published in the source repository lets you independently verify that this server is running genuine, unmodified code. A substituted malicious server would show a different key.

The machine-readable JSON is available at /.well-known/pubkey.

⚠ Key is ephemeral (regenerated on restart). Set SERVER_SIGNING_KEY for a stable, pinnable key.

Ed25519 public key 3ab86484f2a4fb6e151543d3c6b31875c78f87885c966600c92163511f7cf28c
Signature over script hashes 63708e9b1f2d52bb41e8aec1a032dcf7311fd0854ccdf8b35672e26d903e707d634c182c32b9398cc5e2a272ce19fba4807014bc2670a7a4ac8513865653d000

🔍 Script Integrity Verification

Every session script is protected by a SHA-384 Subresource Integrity hash. Your browser enforces these hashes automatically — any script that does not match is blocked before it can run. To independently detect a compromised server, compare the hashes below against the /.well-known/sri.json endpoint or the reference values published in the source repository.

Script SHA-384 integrity hash
js/socket.io.min.js sha384-2huaZvOR9iDzHqslqwpR87isEmrfxqyWOF7hr7BY6KG0+hVKLoEXMPUJw3ynWuhO
js/qr-creator.min.js sha384-cmmVU8dn+rGH6Yvlt0Q1+31iG9lS4wdVsqV/ZP/53RBddef+VZcYakA+NhG4S8wE
js/noble-bundle.js sha384-5Ebee1TT4HsgIqMOhDJRWdKOqeD4jWEfN/2hOfFkzc46I29kXcDB/EtqDqz9jaHb
js/noise.js sha384-9kGQ0g7mwTbaR7FjCU/EoUUti6tBf9tLPYoaFvjSthRKB+59aO7xwGG7H029Kalt
js/ratchet.js sha384-qHzLumbwrhKZxELTEVp/UnzvciLzBmkmzIvehTPGImohd4ZwJpo9v1U2xHB5pG50
js/crypto.js sha384-OjLZ7A5d53zeDS5E5iv1/qPGxENEP2dzTOmT9ft2cSSurhtjy9IdcXBf4uzhSARz
js/session.js sha384-Y6GU1N5stzRu5zfiLojx+joDl3mThj3dtWvDmE5GRFuBZkLwnSPzlWeLCvK9A636
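
The comparison described above, as an added example (not sendit.chat's own code): it recomputes each script's SHA-384 integrity value and checks it against the server-published manifest and against a reference copy taken from the source repository. The path-to-integrity-string mapping and all sample data are assumptions constructed for illustration; the tampered case shows that a server which changes a script and its published hashes together stays self-consistent, so only the repository reference exposes it.

```python
import base64
import hashlib


def sri_sha384(data: bytes) -> str:
    """Return the Subresource Integrity string for a script body."""
    digest = hashlib.sha384(data).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


def audit(scripts: dict, served: dict, reference: dict) -> dict:
    """Classify each script path.

    scripts:   path -> bytes actually downloaded from the server
    served:    path -> integrity string the server itself publishes
    reference: path -> integrity string obtained out of band (repository)
    """
    report = {}
    for path in sorted(set(scripts) | set(served) | set(reference)):
        if path not in reference:
            report[path] = "not-in-reference"   # the repository never listed it
        elif path not in scripts:
            report[path] = "not-served"
        else:
            actual = sri_sha384(scripts[path])
            if actual != reference[path]:
                report[path] = "differs-from-reference"
            elif served.get(path) != actual:
                report[path] = "manifest-inconsistent"
            else:
                report[path] = "ok"
    return report


# Constructed sample data, not the site's real scripts or hashes.
GENUINE = {"js/noise.js": b"export const proto = 'Noise_XX';\n",
           "js/ratchet.js": b"export function step(ck) { return ck; }\n"}
REFERENCE = {p: sri_sha384(b) for p, b in GENUINE.items()}

# A substituted server changes one script, adds an unlisted one, and
# republishes hashes that match what it now serves.
TAMPERED = dict(GENUINE)
TAMPERED["js/ratchet.js"] += b"/* modified */\n"
TAMPERED["js/extra.js"] = b"/* unlisted */\n"
TAMPERED_MANIFEST = {p: sri_sha384(b) for p, b in TAMPERED.items()}

if __name__ == "__main__":
    for path, status in audit(TAMPERED, TAMPERED_MANIFEST, REFERENCE).items():
        print(f"{status:24} {path}")
```
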

Advertisements

Ads help fund sendit.chat, but we keep them on the public landing page only — never inside private chat sessions — and separate them from the app’s buttons and join controls.