- AES-256: message encryption (GCM)
- RSA-4096: key exchange (OAEP)
- 4 interface languages
- 100% self-hosted, your data
Everything a team needs, nothing it should fear
A complete internal messenger: private by design, pleasant to use, and fully under your control.
End-to-end encrypted
RSA-4096 key exchange and AES-256-GCM message encryption. The server never sees plaintext.
Real-time sync
A single WebSocket connection keeps every device in sync with cursor-based event delivery.
Self-hosted
Run it on your own infrastructure. Your data never leaves your servers.
Groups, channels & roles
Owners, admins and members with fine-grained permissions. Group keys rotate automatically when someone is removed.
Admin dashboard
Usage statistics, user and group management, and role control, built in and ready from day one.
Secure attachments
Photos and files travel through the same end-to-end encrypted pipeline as your messages.
Multi-device sync
Cursor-based delivery brings every device up to date the moment it reconnects. Nothing is missed.
Fully multilingual
English, Dutch, French and Latvian out of the box. Adding another language is a single JSON file.
Light, dark & auto themes
Light, dark, follow-your-system or time-of-day themes, synced across all your devices.
How your messages stay yours
True end-to-end encryption, not a checkbox. Every step happens on your device, before anything touches the network.
01. Keys are born on your device
On registration your browser generates an RSA-4096 key pair. The private key is encrypted with your password and never leaves your device unprotected.
02. Every message is sealed
Each message is encrypted with AES-256-GCM, and the key is wrapped with the recipients' public keys, all before it is sent.
03. The server stores only ciphertext
The server routes and stores encrypted blobs it cannot open. Even a full database leak reveals no conversations.
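The three steps above, sketched with Node.js's built-in crypto module. This is an added example, not BSChat's own code or its byte-level wire format; the function names, the envelope layout, SHA-256 as the OAEP hash and the passphrase-encrypted PKCS#8 private key are assumptions made for illustration.

```javascript
// Added illustration, not BSChat's wire format. All names are hypothetical.
const nodeCrypto = require('node:crypto');

// Assumption: OAEP with SHA-256; the page only says "OAEP".
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Step 01: the key pair is created on the device and the private key is only
// ever stored in password-encrypted form (encrypted PKCS#8 stands in here for
// whatever password-based scheme the real client uses).
function newIdentity(passphrase, bits = 4096) {
  return nodeCrypto.generateKeyPairSync('rsa', {
    modulusLength: bits,
    publicKeyEncoding: { type: 'spki', format: 'pem' },
    privateKeyEncoding: { type: 'pkcs8', format: 'pem', cipher: 'aes-256-cbc', passphrase },
  });
}

// Step 02: a fresh AES-256 key and 96-bit nonce per message; the message key
// is wrapped once per recipient with that recipient's RSA public key.
function sealMessage(plaintext, recipients) {
  const key = nodeCrypto.randomBytes(32);
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const wrapped = {};
  for (const [id, publicKey] of Object.entries(recipients)) {
    wrapped[id] = nodeCrypto.publicEncrypt({ key: publicKey, ...OAEP }, key);
  }
  // Step 03: this object is everything a server would need to store and route.
  return { iv, ct, tag: cipher.getAuthTag(), wrapped };
}

// Recipient side: unlock the private key with the password, unwrap the
// message key, then decrypt. final() throws if the GCM tag does not verify.
function openMessage(envelope, id, privateKeyPem, passphrase) {
  const key = nodeCrypto.privateDecrypt(
    { key: privateKeyPem, passphrase, ...OAEP }, envelope.wrapped[id]);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, envelope.iv);
  decipher.setAuthTag(envelope.tag);
  return Buffer.concat([decipher.update(envelope.ct), decipher.final()]).toString('utf8');
}
```

A key pair that is not among the recipients cannot unwrap any entry in `wrapped`, and any change to `ct`, `iv` or `tag` makes `openMessage` throw instead of returning altered text.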
Zero-trust by architecture
You do not have to trust the server, the hoster, or us. The design guarantees privacy even if the infrastructure is compromised.
- Private keys never leave your device unencrypted
- Group keys rotate automatically when a member is removed
- The server can route messages but never read them
- Short-lived access tokens with refresh rotation
- Openly documented protocol and byte-level crypto spec
Your infrastructure, your rules
One command brings up the whole stack on your own hardware. No third parties, no data leaving your network.
$ git clone https://your-git/bschat && cd bschat
$ cp .env.example .env
$ docker compose up --build
✓ db ready · migrations applied
✓ BSChat listening on http://localhost:3000
One-command deploy
docker compose up --build starts the app, PostgreSQL and the TLS proxy in one optimized image.
Automatic HTTPS
Nginx terminates TLS with Let's Encrypt certificates that are issued and renewed automatically.
Reliable storage
PostgreSQL 16 with Prisma; migrations are applied automatically on every start.
Production-ready
Health checks, structured logs and a lean non-root container image out of the box.
An open, documented protocol
Build your own client, a bot, or a mobile app. Everything the official client uses is specified.
REST + Swagger
Authentication is the only REST surface. Explore it live in the built-in Swagger UI.
One socket for everything
After login, every operation is an RPC call over a single Socket.IO connection, with cursor-based events.
Byte-level crypto spec
The E2EE scheme is specified byte for byte, enough to build a mobile client without reading the source.
Frequently asked questions
Short answers to the questions teams ask before switching.
Can the server administrator read my messages?
No. Messages are encrypted on your device and only your recipients hold the keys to unwrap them. The server, and whoever operates it, stores ciphertext only.
What happens if I forget my password?
Your password protects the private key on each device. Without it the key cannot be decrypted, so resetting creates a new encryption identity and old messages may become unreadable. That is the price of real end-to-end encryption.
What do I need to run BSChat?
A Linux host with Docker, a domain name, and ports 80 and 443. One compose command starts the app, the database and the TLS proxy; certificates renew automatically.
Is there an API for custom or mobile clients?
Yes. REST handles auth, a single Socket.IO connection carries everything else, and the crypto spec is documented byte for byte. A full mobile client can be built from the guides alone.