BSChat
Self-hosted internal chat with true end-to-end encryption.

Private team chat, on your own servers.

Your messages are encrypted on your device before they ever leave it. The server only stores ciphertext - nobody but you and your recipients can read your conversations.

  • AES-256-GCM messages
  • RSA-4096 key exchange
  • Zero-knowledge server

  • AES-256: message encryption (GCM)
  • RSA-4096: key exchange (OAEP)
  • 4 interface languages
  • 100% self-hosted, your data

Features

Everything a team needs, nothing it should fear

A complete internal messenger: private by design, pleasant to use, and fully under your control.

End-to-end encrypted

RSA-4096 key exchange and AES-256-GCM message encryption. The server never sees plaintext.

Real-time sync

A single WebSocket connection keeps every device in sync with cursor-based event delivery.

Self-hosted

Run it on your own infrastructure. Your data never leaves your servers.

Groups, channels & roles

Owners, admins and members with fine-grained permissions. Group keys rotate automatically when someone is removed.

Admin dashboard

Usage statistics, user and group management, and role control, built in and ready from day one.

Secure attachments

Photos and files travel through the same end-to-end encrypted pipeline as your messages.

Multi-device sync

Cursor-based delivery brings every device up to date the moment it reconnects. Nothing is missed.

Fully multilingual

English, Dutch, French and Latvian out of the box. Adding another language is a single JSON file.

Light, dark & auto themes

Light, dark, follow-your-system or time-of-day themes, synced across all your devices.

Security

How your messages stay yours

True end-to-end encryption, not a checkbox. Every step happens on your device, before anything touches the network.

  1. Keys are born on your device

    On registration your browser generates an RSA-4096 key pair. The private key is encrypted with your password and never leaves your device unprotected.

  2. Every message is sealed

    Each message is encrypted with AES-256-GCM, and the key is wrapped with the recipients' public keys, all before it is sent.

  3. The server stores only ciphertext

    The server routes and stores encrypted blobs it cannot open. Even a full database leak reveals no conversations.
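
The steps above, sketched as an added example (not BSChat's code or its byte-level spec): each message is encrypted once with AES-256-GCM and the message key is wrapped under every recipient's RSA-OAEP public key. The function names, envelope fields, SHA-256 OAEP hash, 12-byte IV and use of Node's built-in crypto module are assumptions; password protection of the private key from step 1 is not shown.

```javascript
// Added illustration; not BSChat's implementation or wire format.
const crypto = require("node:crypto");

// Assumed parameters: the page names RSA-OAEP and AES-256-GCM but not the
// OAEP hash or IV length, so common choices are used here.
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: "sha256" };

// The page specifies RSA-4096; pass a smaller size only to speed up a demo run.
function newKeyPair(bits = 4096) {
  return crypto.generateKeyPairSync("rsa", { modulusLength: bits });
}

// Encrypt once with a fresh AES-256 key, then wrap that key per recipient.
// recipients: object mapping a user id to that user's public key.
function sealMessage(plaintext, recipients) {
  const key = crypto.randomBytes(32); // per-message key, never stored unwrapped
  const iv = crypto.randomBytes(12);  // unique per message
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const wrappedKeys = Object.create(null);
  for (const [userId, publicKey] of Object.entries(recipients)) {
    wrappedKeys[userId] = crypto.publicEncrypt({ key: publicKey, ...OAEP }, key);
  }
  // This object is all a server would hold: no plaintext and no raw key.
  return { iv, ciphertext, tag: cipher.getAuthTag(), wrappedKeys };
}

// Returns the plaintext, or null when the user has no wrapped key, the
// private key does not match, or the GCM tag check detects tampering.
function openMessage(envelope, userId, privateKey) {
  const wrapped = envelope.wrappedKeys[userId];
  if (!wrapped) return null;
  try {
    const key = crypto.privateDecrypt({ key: privateKey, ...OAEP }, wrapped);
    const decipher = crypto.createDecipheriv("aes-256-gcm", key, envelope.iv);
    decipher.setAuthTag(envelope.tag);
    const plain = Buffer.concat([decipher.update(envelope.ciphertext), decipher.final()]);
    return plain.toString("utf8");
  } catch {
    return null;
  }
}
```

Sealing the next message for a smaller recipient set leaves a removed member with no wrapped key to open, which is the property group-key rotation depends on.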

Zero-trust by architecture

You do not have to trust the server, the hoster, or us. The design guarantees privacy even if the infrastructure is compromised.

  • Private keys never leave your device unencrypted
  • Group keys rotate automatically when a member is removed
  • The server can route messages but never read them
  • Short-lived access tokens with refresh rotation
  • Openly documented protocol and byte-level crypto spec
Self-hosting

Your infrastructure, your rules

One command brings up the whole stack on your own hardware. No third parties, no data leaving your network.

Deploy in minutes

$ git clone https://your-git/bschat && cd bschat

$ cp .env.example .env

$ docker compose up --build

✓ db ready · migrations applied

✓ BSChat listening on http://localhost:3000

  • One-command deploy

    docker compose up --build starts the app, PostgreSQL and the TLS proxy in one optimized image.

  • Automatic HTTPS

    Nginx terminates TLS with Let's Encrypt certificates that are issued and renewed automatically.

  • Reliable storage

    PostgreSQL 16 with Prisma; migrations are applied automatically on every start.

  • Production-ready

    Health checks, structured logs and a lean non-root container image out of the box.

Developers

An open, documented protocol

Build your own client, a bot, or a mobile app. Everything the official client uses is specified.

REST + Swagger

Authentication is the only REST surface. Explore it live in the built-in Swagger UI.

One socket for everything

After login, every operation is an RPC call over a single Socket.IO connection, with cursor-based events.

Byte-level crypto spec

The E2EE scheme is specified byte for byte, enough to build a mobile client without reading the source.

FAQ

Frequently asked questions

Short answers to the questions teams ask before switching.

Can the server administrator read my messages?

No. Messages are encrypted on your device and only your recipients hold the keys to unwrap them. The server, and whoever operates it, stores ciphertext only.

What happens if I forget my password?

Your password protects the private key on each device. Without it the key cannot be decrypted, so resetting creates a new encryption identity and old messages may become unreadable. That is the price of real end-to-end encryption.

What do I need to run BSChat?

A Linux host with Docker, a domain name, and ports 80 and 443. One compose command starts the app, the database and the TLS proxy; certificates renew automatically.

Is there an API for custom or mobile clients?

Yes. REST handles auth, a single Socket.IO connection carries everything else, and the crypto spec is documented byte for byte. A full mobile client can be built from the guides alone.

Ready to own your team's conversations?

Deploy BSChat on your own infrastructure in minutes and give your team a place to talk that nobody else can read.