How RitChat works

RitChat is a minimal, file-based messenger with end-to-end encryption (E2EE). Encryption and decryption happen entirely in your browser using the WebCrypto API. The server never sees your passphrase or decrypted messages.

Core principles

  • No accounts, no registration, no user profiles.
  • No cookies or persistent identifiers.
  • All secrets live only in browser memory (RAM).
  • Closing the tab immediately destroys access.

Chat identity

A chat is identified by a deterministic chat_id derived from the shared passphrase:

normalized = trim(passphrase).normalize('NFC')
chat_id = hex(SHA-256("ritchat:chat-id:" + normalized)).slice(0, 32)

Key derivation

  • PBKDF2-HMAC-SHA-256
  • 310,000 iterations
  • Deterministic salt derived from the passphrase
  • Result: AES-GCM 256-bit key

Message encryption

  • AES-GCM with a random 12-byte IV for every message
  • Authenticated data binds ciphertext to the chat
  • Only encrypted payloads are stored on the server

Server storage model

  • One file per chat under @runtime/ritchat
  • Each line is a JSON event (msg, join, cleared)
  • No IP addresses are logged for RitChat requests

Retention and deletion

Chats that remain inactive for more than 7 days are automatically removed by the server cleanup task. Users can also manually clear chat history at any time.

Limitations

  • Security depends on the strength of your passphrase: the chat_id, the salt and the AES key are all derived from it alone, so anyone who guesses the passphrase can compute both the chat_id and the key.