Your conversations are nobody's business.

Group chat, voice, and communities, like Discord, except the server can't read your messages, your metadata, or even your community's name. End-to-end encrypted, with post-quantum key exchange.

Coming Soon See How It Works
The Hushwire desktop app showing a community with text channels on the left, an encrypted conversation in the center, and the member list on the right.
Why This Exists

"Just trust us," isn't good enough.

You already know the pitch from every other platform: we care about your privacy. And then they log everything, sell the patterns, and hand it over when someone with a badge asks nicely. Any platform that can read your data will eventually be compelled to share it. That is a structural problem, not a policy failure.

Hushwire doesn't ask you to trust us. The server literally cannot read your messages. It cannot read your community's name. It cannot see who sent a direct message. It cannot decrypt your profile picture. Not because of a policy: because of math. Even your GIF searches run through the server, so your IP never touches Giphy. That is the difference between a privacy policy and a privacy architecture.

If you've ever had to think twice about what you say in a group chat — about who you are, who you're with, what you believe, what you're working on — this is built for you. Not as a feature. As the entire point.

Security & Privacy

Encrypted before it ever leaves your device.

Privacy isn't a setting you switch on. It's how Hushwire works at the lowest level — your messages, your metadata, and your history are protected by default.

Post-Quantum Security

Today's encryption will eventually fall to quantum computers, and adversaries are already recording traffic to crack later. Hushwire uses encryption built to resist quantum attacks, so the messages you send now stay private years from now.

Forward Secrecy

Your keys keep changing as you chat, and a group's keys rotate the moment someone leaves. Even if a key is ever exposed, it can't unlock your earlier messages, or anyone else's. One compromise stays contained.

Metadata Privacy

The server delivers your direct messages without learning who sent them. It can't read your community's name or see who's talking to whom. The patterns other apps collect and sell, Hushwire never gathers in the first place.

Features

Everything a community needs, encrypted by default.

Channels, voice, roles, and the everyday tools you'd expect — attachments, emoji, link previews, multi-device — built so the server never sees what's inside.

Group Messages & DMs

Text channels organized into categories. Direct messages. Replies, reactions, edits, deletes, pins, markdown, presence. The familiar shape of a community platform, encrypted end-to-end by default.

Voice Channels

Your voice is encrypted on your device before it ever reaches the network. The server just relays the audio packets, it can't listen in. Low latency, no third party on the line.

Roles & Permissions

Fine-grained permissions, down to individual actions. Per-channel and per-category overwrites. Multi-role assignment. Audit logs. Full community governance without giving up encryption to get it.

Attachments

Send files and images up to 25 MB, encrypted end-to-end like everything else. Images render inline; the server only ever stores ciphertext it can't open.

Custom Emoji

Up to 50 custom emoji per community. Uploaded encrypted, decrypted only on members' devices, and ready to drop into messages and reactions.

Avatars

Profile pictures for people and communities, encrypted on your device before upload. The server holds an opaque blob, never an image.

GIF Search

Search Giphy without Giphy seeing you. The server runs the query on your behalf, so your IP address never touches their infrastructure.

Link Previews

Pasted links unfurl into rich preview cards, fetched server-side with SSRF protection and dedicated handling for YouTube.

Encrypted Local Storage

Everything Hushwire saves on your device is encrypted with a key tied to your password. Lose your laptop or phone and your messages stay unreadable, even to whoever ends up with it.

Multi-Device

Link a second device with Signal's Sesame protocol and confirm it with a 30-digit verification code. Your devices stay in sync without the server learning your keys.

Account Recovery

A 256-bit recovery key, shown once as a 24-word phrase, lets you reset your password and recover your account. Write it down; it never leaves your device.

How the Encryption Works

Our own Signal Protocol implementation, written from scratch in Rust.

Hushwire implements the Signal Protocol, the same peer-reviewed design that secures Signal itself. We built our own clean-room version from the ground up in Rust. If you're a security researcher, the primitives, constructions, and design choices are all laid out. Read the full details.

Hushwire account setup showing a 24-word recovery key laid out in a numbered grid for the user to write down.
The 24-word recovery key is generated on your device and shown once. The server never sees it.

Zero server knowledge

Messages are encrypted on your device. The server relays ciphertext it cannot read. But Hushwire goes further: community names, descriptions, and avatars are also encrypted before upload. The server cannot produce readable data because it never had any.

Five security tiers

Choose the right tradeoff per channel.

Openunencrypted; full history and pins
Standardfull history and pins for everyone
Secureremoving a member cuts their access and hides older history from new joiners
Strictno message history or pins
Transientmessages deleted once delivered

Identity verification

Verify contacts by comparing safety numbers out-of-band — the same pattern Signal uses. Multi-device linking uses 30-digit SAS verification. Identity key changes trigger visible warnings.

hushwire-crypto — Clean-room Signal Protocol implementation. PQXDH key agreement with ML-KEM-1024, Double Ratchet with continuous post-quantum ratcheting (ML-KEM-768), Sender Keys, Sealed Sender. Written in Rust. Read the source.
Written in Rust — memory safety without a garbage collector. Built on x25519-dalek, ed25519-dalek, ml-kem, and chacha20poly1305 — audited, widely-used cryptographic crates. The kind of foundation you pick when mistakes have consequences.
Encrypted metadata — profile pictures are encrypted before upload. Guild names and descriptions are stored as ciphertext. Even the metadata about your community is opaque to the server.
Pricing

One plan. You're the customer, not the product.

Joining a community is always free. You only pay to create your own — $49 a year as an early adopter, and that rate stays yours even after it rises to $99. No ads, nothing to sell; you subscribe inside the app.

$49 / year

Early adopter price — the plan rises to $99, but your rate stays $49.

  • Create your own community
  • Unlimited members
  • Up to 10 people in voice at once
  • 50 custom emoji slots
  • Every encryption feature, nothing paywalled
Coming Soon See full pricing
Get Started

Built for communities where privacy is safety.

Download Hushwire, create a community, and invite the people who matter. Desktop for macOS, Windows, and Linux; iOS and Android are on the way.

Coming Soon