zero-knowledge · onion-routed · forward-secret

nullcord

Messaging that leaves nothing behind. End-to-end encrypted, onion-routed, with no accounts, no logs, and no trace.

download now launch on web

Windows · web app works on all platforms

no accounts
no logs
no metadata
in-browser crypto
forward secrecy
how it works

Designed to be untraceable

Every message travels through layered encryption and a multi-hop relay network. No single point ever sees the full picture.

01 — onion routing
you
wraps message in 3 encryption layers · sends to relay 1
relay 1
removes outer layer · knows: prev + next only
relay 2
removes middle layer · knows: prev + next only
relay 3
removes inner layer · delivers encrypted payload
them
decrypts with their private key · reads plaintext
encryption layers → layer 3 · ephemeral ECDH + AES-GCM layer 2 · ephemeral ECDH + AES-GCM layer 1 · ephemeral ECDH + AES-GCM e2e double-ratchet payload
No relay ever sees both the sender and the final destination simultaneously. No relay can read the payload — every layer uses a fresh ephemeral key pair negotiated per circuit. The coordinator delivers an opaque encrypted blob and nothing more.
02 — forward secrecy via double ratchet
Key Evolution Per Message
Each message derives a unique key. Compromising one reveals nothing about any other.
ECDH shared secret
root key
chain key
msg key₁
msg key₂
msg key₃
···
DH ratchet step (on reply)
new ephemeral DH pair
+
peer's current pub key
new root key
new chain → new msg keys
key derivation is one-way — cannot reverse
DH ratchet advances on each reply cycle
message keys are zeroed from memory after use
break-in recovery — future messages heal after compromise
03 — threat model: who sees what
Visibility by Party
What each party in the chain can and cannot see. Every cell is a result of the cryptographic architecture — not policy.
relay
nodes
coordinator
server
vps
provider
your
isp
law
enforcement
message content
recipient identity
your real IP
files & media
contact / group list
you use nullcord
historical logs
not visible
visible
partial / limited
relay nodes — entry relay sees your IP only; middle and exit relays see neither sender nor recipient
coordinator — sees recipient mailbox ID (a random hash), not a real identity; no message content
historical logs — VPS and ISP may retain network-level traffic logs outside the app's control; the app itself keeps none
voice calls are peer-to-peer — audio never touches the server; peers see each other's IP during a call
features

Everything private. Nothing optional.

Messaging, calls, screen sharing, and file transfer — all encrypted end-to-end, all anonymous, all in your browser.

Onion Routing
Traffic bounces through a multi-hop relay network. No single node knows both who you are and who you're talking to.
End-to-End Encrypted
Messages are encrypted in your browser before leaving your device. The server sees only an opaque encrypted blob.
Forward Secrecy
The double ratchet evolves keys with every message. Past conversations remain safe even if a current key is ever exposed.
No Accounts
Your identity is a cryptographic key pair generated entirely in your browser. No email, no phone number, no sign-up.
Ephemeral by Default
Set your identity to auto-wipe on a timer — 1 hour to 1 month — or keep it indefinitely. When it's gone, it's gone. Optional encrypted auto-login lets you resume without any plaintext stored on disk.
Encrypted File Transfer
Files are encrypted with a random per-transfer key, chunked, and routed through the same onion circuit. Optionally persist files and media locally — encrypted in your browser's storage, unreadable even if the server is ever compromised.
Encrypted Voice Calls
Peer-to-peer voice calls secured with DTLS-SRTP. Signalling travels through the onion circuit — the server never handles your audio, ever.
Screen Sharing
Share your screen up to 4K over an encrypted peer-to-peer channel. Requires an active voice call — no sharing without a verified connection.
Code Sharing
Paste code in triple backticks and it renders as a styled, syntax-aware block with language detection and one-click copy. C++, Python, Rust, Go, and more.
Encrypted Group Chats
Create or join anonymous groups with a shared AES-256 key. All group messages are end-to-end encrypted. Contact and group requests queue server-side for 24 hours — no message lost if the recipient is briefly offline.
privacy guarantee

Nothing stored. Nothing to give up.

The best protection is having nothing to hand over. nullcord is built around that principle end to end.

what the server never sees
message content — server receives only encrypted blobs
IP addresses or geolocation
user accounts, identifiers, or sign-up data
metadata — who spoke to who, or when
file contents or transfer records
encryption keys — generated in your browser, never leave your device
contacts, groups, or session history
how privacy is enforced
all cryptography runs in your browser — zero server involvement
messages unreadable to server and all relay nodes
sender hidden from relays, recipient hidden from entry relay
message keys zeroed from memory after use
one-time licence: everything wiped on refresh, wipe notices sent to all contacts
timed licence: contacts and messages encrypted locally on your device, auto-destroyed on expiry
multiple accounts fully isolated — no state bleeds between sessions or tabs
content security policy blocks all external connections at the browser level
WebCrypto · ECDH P-256 · AES-GCM-256 · HKDF-SHA-256 · Double Ratchet
get started

Start a conversation
that leaves no trace.

Generate a key pair and you're in. No signup. No waiting. No record.

download for windows launch on web

web app works on all platforms · no install required