Zero-Knowledge, End-to-End Encrypted, Self-Destructing Chat.
Velox is a secure communication tool designed for absolute privacy. Rooms are ephemeral, identities are anonymous, and messages are encrypted on your device before they ever touch our servers. We cannot read your messages even if we wanted to.
- 🔒 End-to-End Encryption (E2EE) — Messages are encrypted with AES-GCM (256-bit) using a key derived from the room invite. The server only stores ciphertext.
- 💣 Self-Destructing Rooms — Set a timer (2, 5, or 10 minutes). When it expires, the room and all data are permanently wiped from Redis.
- 👻 Truly Anonymous — No accounts, no emails, no logs. Auto-generated identities (e.g., `anonymous-wolf`).
- 🛡️ IDOR-Proof Access Control — Access is strictly controlled via cryptographically secure keys. Knowing a Room ID is not enough to join.
- ⚡ Real-Time — Instant message delivery via Upstash Realtime (Server-Sent Events).
- 📋 Smart Invites — Share a single link that contains the secure key. Special `VEL-` codes allow safe manual entry.
```mermaid
graph LR
    A[User A] -->|Encrypts| B(Browser)
    B -->|Sends Ciphertext| C{Relay Server}
    C -->|Broadcasts| D(Browser)
    D -->|Decrypts| E[User B]
    C -.->|Stores| F[(Redis TTL)]
```
Velox follows a Zero-Knowledge architecture. Here is how we secure your data:
- Room Creation:
  - The server generates a `RoomID` (nanoid) and a cryptographically secure, random 32-character `RoomKey`.
  - The server also generates a unique random `Salt`.
  - The `RoomKey` is sent only to the creator. The server stores a hash/metadata but does NOT use this key for encryption.
- Joining:
  - To join, you must possess the `RoomKey` (embedded in the link or invite code).
  - The browser requests the `Salt` from the server using the `RoomKey` for authentication.
  - Client-Side Derivation: Your browser uses PBKDF2 (150,000 iterations) to mix the `RoomKey` + `Salt` into a derived Encryption Key.
  - This Encryption Key never leaves your device.
- Messaging:
  - Encryption: Messages are encrypted locally using AES-GCM with a unique, random 12-byte IV (Initialization Vector) for every message.
  - Transport: The server receives only `iv:ciphertext`. It cannot decrypt this.
  - Decryption: Other participants (who also derived the key client-side) decrypt the message locally.
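The joining and messaging steps above, sketched with the Web Crypto API as an added example; this is not the project's `crypto.ts`. Assumptions: SHA-256 as the PBKDF2 hash, base64 encoding for the two halves of `iv:ciphertext`, constructed sample key and salt values, and hypothetical function names.

```javascript
// Added example, not Velox source. Assumed: PBKDF2 hash = SHA-256,
// wire format = base64(iv):base64(ciphertext); all names are hypothetical.
const enc = new TextEncoder();
const dec = new TextDecoder();
const toB64 = (bytes) => btoa(String.fromCharCode(...bytes));
const fromB64 = (s) => Uint8Array.from(atob(s), (c) => c.charCodeAt(0));

async function getCrypto() {
  // Browsers and recent Node expose globalThis.crypto; older Node needs node:crypto.
  return globalThis.crypto ?? (await import("node:crypto")).webcrypto;
}

async function deriveKey(roomKey, salt) {
  const { subtle } = await getCrypto();
  const material = await subtle.importKey("raw", enc.encode(roomKey), "PBKDF2", false, ["deriveKey"]);
  return subtle.deriveKey(
    { name: "PBKDF2", salt, iterations: 150000, hash: "SHA-256" },
    material,
    { name: "AES-GCM", length: 256 },
    false, // non-extractable: script cannot export the derived key
    ["encrypt", "decrypt"]
  );
}

async function encryptMessage(key, plaintext) {
  const c = await getCrypto();
  const iv = c.getRandomValues(new Uint8Array(12)); // fresh 12-byte IV per message
  const ct = await c.subtle.encrypt({ name: "AES-GCM", iv }, key, enc.encode(plaintext));
  return `${toB64(iv)}:${toB64(new Uint8Array(ct))}`; // what the relay would see
}

async function decryptMessage(key, wire) {
  const { subtle } = await getCrypto();
  const [iv, ct] = wire.split(":").map(fromB64);
  // Rejects if the key is wrong or the ciphertext was altered (GCM tag check).
  return dec.decode(await subtle.decrypt({ name: "AES-GCM", iv }, key, ct));
}

async function demo() {
  const salt = enc.encode("constructed-salt-0001"); // constructed sample value
  const key = await deriveKey("constructed-room-key-0123456789ab", salt);
  const other = await deriveKey("a-different-room-key-0123456789ab", salt);
  const w1 = await encryptMessage(key, "hello");
  const w2 = await encryptMessage(key, "hello");
  const wrongKeyRejected = await decryptMessage(other, w1).then(() => false, () => true);
  return { plaintext: await decryptMessage(key, w1), distinct: w1 !== w2, wrongKeyRejected };
}
```

`demo()` shows three properties worth checking in any implementation of this design: the round trip succeeds, identical plaintexts produce different wire strings because of the per-message IV, and a key derived from a different `RoomKey` fails authentication instead of yielding garbage.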
| Layer | Technology |
|---|---|
| Framework | Next.js 16 (App Router) |
| Language | TypeScript |
| Security | Web Crypto API (Native Browser Encryption) |
| API | Elysia (Type-safe API backend) |
| Database | Upstash Redis (Serverless, TTL expiry) |
| Realtime | Upstash Realtime (SSE) |
| Styling | Tailwind CSS v4 |
```bash
git clone https://github.com/Ansh0305/Velox.git
cd Velox
npm install
```

Create a `.env` file in the root directory:

```env
UPSTASH_REDIS_REST_URL=your_upstash_redis_url
UPSTASH_REDIS_REST_TOKEN=your_upstash_redis_token
# Optional: Public URL for copy-link feature in production
NEXT_PUBLIC_APP_URL=https://your-domain.com
```

```bash
npm run dev
```

Open http://localhost:3000 to create your first secure room.
```
src/
├── app/
│   ├── api/                 # Elysia Backend
│   │   ├── [[...slugs]]/    # API Router + E2EE Auth Middleware
│   │   └── realtime/        # SSE Endpoint
│   ├── room/[roomId]/       # Secure Chat Room (Decryption logic here)
│   └── page.tsx             # Lobby & Join Flow
├── lib/
│   ├── crypto.ts            # CORE: AES-GCM & PBKDF2 logic
│   ├── parse-invite.ts      # Secure link parsing utility
│   ├── redis.ts             # DB Connection
│   └── realtime.ts          # SSE Helper
└── proxy.ts                 # Middleware for route protection
```
- Secure File Sharing — Encrypted blob storage for images.
- Burn-on-Read — Option for messages to disappear immediately after being viewed.
- Voice Notes — Encrypted audio blobs.
- QR Code Invites — Scan to join instantly on mobile.
This project is open source and available under the MIT License.
Built with ⚡ & 🔒 by Sirigiri Sai Ansh Raj