End-to-end encrypted browser chat widget for the SimpleGo ecosystem.
One script tag. No app install. No registration. No user IDs.

---

Overview

GoChat is a browser-native encrypted chat widget that implements the SimpleX Messaging Protocol (SMP) directly in JavaScript. Website owners embed GoChat with a single script tag. Visitors open the chat, and their browser establishes an end-to-end encrypted connection to the site owner's SimpleX app. No accounts, no phone numbers, no metadata.

GoChat is part of the SimpleGo ecosystem and serves as the communication layer for GoShop, enabling encrypted product inquiries, order communication, and customer support.

---

Quick Start

Embed on any website

<script src="https://cdn.simplego.dev/gochat.js"
        data-contact-address="YOUR_SIMPLEX_ADDRESS_HERE"
        data-server-url="wss://smp.simplego.dev"
        async></script>

One line of code. The widget handles everything: Shadow DOM isolation, E2E encryption, key exchange, and UI.

Install via npm

npm install gochat-widget

Protocol library (for developers building custom apps)

npm install simplex-js

Configuration

<script src="https://cdn.simplego.dev/gochat.js"
        data-contact-address="YOUR_SIMPLEX_ADDRESS_HERE"
        data-server-url="wss://smp.simplego.dev"
        data-position="bottom-right"
        data-trigger="floating"
        data-name="Support"
        data-color="#45bdd1"
        async></script>

Attribute	Default	Description
data-contact-address	required	SimpleX contact address from your app
data-server-url	required	WSS URL of your SMP server
data-position	bottom-right	Widget position (bottom-right, bottom-left)
data-trigger	floating	floating (bubble icon) or custom (use GoChat.open())
data-name	GoChat	Header title
data-color	#45bdd1	Primary accent color
data-bubble-animation	shimmer-flip	Bubble animation (15 options, see below)
data-welcome	-	Welcome message after connection
data-lang	en	Interface language
data-z-index	10000	CSS z-index

Bubble animations

shimmer-flip (default), inner-glow, icon-breathe, shimmer, wiggle, color-shift, icon-flip, notification-dot, radar-sweep, pulse, neon, heartbeat, jelly, ring-rotate, float, none

Custom trigger

For sites that use their own button or menu item instead of the floating bubble:

<script src="https://cdn.simplego.dev/gochat.js"
        data-contact-address="YOUR_SIMPLEX_ADDRESS_HERE"
        data-server-url="wss://smp.simplego.dev"
        data-trigger="custom"
        async></script>

<button onclick="GoChat.open()">Contact us</button>

Theming

Customize colors via CSS Custom Properties on your page:

:root {
  --gochat-color-primary: #45bdd1;
  --gochat-color-background: #1a1a2e;
  --gochat-color-text: #e0e0e0;
}

---

How it works

Website visitor (browser)          SMP Relay Server           Site owner
        |                               |                        |
        |--- WSS + SMP ---------------->|                        |
        |    E2E encrypted              |--- SMP relay --------->|  SimpleX App
        |                               |                        |
        |<-- WSS + SMP -----------------|<-- SMP relay ----------|
        |    E2E encrypted              |                        |

1. Visitor clicks the chat widget on the website
2. Browser generates ephemeral keys and performs X3DH key exchange
3. Double Ratchet session is established (AES-256-GCM, forward secrecy)
4. Messages are encrypted in the browser before transmission
5. The SMP relay server forwards opaque 16 KB blocks - it cannot read content
6. Site owner receives messages in their SimpleX app (desktop or mobile)

The relay server, hosting provider, and CDN never see message content.

---

Use cases

• E-commerce - encrypted product inquiries, orders, and delivery addresses via GoShop
• Customer support - private support channel on any website
• Professional services - lawyers, agencies, consultancies offering clients a secure contact
• Healthcare - encrypted patient communication
• Personal sites - private contact without accounts or phone numbers

---

Features

• End-to-end encryption (X3DH + Double Ratchet, AES-256-GCM)
• Shadow DOM isolation (widget cannot affect host page and vice versa)
• Floating bubble or custom trigger mode
• Multi-step UX flow (Start, Name, Waiting, Chat)
• Visitor name (custom or anonymous guest)
• Offline messaging
• Delivery receipts (double checkmarks)
• Connection lifecycle management (END detection, timeout, delete notification)
• Delete confirmation with destruction sequence
• Responsive design (desktop and mobile)
• Reduced motion support
• Mock mode for development and demos
• AGPL-3.0 licensed

---

Security model

GoChat is a browser application. This section documents both its protections and its limitations.

Protections

End-to-end encryption. Messages are encrypted in the visitor's browser and can only be decrypted by the site owner. The relay server sees only encrypted 16 KB blocks. It cannot read content, distinguish message types, or correlate conversations.

No accounts or identifiers. Visitors are not identified by phone numbers, email, or usernames. Each session uses ephemeral keys destroyed when the tab closes.

Audited cryptography. All crypto operations use @noble/curves (6 independent security audits, used by Proton Mail and MetaMask).

Limitations

Browser code delivery. Unlike installed apps, GoChat's JavaScript is loaded from the web server on each visit. A compromised server could deliver modified code. This is the same trust model as online banking and all browser-based applications.

Mitigations include Subresource Integrity (SRI), Content Security Policy (CSP), minimal dependencies, and isolated crypto operations.

Ephemeral sessions. Keys are destroyed when the browser tab closes. Conversations do not persist across sessions. For persistent encrypted communication, use the SimpleX app directly.

Trust comparison

Platform	Trust requirement
SimpleX App	App store, OS integrity
Signal Desktop	Auto-update mechanism, Electron, OS
Online Banking	Bank's web server, browser
GoChat	Website server, browser

---

Architecture

Browser Client
  Chat Widget (Shadow DOM)
  Crypto Engine (X3DH, Double Ratchet, NaCl)
  SMP Transport (WebSocket + TLS)
       |
  SMP Relay Server
  Queue Management, Zero-knowledge storage
       |
  SimpleX App (desktop/mobile)
  or SimpleGo hardware terminal

Cryptographic stack

Layer	Algorithm	Purpose
Key exchange	X3DH (3x X448 DH + HKDF)	Initial shared secret
Message encryption	Double Ratchet (AES-256-GCM, 16B IV)	Forward secrecy
Transport auth	X25519 DH + HSalsa20 + XSalsa20-Poly1305	SMP command authorization
PQ resistance	SNTRUP761 KEM (parsing support)	Post-quantum key encapsulation

Security hardening roadmap

Documented in docs/SECURITY-HARDENING-ROADMAP.md:

1. CSP + SRI + Input Sanitization
2. Crypto Web Worker isolation
3. Non-extractable Web Crypto keys
4. Dependency vendoring
5. Cross-origin iframe isolation
6. Rust-to-WASM crypto core

---

Server requirements

GoChat runs in the browser and connects to SMP relay servers via WebSocket (WSS). This requires SMP servers that support WebSocket connections. Standard SimpleX public servers (like smp8.simplex.im, smp10.simplex.im, etc.) do not support WebSocket - they only accept native TLS connections from the SimpleX app.

This means: GoChat can only connect to SMP servers that have WebSocket support enabled. If your SimpleX contact address points to a server without WebSocket support, GoChat cannot establish a connection.

Options:

1. Use SimpleGo's public server - smp.simplego.dev (recommended, free, WebSocket-enabled)
2. Self-host - Build from the smp-web branch of simplexmq (PR #1738 by Evgeny Poberezkin). Requires a 4096-bit RSA Let's Encrypt certificate.

WebSocket support is based on PR #1738, authored by the SimpleX founder. The patch adds WebSocket connections on the same TLS port via warp-tls. It is maintained in the smp-web branch and has not yet been merged into the main SimpleX release. Once merged, all public SimpleX servers will support WebSocket and GoChat will work with any contact address.

Why this matters

Every SimpleX contact address contains the SMP server where that user's message queue lives. When a visitor opens GoChat and initiates a connection, GoChat must connect to that specific server - not just any server. If the contact address points to smp8.simplex.im (no WebSocket), GoChat cannot reach it. The contact address must point to a WebSocket-enabled server like smp.simplego.dev.

This also applies to the reply direction. When you accept a GoChat connection in your SimpleX app, the app creates a reply queue on one of your configured servers. If the app routes the reply through a server without WebSocket support (via private routing or because another server is set to receive messages), GoChat cannot reach it and the connection fails with an AUTH error. This is why all message routing must go through smp.simplego.dev until WebSocket support is available on the official SimpleX servers.

---

Setting up your contact address for GoChat

To use GoChat on your website, you need a SimpleX contact address that points to a WebSocket-enabled SMP server. Follow these steps in the SimpleX app (desktop or mobile).

We recommend creating a separate SimpleX profile dedicated to GoChat support. This way, the server settings described below only apply to your support profile, while your other profiles continue to work normally with all SimpleX servers.

Step 1: Add the SimpleGo SMP server

1. Open the SimpleX app
2. Go to Settings > Network & Servers
3. Tap Your servers
4. Tap Add server
5. Enter the server address:

   smp://7qw4hvuS-PvTHbotgtg_xiwrhFUk_s1q2upUQrGIWow=@smp.simplego.dev
   

6. Tap Test server - wait for the green checkmark
7. Enable Use for new connections
8. Go back to Network & Servers
9. Tap Save Servers

Step 2: Disable private routing on default servers

This step is critical. If the default SimpleX servers have "To receive" or "For private routing" enabled, your app will route reply queues through those servers. Since they don't support WebSocket, GoChat connections will fail with an AUTH error.

For each of the preset SimpleX servers (the ones you did NOT add yourself):

1. Go to Settings > Network & Servers
2. Tap on each preset server
3. Under "Use for messages", turn OFF "To receive"
4. Turn OFF "For private routing"
5. Go back and tap Save Servers

Only smp.simplego.dev should be active for sending and receiving. The preset servers can remain in the list but must not be used for receiving or routing.

Step 3: Create your contact address

If you already have a SimpleX contact address, you need to delete it first and create a new one. The old address points to a server without WebSocket support.

1. Go to Settings > Your SimpleX Contact Address
2. If you have an existing address, delete it
3. Tap Create new address
4. Your new address is now created on smp.simplego.dev
5. Tap Share address to copy it to your clipboard

Step 4: Add GoChat to your website

Take the address from your clipboard and add the GoChat script tag to your website:

<script src="https://cdn.simplego.dev/gochat.js"
        data-contact-address="YOUR_COPIED_ADDRESS_HERE"
        data-server-url="wss://smp.simplego.dev"
        async></script>

That's it. Visitors can now open the chat widget and their browser establishes an end-to-end encrypted connection directly to your SimpleX app.

Step 5: Accept incoming chats

When a visitor starts a chat on your website, a connection request appears in your SimpleX app. Accept the request and you can start messaging. Each visitor appears as a separate contact. Multiple concurrent conversations are supported.

Troubleshooting

If the chat widget shows "connecting to support" indefinitely after you accept the connection, or if the browser console shows SMP error: AUTH, check the following:

• Reply queue on wrong server: Open the browser console (F12) and look for Reply queue: in the log. If it shows any server other than smp.simplego.dev (like smp4.simplexonflux.com or smp8.simplex.im), your app is routing replies through a server without WebSocket support. Go back to Step 2 and make sure "To receive" and "For private routing" are disabled on all preset servers.
• Private routing enabled: If you have private routing turned on in your SimpleX app settings, the app will route messages through intermediate servers. Disable private routing for the profile you use with GoChat.
• Old connection cached: Delete the contact in your SimpleX app, reload the website (Ctrl+Shift+R), and start a fresh chat.
• Certificate fingerprint mismatch: If you see "Server certificate fingerprint mismatch", your contact address was created on a different server. Delete your address and create a new one after completing Steps 1 and 2.

---

Supported address formats

GoChat accepts SimpleX contact addresses in multiple formats. You can use whichever format your SimpleX app provides:

Full HTTPS format

The standard share link from the SimpleX app:

https://simplex.chat/contact#/?v=2-7&smp=smp%3A%2F%2F...

Short format

The compact address format:

https://smp.simplego.dev/a#ABCDxxxxxxxxxxxxxxxxxxxxxxx

Deep-link format

The simplex:// URI scheme used by the mobile app. GoChat automatically converts this to the HTTPS format:

simplex://contact#/?v=2-7&smp=smp%3A%2F%2F...

All three formats work in the data-contact-address attribute. GoChat normalizes the address internally before establishing the connection.

Important: Server compatibility

Regardless of format, the contact address must point to a WebSocket-enabled SMP server. If your address contains a server like smp8.simplex.im or smp10.simplex.im, GoChat cannot connect because those servers do not support WebSocket. Follow the setup steps above to create an address on smp.simplego.dev.

---

Development

git clone https://github.com/saschadaemgen/GoChat.git
cd GoChat
cd smp-web
npm install
npx vitest run              # 554+ tests
npm run build:browser       # dist/gochat-client.js (crypto engine)
npm run build:widget        # dist/gochat-widget.js (complete widget)

Repository structure

GoChat/
  .github/assets/              # Banner and images
  .claude/                     # Claude Code project configuration
  smp-web/                     # SMP browser client
    src/                       # Protocol + crypto source (25+ TypeScript files)
      __tests__/               # 554+ tests across 23 files
    widget/                    # Widget source (entry, UI, CSS, HTML, animations)
    package/                   # npm package files for gochat-widget
    dist/                      # Build output
    esbuild.config.mjs         # Crypto engine build config
    esbuild.widget.mjs         # Widget build config
  docs/
    PROTOCOL.md                # Technical protocol documentation
    RESEARCH.md                # Browser crypto and security research
    SECURITY-HARDENING-ROADMAP.md
    seasons/                   # Season plans and closing protocols
  LICENSE                      # AGPL-3.0
  README.md

---

Status

Done

Component	Season	Tests
WebSocket transport + SMP handshake	S2	-
SMP command implementation (14 commands)	S3	187
Connection flow + X3DH + Double Ratchet	S4	413
Chat UI + browser client API + server connectivity	S5	485
Connection request to SimpleX App	S6	493
Server infrastructure (Docker, TLS, WebSocket)	S7	-
SMP v9 authorization + MSG processing	S8	494
Full E2E pipeline (X3DH, Ratchet, HELLO, CON)	S9	537
Chat messaging + Desktop App + UX	S10	544
Delivery receipts + connection lifecycle	S11	551
Widget product (CDN, npm, animations, demo)	S12	551
Address format normalization	S13	554

In progress

Component	Season	Description
Security hardening	S13	CSP, SRI, Web Worker, vendoring

Planned

Component	Season	Description
GRP: Noise transport	S14	Noise IK/XX for GoRelay

Season overview

Season	Focus	Status
S1-S11	Protocol + E2E + Chat + Receipts + Lifecycle	Complete (551+ tests)
S12	Widget Product (CDN, npm, animations, demo)	Complete
S13	Security Hardening	In progress
S14+	GRP Profile (Noise, PQ, two-hop)	Future

npm packages

Package	Version	Description
gochat-widget	1.0.0	Embeddable chat widget with UI
simplex-js	1.0.0	Protocol library (no UI)

Live instances

URL	Description
cdn.simplego.dev/gochat.js	Widget CDN
demo.it-and-more.systems	Live demo with configurator
simplego.dev	SimpleGo website (GoChat embedded)
it-and-more.systems	IT and More Systems (GoChat embedded)

---

GoShop integration

GoChat is the communication layer for GoShop. In GoShop, all customer-shop communication flows through GoChat's encrypted channel: product inquiries, orders, delivery addresses, and status updates. The hosting provider, CDN, and relay server cannot read any of this data.

GoChat works standalone as a support chat widget on any website. GoShop adds structured e-commerce messaging on top of the same encrypted channel.

---

SimpleGo ecosystem

Project	Description	Repository
SimpleGo	Dedicated hardware messenger (ESP32-S3)	GitHub
GoChat	Browser-native encrypted chat widget (this project)	GitHub
GoShop	End-to-end encrypted e-commerce	GitHub
GoRelay	Encrypted dual-protocol relay server (SMP + GRP)	GitHub
GoBot	SimpleX moderation and verification bot	GitHub
GoUNITY	Verified identity certificate authority	GitHub
simplex-js	JavaScript SimpleX protocol implementation	GitHub

---

Documentation

Document	Description
PROTOCOL.md	Technical protocol documentation
RESEARCH.md	Browser crypto and security research
SECURITY-HARDENING-ROADMAP.md	Six-phase security hardening plan
SEASON-PLAN.md	Season plan and roadmap

---

License

AGPL-3.0. Derivative work of SimpleXMQ by SimpleX Chat Ltd.

Commercial licensing available for integration into proprietary products. Contact: info@it-and-more.systems

Acknowledgments

SimpleX Chat (SimpleX Messaging Protocol) - @noble/curves (Ed25519, X25519, X448) - @noble/ciphers (XSalsa20-Poly1305, AES-256-GCM) - tweetnacl (NaCl crypto_box)

---

GoChat is part of the SimpleGo ecosystem by IT and More Systems, Recklinghausen, Germany.