FastAnChat is a web-based anonymous chat application where every message is encrypted client-side using AES-256-GCM before it reaches the database. The server never sees plaintext — only the participants who share the room code can read the conversation.
No signup required, no cookies, no tracking scripts, no ads. Open a room, share the code, start chatting. When you leave, the data goes with you.
This project was built to solve a simple problem: how to have a quick, private conversation online without handing over your identity to yet another platform. It runs on a serverless stack (Vercel + Supabase) to keep operational costs at zero.
┌─────────────────────────────────────────────────┐
│ Browser (Client) │
│ │
│ React 19 + Next.js 16 (App Router) │
│ ├── Zustand store (single source of truth) │
│ ├── crypto.subtle (AES-256-GCM encrypt/decrypt)│
│ ├── Supabase Realtime (WebSocket subscribe) │
│ └── WebRTC (peer-to-peer video) │
│ │
│ encrypt(plaintext, roomCode) ──► ciphertext │
│ │ │
└────────────────────┼────────────────────────────┘
│ WebSocket / REST
┌────────────────────┼────────────────────────────┐
│ Supabase ▼ │
│ ├── PostgreSQL (rooms, messages, sessions) │
│ ├── Row Level Security (per-room isolation) │
│ └── Realtime (broadcast encrypted payloads) │
└─────────────────────────────────────────────────┘
Encryption flow:
- Room code (e.g. `X1X2X3`) acts as the shared secret.
- Key derivation: `SHA-256(roomCode + salt)` → 256-bit AES-GCM key via the Web Crypto API.
- Each message gets a fresh random 96-bit IV and is stored as `e2ee:<base64(iv)>:<base64(ciphertext)>`.
- The database only stores the ciphertext. Decryption happens client-side on receive.
- Anyone with the room code can derive the same key and decrypt; anyone without it cannot. Because the key is derived deterministically from the code, it is exactly as strong as the room code, so the code should be shared over a channel the server never sees.
- Go to fastanchat.vercel.app
- Click "Start Chat" — a 6-character room code is generated for you.
- Share the room code with anyone you want to chat with.
- They enter the code on the same site and join the room instantly.
- Start chatting. All messages are encrypted before leaving your browser.
That's it. No downloads, no accounts, no app installs. Works on any modern browser (desktop & mobile).
| Feature | Detail |
|---|---|
| End-to-end encryption | AES-256-GCM via crypto.subtle. All encrypt/decrypt happens in-browser, server stores only ciphertext. |
| Real-time messaging | Supabase Realtime (WebSocket). No HTTP polling, sub-second delivery. |
| Video calls | Peer-to-peer WebRTC between room participants; media is not routed through the application server. |
| Image sharing | Camera capture + gallery upload with client-side compression. Images are encrypted before send. |
| Reply threads | Reply to specific messages with quoted preview context. |
| Presence | Live online user count per room via Supabase Presence channels. |
| Room admin | Room creator can kick users and delete messages. |
| Rate limiter | Sliding window (5 messages per 5 seconds) to prevent spam. |
| XSS protection | HTML entity escaping on all user-supplied input before render. |
| Optimistic UI | Messages appear immediately with sending → sent → delivered status. |
| Auto-reconnect | Exponential backoff + navigator.onLine detection for unstable networks. |
| i18n | English & Indonesian, persisted to localStorage. |
| Dark / Light mode | CSS custom properties with theme toggle, saved per-user. |
| Bandwidth monitor | Built-in data usage tracker (intercepts fetch + WebSocket frames). |
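The sliding-window rate limiter from the table, as an added example rather than FastAnChat's own code, with the README's parameters (5 messages per 5 seconds). The clock is injected so that expiry of old timestamps can be exercised deterministically. The README does not say where the limiter runs; if it is enforced only in the browser it is a UX guard against accidental spam, since a participant who edits the client can skip it, so a matching server-side limit is what actually stops abuse.

```javascript
// Added example (not FastAnChat's code): sliding-window limiter, N sends per window.
class SlidingWindowLimiter {
  constructor({ limit = 5, windowMs = 5000, now = () => Date.now() } = {}) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;          // injectable clock (ms) for testing
    this.stamps = [];        // send timestamps inside the window, oldest first
  }

  // Drop timestamps that have fallen out of the window.
  _prune(t) {
    const cutoff = t - this.windowMs;
    while (this.stamps.length && this.stamps[0] <= cutoff) this.stamps.shift();
  }

  // Returns true and records the send if under the limit; false (nothing recorded)
  // if the caller must wait. A rejected send does not extend the window.
  tryAcquire() {
    const t = this.now();
    this._prune(t);
    if (this.stamps.length >= this.limit) return false;
    this.stamps.push(t);
    return true;
  }

  // Milliseconds until the next send would be accepted (0 if it would be accepted
  // now); useful for a "slow down" message in the UI.
  retryAfterMs() {
    const t = this.now();
    this._prune(t);
    if (this.stamps.length < this.limit) return 0;
    return this.stamps[0] + this.windowMs - t;
  }
}
```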
- No accounts, no identity — Each session is a random UUID in `sessionStorage`. No cookies, no login, no email.
- Row Level Security — PostgreSQL RLS policies enforce read/write access per `room_id`. Cross-room access is blocked at the database level.
- Client-side encryption — Even the Supabase anon key cannot read message content; it is encrypted before insertion.
- Room isolation — Each room runs on its own Realtime channel with a cryptographically random 6-char code.
- Input sanitization — All nicknames and messages are HTML-escaped before rendering to prevent HTML injection and XSS.
- No telemetry — Zero analytics, no third-party scripts, no data collection of any kind.
Screenshots: Landing, Chat Room.
Known issues:
- Image size is limited by Supabase's row payload limit (~1MB). Very large images may fail to send even after compression.
- WebRTC video calls may not connect behind strict corporate firewalls that block UDP traffic, and the limited TURN server fallback does not always work reliably.
- Room history is stored in `localStorage`; clearing browser data removes it.
Planned:
- File sharing (documents, audio)
- Message read receipts
- Typing indicators
- QR code room sharing
- Push notifications via Service Worker
If FastAnChat is useful to you, consider giving this repo a ⭐ — it helps with visibility and motivates continued development.
You can also support the developer financially to keep the server running and fuel future updates:
Built by Dio with ❤️
