Sendant
Security overview

How Sendant is built — and what we won't claim

Updated 11 July 2026

The architecture, the cryptography, the threat model, and a plain-language list of what's done, what's hardened, and what isn't finished yet. Written to be checked, not believed.

In one paragraph: Sendant is an end-to-end encrypted messenger with no phone number, no email, and no account. Your identity is a cryptographic key generated on your device. Messages are encrypted on-device with X3DH + the Double Ratchet — the same primitives Signal uses — by a single Go implementation shipped native on Android and as WebAssembly in the browser. Servers store and forward ciphertext only. It is not yet independently audited, and this page says so in the same breath as everything else.

Identity: a key, not a name

There is no registration. Creating an identity generates key material on your device; connecting with someone means exchanging an invite link or scanning a code — discovery is explicit and consensual, because there is no phone-number or email directory to mine. No identifier also means less to subpoena: the server has no account record that maps to a person.

Message encryption

One shared crypto core

X3DH establishes each conversation's keys; the Double Ratchet advances them with every message, giving forward secrecy (a stolen key can't decrypt past messages) and post-compromise recovery (sessions self-heal after a key exposure). The implementation is written once in Go and compiled for both clients — native library on Android, WebAssembly in the browser — so there is no second implementation to drift. Why that matters in a browser specifically is treated honestly and at length on the browser trust-model page.

Sealed-sender-style envelopes

Messages travel in envelopes whose sender header is opaque to the mailbox server: it can deliver to a recipient without reading who the sender is inside the envelope. Combined with ciphertext-only content, the server's view of a conversation is deliberately impoverished.

Verifiable safety numbers

Each conversation has a safety number derived by SHA-256 from both parties' full identity key bundles — twelve 5-digit groups, identical on Android and web. Compare it with your contact over any channel we don't control and you have personally verified there is no machine-in-the-middle, ours included.

What servers can and cannot see

Delivery today is an encrypted store-and-forward mailbox: if your contact is offline, ciphertext waits and delivers when their device reconnects (the full delivery ladder, including what's still roadmap, is documented here). The mailbox holds encrypted envelopes with expiry — not message text, not a contact graph, not an account profile. Voice calls are end-to-end encrypted WebRTC. A default-on "hide my IP during calls" setting — on Android and in the browser — forces call media through our relays so your network address is not exposed to the other party; if no relay is reachable, the call fails closed rather than quietly leaking your address.

The service infrastructure is hardened the boring way: strict transport security and content-security policies on the web properties, request timeouts and connection caps against resource-exhaustion attacks, per-IP and fleet-wide rate limits, and logging that excludes message content, tokens, and IP-to-identity joins.

Keys at rest

Honest status

Found a vulnerability? Email privacy@sendant.io with "SECURITY" in the subject. Reports go to the people who ship the fixes. Reproduction steps help; other people's message content doesn't belong in the report.

Check the claims yourself

Inspect the headers, compare the safety numbers, verify the APK signature — the point of this page is that you can.

Open web app Browser trust model Verify the APK