What is Chatalot

Chatalot is a self-contained chat platform — direct messages, groups, channels, voice and video, file sharing — that you can run on a single server and point a domain at. Messages between people are end-to-end encrypted. The server is a relay, not a reader.

It exists because the alternatives compromise on something important. Discord is convenient but you don’t own it; the company holds your community’s data, the rules can change overnight, and the platform is unambiguously a public-facing product surveilling its users. Matrix solves the ownership problem but pays for it with operational complexity, federation surface area, and a UX that still trails the proprietary options. Slack and Teams are corporate-by-design and priced for enterprise procurement.

Chatalot lives in between. It’s a single Docker stack — server, database, optional TURN — with a web UI and a desktop app. There’s no federation to configure. There’s no SaaS in the loop unless you choose one (Seglamater offers a managed tier; everything else is fully self-host). The protocol is end-to-end encrypted using the same primitives Signal uses: X3DH for key agreement, Double Ratchet for forward secrecy, Sender Keys for groups. The crypto compiles to WebAssembly and runs in the browser; the server stores ciphertext it cannot decrypt.

It’s open-core, and the core is genuinely open. The same software runs whether you self-host or buy a managed deployment. Paying customers don’t get a different binary — they get a support relationship, a signed update pipeline, and someone whose job it is to keep their instance healthy.

What’s end-to-end encrypted

• Direct messages between users
• Group and channel messages
• Voice and video call media (DTLS-SRTP, peer-to-peer)
• File transfers attached to encrypted messages

What’s not end-to-end encrypted (yet)

• Webhook payloads. Incoming webhook messages are stored as plaintext on the server because the sender — typically a CI system or alerting tool — has no way to participate in the E2EE protocol. Tracked as CHAT-9 for a future hardening pass.
• Server-side search index. Search currently runs against a server-side index. A WASM client-side search rebuild is on the roadmap as CHAT-8; until that ships, message bodies are accessible to a database-level operator on the search path.
• Message metadata. Sender, recipient, timestamp, and size are visible to the server. This is fundamental to routing; metadata privacy needs a different protocol family entirely (onion routing or similar) and Chatalot does not claim it.
• Account identifiers and roles. Usernames, optional emails, and role assignments live in plaintext.

These are documented honestly because the security story is only useful if it’s accurate. See Security for the full disclosure.

Who’s behind it

Chatalot is published by Seglamater — a small software company building infrastructure-grade tools for teams that want to own their stack. Self-host is free forever. Managed deployments fund continued development.