How Vant Chat Works - Technical Architecture

Architecture Overview

Vant Chat uses a relay-based architecture for message delivery. Messages are encrypted on your device before being sent to our relay server, which routes them to the recipient. The server never sees plaintext message content.

Message Flow

Sender Device
↓ (Encrypt with recipient's public key)
Encrypted Message → Relay Server → Recipient Device
↓ (Decrypt with private key)
Plaintext Message

When both users are online, messages are delivered in real-time via WebSocket connections. When a recipient is offline, messages are temporarily stored in encrypted form on our relay server (Redis with TTL) and delivered when they come back online.

Encryption Stack

Key Exchange: X25519 elliptic curve Diffie-Hellman
Message Encryption: AES-256-GCM (Galois/Counter Mode)
Integrity: HMAC-SHA256
Call Encryption: WebRTC with DTLS-SRTP
Key Derivation: HMAC-SHA256 for call encryption keys

What the Server Sees

Our relay server routes encrypted payloads and can see the following metadata:

Timestamps (when messages are sent/delivered)
IP addresses (for routing)
Message sizes (for bandwidth management)
Public keys (for encryption)
Device IDs (for message routing)

The server never sees: Message content, call audio, or any plaintext data. Encrypted messages are temporarily stored for offline delivery (up to 7 days) and automatically deleted.

Voice Calls

Voice calls use WebRTC for peer-to-peer audio streaming. Media flows directly between devices whenever possible, minimizing server involvement. The relay server only handles signaling (call setup, ICE candidate exchange).

Peer-to-Peer Media: Audio flows directly between devices
Signaling: Server handles call setup only
No Server Recording: The relay server never sees or records call audio

Push Notifications

When the app is closed, we use Apple Push Notification Service (APNs) and Firebase Cloud Messaging (FCM) to deliver notifications. These services may log metadata including timestamps and device IDs, but never message content. Message content remains encrypted end-to-end.

Temporary Storage

Messages for offline recipients are temporarily stored in Redis with a time-to-live (TTL) expiration. Once the TTL expires or the message is delivered, it is permanently deleted from the server. We do not store message content long-term.

Security Best Practices

End-to-end encryption by default for all messages and calls
No plaintext content ever stored on servers
Perfect forward secrecy through ephemeral key exchange
Regular security audits and updates
Industry-standard cryptography libraries (no custom implementations)