App Review

XChat Review (2026): Convenience First, Audit Pending

New encrypted messenger from X

7.9
/ 10
★ 4.0 / 5

XChat is the newest encrypted messenger on the market, launched inside the X (formerly Twitter) ecosystem on April 24, 2026. We score it 7.9 / 10: E2EE is on by default and there is no phone-number requirement, but the protocol is closed, no independent audit exists yet, and your identity is locked to your X account. For X users it's the easiest encrypted option in 2026; for high-threat-model users, Signal and Threema remain the safer choices.

Reviewed by the xchat.directory editorial team · Last reviewed

XChat at a glance

Price Free
Encryption Default (E2EE)
Owner Commercial · United States
Phone required No
Open source No
Platforms iOS / Android / Web
Group size 1,000 members
Launched April 24, 2026

What Is XChat?

XChat is the newest end-to-end encrypted messenger on the mainstream market, launched by X Corp on April 24, 2026 inside the X (formerly Twitter) app. It replaces the long-running legacy direct-message system with a fully E2EE experience and ships with group chats of up to 1,000 members (350 at launch, growing), voice and video calls, screenshot blocking, and disappearing messages.

Unlike Signal, Threema, or WhatsApp, XChat does not require a phone number or an email address. Your identity is simply your X account handle — so if you already have an X account you can start messaging with anyone on X within seconds of upgrading the app. That tight integration with the social graph is XChat's killer feature and its biggest trade-off: switching off X means switching off XChat.

Privacy & Security — What We Know and What We Don't

XChat turns on end-to-end encryption by default for every chat, group, voice call, and video call. Screenshot blocking and disappearing messages are first-class features. So far, so good — and meaningfully better than the legacy X DMs which were not E2EE at all.

The catch is transparency. There is no published protocol specification for XChat, no public independent third-party security audit, and the client and server code are closed source. That means outside researchers cannot verify that the cryptography on the device actually matches what X Corp claims is happening, and what the server is actually doing. By contrast, the Signal Protocol has been peer-reviewed in academic journals and the Signal app has been audited repeatedly.

We treat XChat's encryption as a trust claim, not a verified property. For everyday conversations with people you know, that is a reasonable trade-off. For journalists, activists, or anyone with a high threat model, it isn't.

What XCorp can still see

  • The body of messages is encrypted and unreadable to X.
  • The metadata — who is messaging whom, when, how often — is held by X and is subject to lawful-access requests and to X's standard account policies.
  • Your identity is your X handle, which is pseudonymous by default but not anonymous. Anything tied to your X profile (avatar, bio, followers) leaks through to XChat.

Features — What's Actually in the App

  • One-to-one and group chats (up to 1,000 members) — E2EE by default
  • Voice and video calls with E2EE on the same protocol
  • Screenshot blocking for sensitive messages
  • Disappearing messages with multiple timers
  • X social-graph integration — start a chat with anyone who has opened DMs, no add-by-handle friction
  • Cross-device on iOS, Android, and the web; no native iPad or desktop app at launch

What XChat doesn't ship at launch: standalone desktop clients, public broadcast channels comparable to Telegram, and a deep bot ecosystem. The roadmap matters here — X Corp has hinted at expanding group size, adding encryption to additional surfaces, and broader platform coverage.

Cost — Free, but Owned by a Commercial Company

XChat is free — no ads inside the chat UI as of mid-2026 and no paid tier. The business model is X Corp's existing platform model: investors expect ongoing revenue growth from the wider X ecosystem, not from XChat specifically. That makes XChat ad-light today, but it does not give you the strong nonprofit guarantees that Signal provides.

Who Should Use XChat?

XChat is the right pick if:

  • You are already an active X user and want encrypted DMs without a separate app
  • You don't want to give a phone number to a messenger
  • Your threat model is "my messages should be encrypted against casual surveillance" — not "I need verifiable cryptographic guarantees"
  • You want the convenience of starting a chat with anyone who has X DMs open

Choose Signal instead if privacy must be provable; choose Threema instead if you want no X account at all; choose Session if you want a random ID with no link to any social profile.

XChat vs Signal vs Threema — Quick Comparison

Vs Signal: Signal wins on transparency (open source, audited, nonprofit) and is the long-standing reference. XChat wins on no-phone convenience for X users.

Vs Threema: Threema is paid-once, fully open source, requires no phone or email, and ships in Switzerland. Threema's user base is tiny. XChat is free and tied to X.

Vs WhatsApp: Both are free, both E2EE-by-default, both require no verification. WhatsApp is Meta-owned and tracks metadata. XChat is X-owned and tracks metadata to a similar degree. Different social graph.

For the full breakdown see our Signal vs Threema comparison and our dedicated XChat overview.

The Honest Verdict

XChat is a real step up from the old X DMs — the encryption story is finally accurate and the feature set is competitive with Telegram or WhatsApp inside the X ecosystem. For hundreds of millions of X users it is the easiest way to get E2EE in 2026 without installing anything new.

Where XChat falls short is the part that privacy professionals care about most: there is no public audit, the protocol is closed, and your identity is bound to your X account. Until those change, XChat is "encrypted, with caveats" — not "encrypted, full stop."

What we like

  • E2EE by default on every chat and call
  • X social graph — you can DM people you already know on X
  • No phone number required — X handle is your identity
  • Screenshot blocking + disappearing messages built in
  • Group chats up to 1,000 members

What we don't

  • No published independent audit of the cryptography
  • Closed source — implementation cannot be verified
  • No iPad, Mac, or Windows desktop app at launch
  • Identity is tied to your X account profile (pseudonymous by default but not anonymous)

Common questions

Is XChat actually end-to-end encrypted?

Yes. XChat turns on end-to-end encryption by default for every chat, group chat, voice call, and video call. However, the encryption protocol is proprietary and not yet published, so unlike Signal and Threema the cryptography cannot be independently verified by outside researchers.

Does XChat require a phone number?

No. XChat does not require a phone number or an email. Your identity is your X (formerly Twitter) account handle. If you already have an X account you can start messaging immediately without sharing any additional identifier.

Is XChat safer than Signal?

Not in a strict privacy sense. Signal has years of published audits and a fully open-source client and server. XChat has neither. Where XChat wins is convenience for X users — no separate signup, social-graph DMs already loaded. For casual encrypted conversations inside X it is competitive; for activists or journalists with high threat models, Signal and Threema remain the safer choice.

Has XChat been audited?

No public, independent third-party security audit has been published for XChat as of July 2026. X Corp has stated that encryption is on by default, but the protocol spec is closed and the implementation cannot be independently verified.

Who actually owns XChat?

XChat is operated by X Corp — the same company that runs X (formerly Twitter). X Corp is a U.S. company and is subject to U.S. jurisdiction, including lawful-access requests. XChat stores encrypted message contents, but metadata about who is messaging whom can be made available to authorities in response to valid legal process.

Is XChat safe to use?

Yes for casual encrypted conversations, with real caveats for high-risk use. XChat turns on end-to-end encryption by default, supports screenshot blocking and disappearing messages, and is integrated into the X app most people already have. The honest concerns: the protocol is closed and unaudited, identity is locked to your X account, X Corp retains metadata, and U.S. lawful-access requests can reach that metadata. Pick XChat for daily DMs with people you already know on X. For journalists, activists, or anyone whose threat model involves a determined adversary, Signal and Threema remain the provably safer choices.

Can police recover XChat messages?

They cannot read message content: XChat stores only ciphertext on its servers. They can, with a valid legal order served on X Corp in the United States, obtain the metadata X Corp already retains — who you messaged, when, how often, your account identifiers, and your device and IP information. If a recipient or your own device is seized, message history is also recoverable from device-local storage depending on your settings. E2EE protects content; X Corp's jurisdiction and metadata retention shape the rest.

Is XChat open source?

No. XChat's clients and servers are closed source, and the encryption protocol has not been published in enough detail for outside researchers to reproduce the implementation. X Corp has announced commitments around transparency in the past, but as of July 2026 there is no public source code and no public protocol specification to compare against the Signal Protocol or the Matrix Olm/Megolm protocol.

Is XChat better than WhatsApp?

Different, not clearly better. Both end-to-end encrypt by default, both require no phone number for XChat / already-trusted phone number for WhatsApp, and both retain substantial metadata on a U.S.-jurisdiction server (Meta vs X Corp). XChat wins if you live inside X and want encrypted chat without installing a new app; WhatsApp wins if your contacts are already there and you want a larger group, status, and a richer feature set. For activism or threat-model-grade privacy neither beats Signal or Threema.

Does XChat hide your IP address?

Not by default. XChat uses your normal internet connection to deliver messages, so X Corp can see your IP address when you connect, along with standard headers from the X app. E2EE protects message content in transit, but it does not hide who is talking from the operator the way Tor or onion routing does. If hiding your IP from a network observer matters, you need a separate transport (VPN or Tor) on top of XChat — and most high-risk users will prefer a messenger built with metadata stripping in the first place.

Can I use XChat without an X account?

No. XChat is gated behind an X account login. There is no standalone signup flow. If you no longer want to be on X / Twitter, you cannot use XChat.