XChat is the newest encrypted messenger on the market, launched inside the X (formerly Twitter) ecosystem on April 24, 2026. We score it 7.9 / 10: E2EE is on by default and there is no phone-number requirement, but the protocol is closed, no independent audit exists yet, and your identity is locked to your X account. For X users it's the easiest encrypted option in 2026; for high-threat-model users, Signal and Threema remain the safer choices.
Reviewed by the xchat.directory editorial team · Last reviewed
XChat at a glance
What Is XChat?
XChat is the newest end-to-end encrypted messenger on the mainstream market, launched by X Corp on April 24, 2026 inside the X (formerly Twitter) app. It replaces the long-running legacy direct-message system with a fully E2EE experience and ships with group chats of up to 1,000 members (350 at launch, growing), voice and video calls, screenshot blocking, and disappearing messages.
Unlike Signal, Threema, or WhatsApp, XChat does not require a phone number or an email address. Your identity is simply your X account handle — so if you already have an X account you can start messaging with anyone on X within seconds of upgrading the app. That tight integration with the social graph is XChat's killer feature and its biggest trade-off: switching off X means switching off XChat.
Privacy & Security — What We Know and What We Don't
XChat turns on end-to-end encryption by default for every chat, group, voice call, and video call. Screenshot blocking and disappearing messages are first-class features. So far, so good — and meaningfully better than the legacy X DMs which were not E2EE at all.
The catch is transparency. There is no published protocol specification for XChat, no public independent third-party security audit, and the client and server code are closed source. That means outside researchers cannot verify that the cryptography on the device actually matches what X Corp claims is happening, and what the server is actually doing. By contrast, the Signal Protocol has been peer-reviewed in academic journals and the Signal app has been audited repeatedly.
We treat XChat's encryption as a trust claim, not a verified property. For everyday conversations with people you know, that is a reasonable trade-off. For journalists, activists, or anyone with a high threat model, it isn't.
What XCorp can still see
- The body of messages is encrypted and unreadable to X.
- The metadata — who is messaging whom, when, how often — is held by X and is subject to lawful-access requests and to X's standard account policies.
- Your identity is your X handle, which is pseudonymous by default but not anonymous. Anything tied to your X profile (avatar, bio, followers) leaks through to XChat.
Features — What's Actually in the App
- One-to-one and group chats (up to 1,000 members) — E2EE by default
- Voice and video calls with E2EE on the same protocol
- Screenshot blocking for sensitive messages
- Disappearing messages with multiple timers
- X social-graph integration — start a chat with anyone who has opened DMs, no add-by-handle friction
- Cross-device on iOS, Android, and the web; no native iPad or desktop app at launch
What XChat doesn't ship at launch: standalone desktop clients, public broadcast channels comparable to Telegram, and a deep bot ecosystem. The roadmap matters here — X Corp has hinted at expanding group size, adding encryption to additional surfaces, and broader platform coverage.
Cost — Free, but Owned by a Commercial Company
XChat is free — no ads inside the chat UI as of mid-2026 and no paid tier. The business model is X Corp's existing platform model: investors expect ongoing revenue growth from the wider X ecosystem, not from XChat specifically. That makes XChat ad-light today, but it does not give you the strong nonprofit guarantees that Signal provides.
Who Should Use XChat?
XChat is the right pick if:
- You are already an active X user and want encrypted DMs without a separate app
- You don't want to give a phone number to a messenger
- Your threat model is "my messages should be encrypted against casual surveillance" — not "I need verifiable cryptographic guarantees"
- You want the convenience of starting a chat with anyone who has X DMs open
Choose Signal instead if privacy must be provable; choose Threema instead if you want no X account at all; choose Session if you want a random ID with no link to any social profile.
XChat vs Signal vs Threema — Quick Comparison
Vs Signal: Signal wins on transparency (open source, audited, nonprofit) and is the long-standing reference. XChat wins on no-phone convenience for X users.
Vs Threema: Threema is paid-once, fully open source, requires no phone or email, and ships in Switzerland. Threema's user base is tiny. XChat is free and tied to X.
Vs WhatsApp: Both are free, both E2EE-by-default, both require no verification. WhatsApp is Meta-owned and tracks metadata. XChat is X-owned and tracks metadata to a similar degree. Different social graph.
For the full breakdown see our Signal vs Threema comparison and our dedicated XChat overview.
The Honest Verdict
XChat is a real step up from the old X DMs — the encryption story is finally accurate and the feature set is competitive with Telegram or WhatsApp inside the X ecosystem. For hundreds of millions of X users it is the easiest way to get E2EE in 2026 without installing anything new.
Where XChat falls short is the part that privacy professionals care about most: there is no public audit, the protocol is closed, and your identity is bound to your X account. Until those change, XChat is "encrypted, with caveats" — not "encrypted, full stop."
What we like
- E2EE by default on every chat and call
- X social graph — you can DM people you already know on X
- No phone number required — X handle is your identity
- Screenshot blocking + disappearing messages built in
- Group chats up to 1,000 members
What we don't
- No published independent audit of the cryptography
- Closed source — implementation cannot be verified
- No iPad, Mac, or Windows desktop app at launch
- Identity is tied to your X account profile (pseudonymous by default but not anonymous)