What end-to-end actually means
When we say end-to-end encrypted, we mean your message is sealed on your iPhone and opened on your friend’s. In between — on wires, on servers, in backups — it is scrambled data nobody can read. Not us, not anyone.
That applies to your personal chats: the conversations between you and the people you choose.
On the wire, it’s noise. Only the two phones can read it.
A new key for every message
Sealing a conversation once wouldn’t be enough — one stolen key would unlock everything, forever. So every message you send is locked with its own fresh key, and the keys only march forward: each new one is derived from the last, and none of them can be reused or rewound.
That buys you something cryptographers call forward secrecy, and it’s easy to say in plain words: steal a key, read one message. Not your history. Not your future. By the time anyone has a key, the conversation has already moved on.
1A message is sealed with the current key.
2The ratchet turns — the next key is derived, the old one is spent.
3Spent keys open nothing. Yesterday’s key is a paperweight.
We didn’t invent our own crypto — we implemented the battle-tested Olm/Megolm double-ratchet design, in Rust. Applies to personal chats.
Key Transparency: the log that keeps us honest
Here’s the attack almost nobody talks about — and it isn’t about breaking the math. It’s about the introduction. When you message someone, a server hands your phone their encryption key. A dishonest server could hand you a different key — one it controls — and quietly read everything, while you both still see a padlock.
So we removed the trust. ToastyAI writes every user’s encryption keys to a signed, append-only public log — a notary’s book with numbered pages. Pages can be added, never torn out, never rewritten.
The consequence is the whole point: if our own server ever tried to slip a different key into your conversation, the log wouldn’t match and the swap would be detected. We built a system where even we get caught.
Almost no messenger ships this. We think it should be table stakes.
That’s the point. It can’t happen quietly.
Key published
Your device’s key is appended to the public log — a numbered page, written in ink.
Log signed
Every page is signed and chained to the one before it. History only grows — it can’t be rewritten.
Mismatch detected
A swapped key wouldn’t match the log. Your app notices — and so can anyone else who checks.
Verify a friend with emoji
Want to go one step past the log? Compare a short emoji sequence with your friend — in person, or on a call where you can hear their actual voice. Matching sequences prove something precise: your phones hold each other’s real keys, with no impostor sitting in the middle relaying messages between you.
Once you’ve verified someone, it sticks — your devices remember. Security checks shouldn’t feel like tax forms.
The formal name: Short Authentication String (SAS) verification.
New devices, without trusting us
Sign in on a new iPhone and approve it from a device you already trust. That approval is your own circle of devices vouching for each other — nobody outside the circle, including us, can add to it.
Your history comes back too. Your key backup travels in a sealed envelope our server stores but can never open; it’s decrypted only on your hardware. At no step does the server ever see a key.
Notifications that keep the secret
A private message that gets printed on your lock screen isn’t private. On encrypted chats, a ToastyAI notification carries only a lock glyph — never your words, never your friend’s. Nothing readable ever rides through push infrastructure or sits on your lock screen for someone else to glance at.
What we can never do
Because of the architecture, not a policy.
Can’t read your personal chats.They’re sealed before they ever reach us.
Can’t quietly swap keys.The public log would show it.
Can’t open your key backup.We store the envelope. We don’t have the opener.
Can’t put your words in a notification.The push never contains them.
Nothing to mine.So no ads, no tracking, no data harvesting.