The threat is not abstract.
It is personal.

Every major messaging platform in use today stores your conversations on servers owned by corporations. Those servers are breached. Those companies receive legal demands. Data is monetised. The result is that intimate conversations between real people routinely end up somewhere they were never meant to go.

Leaked photos destroy reputations. Exposed messages end relationships. Private words surface in the wrong hands at the worst possible moment. This is not a rare edge case. It is the predictable consequence of an architecture that treats your conversations as data to be held rather than messages to be delivered.

Aurora was built in response to that reality. It was designed so that the architecture itself makes the problem impossible: not by policy, not by promise, but by the way the system works.

Built differently

What Aurora is

A private messenger where messages are encrypted on the sender's device and travel directly to the recipient's, decrypted only on arrival. Nothing passes through a server; nothing is stored. A minimal rendezvous service helps two devices find each other across the internet, then removes itself from the conversation. What remains is a direct encrypted channel that no third party can access, read, or surrender.

Who built it

Aurora was designed and built by Christian Lim Correa, a single developer, with the assistance of Claude by Anthropic. It began as a response to real harm: private conversations and media finding their way into the wrong hands and changing lives. The intent was never to build a product, but to build something that genuinely solved the problem. Aurora and ShadowMesh are free, and will remain so.

Where Aurora came from

Aurora didn't start from scratch. It began as part of a larger project: ShadowMesh, a post-quantum mesh messaging network. Most of Aurora's foundation, especially its cryptography, was built there first and carried over rather than reinvented.

Building Aurora was a deliberate decision about scope. Rather than try to ship the entire mesh at once, the proven, working parts became something smaller and finishable: a direct, two-person encrypted messenger that can actually reach people's hands while standing on a serious cryptographic base.

ShadowMesh is paused, not abandoned. It may continue as its own project, or fold in as the mesh and relay backend that powers Aurora's optional ShadowMesh network. The relay already built into Aurora is the seam where that would happen. Either way, Aurora is the focus now, and it is built to grow well beyond a two-person messenger. Today's app is a foundation, not the finished shape.

Design decisions

The choices behind Aurora: what was decided, why, and the honest trade-off each one carries.

Cryptography & protocol

Hybrid post-quantum + classical

Every key exchange and signature pairs a quantum-resistant algorithm with a proven classical one.

An attacker has to break both, and it hedges against an undiscovered flaw in either. The cost is larger keys and signatures.

Forward secrecy from ephemerality

Pairing mixes in single-use keys that are destroyed right after, because post-quantum strength alone can't stop "record now, steal the key later."

If an attacker holds your real long-term key, no algorithm helps; only destroying an ephemeral prekey makes earlier recorded traffic unrecoverable.

Prekeys live on the server

The forward-secrecy prekeys are fetched from the rendezvous server, not packed into the QR code.

The QR is already near capacity with the post-quantum identity key, and this mirrors how established designs work. If no bundle is available, pairing still completes with a simpler handshake.

Recognition, then verify

You accept a request, then both confirm a short code shown on each other's screen.

Those codes are computed independently on each phone; a hidden middle-man would produce mismatched codes, so the connection is refused. The codes are never sent anywhere.
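
The check described above, as an added example that is not Aurora's code: each side derives its code only from the keys it holds locally, so a relay that swaps keys leaves the two screens disagreeing. The hash, the domain label, the six-digit length and all keys here are assumptions constructed for illustration.

```python
import hashlib

def short_code(own_pub: bytes, peer_pub: bytes, digits: int = 6) -> str:
    """Code one phone displays, computed only from keys it holds locally."""
    h = hashlib.sha256(b"example-verify-code-v1")  # assumed domain label
    # Sort so both phones hash the same transcript regardless of role,
    # and length-prefix each key so the concatenation is unambiguous.
    for key in sorted((own_pub, peer_pub)):
        h.update(len(key).to_bytes(4, "big") + key)
    value = int.from_bytes(h.digest()[:8], "big") % 10**digits
    return f"{value:0{digits}d}"

def pair(alice_pub: bytes, bob_pub: bytes, relay):
    """relay(key) returns the key actually delivered to the other side.
    Returns the codes shown on Alice's and Bob's screens."""
    seen_by_alice = relay(bob_pub)
    seen_by_bob = relay(alice_pub)
    return short_code(alice_pub, seen_by_alice), short_code(bob_pub, seen_by_bob)

# Constructed stand-ins for public keys (not real key material).
ALICE_PUB = bytes(range(0, 32))
BOB_PUB = bytes(range(32, 64))
MALLORY_PUB = bytes(range(64, 96))

def honest_relay(key: bytes) -> bytes:
    return key            # delivers what was sent

def mitm_relay(key: bytes) -> bytes:
    return MALLORY_PUB    # substitutes the interceptor's own key

def codes_match(relay) -> bool:
    alice_code, bob_code = pair(ALICE_PUB, BOB_PUB, relay)
    return alice_code == bob_code   # the comparison the two users make by eye

if __name__ == "__main__":
    print("honest relay, codes match:", codes_match(honest_relay))
    print("key-swapping relay, codes match:", codes_match(mitm_relay))
```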

Your address is your keys

Your network ID is derived from your public keys, so no one can claim it with different keys.

This makes impersonation impossible, at the cost that rotating your keys means a new identity.

A ratchet today, more tomorrow

Each message uses a fresh key that's discarded; a deeper self-healing ratchet is planned.

Honest limit: today a conversation still rests on a single root secret, so full recovery-after-compromise isn't there yet. It's the next piece of work.
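
An added example, not Aurora's code, showing why a per-message key chain that rests on one root secret gives forward secrecy but not recovery after compromise. It assumes an HMAC-SHA256 chain; the labels and the root secret are constructed for illustration.

```python
import hashlib
import hmac

def kdf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

class ChainRatchet:
    """One-way key chain: each step yields a message key and replaces the state."""

    def __init__(self, chain_key: bytes):
        self.chain_key = chain_key

    @classmethod
    def from_root(cls, root_secret: bytes) -> "ChainRatchet":
        return cls(kdf(root_secret, b"example-chain-init"))

    def next_message_key(self) -> bytes:
        message_key = kdf(self.chain_key, b"example-message")
        # Overwrite the state; the previous chain key is no longer held.
        self.chain_key = kdf(self.chain_key, b"example-advance")
        return message_key

def compromise_demo(total: int = 6, stolen_after: int = 3):
    """Copy the device state after `stolen_after` messages and see which
    message keys can be derived from that copy."""
    victim = ChainRatchet.from_root(b"constructed root secret")
    real_keys = [victim.next_message_key() for _ in range(stolen_after)]
    stolen_state = victim.chain_key              # state exposed at compromise
    real_keys += [victim.next_message_key() for _ in range(total - stolen_after)]

    observer = ChainRatchet(stolen_state)
    derived = [observer.next_message_key() for _ in range(total - stolen_after)]

    later_keys_exposed = derived == real_keys[stolen_after:]
    earlier_keys_exposed = any(k in derived for k in real_keys[:stolen_after])
    return later_keys_exposed, earlier_keys_exposed

if __name__ == "__main__":
    later, earlier = compromise_demo()
    print("keys after the compromise derivable:", later)
    print("keys before the compromise derivable:", earlier)
```

Mixing fresh key-agreement output into the chain at intervals is what lets a ratchet of this kind move past a copied state.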

Architecture & infrastructure

No server in the middle

The rendezvous server only helps two phones find each other, then steps aside; messages go direct.

It keeps a 15-minute, log-free address record and hides it among decoys. The honest cost is that it can tell a device is reachable.

Wake without push providers

Aurora wakes your phone with a contentless signal instead of Google or third-party push.

No message content ever touches a push service. The trade-off is a lightweight always-on connection that reveals only reachability, which we disclose.

Hardware-backed key protection

Keys are held on-device, protected by the phone's hardware-backed Keystore.

The post-quantum keys are too large to live inside the secure chip directly, so they're encrypted under a master key that is.

Erase means destroy the keys

Clearing your data destroys the encryption keys rather than scrubbing files.

Flash storage makes byte-scrubbing unreliable; destroying the keys turns everything left into noise instantly. This pairs with the decoy PIN and the optional wipe-on-duress.

A pinned connection

The app pins the rendezvous server's certificate.

Interception fails even against a rogue certificate authority; a backup pin keeps things working across certificate renewals.

Updates keep your data

The local database is versioned so app updates migrate your data instead of wiping it.

From a fixed baseline onward, every change to how data is stored ships a real migration that preserves what's already on your phone.

Trust the code, not the promise

Aurora and its rendezvous server are fully open source under the GNU Affero General Public License (AGPL-3.0). Security researchers, developers, and anyone curious can verify exactly what the code does. Because the AGPL also covers software run as a network service, anyone hosting a modified Aurora server must publish their changes too.

If this project is ever shut down, compromised, or compelled to act against its users, the code remains public and any developer in the world can continue it. No single point of control means no single point of failure.

It hasn't yet had an independent third-party security audit. See the limits we're explicit about in How it works.