Security
wee.cat is built with a zero-knowledge architecture. We can't read your messages, even if we wanted to.
Encryption
Every direct message in wee.cat is encrypted end-to-end using modern cryptographic primitives. Messages are encrypted on your device before they leave, and only the intended recipients can decrypt them.
Multi-Device
Use wee.cat on your desktop, laptop, and phone. Each device gets its own key pair, and session keys are wrapped individually for each device using ECDH-derived shared secrets.
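An added sketch of the per-device wrapping described above, not wee.cat's own code: one session key is wrapped separately for each device under a key derived from an ECDH shared secret. The curve (X25519), HKDF-SHA256, AES-256-GCM, the ephemeral sender key, and all function and field names are assumptions; the page specifies none of them.

```javascript
// Added example: wrap one session key individually for each recipient device.
// Assumed primitives (not stated on the page): X25519, HKDF-SHA256, AES-256-GCM.
const nodeCrypto = require('node:crypto');

// Each device generates its own key pair; the private key never leaves it.
function newDevice(id) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('x25519');
  return { id, publicKey, privateKey };
}

// ECDH shared secret -> 256-bit key-encryption key, bound to the device id.
function deriveKek(privateKey, publicKey, deviceId) {
  const secret = nodeCrypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(nodeCrypto.hkdfSync('sha256', secret, Buffer.alloc(0), `wrap:${deviceId}`, 32));
}

// Sender: a fresh ephemeral key pair per envelope, one wrap per device.
function wrapForDevices(sessionKey, devices) {
  const eph = nodeCrypto.generateKeyPairSync('x25519');
  const ephPub = eph.publicKey.export({ type: 'spki', format: 'der' });
  const wraps = devices.map(({ id, publicKey }) => {
    const kek = deriveKek(eph.privateKey, publicKey, id);
    const iv = nodeCrypto.randomBytes(12);
    const c = nodeCrypto.createCipheriv('aes-256-gcm', kek, iv);
    c.setAAD(Buffer.from(id)); // authenticate which device this wrap is for
    const ct = Buffer.concat([c.update(sessionKey), c.final()]);
    return { id, iv, ct, tag: c.getAuthTag() };
  });
  return { ephPub, wraps };
}

// Recipient device: unwrap its own entry; throws on a wrong key or tampering.
function unwrap(envelope, device) {
  const w = envelope.wraps.find((x) => x.id === device.id);
  if (!w) throw new Error('no wrap for this device');
  const ephPub = nodeCrypto.createPublicKey({ key: envelope.ephPub, type: 'spki', format: 'der' });
  const kek = deriveKek(device.privateKey, ephPub, device.id);
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', kek, w.iv);
  d.setAAD(Buffer.from(device.id));
  d.setAuthTag(w.tag);
  return Buffer.concat([d.update(w.ct), d.final()]);
}

// Constructed demo: two devices recover the same randomly generated session key.
{
  const devices = [newDevice('laptop'), newDevice('phone')];
  const env = wrapForDevices(nodeCrypto.randomBytes(32), devices);
  console.log(devices.map((d) => unwrap(env, d).toString('hex')));
}
```

A server relaying such an envelope holds only the ephemeral public key and the wrapped ciphertexts, so it cannot recover the session key without a device's private key.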
Under the Hood
All data in transit is encrypted with TLS. WebSocket connections are authenticated with JWT tokens. CORS and CSRF protections are enforced on every request.
Sessions use JWT pairs: 24-hour access tokens and single-use refresh tokens that are rotated. Accounts are locked out after 5 failed attempts. OAuth2 is supported with Google and GitHub.
OAuth tokens for external services (GitHub, Gmail, Notion, etc.) are encrypted at rest using AES. Tokens are never stored in plaintext.
Huddle transcription runs entirely on-device using Parakeet. Your audio is processed locally in a Web Worker and never uploaded to any server.
AI agents run in isolated Docker containers with configurable CPU, memory, and network limits. Each agent gets its own tmpfs-backed workspace.
API endpoints are rate-limited: 120 req/min for authenticated users, 60/min for anonymous, and 5/min for authentication endpoints.
Our Promise
We cannot read your encrypted messages. The server stores only ciphertext. Decryption keys exist only on your devices.
Your data is never sold, shared with advertisers, or used for profiling. Your information belongs to you.
wee.cat does not serve advertisements. There is no ad network, no tracking pixels, no behavioral analytics.
Transcription happens on your device. We don't have access to your audio streams or transcription output.
Try wee.cat and see what private communication feels like.