Design decisions

Why peer-to-peer, no accounts, and what that costs you

2026-07-09 · by the Bearhole team · 7 min read

Every chat app you have used runs the same way underneath: your messages pass through a company's servers. That company can read metadata, change the rules, get acquired, get breached, or simply decide your community is no longer welcome. Bearhole is built to remove that party entirely. There is no server to trust because there is no server.

That is a strong claim, and strong claims deserve an honest accounting. Here is what the architecture buys you, and — just as importantly — what it costs.

What "peer-to-peer" actually means here

Bearhole communities live on the Hyperswarm DHT. Peers find each other directly and replicate an append-only log of the community between themselves. There is no central database, no company cloud, and no account server issuing you a username. When you and three friends are online, your messages travel between your four machines, encrypted end-to-end, and nowhere else.

Content is block-encrypted from a per-community space key. Message bodies are sealed with AES-256-GCM under a rotating epoch key, wrapped to each device with a post-quantum hybrid KEM (X25519 + ML-KEM-768). Nobody who merely relays or stores the bytes can read them — not a seed operator, not an ISP, not us.

No accounts: your identity is a phrase

Because there is no account server, there is no email, no password reset, no "sign in with us". Your identity is a 12-word recovery phrase — a keypair you hold. It is the same across every community and every device you own. Nobody can lock you out, and nobody can impersonate you without the phrase.

This is liberating and, honestly, a little scary. So it is worth being blunt about the trade-off.

The cost, stated plainly

If you lose your recovery phrase and have no other device signed in, there is no company to recover it for you. Self-custody of keys is the price of having no middleman. We soften it with multi-device sync and optional SSO/passkey unlock — but the underlying deal is real, and we will not pretend otherwise.

Where SSO and passkeys fit — without giving up custody

"No accounts" does not have to mean "hostile to normal people". For onboarding, Bearhole optionally lets you sign in through SSO / OAuth — Google, GitHub, Discord, Twitch, or a self-hosted Keycloak — and unlock your keys with a FIDO2 passkey.

The important detail: none of these providers ever hold your keys or your messages. They authenticate you to your own device, which then unwraps the keys you already control. A community can even choose to SSO-gate membership — "only people who authenticate through our Keycloak may join" — without any of that plaintext or key material leaving the members' machines. It is convenience layered on top of self-custody, not a replacement for it.

The honest edges

We keep a threat model, and we lead with what encryption does not do:

Why we think the trade is worth it

You give up a safety net held by a company, and in return you get a community that cannot be sold, subpoenaed at the platform level, rate-limited into a paid tier, or switched off. Your data lives on your devices and the seeds you choose to run. The core is free forever, the whole thing is AGPL-3.0 with the full source published at 1.0, and an automated check confirms no plaintext ever crosses the wire or sits on a seed.

Peer-to-peer with no accounts is not the easy path, and it is not free. But for a community that wants to actually own itself, we think it is the honest one. If that resonates, the alpha is open.

← Back to the blog