Roadmap
Infrastructure
The entire application — Go backend, embedded NATS server, and compiled SvelteKit frontend — ships as one executable. A NATS server runs embedded inside the process by default with JetStream for persistent storage, so there’s nothing else to install or configure for a basic deployment.
Disable the embedded server and connect to an external NATS cluster instead. This enables multi-replica Chatto deployments behind a load balancer, all sharing the same message store.
Store file attachments in any S3-compatible object storage (AWS S3, MinIO, Cloudflare R2, etc.) instead of NATS. Recommended for deployments with significant file upload traffic.
Chatto can be installed as a Progressive Web App on desktop and mobile. This provides an app-like experience with its own window, home screen icon, and support for push notifications.
Configure JetStream streams and KV buckets for replication across a multi-node NATS cluster. Instance operators running a full NATS cluster will be able to ensure their data survives node failures without manual intervention.
Messaging
WebSocket-powered messaging with live updates across all connected clients. Messages appear instantly for everyone in the room without requiring a page refresh.
Reply to any message to start an organized discussion thread. Threads open in a dedicated side pane and keep tangential conversations from cluttering the main room timeline.
Edit your own messages within a configurable time window, or delete them entirely. Edits are clearly marked, and deletions use crypto-shredding — the encrypted content is destroyed, not just hidden, while a tombstone preserves conversation flow.
React to messages with emoji, synchronized across all clients in real-time. Multiple users can add the same reaction, and counts are displayed inline on each message. An autocomplete dropdown lets you find emoji by name without leaving the keyboard.
Mention users with @username to get their attention. Mentioned users receive a notification and the mention is highlighted in the message body.
See when others are typing in a room or thread. Indicators appear in real-time and automatically expire so they never get stuck.
Private one-on-one and group conversations with up to 10 participants. DM rooms are created on demand and persist across sessions so you never lose your conversation history.
Upload images and files to any message. Images get automatic thumbnail generation with smart format selection (JPEG for photos, WebP for transparent images, GIF for animations). Video uploads and animated GIF support are in progress.
Type @ in the message composer to get a filtered list of users in the current room, making it easy to mention someone without remembering their exact username.
Automatically fetch and display rich previews for URLs shared in messages — article titles, descriptions, and thumbnail images. Media links (YouTube, etc.) embed inline so users can preview content without leaving the conversation.
Generate a direct, shareable link to any specific message. Clicking a permalink scrolls the room to that message and highlights it for context.
Space admins can upload custom emoji that are available to all members. Custom emoji work everywhere regular emoji do — in messages, reactions, and autocomplete.
A built-in GIF picker in the message composer powered by Tenor or Giphy. Browse trending GIFs or search by keyword and insert them into messages with one click.
Spaces & Rooms
Top-level workspaces that contain multiple rooms, similar to Discord servers or Slack workspaces. Each space has its own member list, roles, permissions, and branding (custom logos and banners). Users can browse a central space directory to discover communities, and browse available rooms within a space before joining.
Visual indicators in the sidebar show which spaces and rooms have unread messages. Direct @mentions get a distinct highlight so you can prioritize conversations that need your attention.
Drag-and-drop room list customization so you can put your most-used rooms at the top. Group rooms into categories and archive inactive ones to keep the sidebar focused. Room order and groups are saved per-user so everyone can organize their sidebar how they like.
Notifications
A built-in notification center collects @mentions, thread replies, and DM messages in one place. Notifications link directly to the relevant message so you can jump into context with one click.
Receive browser push notifications when the app is in the background or closed. Push notifications work on desktop and mobile browsers that support the Web Push API.
Granular control over which events trigger notifications — globally, per-space, or per-room. Mute specific spaces or rooms to stop receiving notifications from them entirely. Read state and notification preferences sync across all your devices in real-time.
Users & Authentication
Self-service account registration, email verification, and password reset. Users can also sign in with Google, GitHub, and other OAuth providers. Instance admins can configure whether email is required and whether verification is enforced.
Each user has a profile with a display name, custom avatar, and presence status (Online, Away, Do Not Disturb). Presence automatically expires after inactivity so stale statuses don’t linger. Profiles are visible to all authenticated users on the instance.
Authorization & Permissions
A three-tier permission system spanning instance, space, and room levels. Each tier supports custom roles with fine-grained permissions and a position-based hierarchy where higher-ranked roles take precedence. Room-level overrides enable patterns like read-only announcement channels or restricted rooms with different moderation rules.
Use @role syntax to mention and notify all users with a specific role. Useful for pinging all moderators, a project team, or any other defined group without listing individuals.
Administration
A dedicated admin interface for managing the entire instance. View and manage users, spaces, roles, and permissions from a single dashboard. Configure instance name, message of the day, welcome message, and blocked usernames — changes take effect immediately without restarting the server. Includes NATS monitoring for JetStream streams, KV buckets, and connection metrics.
CLI commands for backing up and restoring all instance data. Backups intentionally exclude encryption keys so that exported data remains encrypted at rest.
Search across message history to find past conversations, decisions, and shared links. Results are scoped by the user’s permissions so you only see messages from rooms you have access to.
TTL-based automatic message cleanup. Configure how long messages are retained per space or globally, and let the system automatically purge expired content to manage storage costs.
Security & Encryption
Every message body is encrypted with ChaCha20-Poly1305 using a unique per-user key. Messages are encrypted at rest in NATS and only decrypted when served to an authorized client. Deleting a user’s key renders all of their messages permanently unreadable — fast, reliable GDPR-compliant data destruction without needing to locate individual messages across streams.
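The per-user-key and crypto-shredding behaviour described above, as an added example that is not Chatto's own code. `KeyStore`, `Seal`, `Open` and `ErrShredded` are hypothetical names, and AES-256-GCM from the Go standard library stands in for ChaCha20-Poly1305, which is not in the standard library.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

var ErrShredded = errors.New("user key destroyed")

type KeyStore map[string]cipher.AEAD // hypothetical in-memory key service: one AEAD per user

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // no safe fallback, e.g. missing entropy
	}
	return v
}

// Seal encrypts body under the author's key and returns nonce || ciphertext || tag.
func (s KeyStore) Seal(user string, body []byte) []byte {
	if s[user] == nil { // first use: mint a random 256-bit key
		key := make([]byte, 32)
		must(rand.Read(key))
		s[user] = must(cipher.NewGCM(must(aes.NewCipher(key)))) // AES-256-GCM stands in for ChaCha20-Poly1305
	}
	nonce := make([]byte, s[user].NonceSize())
	must(rand.Read(nonce))
	return s[user].Seal(nonce, nonce, body, nil)
}

// Open decrypts a stored record; once the key is deleted it can only fail.
func (s KeyStore) Open(user string, rec []byte) ([]byte, error) {
	a := s[user]
	if a == nil {
		return nil, fmt.Errorf("open for %q: %w", user, ErrShredded)
	} else if len(rec) < a.NonceSize() {
		return nil, errors.New("record too short")
	}
	return a.Open(nil, rec[:a.NonceSize()], rec[a.NonceSize():], nil)
}

func main() {
	s := KeyStore{}
	rec := s.Seal("alice", []byte("hi"))
	delete(s, "alice") // crypto-shred: the record stays, the key does not
	fmt.Println(s.Open("alice", rec))
}
```

Only the key is removed; the stored record is untouched, so records and their copies become unreadable together as long as the key itself was never copied alongside them.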
All file attachment URLs are cryptographically signed with a server-side secret. This prevents URL tampering and ensures that only the server can generate valid download links.
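One way such signed download links can work, as an added example that is not Chatto's own code. It assumes HMAC-SHA256 over the path plus an expiry time; the `exp` and `sig` query parameters, the `/files/...` path and the function names are hypothetical, and the secret is a constructed sample value.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"net/url"
	"strconv"
	"time"
)

// mac authenticates the two fields a client could tamper with: path and expiry.
func mac(secret []byte, path string, exp int64) []byte {
	h := hmac.New(sha256.New, secret)
	fmt.Fprintf(h, "%s\n%d", path, exp)
	return h.Sum(nil)
}

// SignURL appends the hypothetical exp and sig parameters to an escaped URL path.
func SignURL(secret []byte, path string, expires time.Time) string {
	sig := base64.RawURLEncoding.EncodeToString(mac(secret, path, expires.Unix()))
	return fmt.Sprintf("%s?exp=%d&sig=%s", path, expires.Unix(), sig)
}

// VerifyURL reports whether raw carries a valid, unexpired signature.
func VerifyURL(secret []byte, raw string, now time.Time) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return false
	}
	exp, err := strconv.ParseInt(u.Query().Get("exp"), 10, 64)
	if err != nil || now.Unix() > exp {
		return false
	}
	got, err := base64.RawURLEncoding.DecodeString(u.Query().Get("sig"))
	if err != nil {
		return false
	}
	// hmac.Equal compares in constant time, so timing does not leak the MAC.
	return hmac.Equal(got, mac(secret, u.EscapedPath(), exp))
}

func main() {
	secret := []byte("constructed-demo-secret") // sample value, not a real key
	link := SignURL(secret, "/files/42/report.pdf", time.Unix(2000000000, 0))
	fmt.Println(link, VerifyURL(secret, link, time.Unix(1900000000, 0)))
}
```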
Run the key management service as a standalone process for high-security deployments, with key material isolated on dedicated infrastructure or backed by hardware security modules. Includes key export and escrow for disaster recovery, so a lost server doesn’t mean permanent data loss.
Voice & Video
Voice and video calls for small groups using WebRTC peer-to-peer connections. No server-side media processing needed — participants connect directly to each other for low-latency, high-quality calls with up to 4-6 people.
Voice and video calls that scale beyond what peer-to-peer can handle, using a Selective Forwarding Unit (SFU) to relay media streams. Supports larger meetings without requiring every participant to maintain a direct connection to everyone else.
Share your screen or a specific application window during a call. Other participants see the shared content as an additional video stream alongside the speaker’s camera feed.
Lightweight, always-on voice channels that room members can drop in and out of at any time — similar to Slack huddles or Discord voice channels. No need to initiate a call; just join when you want to talk and leave when you’re done.
APIs & Extensibility
A full-featured GraphQL API with queries, mutations, and subscriptions for building client applications and bot integrations. Supports real-time updates over WebSocket and covers all user-facing functionality including messaging, spaces, rooms, and permissions.
A NATS-based API for extending Chatto with custom services and integrations. Connect directly to the NATS message bus to subscribe to events, publish messages, and interact with JetStream streams — ideal for building backends that need tight, low-latency integration with the system.
Dedicated bot user accounts that can be created and managed by instance admins. Bots authenticate via API tokens instead of passwords and can post messages, react to events, and participate in rooms just like regular users.
Allow bots to render custom interactive UI elements — buttons, forms, cards — directly inside chat messages. Users can interact with these elements without leaving the conversation, enabling workflows like approvals, polls, and ticket management right in the chat.
Not Planned
These are features we’ve considered but decided against — either because they don’t fit the project’s scope, or because the complexity isn’t worth the value they’d add.
Built-in game streaming or screen broadcasting to large audiences. Chatto is a chat application, not a streaming platform — dedicated tools like OBS, Twitch, or Discord’s Go Live do this much better. Screen sharing during calls covers the collaboration use case.
Client-side encryption where the server never sees plaintext. Chatto uses server-side per-user encryption which provides strong privacy guarantees (including crypto-shredding) while keeping features like search, moderation, and notifications possible. True E2EE would break most of these and add significant complexity for marginal benefit in a self-hosted context where you already control the server.
Connecting multiple Chatto instances into a federated network (like Matrix or ActivityPub). Federation adds enormous protocol complexity and makes it much harder to guarantee message delivery, encryption, and permission semantics. Chatto focuses on being excellent for a single organization or community.