unsubbed.co

Tox

Released under GPL-3.0, Tox provides a distributed, secure messenger with audio and video chat capabilities on self-hosted infrastructure.

Peer-to-peer encrypted messaging, honestly reviewed. No servers to shut down, no accounts to leak — and a reputation problem worth understanding before you trust it.

TL;DR

  • What it is: A peer-to-peer, serverless instant messenger with end-to-end encrypted text, voice, video, screen sharing, and file transfer. No central infrastructure exists to raid, subpoena, or shut down [2][4].
  • Who it’s for: Privacy-focused individuals who want a Skype replacement with zero server dependency and no accounts — and who are comfortable with technical rough edges.
  • Cost: Completely free, no tiers, no ads, no subscriptions — forever [homepage]. The software costs $0 and there’s no SaaS to compare against.
  • Key strength: Genuinely serverless architecture. Your conversations literally cannot be intercepted at a server level because there are no servers. The distributed DHT network means the project cannot be killed by seizing hardware [2][4].
  • Key weakness: The protocol has never received a formal independent security audit, the encryption model has known gaps, and several privacy communities consider it “not well maintained” as of 2024 [1][5]. This is not a minor caveat — it is the core reason most security-conscious users avoid it.

What is Tox

Tox is a peer-to-peer encrypted communications protocol, and a collection of clients built on top of it. The protocol handles text messaging, voice calls, video calls, screen sharing, file transfers, and group chats — all encrypted, all serverless.

The origin story is unusual. According to a 2014 Wired report [2], Tox was born in the tech forum of 4chan in the months after Edward Snowden’s NSA revelations. Users there started discussing the need for a Skype alternative that no single company controlled. They opened a GitHub repository, started uploading code, and eventually named the project Tox. The Wired piece described the result as “surprisingly easy to use” for a project of that origin, though it also flagged that it “has yet to receive the scrutiny that other security tools” had at the time [2].

Ten years later, that scrutiny still hasn’t fully arrived.

The project sits at around 2,597 GitHub stars for the core C library (c-toxcore). The website lists clients for every major platform: qTox for desktop, aTox for Android, a handful of others. There is no iOS client recommended by the project. There is no central server. When you install a Tox client, it generates a public/private key pair — your Tox ID is your public key. You share that ID with people you want to talk to, they add you, and the DHT (Distributed Hash Table) network routes connections directly between your machines [2][4].

The underlying encryption uses libsodium (based on the NaCl library by Daniel Bernstein), which is reputable. The question the security community raises is not whether the encryption primitives are sound — libsodium is — but whether the protocol design around those primitives is sound, and that question remains unanswered by any formal audit [1][4].


Why people choose it (and why some walk away)

The Reddit thread asking “Why does Tox have a bad reputation?” [1] is probably the most honest distillation of where Tox stands in 2024. The original poster explains exactly why someone would try Tox: it feels purpose-built for desktop (unlike Signal or Session, which feel like stretched mobile apps), it has real features, it doesn’t require an account or phone number, and it’s been around long enough to be somewhat stable.

The reputation problem breaks into three specific issues [1]:

1. It doesn’t use the standard encryption approaches. The privacy community has converged on a small set of well-audited protocols (Signal Protocol, Noise Protocol Framework). Tox uses NaCl/libsodium primitives but assembles them in its own protocol design. That design has not been formally verified.

2. No independent security audit. The README itself states plainly: “This is an experimental cryptographic network library. It has not been formally audited by an independent third party that specializes in cryptography or cryptanalysis. Use this library at your own risk.” [4] This warning has been in the README since at least 2014 [2]. A decade of “experimental” is a signal.

3. IP address exposure. Because Tox is fully peer-to-peer, your contacts can see your IP address. If your threat model includes hiding your location from people you talk to, Tox does not solve that problem. You can route it through Tor, but the project acknowledges this is imperfect [1].

The Privacy Guides community thread [5] places Tox in a specific category: tools that are philosophically interesting but practically not recommended. The post that synthesizes the field describes Tox as “not well maintained” alongside Status and Berty, and disqualifies it from serious consideration alongside SimpleX and Session [5]. This is the privacy-focused community’s verdict, not a casual user’s complaint.

The Wired origin story [2] captures what made Tox compelling in 2014: it was a genuine distributed alternative to Skype at a moment when the world had just learned that Skype was being tapped. The architecture is still sound in principle. The execution — specifically the years of “experimental” status without a formal audit — is what has eroded trust.

A 2019 enterprise chat roundup [3] listed Tox as an option for self-hosted team communication but treated it as an afterthought, noting its distributed architecture without giving it serious weight against Rocket.Chat, Mattermost, or Matrix. That’s the correct instinct: Tox is not an enterprise communication tool.


Features

From the website and README:

Messaging and communication:

  • Encrypted instant messaging [homepage]
  • Voice calls (free, encrypted) [homepage]
  • Video calls [homepage]
  • Screen sharing [homepage]
  • File transfer (no artificial limits or size caps) [homepage]
  • Group chats with text, voice, and video [homepage]

Architecture:

  • Fully peer-to-peer, no central servers [2][4]
  • DHT-based contact discovery and routing [2]
  • Public/private key pair as your identity — no phone number, no email, no account [2]
  • Portable identity: copy one file to move your identity and contact list to a new device [2]
  • Audio/video requires libvpx and opus libraries at compile time [4]

What it does not have:

  • A single official client — the project maintains a protocol and a core library, and there are multiple clients with varying feature support
  • A formal threat model (one has been in discussion since at least issue #210) [4]
  • An iOS client with official recommendation [2]
  • Message delivery when both parties are offline — because peer-to-peer means someone has to be online to receive

The lack of offline message delivery is a fundamental architectural consequence of the serverless model. If you send someone a message and they’re offline, the message is not stored anywhere waiting for them. This is different from Signal, Matrix, or Session, which use servers (or a distributed network with store-and-forward) to hold messages until recipients come online [5].


Pricing: SaaS vs self-hosted math

This section is unusually short for Tox: there is nothing to calculate.

Tox is free software under GPL-3.0. The software costs $0. There is no cloud tier, no premium plan, no “Tox Business,” no per-seat fee. The website states this explicitly: “While other big-name services require you to pay for features, Tox is completely free and comes without advertising — forever.” [homepage]

There is no SaaS alternative to Tox to escape. The comparison is not Tox vs. a paid service — it is Tox vs. other free encrypted messengers (Signal, SimpleX, Session, Matrix/Element).

If you’re running a self-hosted Matrix homeserver for a team and paying for VPS hosting, switching to Tox eliminates that server cost entirely. But that framing only makes sense if Tox fits your use case, which for teams it generally does not [3][5].


Deployment reality check

Setting up Tox as a user is straightforward: download a client (qTox on desktop, aTox on Android), launch it, and your keys are generated automatically. You share your Tox ID (a long alphanumeric string) with contacts who want to reach you. There is no server to configure, no domain to set up, no database to manage [2][4].

The installation complexity comes if you want to compile the core library yourself or build a custom client. The README walks through a CMake build against libsodium, with libvpx and opus added optionally for A/V. This is a developer path, not a user path [4].

What can go wrong:

  • Firewall/NAT issues. Peer-to-peer connections require that at least one party can accept incoming connections. If both users are behind strict NAT or firewalls, the DHT bootstrapping may fail to establish a direct connection. The user experience in this case is “contact shows as offline even when they’re not” — and debugging it is non-trivial for non-technical users.
  • Client fragmentation. There is no single official Tox client. qTox, µTox, aTox, and others are developed by different teams with different feature sets and update cadences. Some have been abandoned. Choosing the wrong client means inheriting its maintenance status.
  • Group chats are limited. Group functionality exists but is less polished than one-on-one communication, and encrypted group chats have known limitations in the protocol [1].
  • No mobile push notifications. Because there’s no server, there’s no push notification infrastructure. Your phone’s Tox client needs to maintain a persistent connection to receive messages, which affects battery and background delivery.

Realistic setup time for a technical user: under 10 minutes to a working install. Realistic setup time for getting a non-technical friend to also use Tox and successfully connect: 30–60 minutes, mostly spent explaining Tox IDs and troubleshooting NAT.


Pros and cons

Pros

  • Genuinely serverless. There is no company server that can be subpoenaed, raided, or sold to a surveillance firm. The network exists only in its users’ machines [2][4]. This is a meaningful architectural property that Signal, Session, and even Matrix do not fully share.
  • No account, phone number, or email required. Your identity is a key pair. Nothing links you to the real world by default [2]. This is rare.
  • Free forever, no business model to corrupt. No investors, no monetization path, no incentive to degrade privacy for revenue [homepage].
  • Full feature set. Text, voice, video, screen sharing, file transfer, groups — in one protocol [homepage]. Most privacy messengers sacrifice features for security; Tox’s ambition here is notable.
  • Portable identity. One file = your entire identity and contact list [2]. Back it up, move it, done.
  • No artificial file transfer limits. Unlike most hosted services [homepage].

Cons

  • No formal security audit, ever. The README says “experimental” and means it [4]. This is not paranoia — this is the project’s own honest self-assessment. The protocol has open issues describing known weaknesses that have been open for years [1][4].
  • IP address exposure. Your contacts see your IP. For users with real threat models, this matters [1].
  • “Not well maintained” consensus in privacy communities. The Privacy Guides community [5] and the r/privacy thread [1] independently reach this conclusion. Development momentum has slowed compared to alternatives like SimpleX.
  • No offline message delivery. Peer-to-peer means both parties need to be online. In an emergency when the other person is unavailable, your message goes nowhere [5].
  • No iOS recommendation. No first-party or well-maintained iOS client exists [2]. If half your contacts use iPhones, this is a practical blocker.
  • Client fragmentation. Multiple clients with inconsistent feature support and maintenance status. There is no canonical Tox experience [2].
  • Group chat limitations. The group functionality is less mature than the one-on-one path [1].
  • Tor integration is unreliable. For users who want to hide their IP even from contacts, Tor routing is possible in theory but “never had much luck” in practice [1].

Who should use this / who shouldn’t

Use Tox if:

  • You want encrypted communication with technically sophisticated contacts who are comfortable with peer-to-peer software and can handle NAT issues.
  • Your specific threat model is server seizure or company compromise — not IP exposure to contacts.
  • You want a desktop-first experience with full A/V features and no accounts.
  • You understand and accept the “experimental” status and are not protecting against nation-state adversaries.

Skip Tox (use SimpleX Chat instead) if:

  • You want the strongest available privacy without formal audit gaps. SimpleX uses the Noise protocol framework and has received more scrutiny [5].
  • You need offline message delivery.
  • You want consistent mobile support including iOS.

Skip Tox (use Signal instead) if:

  • You need the most widely audited, production-grade encrypted messenger.
  • You’re fine with using a phone number as your identifier.
  • Your contacts are non-technical and need a polished onboarding experience.

Skip Tox (use Matrix/Element instead) if:

  • You’re setting up team communication for an organization.
  • You need offline delivery, persistent chat rooms, and admin controls [3].

Skip Tox (use Session instead) if:

  • You want no phone number requirement AND no IP exposure to contacts AND offline delivery — Session routes through its Lokinet-adjacent infrastructure to provide these [5].

Alternatives worth considering

  • SimpleX Chat — No user IDs of any kind (not even public keys), no metadata stored on servers, has received serious security attention from the privacy community. Recommended as the strongest privacy option by Privacy Guides community contributors [5]. The main trade-off is a more complex mental model for adding contacts.
  • Session — No phone number, no email, no central servers in the Signal sense. Routes through a decentralized node network. Offers offline delivery. Less polished on desktop than Tox [1][5].
  • Signal — Requires a phone number, uses centralized servers, but has the most rigorous independent security audits of any mainstream encrypted messenger. The right choice if your threat model is content interception, not contact graph exposure.
  • Matrix/Element — Federated, self-hostable, supports large teams, offline delivery, persistent rooms. Requires running a homeserver for full control. The right choice for team communication [3][5].
  • Briar — Also peer-to-peer, also serverless, with the addition of Tor routing built in and Bluetooth/Wi-Fi mesh as fallback. Requires both users to be online simultaneously. More security-focused than Tox but fewer features [5].

Bottom line

Tox solved a real problem in 2014: it gave people a technically elegant, fully distributed alternative to Skype at the moment the world learned Skype was being tapped. The architecture is still genuinely interesting — truly serverless, no accounts, portable identity, full A/V features. But Tox has been “experimental” for a decade, and the privacy community has had time to build alternatives that address the gaps Tox never closed. No formal security audit. IP exposure to contacts. No offline delivery. Fragmented client ecosystem. The project’s own README tells you to use it at your own risk.

For a non-technical founder, Tox is not a practical choice: the onboarding friction, NAT troubleshooting, and “no iOS client” problems make it a tool for hobbyists, not teams. For a privacy-focused individual who needs a desktop-first, serverless messenger and understands the trade-offs, Tox is still functional — just not the strongest option available. SimpleX Chat and Session have closed the gap on the features that once made Tox distinctive, without carrying a decade of unaudited protocol debt.


Sources

  1. r/privacy — “Why does Tox have a bad reputation?” (Reddit, 4 years ago). https://www.reddit.com/r/privacy/comments/x2qxr8/why_does_tox_have_a_bad_reputation/
  2. Klint Finley, Wired — “Out in the Open: Hackers Build a Skype That’s Not Controlled by Microsoft” (September 2014). https://www.wired.com/2014/09/tox/
  3. Sravya M, Medium — “Top 10 Team Chat Software for a Self-Hosted Environment Specifically Designed for Large Enterprises” (December 2019). https://medium.com/@sravya.m60/top-10-team-chat-software-for-a-self-hosted-environment-specifically-designed-for-large-enterprises-e154fa653651
  4. Libre Self-Hosted — “Tox project”. https://libreselfhosted.com/project/tox/
  5. Privacy Guides Community — “Which private messaging / communication app is best?” (December 2024). https://discuss.privacyguides.net/t/which-private-messaging-communication-app-is-best/23335
