Help Center

Find answers to common questions about City of Hats, secure messaging, and your account.

General

What is City of Hats?

City of Hats is a privacy-first secure messaging platform. Every user communicates through disposable or permanent "Hat" identities — private aliases that protect your real identity. Messages are end-to-end secure, and disposable hats auto-expire after 24 hours by default.

How is it different from other messengers?

Unlike conventional messengers tied to your phone number or email, City of Hats lets you create throwaway identities (hats) for each conversation. There are no contact lists, no phone number requirements for basic use, and no way for us to read your messages. Think of it as secure, private communication by design.

Do I need an account to use City of Hats?

No. You can start a secure channel immediately with a disposable hat — no sign-up required. Creating an account unlocks additional features like Resident Hats, higher limits, and persistent identity across devices.

Hats & Identity

What is a Hat?

A Hat is your private identity on City of Hats. Each hat has a unique HAT-ID (like HAT-ABCDEF) that others can use to reach you. Disposable hats expire after 24 hours. Premium Resident Hats are permanent and let you choose your own HAT-ID.

What is a Resident Hat?

A Resident Hat is a permanent identity. You choose your own custom HAT-ID and it never expires. Your first Resident Hat is free when you create an account. Additional Resident Hats can be purchased for a one-time fee. Your identity persists across devices and can be recovered if you lose access.

Do hats expire?

Free disposable hats auto-expire after 24 hours. Premium users can extend hat duration up to 30 days. Resident Hats never expire — your first one is free when you create an account.

What does "Remove This Hat" do?

Removing a hat immediately ends your session and removes the hat from your device. The HAT-ID remains on the server until its natural expiry, but you can no longer send or receive messages with it.

Channels & Messaging

How do I start a secure channel?

Enter a friend's HAT-ID in the input row on the Channels page and tap Start. You can also open the Contact Book (star icon) to quickly reconnect with a bookmarked or recent contact — just tap their name to create a channel instantly.

Are messages end-to-end secure?

Yes. All channel messages use end-to-end security with X25519 key exchange, AES-256-GCM, and double-ratchet forward secrecy. We cannot read your messages — the keys exist only on your devices.

What is the Contact Book?

The Contact Book is a full-screen address book with three tabs: Favorites (bookmarked contacts), Recents (sorted by last message), and All Contacts (every hat you've interacted with). Tap any contact to instantly open a secure channel. You can also search, edit nicknames, and bookmark contacts.

What does "Remove All Channels" do?

The Remove All button at the bottom of your channel list lets you delete multiple channels at once. You can choose to remove only incoming disposable hat channels or all channels. This is useful for a quick cleanup when you want to start fresh.

What happens to messages when a hat expires?

When a disposable hat expires, all associated channels and messages are permanently deleted from our servers. There is no way to recover them.

Dead Drops & Sealed Tips

What is a Dead Drop?

A Dead Drop is a secure, one-time message package. You compose a message, receive a unique retrieval code, and share that code with the recipient through any channel. The drop can only be retrieved once and is deleted after retrieval.

What is a Sealed Tip?

Sealed Tips let you receive private secure messages through an Intake Hat. Share your intake link publicly — anyone can send you a tip without revealing their identity. Useful for journalists and private feedback.

How do Intake Hats work?

An Intake Hat is a special hat designed to receive Sealed Tips. You create one from the My Hats page, get a public intake link, and anyone with the link can send you secure tips. Tips appear in your inbox — the sender remains private.

GhostFrame

What is GhostFrame?

GhostFrame lets you embed a secure message inside any ordinary image. The image looks completely normal to anyone who sees it, but any City of Hats user can import the image and retrieve the message.

How does GhostFrame work?

When you create a GhostFrame, your message is secured with AES-256-GCM and stored on our server. A small token (retrieval code + key) is embedded into the image pixels. The modified image is exported as PNG so the token survives intact.

Can anyone detect a GhostFrame image?

The embedded token alters only the least-significant bits of a few hundred pixels — the visual change is imperceptible to the human eye. To external observers, it is just a regular picture.

Does GhostFrame work if I share via WhatsApp or Instagram?

Platforms that recompress images (WhatsApp, Instagram, Facebook) may strip the embedded token. For best results, share the image as a file — via email, AirDrop, cloud storage, or any file-sharing service. The "Share as file" option in most messaging apps also works.
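
The following sketch is an added example, not City of Hats code. It shows why a token carried in least-significant bits survives a lossless PNG export but not recompression. The framing (marker, length, CRC32), the sample pixels and all function names are assumptions made for illustration.

```python
import struct
import zlib

MAGIC = b"GF"  # constructed framing marker, not the product's real format
COVER = bytes((i * 37) % 251 for i in range(1200))  # constructed 20x20 RGB pixels


def embed(pixels: bytes, token: bytes) -> bytes:
    """Write MAGIC | length | token | CRC32 into the LSB of each channel byte."""
    frame = MAGIC + struct.pack(">H", len(token)) + token
    frame += struct.pack(">I", zlib.crc32(frame))
    bits = [(byte >> (7 - i)) & 1 for byte in frame for i in range(8)]
    if len(bits) > len(pixels):
        raise ValueError("image too small for token")
    out = bytearray(pixels)
    for pos, bit in enumerate(bits):
        out[pos] = (out[pos] & 0xFE) | bit
    return bytes(out)


def _read(pixels: bytes, nbytes: int) -> bytes:
    """Rebuild nbytes from the first nbytes * 8 least-significant bits."""
    out = bytearray()
    for b in range(nbytes):
        byte = 0
        for i in range(8):
            byte = (byte << 1) | (pixels[b * 8 + i] & 1)
        out.append(byte)
    return bytes(out)


def extract(pixels: bytes):
    """Return the token, or None when framing or checksum does not verify."""
    if len(pixels) < 64:
        return None
    header = _read(pixels, 4)
    total = 4 + struct.unpack(">H", header[2:])[0] + 4
    if header[:2] != MAGIC or total * 8 > len(pixels):
        return None
    frame = _read(pixels, total)
    ok = zlib.crc32(frame[:-4]) == struct.unpack(">I", frame[-4:])[0]
    return frame[4:-4] if ok else None


def lossy_reencode(pixels: bytes, step: int = 4) -> bytes:
    """Crude stand-in for recompression: quantise every channel value."""
    return bytes(min(255, round(p / step) * step) for p in pixels)
```

The checksum is what lets an importer report "no token found" instead of returning corrupted key material after an image has been recompressed.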

What lifecycle options does GhostFrame support?

The same options as Dead Drops: delete after viewing, limited read count, auto-delete timer, and time-lock (the message unlocks only after a specific date and time). These are configured when you create the GhostFrame.

Is GhostFrame available on the free plan?

Yes. All users can create 1 GhostFrame per day for free. Premium subscribers get unlimited GhostFrame usage with no daily cap.

EchoDrop

What is EchoDrop?

EchoDrop is a voice-passphrase-triggered secure message retrieval system. You create a message, set a passphrase, and share only the passphrase with your recipient. They speak or type it into City of Hats to retrieve and read the message.

How does EchoDrop work?

When you create an EchoDrop, your message is secured client-side with AES-256-GCM using a key derived from your passphrase via PBKDF2 (600,000 iterations). Only a hash of the passphrase is stored on the server for matching — the actual passphrase and key never leave your device.
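
The sketch below is an added example, not City of Hats code. It shows one way to keep the server-side matching hash and the encryption key in separate PBKDF2 domains, and to normalise spoken and typed input to the same bytes. The salt and label values, the normalisation rules, the function names and the guessing rate are assumptions; only the 600,000 iteration count comes from the page.

```python
import hashlib
import unicodedata

ITERATIONS = 600_000                  # PBKDF2 iteration count stated on the page
LOOKUP_SALT = b"example-lookup-v1"    # assumption: fixed public salt for matching
KEY_LABEL = b"example-msgkey-v1"      # assumption: label separating the key domain


def normalize(passphrase: str) -> bytes:
    """Canonicalise input so a spoken and a typed passphrase give equal bytes."""
    text = unicodedata.normalize("NFKC", passphrase).casefold()
    words = "".join(ch if ch.isalnum() else " " for ch in text).split()
    return " ".join(words).encode("utf-8")


def lookup_tag(passphrase: str) -> str:
    """Server-side matching value. It must be deterministic, because the
    recipient arrives holding nothing except the passphrase."""
    return hashlib.pbkdf2_hmac(
        "sha256", normalize(passphrase), LOOKUP_SALT, ITERATIONS).hex()


def message_key(passphrase: str, salt: bytes) -> bytes:
    """32-byte AES-256-GCM key. The per-message random salt is stored next to
    the ciphertext; the key itself is never uploaded."""
    return hashlib.pbkdf2_hmac(
        "sha256", normalize(passphrase), KEY_LABEL + salt, ITERATIONS)


def exhaust_days(wordlist_size: int, words: int, guesses_per_second: float) -> float:
    """Days to try every passphrase of this shape against a leaked tag."""
    return wordlist_size ** words / guesses_per_second / 86_400
```

Because the matching value cannot use a per-message secret salt, anyone who obtains it can test guesses offline, so the passphrase length is what carries the security: at an assumed 1,000 guesses per second, two words from a 7,776-word list are exhausted in under a day.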

Is my voice data stored anywhere?

No. Speech-to-text conversion happens entirely on your device using your browser's built-in speech recognition engine. No audio is sent to City of Hats servers. You can also type the passphrase instead of speaking it.

What if speech recognition doesn't work?

EchoDrop always includes a "Type" mode as a fallback. You can switch between voice and text input at any time. Voice is a convenience feature, not a requirement.

Security & Privacy

What security does City of Hats use?

We use X25519 for key exchange, AES-256-GCM for message protection, and a double-ratchet protocol for forward secrecy. Each message uses a unique key — compromising one message cannot reveal others.

Can City of Hats read my messages?

No. Messages are secured on your device before leaving it and can only be read by the intended recipient. We have zero knowledge of message contents. This is verifiable through the Device Crypto Proof feature.

What is Device Crypto Proof?

Device Crypto Proof is an auditable log of all security operations performed on your device — key generation, message protection, verification, and ratchet steps. You can verify the integrity of the entire chain to confirm no tampering has occurred.
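
The sketch below is an added example, not City of Hats code. It assumes the log is a SHA-256 hash chain and shows what verifying such a chain does and does not prove. The record layout, field names and functions are hypothetical.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed starting value for the first record's "prev"


def _digest(prev: str, entry: dict) -> str:
    """Hash the previous record's hash together with a canonical entry."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(bytes.fromhex(prev) + payload).hexdigest()


def append(log: list, op: str, detail: dict) -> str:
    """Add one record and return the new head hash."""
    prev = log[-1]["hash"] if log else GENESIS
    entry = {"seq": len(log), "op": op, "detail": detail}
    log.append({**entry, "prev": prev, "hash": _digest(prev, entry)})
    return log[-1]["hash"]


def verify(log: list, expected_head: str = None) -> int:
    """Return the index of the first bad record, or -1 if the chain is intact.
    A head mismatch is reported as index len(log)."""
    prev = GENESIS
    for i, rec in enumerate(log):
        entry = {"seq": rec["seq"], "op": rec["op"], "detail": rec["detail"]}
        if rec["seq"] != i or rec["prev"] != prev or rec["hash"] != _digest(prev, entry):
            return i
        prev = rec["hash"]
    if expected_head is not None and prev != expected_head:
        return len(log)
    return -1


def sample_log() -> list:
    """Constructed records; operation names follow the list given above."""
    log = []
    for op in ("key_generation", "message_protection", "verification", "ratchet_step"):
        append(log, op, {"channel": "HAT-ABCDEF"})
    return log
```

An edited record is caught by the chain alone, but a log with its newest records cut off still verifies unless the expected head hash is kept somewhere the log's writer cannot change.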

Does City of Hats support biometric lock?

Yes. On supported devices, you can enable fingerprint or face unlock to protect access to the app. This is configured automatically when biometric hardware is available on your device.

Are screenshots blocked?

On supported mobile devices, screenshot protection is enabled by default. If someone tries to capture the screen, the output will appear black — similar to banking apps. This prevents accidental or malicious screen captures of your private conversations.

Can I use City of Hats on multiple devices?

Yes. Sign in with your account on any device and your Resident Hat, keys, and contacts sync automatically. Our multi-device sync ensures your security state stays consistent across all devices without compromising forward secrecy.

Premium

What does Premium include?

Premium unlocks unlimited GhostFrame and EchoDrop usage (free users get 1/day each), the ability to purchase additional Resident Hats, recoverable identity across devices, 50 disposable hats per month, extended 30-day hat duration, unlimited dead drops, 20 concurrent channels, 5 files per drop, and early access to new privacy features.

How do I upgrade to Premium?

Tap the "City of Hats Premium" button in the left drawer or go to Settings > Available Plans. Choose yearly ($3.33/mo) or monthly ($4.99/mo) and complete checkout via Stripe.

App & Settings

Where is City of Hats available?

City of Hats is available as a web app at hats.cityofhats.com and as a native app on iOS and Android. All platforms share the same features and your account syncs seamlessly across them.

How do I share my Hat with someone?

Open the right drawer and you'll see a QR code section. Switch between Resident and Disposable tabs to show the corresponding QR code. Others can scan it with their camera to instantly connect with you. You can also tap the QR to enlarge it, or use the copy/share buttons on the hat switcher.

Can I customize notifications and haptics?

Yes. Open the right drawer and tap "Notifications & Haptics". You can toggle vibration feedback individually for each action: removing a channel, sending a message, pairing a new channel, unlocking the app, and error alerts.

How do I switch between light and dark mode?

Toggle the Light/Dark Mode switch in the right drawer. New users start with light mode by default. Your preference is saved and persists across sessions.

What are push notifications?

City of Hats delivers instant push notifications when you receive a message — even when the app is closed or in the background. Notification volume is controlled through your phone's system settings.

Account

How do I delete my account?

Open the right drawer and tap "Delete Account" at the bottom. You'll be asked to confirm by typing DELETE. This permanently removes all your data, hats, channels, and subscription info.

How do I sign in?

City of Hats supports multiple sign-in methods: username and passphrase for private accounts, or email-based sign-in which also supports social login providers. All methods are available on every platform.

Official Hat IDs

What is an Official Hat ID?

An Official Hat ID is a verified, permanent identity for businesses and organizations on City of Hats. It appears in the Official directory within the Contact Book, allowing users to discover and connect with your brand directly.

How do I apply for an Official Hat ID?

Go to the My Hats tab and tap "Apply for Official Hat ID". Fill in your organization details — name, industry category, and a brief description. Your application will be reviewed, and once approved, your hat is upgraded to Official status with a permanent badge.

What are the benefits of an Official Hat ID?

Official Hats are listed in the Official directory, display a verified badge, never expire, and can include a custom description and profile photo. They also unlock the ability to create and manage Events.

Events

What are Events?

Events let Official Hat holders create and manage gatherings — conferences, meetups, product launches, and more. Attendees can join events by entering an Event ID or scanning a QR code, and organizers can track registrations and attendance.

How do I create an Event?

Navigate to the Events tab and tap "Create Event". Add a title, description, date, location, and an optional cover image. You can set the event as public, private, or invite-only. Once created, you get a unique Event ID and QR code to share.

How do attendees join an Event?

Attendees join by entering the Event ID or scanning the Event QR code from a promotional stand, website, or shared link. Once joined, the event appears in their Events tab.

Can I export the attendee list?

Yes. As an organizer, tap "Export Attendees" on your event page to download a formatted list of all registered attendees. This is useful for analysis and planning.

Still have questions?

Our team is here to help. Reach out and we'll get back to you.

Contact Us