9 Security Modes
Every message and attachment you send through City of Hats can be wrapped in one of nine security modes — granular controls that dictate exactly how content is viewed, verified, and destroyed.
Security Modes in Action
When sending images or file attachments, choose from 9 security modes to control exactly how your content is accessed.
Choose Your Mode
Each mode adds a distinct layer of protection. Tap any mode below to learn how it works and when to use it.
View Once
View Once turns every message into a self-destructing capsule. The recipient gets exactly one viewing — once they close the content, it is permanently erased from our servers and their device. There is no cache, no thumbnail, and no recovery path. The sender receives a confirmation that the message was viewed and destroyed. Combined with screenshot protection, View Once is the closest digital equivalent to a whispered conversation.
A lawyer shares a privileged settlement figure with opposing counsel. The number is seen once, absorbed, and gone — no screenshots, no forwarding, no paper trail.
Recall
Recall gives the sender a permanent undo button. Even after a message has been delivered and read, you can pull it back. The content is removed from the recipient's device and our servers instantly. Unlike email recall (which is just a polite request), City of Hats Recall is server-enforced — the content is cryptographically shredded. Works on text, images, files, and voice messages.
A CEO accidentally sends a board-confidential revenue forecast to the wrong group chat. One tap, and the message is erased everywhere before anyone takes a second look.
Sealed File
Sealed File wraps your attachment in a PIN-protected vault. The recipient receives a notification that a sealed file is waiting, but cannot view its contents until they enter the correct PIN. You share the PIN through a separate channel — a phone call, an in-person meeting, or another message. This two-factor approach ensures that intercepting the message alone is not enough to access the content.
An accountant sends tax documents to a client through City of Hats, then calls the client and verbally gives them the 6-digit PIN to unlock the files.
Unlock Content
Unlock Content places a payment gate on any file or image you share. The recipient must pay a fee set by the sender before the content is decrypted and revealed. Payments are processed securely, and the sender receives a notification when the content is purchased. This mode is designed for creators, consultants, and anyone who wants to monetize their digital content directly through a conversation.
A freelance photographer sends a client the full-resolution image set from a shoot, locked behind a payment gate. The client previews blurred thumbnails and pays to unlock the originals.
Verified Eyes Only
Verified Eyes Only requires the recipient to pass a real-time biometric face liveness check before the message content is decrypted. This is not a simple face-unlock — the system verifies the recipient is physically present, alive, and matches their registered identity. The check runs entirely on-device: no biometric data is transmitted or stored on our servers. This ensures that only the intended human being can read the message.
A hospital sends a patient's test results through City of Hats. The patient must verify their face with a live selfie before the medical report decrypts on their screen.
GeoLock
GeoLock ties message access to a specific physical location. The sender defines a GPS coordinate and radius — the recipient can only decrypt and view the content when their device confirms they are within the approved zone. Leave the zone, and the content locks again. GeoLock is enforced at the application level with server verification, preventing GPS spoofing through multiple validation layers.
A defense contractor shares classified blueprints that can only be viewed inside their secure facility. If an employee tries to open the file from home, it remains encrypted.
Voice Lock
Voice Lock requires the recipient to speak a specific passphrase that matches a voice signature registered during setup. The speech recognition runs entirely on-device using a neural model — no audio leaves the phone. The system checks both what is said and how it is said, creating a voice biometric gate that is extremely difficult to bypass with recordings or synthetic speech.
A family sets up a shared emergency plan. Critical documents are Voice-Locked so that only a family member speaking the agreed passphrase can access them — not a thief who stole the phone.
Hold to Reveal
Hold to Reveal requires the recipient to maintain continuous physical contact with their screen to view the message content. The moment they lift their finger, the content is instantly hidden behind an overlay. This prevents over-the-shoulder reading, casual screenshots, and screen recording. The content is only visible for as long as the recipient is actively pressing the screen.
An executive reads a confidential merger proposal on a crowded train. The document is only visible while their thumb presses the screen — glancing away or lifting their finger instantly hides the content from nearby eyes.
Certified Send
Certified Send opens the message in a tamper-proof Protected Viewer and generates a cryptographic receipt proving exactly who opened the content, on which device, at what time, and from what location. This receipt is signed and immutable — it can be used as evidence in legal or compliance contexts. The sender receives the receipt automatically, creating an auditable chain of custody for sensitive communications.
A compliance officer sends a regulatory disclosure to a trader. The Certified Send receipt proves the trader opened and read the disclosure at 9:02 AM on March 15 — creating an irrefutable audit trail.
Mode Comparison
See how each security mode differs in terms of who controls it, what content types it supports, and what authentication is required.
| Mode | Controlled by | Reversible | Works with | Authentication |
|---|---|---|---|---|
| View Once | Sender | ✗ No | Text, Files, Images | None |
| Recall | Sender | ✓ Yes | Text, Files, Images | None |
| Sealed File | Sender | ✗ No | Files, Images | PIN code |
| Unlock Content | Sender | ✗ No | Files, Images | Payment |
| Verified Eyes Only | Recipient | ✗ No | Text, Files, Images | Face liveness |
| GeoLock | Sender | ✗ No | Text, Files | GPS location |
| Voice Lock | Recipient | ✗ No | Text, Files | Voice match |
| Hold to Reveal | Recipient | ✗ No | Text, Files, Images | Continuous touch |
| Certified Send | Sender | ✗ No | Text, Files | Crypto signature |
Try Security Modes
Download City of Hats and send your first secured message with any of the 9 modes — free on Android, iOS, and Web.
Get the App