OpenCirkle Core is the foundation for a secure, self-hostable chat platform inspired by Discord. The project is split into a TypeScript/Fastify backend and a Vite/React frontend with real-time communication powered by Socket.IO. Passwords are hashed with Argon2, messages are encrypted at rest with AES-256-GCM, and JWT-based session handling keeps authentication stateless yet revocable.
- User registration and login with email verification-ready workflows
- JWT access/refresh token pair with rotatable refresh sessions stored in Postgres
- Server (guild) creation with member roles and invite codes
- Channel management with per-server text channels
- Direct message conversations with inbox previews and real-time delivery
- Real-time chat over Socket.IO with encrypted message storage
- Comprehensive input validation with Zod and rate limiting via Fastify
- Shared type definitions between API and client for safer integration
- Node.js 20+
- pnpm 9+ (recommended) or npm 9+
- Docker (for Postgres via docker-compose)
```bash
# start the database
docker compose up -d
# install dependencies across the monorepo
pnpm install --recursive
# apply database schema and generate Prisma client
# (pnpm's -C option must come before the command, otherwise it is passed on to prisma)
pnpm -C backend prisma migrate dev
pnpm -C backend prisma generate
# launch backend and frontend together from the repo root
pnpm dev
```

The dev script starts Fastify on http://localhost:4000 and Vite on http://localhost:5173 (or the next free port). Update the .env files if you need different hostnames or ports.
Signed-in users can jump to /app/dms to access personal conversations. The inbox shows unread indicators, the ability to start new conversations with any user, and live updates when messages arrive over Socket.IO. The frontend relies on the /api/dms and /api/users endpoints that ship with the backend.
Copy the provided .env.example files to .env in the backend and frontend folders. Never commit actual secret values.
```
backend/     Fastify + Prisma API and Socket.IO gateway
frontend/    Vite + React client
packages/
  shared/    Shared types and validation schemas
```
- All secrets must be kept out of source control. Rotation is supported for JWT refresh tokens and message encryption keys.
- Run production traffic behind HTTPS (e.g., Caddy, Nginx, or a cloud load balancer).
- Tailor rate limits, CORS policy, and session durations to your deployment requirements.
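
Added example, not OpenCirkle's own code: one way AES-256-GCM message storage with rotatable keys can be structured using Node's built-in crypto module. The keyring, key ids, record layout, function names and the use of a channel id as associated data are assumptions made for illustration.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Hypothetical keyring: key id -> 32-byte AES-256 key. Constructed sample keys;
// a real deployment would load them from the environment or a secret manager.
const keyring = new Map<string, Buffer>([
  ["k1", randomBytes(32)], // retired key, kept only to read old rows
  ["k2", randomBytes(32)], // current key, used for all new writes
]);
const CURRENT_KEY_ID = "k2";

// Hypothetical stored form: "<keyId>.<iv>.<tag>.<ciphertext>", base64url fields.
function encryptMessage(plaintext: string, aad: string, keyId: string = CURRENT_KEY_ID): string {
  const key = keyring.get(keyId);
  if (!key) throw new Error(`unknown key id: ${keyId}`);
  const iv = randomBytes(12); // fresh 96-bit nonce per message; never reuse with the same key
  const cipher = createCipheriv("aes-256-gcm", key, iv, { authTagLength: 16 });
  cipher.setAAD(Buffer.from(aad, "utf8")); // binds the ciphertext to its row (here: a channel id)
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  const fields = [iv, cipher.getAuthTag(), ct].map((b) => b.toString("base64url"));
  return [keyId, ...fields].join(".");
}

function decryptMessage(stored: string, aad: string): string {
  const [keyId, iv, tag, ct] = stored.split(".");
  if (!keyId || !iv || !tag || ct === undefined) throw new Error("malformed record");
  const key = keyring.get(keyId);
  if (!key) throw new Error(`unknown key id: ${keyId}`);
  const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(iv, "base64url"), { authTagLength: 16 });
  decipher.setAAD(Buffer.from(aad, "utf8"));
  decipher.setAuthTag(Buffer.from(tag, "base64url"));
  // final() throws if the key, associated data, tag or ciphertext does not match
  const pt = Buffer.concat([decipher.update(Buffer.from(ct, "base64url")), decipher.final()]);
  return pt.toString("utf8");
}

// Rotation step: re-encrypt a row written under an old key with the current one.
function rotateRecord(stored: string, aad: string): string {
  if (stored.startsWith(CURRENT_KEY_ID + ".")) return stored; // already current
  return encryptMessage(decryptMessage(stored, aad), aad);
}
```

Storing the key id next to each ciphertext lets old rows stay readable while a background job calls `rotateRecord` on them; the retired key can be dropped from the keyring once no row references it.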
Please open issues or pull requests to suggest improvements. The roadmap includes voice channels, granular permissions, audit logs, and federation support.