X is widening access to XChat, its end-to-end encrypted direct messaging feature, moving it beyond a limited beta and into more users’ hands, including those who aren’t paying for X Premium. The secure inbox lives alongside the existing DM system and is designed for private, media-rich chats that stay locked to participating devices.
What’s new and what’s included
XChat runs as a separate, opt-in inbox with end-to-end encryption, meaning messages are encrypted on the sender’s device and can only be decrypted by the recipient’s device. The feature supports media uploads, group chats, pinned messages, and read/unread controls. An ephemeral “vanishing” mode has been rumored, signaling the company’s intent to match privacy features found on other secure messengers.
Crucially, XChat is not replacing the longstanding DM system. Traditional messages continue to appear under an “unencrypted” tab, while encrypted conversations sit in their own space. That separation minimizes confusion for users and clarifies which messages are protected end-to-end.
How to find XChat and get started
Users who are part of the broader rollout will see XChat in the Messages area on desktop—look for a “Chat” option above Message Requests. On mobile, “Chat” appears in the left navigation bar above Communities. Because the system is opt-in, you’ll only be able to start encrypted threads with people who have enabled it as well.
Before sending your first encrypted message, X prompts you to set a four-digit code that protects access to the encrypted inbox. It’s similar to local passcodes on apps like Signal and adds a basic layer of protection if someone gains physical access to your device. For best security, pairing that code with strong device-level biometrics or a longer device passcode is recommended by digital safety groups.
Security expectations and open questions
As with any end-to-end encrypted rollout, technical details matter. Security practitioners typically look for characteristics such as forward secrecy, robust group key management, resistance to SIM-swap or device-clone attacks, and clear, user-friendly ways to verify contact keys to prevent man-in-the-middle interception. The Electronic Frontier Foundation and academic labs like Citizen Lab regularly encourage platforms to document cryptographic design, threat models, and how multi-device sync and backups are handled.
Another area to watch is key verification. Competing services offer different approaches: Signal uses safety numbers, Apple added iMessage Contact Key Verification for high-risk users, and WhatsApp implements transparent key changes with alerts. If XChat adds a simple, reliable verification workflow—especially for group chats—it would meaningfully strengthen user trust.
How XChat compares to rivals
Signal remains the reference point for open, audited end-to-end encryption and minimal metadata collection. WhatsApp provides default end-to-end encryption for personal and group chats to a global audience it says exceeds two billion users, and it has layered in account protections like device verification to counter malware and account takeovers. Apple’s iMessage is end-to-end encrypted by default within Apple’s ecosystem and offers additional protections for targeted users.
Telegram’s approach differs: standard chats are cloud-based and not end-to-end encrypted by default, while “Secret Chats” enable end-to-end encryption on a per-thread basis and historically have not supported full-featured groups. XChat’s choice to separate encrypted and unencrypted inboxes—plus early support for group chats and rich media—positions it closer to WhatsApp and iMessage in everyday usability, with Signal as the gold standard for transparency and security posture.
Privacy gains and moderation trade-offs
End-to-end encryption protects the content of messages from platform providers, network operators, and intruders. It is especially valuable for journalists, activists, and communities at risk, a point long emphasized by civil society groups. At the same time, encrypted messaging can complicate platform safety work by limiting server-side scanning for spam or known abuse material. Organizations like the National Center for Missing & Exploited Children have raised concerns about the impact on detection workflows, while privacy advocates argue that strong encryption is essential and that safety should rely on client-side tools, metadata limits, and robust reporting mechanisms.
Regulators in multiple regions continue to debate how child-safety mandates intersect with encryption. Platforms have responded by investing in user reporting flows, rate-limiting, behavioral signals, and optional client-side safety features that do not break end-to-end encryption. How X balances these pressures—and how transparently it communicates the trade-offs—will shape confidence in XChat.
Why this rollout matters for X
Expanding XChat beyond a small beta signals that encrypted conversations are becoming a first-class feature on the platform, not a premium-only perk. If adoption grows, X could see more sensitive or high-value interactions move on-platform rather than spilling to external apps. That, in turn, raises the bar on reliability across devices, secure backups, and clear recovery paths when users lose phones—areas where mature messengers have learned hard lessons.
For now, the broader release is a pragmatic step: users get a dedicated encrypted inbox with familiar chat features, and X keeps legacy DMs intact for everyone else. The next phase will hinge on transparency about the cryptography, thoughtful safety design, and whether X can make encrypted messaging feel seamless enough that it becomes the default way its community communicates.