Short answers, no hedging. If a question isn't here, the security page goes deeper.
An end-to-end encrypted messenger for Windows and Linux. Your keys are generated on your device and sealed in its keychain; the server only ever routes encrypted bytes it cannot read. No phone number or email is required. It is built for small circles first, and it tells you exactly what works and what doesn't on the status section.
Yes — downloading and using Mercury costs nothing. The source code is source-available under the PolyForm Noncommercial 1.0.0 license (commercial use requires a separate license), and the Helix policy/validator layer that backs Mercury's security decisions is fully open source at github.com/Questeria/helix.
No — and not because we promise not to. Messages are encrypted on your device before they touch the network, and the relay holds no key material, so there is no decrypt path on our side. The same is true for anyone who might seize, subpoena, or hack the relay: they'd get opaque ciphertext. What the relay does see is routing metadata (account ids, timestamps, ciphertext sizes) — spelled out on the privacy page.
Today: Windows 10/11 (signed installer, auto-update) and Linux as a .deb (unsigned — verify the SHA-256; update by re-download). An AppImage is built in CI and ships once a large-file host is set up.
Not yet: macOS (awaits an Apple signing certificate) and iOS/Android (on the roadmap). We won't pretend otherwise.
Your identity is a cryptographic account id — the hash of your identity key, so it's self-authenticating. Nothing about your real-world identity (phone, email, name) is required to message. You share it conveniently via a pairing code (short-lived, single-use), a username (backed by a key-transparency log), or an invite link.
None of those change the trust model: the safety number you compare with your contact over a channel you already trust is what proves there's no one in the middle.
Messages arrive in real time while Mercury is running — including minimized to the system tray (closing the window keeps it running; turn on "start at login" to receive automatically). If the process is fully quit, messages wait — still encrypted — in the relay's queue until your next launch. There is no OS push for a quit app yet; it's on the roadmap.
On Windows, Mercury checks a signed update manifest on launch and periodically. When a newer signed build exists, it shows an install prompt — one click downloads, applies, and restarts. It never installs silently. On Linux, re-download the .deb from this site. You can always verify any download against its published .sha256 — see how to verify.
Mercury is built so an AI can only ever participate the way a person does: visibly, by explicit invitation, end-to-end encrypted, with scoped permissions — and you can block it like anyone else. There is no hidden plaintext side-channel for AI, full stop. In-app AI assistant features are still on the roadmap, and when they ship they run behind exactly these gates.
Yes. The app ships pointed at our hosted relay (relay.mercury-messaging.com), which only routes opaque ciphertext — but you can stand up your own relay with one Docker command and point Mercury at it. Since the relay holds no keys either way, using ours is a convenience, not a trust decision.
Not yet — and we say so out loud. The cryptographic primitives come from reviewed libraries, and security decisions are mirrored into an open-source deterministic validator (Helix) cross-checked in CI. But until an independent third-party audit exists, this site will not use the word "audited". When it happens, you'll see the report.
Linux: sha256sum -c Mercury-Linux-amd64.deb.sha256 — expect OK.
Windows: Get-FileHash in PowerShell, compare to the published .sha256, and check the Authenticode signature under file Properties → Digital Signatures. Full instructions on the security page.
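A stricter form of the Linux check above, as an added example that is not part of Mercury's site or tooling: besides comparing the digest, it requires the checksum file to hold a single well-formed entry that names the file being verified. It assumes the published .sha256 uses sha256sum's "<hash>  <name>" layout; verify_download and demo_cases are hypothetical names, and the sample file is constructed.

```shell
#!/bin/sh
# Added example, not Mercury's own tooling. Verifies FILE against SUMFILE.
# Assumption: SUMFILE uses sha256sum's "<hash>  <name>" layout.
# Exit status: 0 = match, 1 = hash mismatch, 2 = missing or malformed input.
verify_download() {
    local file="$1" sumfile="$2" expected name actual
    [ -f "$file" ] && [ -f "$sumfile" ] || { echo "missing input" >&2; return 2; }
    # Require exactly one non-empty line, so no extra entry rides along.
    [ "$(grep -c . "$sumfile")" -eq 1 ] || { echo "expected one entry" >&2; return 2; }
    read -r expected name < "$sumfile" || true   # tolerate a missing final newline
    name="${name#\*}"                            # drop the binary-mode marker
    printf '%s' "$expected" | grep -Eq '^[0-9a-fA-F]{64}$' \
        || { echo "not a SHA-256 digest" >&2; return 2; }
    # The entry must name the file about to be installed, not some other file.
    [ "$name" = "$(basename -- "$file")" ] \
        || { echo "entry names '$name', not this file" >&2; return 2; }
    expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
    actual=$(sha256sum -- "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ] || { echo "HASH MISMATCH: do not install" >&2; return 1; }
    echo "OK: $name"
}

# Constructed sample: a stand-in file named like the download, in a temp dir.
# Prints the exit codes for: good checksum, wrong file name, tampered file.
demo_cases() {
    local dir deb r1 r2 r3
    dir=$(mktemp -d) || return 1
    deb="$dir/Mercury-Linux-amd64.deb"
    printf 'constructed sample bytes\n' > "$deb"
    (cd "$dir" && sha256sum Mercury-Linux-amd64.deb > good.sha256)
    sed 's/Mercury-Linux-amd64.deb/other.deb/' "$dir/good.sha256" > "$dir/renamed.sha256"
    verify_download "$deb" "$dir/good.sha256"    >/dev/null 2>&1 && r1=0 || r1=$?
    verify_download "$deb" "$dir/renamed.sha256" >/dev/null 2>&1 && r2=0 || r2=$?
    printf 'tampered\n' >> "$deb"
    verify_download "$deb" "$dir/good.sha256"    >/dev/null 2>&1 && r3=0 || r3=$?
    rm -rf "$dir"
    echo "$r1 $r2 $r3"
}

demo_cases   # prints "0 2 1"
```

A matching digest only shows the file is the one the checksum describes; on Linux, where the .deb is unsigned, fetch the .sha256 from the official site over HTTPS rather than from wherever the .deb came from.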