Platytalk help

Microsoft sign-in, MFA, key management, day-to-day chat, multi-device, troubleshooting, and security model — everything you need to use Platytalk safely.

The 7-step secure-account walkthrough

Do this once, before you sign in to Platytalk.

01. Get a free Microsoft account

If you don't already have one, sign up at signup.live.com. It costs nothing — you can use any email address you control (Gmail, Proton, your own domain). Pick a long, unique password or have your password manager generate a 24-character random one.

02. Turn on two-step verification with Microsoft Authenticator

Install Microsoft Authenticator on your phone. Sign in to account.microsoft.com/security, click Advanced security options → Add a new way to sign in or verify → Use an app, and scan the QR code with Authenticator. Confirm the test prompt and enable Two-step verification.

03. Set Authenticator as your primary sign-in method

On the same security page, choose Change verification options and put Microsoft Authenticator at the top of the list. Every sign-in (including Platytalk) will then push a notification to your phone. SMS and email codes become a fallback only.

04. Add a recovery method you trust

Add a recovery email or phone number that you alone control. Print or save the one-time recovery code somewhere safe (password manager, sealed envelope). Without it, losing your authenticator phone can lock you out of Platytalk forever.

05. Lock down sign-in surfaces

Review Sign-in activity and sign out of any session you don't recognize. Remove unused App passwords. Turn on Passwordless account if your phone supports it — your password becomes optional and Authenticator becomes the primary credential.

06. Bring your device into a known-good state

Patch your OS. Run PlatypusTools' System Hardening view at least once. On Windows, enable BitLocker on the drive that holds %APPDATA%\PlatypusTools\Platytalk\ — that's where your private keys live.

07. Sign in to Platytalk

Open the web client or PlatypusTools → Platytalk and click 🔑 Sign in with Microsoft. Approve the Authenticator push. The browser tab says "Signed in" and Platytalk flips to the chat UI with your handle in the right rail.

Why Microsoft sign-in?

Phone numbers leak your real-world identity, are easily SIM-swapped, and are expensive to verify. Microsoft accounts are free, support phishing-resistant MFA out of the box, and let you rotate the underlying email without rotating your Platytalk handle. Platytalk never sees your password, only a signed assertion of who you are.

Day-to-day use

Adding a contact

Type the contact's Platytalk handle (e.g. quiet-otter-h7k2c) into the add by handle field and click + Add. The relay returns the contact's public identity key. Compare the 60-character safety number in person or over a trusted channel — when both match, you have an authenticated end-to-end channel.

Starting a chat

Select a contact and click Open chat. Each message uses a fresh ephemeral ECDH share so even if one message key leaks, prior and future messages stay private (forward secrecy).

Groups

Type a group title and click Group on the desktop app. Each recipient gets an individually encrypted copy of every message — no group key the server can reuse.

Disappearing messages

Click Disappearing in the chat header to toggle a 24-hour TTL. Both sides purge messages locally after that window. Regardless of this setting, the relay always deletes a message once it is acknowledged.

Delete everywhere

Click the small Delete everywhere badge on any message you sent. The app sends a tombstone to all recipients; their clients remove the message from view and storage on receipt.

Multi-device & key rotation

Each device generates its own keypair. To rotate, click Wipe local data and sign back in — new keys are uploaded; contacts will see a safety number changed badge until they re-verify. Lost a device? Sign out at account.microsoft.com/security, then on a remaining device sign back in to overwrite the public keys.

Account / data wipe

Wipe local data removes the local SQLite store, key files, and JWT. Delete my Platytalk account calls DELETE /v1/me on the relay and cascades to your contacts, groups, prekeys, and pending messages. Your Microsoft account is not affected — sign out of Microsoft separately if you also want that gone.

Troubleshooting

"Could not bind any loopback port"

Some other app is using ports 53682 – 53685. Close VPN clients, other OAuth-using apps (gh CLI, Azure CLI), or restart the machine.

"Sign-in returned error: invalid_client"

The relay's Microsoft credentials are wrong or expired. Email platytalk@platysoft.com. (Self-hosters: rotate the secret in the Azure Portal and update PLATYTALK_MS_CLIENT_SECRET.)

"Contact has no key"

The contact has signed up but has not yet completed the /v1/keys/identity upload. Ask them to open Platytalk once on a device that's online.

Browser opens but never returns to the desktop app

Your firewall is blocking inbound connections on localhost. Allow PlatypusTools.UI.exe through Windows Defender Firewall (Private network), or use the web client.

"Safety number changed" warning

The contact rotated keys (new device, wiped data, or — worst case — account takeover). Do not send sensitive messages until you re-verify the safety number out-of-band.

Lost access to your Microsoft account

If you lose Authenticator and your recovery codes, you cannot get back in. Microsoft account recovery can take 30 days and is not guaranteed. Your Platytalk identity is gone with it; create a new account and ask contacts to re-add you.

Security model FAQ

What does the Platytalk relay actually see?

Routing metadata — your Platytalk userId, recipient userIds, message size, timestamp, and the ciphertext blob. It never sees plaintext, and it never holds your private keys.

What crypto is used?

P-256 ECDH for key agreement, AES-256-GCM for encryption, HKDF-SHA256 for key derivation, Ed25519 (or P-256 ECDSA on the web) for signatures. Each message uses a fresh ephemeral DH share; the AAD binds the ciphertext to ${conversationId}|${messageId}.
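
The construction described above, as an added Node.js example that is not Platytalk's own code: it shows why binding the AAD to the conversation and message IDs makes a ciphertext fail authentication when it is presented under a different messageId. The HKDF salt and info label, the message field names, and the use of a single recipient P-256 key are assumptions made for illustration.

```javascript
// Added example, not Platytalk source: ephemeral P-256 ECDH, HKDF-SHA256, AES-256-GCM.
const nodeCrypto = require('node:crypto');
// Assumptions: HKDF salt/info and the message field layout are not given on the page.
const HKDF_SALT = Buffer.alloc(0);
const HKDF_INFO = Buffer.from('example-message-key');

function deriveKey(ecdh, peerPublicKey) {
  const shared = ecdh.computeSecret(peerPublicKey);
  return Buffer.from(nodeCrypto.hkdfSync('sha256', shared, HKDF_SALT, HKDF_INFO, 32));
}
// AAD format taken from the page: ${conversationId}|${messageId}
const aadFor = (conversationId, messageId) => Buffer.from(`${conversationId}|${messageId}`);

function encryptMessage(recipientPublicKey, conversationId, messageId, plaintext) {
  const eph = nodeCrypto.createECDH('prime256v1'); // fresh DH share for every message
  const ephemeralPublicKey = eph.generateKeys();
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(eph, recipientPublicKey), iv);
  cipher.setAAD(aadFor(conversationId, messageId));
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { ephemeralPublicKey, iv, ciphertext, tag: cipher.getAuthTag() };
}

function decryptMessage(recipientEcdh, conversationId, messageId, msg) {
  const key = deriveKey(recipientEcdh, msg.ephemeralPublicKey);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, msg.iv);
  decipher.setAAD(aadFor(conversationId, messageId));
  decipher.setAuthTag(msg.tag);
  // final() throws if the tag does not match the key, ciphertext and AAD.
  return Buffer.concat([decipher.update(msg.ciphertext), decipher.final()]).toString('utf8');
}

// True when decryption fails (wrong AAD, modified ciphertext, or wrong key).
function isRejected(recipientEcdh, conversationId, messageId, msg) {
  try { decryptMessage(recipientEcdh, conversationId, messageId, msg); return false; }
  catch { return true; }
}

// Constructed demo values; "bob" is a hypothetical recipient.
function demo() {
  const bob = nodeCrypto.createECDH('prime256v1');
  const bobPublicKey = bob.generateKeys();
  const m1 = encryptMessage(bobPublicKey, 'conv-1', 'msg-1', 'hello');
  const m2 = encryptMessage(bobPublicKey, 'conv-1', 'msg-2', 'hello');
  return {
    roundTrip: decryptMessage(bob, 'conv-1', 'msg-1', m1),
    relabelRejected: isRejected(bob, 'conv-1', 'msg-2', m1),
    freshShares: !m1.ephemeralPublicKey.equals(m2.ephemeralPublicKey),
  };
}
```

A client that stores or forwards messages has to pass the same conversationId and messageId to decryption that the sender used, otherwise valid messages are rejected as well.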

Who controls the relay?

The PlatypusTools project. Source for every relay endpoint is in platytalk/{db,auth,routes,ws}.js so you can audit it. You can also self-host: set PLATYTALK_MS_CLIENT_ID, PLATYTALK_MS_CLIENT_SECRET, PLATYTALK_REDIRECT_URI, and PLATYTALK_JWT_SECRET to your own values and point the clients at your domain.

Is this audited?

Not yet by a third party. The crypto primitives are standard and the code is small. If you're relying on Platytalk for high-stakes communication, treat it as alpha-grade and prefer Signal Desktop until a formal audit lands.