Feedback without friction.
A self-hosted feedback platform where anyone can submit ideas, report bugs, and vote - without creating an account. Your community speaks freely. You keep the data. Nobody gets tracked.
Philosophy
Feedback for everyone.
Accounts for no one.
Most feedback tools make people create accounts before they can say a word. EchoBoard flips that - anyone can show up and participate immediately. No email harvesting, no tracking, no dark patterns. Just a place to listen.
No barriers to entry
A browser cookie is your identity. Show up, post, vote, comment. No sign-up wall, no email, no password.
Your server, your data
Self-hosted means your feedback data never leaves your infrastructure. No third-party analytics, no cloud dependency.
Privacy by architecture
No email column in the database. Display names encrypted at rest. Lookups via blind indexes. Privacy isn't a feature - it's the foundation.
Truly free forever
CC0 licensed. No premium tier, no vendor lock-in, no strings. Fork it, modify it, run it forever.
Pick your level of commitment.
No one should be forced to create an account to share an idea. EchoBoard offers a spectrum - participate anonymously, or gradually opt into persistence. Your choice, every step of the way.
Just show up
A random token in a browser cookie. Immediate participation. No sign-up, no email, no nothing.
Default for everyone
Recovery phrase
A six-word phrase that lets you get back to your posts if you clear cookies or switch browsers. Hashed with bcrypt, expires in 90 days.
Optional persistence
Passkey
WebAuthn-based biometric or device PIN. Private key stays on your device. The server only stores a public key. No password to steal.
Full persistence
Show up and be heard.
Post, vote, discuss.
Submit feature requests and bug reports with structured templates. Vote with configurable budgets. Comment with markdown, @mentions, emoji reactions, and file attachments.
Find what matters.
Full-text search across all boards. Similar post detection prevents duplicates before you submit.
Stay in the loop.
Push notifications when your post's status changes. RSS feeds per board. Subscribe to specific threads.
Built for everyone.
WCAG 2.2 AAA. Full keyboard navigation, screen readers, 7:1 contrast, 44px touch targets, reduced motion support. Dark and light themes that follow your system preference.
Run the show. Your way.
Roadmap and changelog.
Kanban-style roadmap with custom status columns. Changelog with scheduled publishing. Give your community visibility into what you're building and what shipped.
Team without email.
Invite admins and moderators with a link. No email required - they pick a display name and secure with a passkey.
Granular control.
Lock post edits, comments, threads, and voting independently. Merge duplicate posts with vote consolidation. Full edit history with rollback.
Connect to your stack.
Webhooks fire on status changes, new posts, and comments. Embed widget for external sites. Export data as CSV or JSON.
Custom statuses and tags.
Define your own status workflows per board. Categorize with tags. Pin important posts. View counts track engagement.
Extend it. No restart.
Upload a zip file. EchoBoard loads it instantly. Plugins can add API routes, react to events, store data, and access the full database. No server restart, no redeployment.
What plugins can do
- Add custom API routes
- React to events (new posts, status changes, comments)
- Store scoped key-value data
- Full database access via Prisma
Build things like
Trust is engineered.
Security isn't bolted on - it's in the architecture. Field-level encryption, proof-of-work spam prevention, and zero third-party scripts.
AES-256-GCM encryption
Display names and sensitive fields encrypted at rest. Lookups via HMAC-SHA256 blind indexes.
ALTCHA proof-of-work
No CAPTCHAs, no third-party scripts. Invisible computational challenge stops bots without annoying humans.
WebAuthn passkeys
Public-key cryptography. Private key stays on your device. No password database to breach.
Per-endpoint rate limiting
100/min for browsing, down to 3/15min for recovery codes. Exponential backoff on failed auth.
Security headers
HSTS, CSP, X-Content-Type-Options, X-Frame-Options, and Referrer-Policy out of the box.
Safe file uploads
Content validation via magic bytes. Path traversal blocked. Orphan cleanup for abandoned uploads.
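The field encryption and blind-index lookup described under "AES-256-GCM encryption" above, sketched as an added example (not EchoBoard's own code). The keys, field names, row-id binding and in-memory table are assumptions made for illustration:

```javascript
// Added illustration, not EchoBoard source. Keys, field names and layout are assumptions.
const crypto = require('node:crypto');

// Two independent keys (constructed for the demo): one encrypts, one builds the index.
const ENC_KEY = crypto.randomBytes(32);
const INDEX_KEY = crypto.randomBytes(32);

// Keyed hash of the normalised value. Deterministic, so it supports equality
// lookups, but it cannot be reversed or recomputed without INDEX_KEY.
function blindIndex(displayName) {
  const normalized = displayName.normalize('NFKC').trim().toLowerCase();
  return crypto.createHmac('sha256', INDEX_KEY).update(normalized, 'utf8').digest('hex');
}

// AES-256-GCM with a fresh 96-bit nonce per value. The row id is bound as AAD,
// so a ciphertext copied onto another row fails authentication.
function encryptField(plaintext, rowId) {
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv('aes-256-gcm', ENC_KEY, iv);
  cipher.setAAD(Buffer.from(rowId, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]).toString('base64');
}

function decryptField(blob, rowId) {
  const raw = Buffer.from(blob, 'base64');
  const decipher = crypto.createDecipheriv('aes-256-gcm', ENC_KEY, raw.subarray(0, 12));
  decipher.setAAD(Buffer.from(rowId, 'utf8'));
  decipher.setAuthTag(raw.subarray(12, 28));
  // final() throws if the tag, ciphertext or AAD does not match.
  return Buffer.concat([decipher.update(raw.subarray(28)), decipher.final()]).toString('utf8');
}

// In-memory stand-in for a database table: only ciphertext and index are stored.
const rows = [];
function insertUser(id, displayName) {
  rows.push({ id, nameEnc: encryptField(displayName, id), nameIdx: blindIndex(displayName) });
}

// Lookup compares blind indexes; decryption happens only for the matching row.
function findByDisplayName(name) {
  const idx = blindIndex(name);
  const row = rows.find((r) => r.nameIdx === idx);
  return row ? { id: row.id, displayName: decryptField(row.nameEnc, row.id) } : null;
}

insertUser('u1', 'Alice'); // constructed sample data
insertUser('u2', 'Bob');
```

A blind index still reveals which rows share the same value, so it suits fields expected to be unique or high-entropy and should use a key separate from the encryption key.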
See it in action.
Three steps to listening.
Deploy it
Clone the repo, set your .env, run docker compose up -d. Two containers - the app and PostgreSQL.
Create your first board
Visit /admin, create your admin account, set up your first feedback board with custom statuses and categories.
Share it
Give your community the link. They show up, they post, they vote. No sign-up friction. You start listening.
Solid foundations.
A Fastify API server with Prisma ORM and PostgreSQL. React frontend built with Vite. Deployed via Docker Compose. Automatic database migrations on startup.
Start listening.
Give your community a voice without asking them to create an account. Self-hosted, private, genuinely free.