Key takeaways
• There’s no universal winner among Firebase, SendBird and a custom Node.js + Socket.io build. The right answer depends on your scale, regulation, integration depth, and whether chat is core differentiation or a checkbox.
• SaaS chat (SendBird, Stream, Twilio, Ably) wins for mainstream products. One to two weeks to MVP, predictable feature set, but pricing scales with MAU and lock-in is real after a year.
• Firebase wins for early-stage mobile-first products. Cheap and fast at small scale; cost and limits start hurting between 300k–500k MAU.
• Custom Node.js + Socket.io (or Go + Centrifugo) wins when chat is the product, regulation is heavy, or the SaaS bill exceeds the engineering bill. 6–10 weeks to a real MVP with a focused team.
• The 12 features that matter aren’t exotic. Typing, presence, read receipts, threads, reactions, attachments with virus scanning, search, push, moderation, edit/delete, retention, and an E2EE option for regulated tiers. Get those right; the rest is taste.
Why Fora Soft wrote this guide
Fora Soft has been shipping communication products with embedded chat since the WebRTC era began. Recent examples: Sprii (live video shopping with high-burst chat), TransLinguist (interpretation chat alongside video), BrainCert (classroom chat at scale), MyOnCallDoc (HIPAA-grade clinical messaging), Nucleus (on-premise messaging for regulated industries) and Speakk (anonymous voice + chat).
We’ve shipped on Firebase, on SendBird, on Stream, on raw Socket.io, on Centrifugo. We have no SaaS partnership to defend in this comparison. The recommendations below reflect what we’d pick for our own founders if we were starting again today.
Picking a chat backend in the next sprint?
30 minutes with a Fora Soft architect — we’ll size scale, regulation and total cost across SaaS, Firebase and custom paths and tell you which one fits.
The 2026 chat-backend landscape, in five shifts
1. End-to-end encryption is now table stakes for regulated tiers. Healthcare, finance, legal and government RFPs assume E2EE as an option. SaaS vendors that don’t support it lose deals.
2. AI moderation matured fast. Production-grade automated moderation for spam, abuse, PII and CSAM lifts the floor on what custom builds need to ship. SaaS vendors all bundle it; custom builds plug in OpenAI or Perspective API.
3. Video + chat is the default surface. Standalone chat products are commoditised; chat embedded inside a video, live-shopping or telemedicine flow is the new battleground.
4. MAU pricing is under pressure. Buyers compare SendBird-style MAU bills against fully-loaded custom-build costs and increasingly find the second cheaper above 500k MAU. Vendors are responding with negotiated caps and per-feature pricing.
5. Data residency stopped being optional. EU, KSA, India and Russia all require regional storage for personal data. Federated stacks (Matrix) and self-hostable open source are getting fresh attention.
The three paths — SaaS SDK, managed realtime, custom build
Most chat-backend conversations end up in one of three buckets. Pick the path first; the vendor afterwards.
Path A — SaaS chat SDK
SendBird, Stream Chat, Twilio Conversations, Ably. Drop in an SDK, get the standard feature set in a week or two, run on the vendor’s infrastructure. Pricing is MAU-based with feature add-ons. Best when chat is a feature, not the product, and total chat MAU stays under ~500k for a while.
Path B — managed realtime database
Firebase Realtime Database / Firestore, Supabase Realtime, Ably channels. You build the chat UX yourself but lean on a managed realtime backend for sync. Cheaper at small scale, more flexible than a chat SDK, no MAU ceiling on the realtime layer itself — but you own the moderation, history, search, and push integrations.
Path C — custom build
Node.js + Socket.io, Go + Centrifugo, Phoenix Channels (Elixir), or a Matrix federation. Postgres or Cassandra for storage; Redis for presence; Kafka or NATS for fan-out; FCM/APNs for push. Most operational burden, most flexibility, lowest unit cost above ~500k MAU. The path Fora Soft picks when chat is core to the product.
Comparison matrix — the three protagonists head-to-head
Indicative numbers below assume a B2B/B2C chat with mainstream features (DM + group, attachments, push, search, moderation). Pricing changes — verify before procurement.
| Dimension | Firebase | SendBird | Custom Node.js + Socket.io |
|---|---|---|---|
| Time to MVP | ~1 week | 1–2 weeks | 6–10 weeks (small senior team) |
| Up-front engineering | Low | Low | High |
| Bundled features | Sync only — you build everything else | Full chat (presence, push, moderation, threads, reactions) | What you build |
| Approx. cost @ 100k MAU | Low (usually low four figures) | Mid four figures, MAU-priced | Infra mid four figures + on-call burden |
| Approx. cost @ 1M MAU | Low–mid five figures (Firestore costs scale) | High five figures + (negotiated) | Mid four to low five figures |
| Customisation ceiling | High (you own the layer) | Medium (SDK constraints) | Unlimited |
| Encryption posture | In transit + at rest; E2EE not built-in | In transit + at rest; E2EE on premium tier | As you build it — including E2EE |
| Compliance fit | GDPR yes, HIPAA possible with care | SOC 2, GDPR, HIPAA available | Your responsibility, no ceiling |
| Data residency | Multi-region but limited control | Region selectable, contractual | Wherever you deploy |
| Lock-in risk | Medium (Firestore data model) | High (proprietary SDK + API) | Low |
| Best for | Mobile-first, early-stage, <300k MAU | Mainstream B2B/B2C, <500k MAU | Differentiated chat, regulated, or >500k MAU |
Reach for SendBird (or Stream/Twilio) when: chat is a checkbox feature, you want to ship in a sprint, you’ll renegotiate at scale, and you accept vendor lock-in for the next 18 months.
Firebase — the cheapest path until it isn’t
Firebase Realtime Database and Firestore give you instant data sync, offline support, and integrated push (FCM) on a generous free tier. Auth, storage, and security rules round out the package. For a mobile-first app with <300k MAU, you can ship a working chat in five days and pay almost nothing.
Strengths. Mobile SDK quality is excellent. Offline sync “just works.” FCM is the canonical push channel. Security rules are good enough for most cases.
Weaknesses. No native chat features — you build presence, history, search, moderation, threads, reactions. Firestore document reads multiply quickly with chat read patterns; the bill bites unexpectedly. E2EE isn’t bundled. Data residency control is coarse. HIPAA-eligible only with the right configuration and BAA paperwork.
Reach for Firebase when: chat is small, mobile-first, the team can build features themselves, and you’ll re-evaluate at 300k MAU. Don’t reach for Firebase when E2EE is a customer requirement on day one or your buyer demands EU-only data residency.
SendBird — the fastest path to a polished chat
SendBird ships everything: 1:1 and group chat, threads, reactions, presence, typing, read receipts, push, moderation, AI moderation, message search, attachments, voice and video calls, broadcast channels. Mature SDKs across iOS, Android, web, React Native, Flutter, Unity. SOC 2, GDPR, HIPAA available.
Strengths. Production-grade out of the box. Time-to-MVP measured in days. SLAs and enterprise support. Compliance documentation off the shelf.
Weaknesses. MAU-based pricing escalates above ~500k MAU. Customisation hits a ceiling on UX, moderation rules, and data shape. Lock-in is real — migrating off SendBird is a multi-quarter project. E2EE only on the premium tier and with constraints.
Reach for SendBird when: the chat features you need are mainstream, you can defend MAU-priced costs to your CFO at the next funding milestone, and engineering attention is better spent elsewhere. Stream Chat, Twilio Conversations and Ably play in the same bucket with different trade-offs — benchmark all three.
Custom Node.js + Socket.io — when chat is the product
Socket.io on Node.js (or Centrifugo / nchan / Go WebSockets, Phoenix Channels in Elixir) lets you own every layer. The realistic stack: WebSocket gateway behind a load balancer; Redis for pub/sub and presence; Postgres for history; S3 (or KMS-encrypted equivalent) for attachments; Kafka or NATS for fan-out at scale; FCM and APNs for push.
Strengths. Total control of features, data shape, latency budget, encryption model, moderation rules, and unit economics. Cleanest fit when chat is tightly coupled to other product surfaces — live shopping carts, video co-watch, regulated workflows.
Weaknesses. The team owns scaling, on-call, abuse, search relevance, and every edge case the SaaS vendors handle for you. Underestimating the operational tail is the single biggest mistake we see.
A 6-week MVP shape for a custom chat build
Week 1–2 WebSocket gateway (Socket.io / Centrifugo) + auth + JWT Week 2–3 Postgres message store + sequence numbers + history API Week 3–4 Redis presence + typing indicators + read receipts Week 4 Push (FCM / APNs) for offline delivery Week 5 Attachments (S3 + virus scan) + image/video previews Week 5–6 Moderation (regex + Perspective / OpenAI moderation API) Week 6 Search (Postgres tsvector or OpenSearch) + retention policies Week 6 Observability + load test + chaos drill
Scaling math — what to expect from each layer
A single Node.js Socket.io process comfortably holds ~5,000 concurrent connections; with care and tuning, 10k. Go-based gateways (Centrifugo, custom WebSocket servers) hit 30k–50k per node. Plan horizontal scaling with sticky sessions or Redis-backed pub/sub from day one.
Push is usually the cheapest layer (FCM and APNs are free); messaging storage and search dominate cost above 500k MAU. Run the unit-economics model before you commit; our hosting comparison covers cloud-vs-bare-metal trade-offs.
Reach for custom Node.js + Socket.io when: your projected 18-month MAU is >500k, chat is core differentiation, regulation requires data residency or E2EE the SaaS vendors won’t configure for you, or your moderation rules are too business-specific to fit a generic moderation API.
Want a custom chat backend that won’t fall over at 500k MAU?
We ship custom chat stacks with E2EE option, HIPAA-grade audit logs, and unit-cost-per-MAU baked in — in 8–12 focused weeks.
Other vendors worth comparing in your shortlist
Don’t treat the comparison as Firebase vs SendBird vs Custom only. The right shortlist for 2026 also includes:
Stream Chat (getstream.io). SendBird’s closest competitor — comparable feature set, often cheaper at scale, strong React/React Native SDKs.
Twilio Conversations. Pairs well if you’re already on Twilio for SMS or voice. Federation across SMS, WhatsApp and chat is the differentiator.
Ably. Realtime channels with strong delivery guarantees; sits between Firebase Realtime DB and SendBird in scope. Great for multi-tenant chat where you build the chat layer yourself.
Supabase Realtime. Postgres + WebSockets with row-level security. Strong choice if your data already lives in Postgres and you want chat as a feature, not a separate stack.
Matrix protocol (Element / Synapse / Dendrite). Federated, open-source, self-hostable, E2EE-by-default. The right answer when sovereignty and federation matter (defence, public sector, multinationals).
XMPP servers (ejabberd, MongooseIM). Old, battle-tested, still in production at telcos. Reach for them when you need millions of concurrent users on commodity hardware and the team can run them.
The twelve chat features that actually matter in 2026
If your chat ships only these twelve and gets each one right, you’ve covered 95% of real demand.
| # | Feature | Where it lives |
|---|---|---|
| 1 | 1:1 and group messaging | All paths |
| 2 | Typing indicators & presence | Redis (custom) / built-in (SaaS) |
| 3 | Read receipts & delivery state | Per-channel state |
| 4 | Threads & replies | Schema design (parent_id) |
| 5 | Reactions | Reactions table or JSON column |
| 6 | Attachments + virus scanning | Object storage + ClamAV / VirusTotal |
| 7 | Push notifications | FCM / APNs |
| 8 | Moderation (auto + manual) | OpenAI / Perspective + queue |
| 9 | Search | Postgres FTS / OpenSearch |
| 10 | Edit / delete with audit | Soft-delete + edit history |
| 11 | Retention & data residency | Lifecycle policies + region pinning |
| 12 | E2EE option for regulated tiers | Signal-style protocol or vendor add-on |
Compliance, in plain language
GDPR. Data residency for personal data; data subject access & deletion within 30 days; lawful basis (Article 6); DPA with every processor; breach notification within 72 hours. All three paths can comply with the right configuration.
HIPAA. AES-256 at rest, TLS 1.2+ in transit, RBAC, audit logs, BAAs with every sub-processor, 6+ year retention. SendBird and Twilio offer HIPAA tiers; Firebase requires careful configuration on a HIPAA-eligible Google Cloud footprint; custom builds put you in full control. More on the NFR side here.
SOC 2 Type II. Increasingly demanded by enterprise buyers. SaaS vendors usually have it; on a custom build budget for a 12-month roadmap to your own SOC 2.
E2EE. Optional for B2C, contractual for healthcare and legal. Signal Protocol on a custom build, vendor premium tier on SaaS, third-party libraries on Firebase.
A five-question decision framework
Q1. Is chat your differentiator or a feature? Differentiator → custom. Feature → SaaS or Firebase.
Q2. What’s your realistic 18-month MAU? <100k → Firebase or SaaS. 100k–500k → SaaS sweet spot. >500k → model the custom-build economics.
Q3. What regulation applies? HIPAA / strict residency / E2EE-mandatory → custom or SendBird/Twilio premium. Standard B2B SaaS → any path.
Q4. How tightly is chat coupled to other product surfaces? Loose (Slack-style standalone) → SaaS. Tight (live shopping, telemedicine, in-game) → custom.
Q5. Can you afford the operational tail? If your team can’t carry on-call, search relevance, abuse moderation and push reliability, take the SaaS hit and ship.
Five pitfalls that wreck chat backends
1. Underestimating WebSocket scale. Latency is fine at 5k connections per node, painful at 30k. Plan multi-node from day one and load test honestly.
2. Sloppy message ordering. Distributed systems lose “happens-before.” Use sequence numbers per channel, not server timestamps.
3. Push delivery as an afterthought. FCM and APNs both refuse delivery for many reasons. Real push success is 80–90% — not 99%. Build for it.
4. Ignoring moderation until launch. Manual moderation queues drown teams of 50,000+ MAU. Layer regex + automated moderation + human review from week one.
5. SaaS MAU explosion. A free user is still an MAU. Inactive cohorts cost the same as active ones. Negotiate caps or build retention before scaling marketing.
KPIs that prove your chat is healthy
Reliability KPIs. Connection success rate (target >99%), message delivery latency p95 (target <300 ms), durability (zero-message-loss policy), push delivery success (target >90%).
Quality KPIs. Moderation false-positive rate (target <1%), false-negative rate (target <0.1%), search relevance (manual sample), attachment scan success.
Business KPIs. Cost per active user, cost per delivered message, gross margin per MAU, retention of chat-active users at 30 days, share of users who send a second message in week one (the activation gate that predicts retention).
Mini case — from SendBird to custom at 600k MAU
A consumer marketplace client crossed 600k MAU on SendBird and watched their chat bill grow faster than revenue. Their differentiator wasn’t chat — but chat costs were eating margin. Their team had two choices: renegotiate, or migrate.
We modelled both. The renegotiated SendBird tier saved ~30%; a custom Node.js + Centrifugo stack hosted on Hetzner with Postgres + Redis modelled out at ~40% of SendBird’s renegotiated price — even after fully-loaded engineering and on-call costs. The win: ten weeks of focused build, a parallel run with traffic mirroring, and a clean cutover. Six months in, gross margin per MAU is up by 22 points and the team owns the moderation rules they could never customise on SendBird.
The lesson isn’t “always go custom.” It’s that the SaaS-vs-custom math flips somewhere between 300k and 1M MAU depending on your features — and most teams discover the flip too late.
Worried your SaaS chat bill is outrunning your revenue?
We do fixed-fee migration audits — written cost model, parallel-run plan, cutover timeline — in two weeks.
When custom chat is the wrong choice
If chat is a feature inside a product whose differentiator is elsewhere, your projected MAU stays under ~300k for the next 18 months, and you don’t have HIPAA-grade requirements, custom is almost certainly wrong. Pay SendBird or Stream, ship in two weeks, ship the differentiator with the time you saved.
Likewise, if your team has no realtime experience and no plan for on-call, custom chat will eat your roadmap. Build the muscles on a less-critical realtime feature first.
FAQ
Is Firebase scalable for chat at 1M MAU?
Technically yes — Firestore can handle the throughput — but the per-read pricing model is unkind to chat’s many small reads. Bills at 1M MAU are routinely uncomfortable. Most teams that started on Firebase end up either heavily denormalising, sharding, or migrating to a SaaS or custom stack between 300k and 1M MAU.
When does SendBird get expensive?
Pricing is MAU-based with feature add-ons (advanced moderation, video, broadcast, E2EE). Most teams renegotiate around 250k–500k MAU, and the custom-build math starts to win above ~500k MAU for products where chat is critical. Verify with current quotes — tiers and discounts move.
Can I add end-to-end encryption on Firebase?
Not natively. You can encrypt message bodies client-side using a library like libsignal before writing to Firestore, while metadata (who messaged whom, timestamps) stays visible. It’s a 2–4 week project to get right and adds complexity in key management, search and moderation. For E2EE-by-default, custom builds and SendBird’s premium tier are the cleaner paths.
What does it realistically cost to build chat from scratch?
A credible MVP — 1:1 + group, presence, push, moderation, attachments, search, retention — ships in 6–10 weeks with a small senior team using Agent-Engineering tooling. Add 4–8 weeks for E2EE, or per regulatory framework. Operational cost depends on cloud choice and traffic shape; our hosting comparison walks through realistic envelopes.
How long does a Firebase → SendBird (or vice-versa) migration take?
For a chat with mainstream features and <500k MAU, plan 4–8 weeks of engineering plus 2–4 weeks of parallel-run with traffic mirroring. The risky parts are message-history migration, attachment URL rewrites, and push-token re-association. The migration cost is usually paid back inside 6–12 months from the new economics or lifted compliance posture.
Is Socket.io still the right WebSocket library in 2026?
For Node.js shops, yes — it’s mature, battle-tested, and has good fallbacks. If you’re willing to leave Node, Centrifugo (Go) and Phoenix Channels (Elixir) hold significantly more concurrent connections per node and are friendlier to operate at scale. Pick by team skill, not nostalgia.
Can I use the same chat backend for video chat?
Chat and video are usually layered: chat over WebSocket / SDK; video over WebRTC / SFU (LiveKit, Janus, mediasoup). SendBird and Twilio bundle both. On a custom build, run them as separate services and connect via shared identity, presence and signalling. Agora alternatives covered here.
What about Matrix / federated chat?
Matrix (via Synapse, Dendrite, Conduit) is the right answer when you need data sovereignty, federation across organisations, or E2EE-by-default with no vendor in the trust path. The trade-off is operational complexity — running a Matrix homeserver at scale is non-trivial. Reach for it in defence, public sector, or large multinationals; not for a consumer SaaS chat.
What to Read Next
Real-time
Agora.io alternatives in 2026
Pairing chat with custom WebRTC stacks — LiveKit, mediasoup, Jitsi.
Hosting
AWS vs DigitalOcean vs Hetzner
Where to host a custom chat backend at 100k–1M MAU.
NFRs
Non-Functional Requirements: a 2026 buyer’s playbook
Specifying latency, availability and security for chat workloads.
Security
WebRTC security in plain language
Companion piece for E2EE and transport on the realtime side.
Scaling
Building a scalable video streaming app
When chat sits inside a high-traffic video product.
Ready to pick the right chat backend?
If chat is a feature, ship on SendBird or Stream and revisit at 250k MAU. If chat is the product, plan a custom Node.js + Socket.io (or Go + Centrifugo) stack from day one and budget the operational tail. Firebase still has a place — for mobile-first early-stage apps that won’t cross 300k MAU before a Series A.
The mistake we see most often is choosing on time-to-MVP alone and discovering the SaaS bill or feature ceiling at the wrong moment. Run the unit-economics math; ship for where you’ll be in 18 months, not where you are this sprint.
Let’s pick the right chat backend together
30 minutes with a Fora Soft architect — bring your scale plan, leave with a recommendation, cost envelope and ship plan.
.avif)
Comments