בס״ד

One-Time Secret

Share passwords, API keys, and sensitive data securely. Secrets are encrypted end-to-end in your browser and auto-delete after viewing.


Without a password, the encryption key will be in the URL fragment (never sent to the server).

How It Works

True End-to-End Encryption

Your secret is encrypted in your browser using AES-256-GCM before being sent to the server. Without a password, the encryption key is stored only in the URL fragment (the part after #), which is never sent to our servers.

Self-Destructing

Secrets are automatically deleted after being viewed the specified number of times, or when they expire - whichever comes first.

Zero Knowledge

We never see your unencrypted data. With password protection, the key is derived from your password using PBKDF2. Without a password, the key exists only in the URL fragment.

API Usage

The secret API requires client-side encryption. The server stores only pre-encrypted blobs and cannot decrypt your secrets.

For CLI/API usage, you must encrypt your content with AES-256-GCM before sending it to the server. The encryption key should be shared via the URL fragment (after #) or derived from a password using PBKDF2.

For the simplest experience with true end-to-end encryption, use this web interface.

How End-to-End Encryption Works

End-to-end encryption (E2E) ensures that only the sender and recipient can read the data. In our implementation, your secret is encrypted in your browser using AES-256-GCM -- the same encryption standard used by governments and financial institutions. The encryption key never touches our servers, making it mathematically impossible for anyone (including us) to read your secrets.

When you create a secret without a password, a random 6-byte key is generated in your browser and placed in the URL fragment (the part after #). Browsers never send URL fragments to servers, so the key stays entirely client-side. When you set a password, the key is derived using PBKDF2 with SHA-256 and 100,000 iterations, which makes brute-force attacks on the password computationally expensive.
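The client-side step described above (AES-256-GCM, with the key either placed in the URL fragment or derived with PBKDF2-SHA-256 at 100,000 iterations) can be sketched with the WebCrypto API. This is an added example, not this service's own code: the 12-byte IV, 16-byte salt, base64url encoding and the `{ iv, salt, ct }` blob layout are assumptions, because the page does not specify the wire format.

```javascript
// Added example. Assumptions (not from the page): 12-byte IV, 16-byte salt,
// base64url text encoding, and the { iv, salt, ct } blob layout.
const ITERATIONS = 100000; // PBKDF2-SHA-256 count stated on the page
const enc = new TextEncoder();
const getCrypto = async () =>
  globalThis.crypto ?? (await import('node:crypto')).webcrypto;
const toB64u = (buf) =>
  btoa(Array.from(new Uint8Array(buf), (b) => String.fromCharCode(b)).join(''))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const fromB64u = (s) =>
  Uint8Array.from(atob(s.replace(/-/g, '+').replace(/_/g, '/')), (c) => c.charCodeAt(0));

async function deriveKey(subtle, password, salt) {
  const material = await subtle.importKey(
    'raw', enc.encode(password), 'PBKDF2', false, ['deriveKey']);
  return subtle.deriveKey(
    { name: 'PBKDF2', hash: 'SHA-256', salt, iterations: ITERATIONS },
    material, { name: 'AES-GCM', length: 256 }, false, ['encrypt', 'decrypt']);
}

// Returns the blob to upload and, in no-password mode, the key for the fragment.
async function sealSecret(plaintext, password) {
  const wc = await getCrypto();
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh IV per secret
  const blob = { iv: toB64u(iv) };
  let key, fragment = null;
  if (password) {
    const salt = wc.getRandomValues(new Uint8Array(16));
    blob.salt = toB64u(salt); // salt is not secret; it travels with the blob
    key = await deriveKey(wc.subtle, password, salt);
  } else {
    // AES-256 takes a 32-byte key; it is exported only to build the link.
    key = await wc.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt']);
    fragment = toB64u(await wc.subtle.exportKey('raw', key)); // goes after '#'
  }
  blob.ct = toB64u(await wc.subtle.encrypt({ name: 'AES-GCM', iv }, key, enc.encode(plaintext)));
  return { blob, fragment };
}

// `secret` is the password when the blob has a salt, else the fragment key.
async function openSecret(blob, secret) {
  const wc = await getCrypto();
  const key = blob.salt
    ? await deriveKey(wc.subtle, secret, fromB64u(blob.salt))
    : await wc.subtle.importKey('raw', fromB64u(secret), { name: 'AES-GCM' }, false, ['decrypt']);
  const pt = await wc.subtle.decrypt(
    { name: 'AES-GCM', iv: fromB64u(blob.iv) }, key, fromB64u(blob.ct));
  return new TextDecoder().decode(pt); // decrypt rejects if key or blob is wrong
}
```

Only `blob` is uploaded; `fragment` is appended to the share link after `#`. The fragment still ends up in browser history and in whatever channel the full link is pasted into, so the link itself has to be handled as the secret.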

Our Security Model

AES-256-GCM Encryption

Industry-standard authenticated encryption that provides both confidentiality and integrity verification. Any tampering with the ciphertext is detected.

URL Fragment Security

The encryption key lives in the URL fragment (#), which browsers never include in HTTP requests or referrer headers, so it does not appear in server logs.

PBKDF2 Key Derivation

Password-protected secrets use PBKDF2 with 100,000 iterations of SHA-256 to derive the encryption key, making password brute-force attacks impractical.

Zero-Knowledge Design

The server stores only encrypted blobs. Without the key, the stored data is indistinguishable from random noise. No metadata about the secret content is retained.

Frequently Asked Questions

How does end-to-end encryption work here?

Your secret is encrypted entirely in your browser using AES-256-GCM before it ever leaves your device. The encryption key is either generated randomly and placed in the URL fragment (the part after the # symbol), or derived from a password you provide using PBKDF2 with 100,000 iterations. The URL fragment is never sent to our servers by browsers, so the server only ever sees the encrypted ciphertext -- never the key or the plaintext.

Can the server read my secret?

No. This is a zero-knowledge system. The server stores only the encrypted blob (ciphertext + IV). Without the encryption key -- which exists only in the URL fragment or is derived from your password -- the server cannot decrypt your data. Even if our database were compromised, the encrypted secrets would be useless without the corresponding keys that we never possess.

What happens after the secret is viewed?

Once a secret has been viewed the specified number of times (default: 1), it is permanently deleted from our servers. There is no way to recover it. Additionally, secrets are automatically deleted when they reach their expiration time, even if they have not been viewed. This dual mechanism ensures that sensitive data does not persist longer than necessary.

Is it safe to share passwords this way?

Yes, this is significantly safer than sending passwords via email, chat, or text messages. Those channels typically store messages indefinitely and may transmit them in plaintext. With our one-time secret tool, the data is encrypted end-to-end, automatically deleted after viewing, and the encryption key can be shared separately from the link for additional security using the password protection option.
