One-Time Secret is a zero-knowledge sharing tool. Your message and files are encrypted inside your browser before anything is sent to our server. We never receive the key and cannot read your data.
One-Time Secret
How It Works
Zero-Knowledge Architecture
When you create a secret, your browser generates a random 256-bit AES key using the Web Crypto API. Your message and any attached files are encrypted with that key directly inside your browser. The resulting ciphertext is what gets uploaded to our server.
The decryption key is placed in the URL fragment (the part after the # symbol). Web browsers never send the URL fragment to the server in HTTP requests, which means:
- Our server receives only the encrypted ciphertext.
- The decryption key is transmitted exclusively between the sender and recipient via the full link.
- Even if our server were compromised, the stored blobs cannot be decrypted without the key.
Step-by-Step Flow
- You create a secret. Type a message and/or attach files. Optionally set a passphrase and expiry time.
- Your browser encrypts everything locally. A random 256-bit AES-GCM key is generated. Your message and each file are encrypted in-browser. The key never leaves your device in plaintext.
- Only the encrypted blobs are uploaded. The server stores the ciphertext and a token. It does not store or see the key.
- You receive a one-time link. The link contains the token (for the server to look up the ciphertext) and the key in the #fragment (for the recipient's browser to decrypt).
- The recipient opens the link and clicks "Reveal Secret". Their browser sends the token to our server.
- The server returns the ciphertext and permanently deletes the record. No copy is kept. The secret cannot be viewed again.
- The recipient's browser decrypts the content. Using the key from the URL fragment, the browser decrypts the message and any files entirely client-side. The plaintext never travels over the network.
What the Server Stores
| We store | We do not store |
|---|---|
| Encrypted message ciphertext (unreadable without the key) | The decryption key |
| Encrypted file blobs (unreadable without the key) | The original plaintext message |
| Original file names and MIME types (unencrypted metadata) | The original file contents in readable form |
| A bcrypt hash of the passphrase (if set) | The passphrase itself |
| Expiry timestamp | Your IP address or identity |
File names and MIME types are stored unencrypted so the recipient sees the correct file name and can download the right file type. If this is sensitive, consider naming your files generically before attaching them.
Passphrase Protection
Passphrase protection adds a second layer of access control on top of the encrypted link. When a passphrase is set:
- Only the bcrypt hash of the passphrase is stored. The server cannot recover the original passphrase.
- A recipient must enter the correct passphrase before the server will return the ciphertext and burn the record.
- An incorrect passphrase does not burn the secret, so the recipient can try again.
- Share the passphrase through a separate channel (e.g. a phone call) for maximum security.
File Attachments
Up to 10 files (up to 500 MB each) can be attached to a secret. Each file is encrypted individually inside your browser using AES-256-GCM before upload. The process works as follows:
- Encrypted file blobs are stored alongside the secret on the server.
- When the recipient reveals the secret, the server atomically burns the main secret record and creates a temporary download bundle valid for 10 minutes.
- The recipient's browser fetches each encrypted blob through the bundle, decrypts it client-side, and presents a download button.
- Each file blob is deleted from disk immediately after it is downloaded. Remaining blobs are purged when the bundle expires.
- Save all files before closing the page. Download links are only available for the duration of that single page load.
Expiry
Every secret has a configurable expiry time (5 minutes to 7 days). If the secret is not viewed before it expires, it is automatically deleted by a background cleanup process. No copy is retained after deletion.
Expiry is a safety net for secrets that are never delivered or accidentally left open. It is not a substitute for keeping the link confidential. Anyone who has the full link (token + key fragment) can reveal the secret before it expires.
Blocked File Types
To protect recipients, certain file types are refused at both the browser and server level. This includes Windows executables (.exe, .msi, .bat, .cmd), scripts (.ps1, .vbs, .jse, .wsf), server-side web files (.php, .asp, .jsp), and macro-enabled Office documents (.xlsm, .docm, .pptm). If you need to share a file of this type, compress it into a .zip archive first.