Create a client-side encrypted one-time link to a secret

Safely send credentials, API keys and other secrets over the wire

What if someone reads the passwords you send over email?
We have a solution. The service is perfect for sending user passwords, Cisco ASA, IKE and other pre-shared VPN keys, WLAN passwords, license keys for games and software, and anything similar. Create a link to the secret that works only one time and get a notification when the link has been accessed. Encryption and decryption of the secret always happen in the browser, using an encryption key fully known only by the browser that generates the link.

Our service encrypts the secret and seals it behind a link that can be opened just once. If the link recipient is unable to open the secret, then someone else has already seen it and proper actions should be taken. Different kinds of notifications can also be configured to be sent right away when the secret has been viewed. Encrypting and decrypting the secret always happens in the browser, and the actual secret cannot be seen by us.

We also have an API which can be used to easily integrate the service into any application or service. We also offer licenses to the full source code of the service, so companies can run it in their internal networks or other private services, modify it to suit their needs and be sure that they are in full control of all data passed through the service. The service is used by all kinds of technology companies all around the world.

How it works

Technical details

When you submit the secret for secure delivery, two random strings, each 18 characters long, are first generated. Let's call them the public and private encryption key parts. We use seedrandom.js for strong random number generation. The secret is then encrypted right in the browser with the Stanford Javascript Crypto Library (SJCL), using 256-bit AES in GCM mode. The actual encryption key used in the encryption is a concatenation of the public and private encryption key parts. The public encryption key part is stored in the unique password link that the browser generates and is never seen by us. The private encryption key part is sent to our servers along with the ciphertext returned by SJCL.

Once the unique password link is accessed, our servers send the private encryption key part with the ciphertext, and the actual password is then decrypted in the viewer's browser using the public encryption key part in the link and the private encryption key part from our database. After this, our servers wipe the private encryption key part and the ciphertext from our database, making the accessed password link completely void. Our servers will never see the public encryption key part because it is stored in the URL as a fragment identifier (#...). A browser does not send the fragment identifier to a server.

As the whole service uses HTTPS only, you can be sure that the secret cannot be seen by anyone other than those who have access to the original, unique password link. If, however, someone has accessed the password link before the actual recipient, the link will show a message that the password has already been seen and actions should be taken. Notifications can also be sent when the secret has been viewed (read more about the additional features).
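
The split-key flow described above, as an added example that is not the service's own code: Node's built-in crypto stands in for SJCL and seedrandom.js. The PBKDF2 key derivation, the in-memory Map playing the server, and the `secrets.example` link format are assumptions.

```javascript
// Added illustration; Node's built-in crypto stands in for SJCL and seedrandom.js.
const nodeCrypto = require('node:crypto');

const ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789';
// Random string of n characters (18 by default) drawn from the OS CSPRNG.
const randomPart = (n = 18) =>
  Array.from({ length: n }, () => ALPHABET[nodeCrypto.randomInt(ALPHABET.length)]).join('');

// Assumption: the 36-character concatenation is stretched to a 256-bit key with PBKDF2.
const deriveKey = (pub, priv, salt) =>
  nodeCrypto.pbkdf2Sync(pub + priv, salt, 100000, 32, 'sha256');

// Sender's browser: encrypt locally, upload only the private part and the ciphertext.
function createLink(secret, server) {
  const pub = randomPart(), priv = randomPart(), id = randomPart(12);
  const salt = nodeCrypto.randomBytes(16), iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', deriveKey(pub, priv, salt), iv);
  const ct = Buffer.concat([cipher.update(secret, 'utf8'), cipher.final()]);
  server.set(id, { priv, salt, iv, ct, tag: cipher.getAuthTag() }); // public part is not stored
  return `https://secrets.example/s/${id}#${pub}`; // hypothetical host and path
}

// Server: hand the record out once, then wipe it.
function fetchOnce(server, id) {
  const rec = server.get(id) ?? null;
  server.delete(id);
  return rec;
}

// Recipient's browser: the fragment stays local; only the path identifies the record.
function openLink(link, server) {
  const url = new URL(link);
  const pub = url.hash.slice(1);
  const rec = fetchOnce(server, url.pathname.split('/').pop());
  if (!rec) return null; // already viewed: treat the secret as exposed
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', deriveKey(pub, rec.priv, rec.salt), rec.iv);
  d.setAuthTag(rec.tag);
  return Buffer.concat([d.update(rec.ct), d.final()]).toString('utf8'); // throws on a wrong key
}
```

A second `openLink` call on the same link returns `null`, which is the "already seen" case the recipient should act on. A link whose fragment was altered fails GCM authentication instead of yielding plaintext.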

We deliberately have strict limits for the service usage for unregistered users. If you need raised usage limits or more features, consider creating a free account or subscribing to one of our paid plans.

Privacy is important to us

We never store more data from our users than is absolutely needed to run the service.

We don't have any kind of tracking scripts or codes on our service - we do not track where our users come from or where they go. That's none of our business.

The service loads third party scripts only when dealing with payments, never on any page that creates or shows secrets.

When creating an account on our service, we only need a minimal set of information. For example, we never store or see full credit card numbers.

View and store secrets using API

Our simple but powerful REST API allows creating fully customized, self-hosted "store secret" and "view secret" pages. All encryption and decryption actions can be done completely outside of our service, without loading any scripts or assets from our service.

Feel free to read our API documentation on how the API works. It's a basic, simple REST API.

We also have a couple of fully working API examples on how to use the API and get you going quickly.