A quiet place to leave a secret.
Share secrets. Then they're gone.
Encrypted one-time links for passwords, API keys, and secrets.
Why not just use Slack
You paste a password into Slack, or Teams, or an email.
It never goes away. It's in the channel history, and the next export, and the backup after that. Everyone who was in that channel has it on their laptop. Anyone who joins later can scroll up and find it. A password you sent two years ago is still sitting there, still working, unless someone thought to change it.
Your secret stays here until the link is opened or the time runs out. Then it's gone.
Why passwords in Slack are a problem
Security is not a feature. It is the absence of information.
How it works
Locked before it leaves you
Your secret gets encrypted on your own machine before it goes anywhere. I can't read it.
It deletes itself
You set a view count or a timer. When either one runs out, it's deleted.
No account, no login
Paste your secret, pick when it expires, get a link.
Want the details? Read the encryption protocol or check the FAQ.
What people use it for
A new developer starts Monday and needs the staging database password. A contractor needs an API key for a two-week project. Someone's visiting the office and needs the Wi-Fi credentials. A .env file needs to get to staging.
You need to send the credential to someone else, and then it needs to stop existing in the channel you sent it through.
- Sharing passwords with clients or teammates
- Sending API keys to developers or contractors
- Handing off .env files and configuration secrets
- Onboarding credentials that shouldn't persist in email
What You Get: Encrypted Secret Sharing Features
One-time links with view limits from 1 to 25. Set the expiry anywhere from 15 minutes to 30 days. Attach files up to 20 MB — .env files, SSH keys, config files, anything that shouldn't live in a chat log.
Paranoid mode splits the link and the decryption key into separate values. Send the link over one channel and the key over another. Anyone intercepting only one gets nothing.
No account, no signup, no ads, no tracking. Paste, encrypt, send. The one-time link works until the views run out or the timer expires, then the data is gone.
See how this compares to Privnote, OneTimeSecret, and Password Pusher
How the encryption works
Your browser encrypts every secret with XChaCha20-Poly1305 through libsodium before anything leaves your machine. The decryption key is in the URL fragment, the part after the #, and your browser never sends that to the server.
I don't have the key. I can't read your secret. That's not a policy choice. The cryptography makes it impossible.
The protocol page documents every step: the cipher, the key derivation, the domain binding, and what happens when a secret expires.
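The fragment behaviour described above, and the paranoid-mode split, as an added example that is not this service's own code. The host `secrets.example`, the `/s/<id>` path, the fixed key and all function names are assumptions made for illustration.

```javascript
// Added example. Constructed sample values; not the service's real link format.
const SAMPLE_KEY = Buffer.alloc(32, 7).toString('base64url'); // constructed 32-byte key

// Build a share link with the key carried only in the fragment.
function buildShareLink(origin, secretId, keyB64) {
  const url = new URL(`/s/${encodeURIComponent(secretId)}`, origin);
  url.hash = keyB64;
  return url.href;
}

// What an HTTP client puts on the wire: host plus path and query.
// The fragment is resolved client-side and is not part of the request target.
function requestSeenByServer(link) {
  const u = new URL(link);
  return { host: u.host, target: u.pathname + u.search };
}

// Paranoid mode as the page describes it: link and key as two separate values,
// to be sent over two different channels.
function splitForTwoChannels(link) {
  const u = new URL(link);
  const key = u.hash.slice(1); // drop the leading '#'
  u.hash = '';                 // removes the fragment from the link
  return { link: u.href, key };
}

// Defensive check: true if the key sits anywhere the server (and its logs) would see.
function keyLeaksToServer(link, keyB64) {
  const { host, target } = requestSeenByServer(link);
  return (host + target).includes(keyB64);
}

const good = buildShareLink('https://secrets.example', 'abc123', SAMPLE_KEY);
// Counter-example: the same key placed in the query string is sent with the request.
const bad = `https://secrets.example/s/abc123?k=${SAMPLE_KEY}`;

console.log(requestSeenByServer(good)); // target has no key
console.log(keyLeaksToServer(good, SAMPLE_KEY), keyLeaksToServer(bad, SAMPLE_KEY));
console.log(splitForTwoChannels(good));
```

The fragment still lives wherever the full link is pasted, which is why the split form keeps the key out of the channel that carries the link.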