Question 1

Is this actually secure?

Accepted Answer

Yes. Your browser encrypts the secret with XChaCha20-Poly1305 before it goes anywhere. The server never sees the plain text or the key.

Question 2

How many views can a secret have?

Accepted Answer

You choose the view limit when you create it. Each open uses one. When views hit zero, the secret gets deleted.

Question 3

How does expiry work?

Accepted Answer

You set a time limit. If it runs out before the views are used, the secret gets deleted.

Question 4

What if I lose the link?

Accepted Answer

The Broker can't recover it. The decryption key was part of the link, and the Broker never had it.

Question 5

How do I share the link safely?

Accepted Answer

Send it through whatever channel you'd normally use. If the secret is sensitive enough, send the link and the context about what it's for in separate messages or channels.

Question 6

Will you email the link for me?

Accepted Answer

No. The link contains the decryption key. If the Broker sends it, it has seen it. That defeats the point.

Question 7

Do I need an account?

Accepted Answer

No. No accounts, no signup.

Question 8

Do you log secrets?

Accepted Answer

No. The secret is encrypted before it gets to the server. It can't be read, so there's nothing to log.

Question 9

Which algorithms?

Accepted Answer

XChaCha20-Poly1305 for the secret. TLS in transit. AES-256 at rest.

Question 10

Can I report a vulnerability?

Accepted Answer

Yes. Send details to security@secret.broker.

FAQ