One-Time Secret Link Generator

One view, then it's gone.

What a one-time link is

A URL that works exactly once. The first person to open it reads the content. The encrypted data is deleted immediately. Anyone who tries the link after that gets nothing.

After delivery, the encrypted data is deleted and the link stops working.

Why one-time matters

A password shared over Slack sits in the channel forever. A link shared over Slack works once and then it's dead. What's left in the chat is a URL that points to nothing.

How to create a one-time link

1 Go to the tool and paste the secret. Your browser encrypts it with XChaCha20-Poly1305 before sending anything to the server.

2 Set the view limit to 1. Choose an expiry as a safety net. If nobody opens the link within that time, it's deleted anyway.

3 Copy the link and send it. The decryption key is in the URL fragment, the part after the #. Your browser never sends that part to the server.

4 The recipient opens the link, reads the secret, and the encrypted data is hard-deleted. The link goes dead.

What happens under the hood

Your browser generates a random 256-bit key, encrypts the secret with XChaCha20-Poly1305, and sends only the ciphertext to the server. The key goes into the URL fragment.

When the recipient opens the link, their browser requests the ciphertext, reads the key from the fragment, and decrypts locally. After that single view, the server overwrites the ciphertext and marks the record destroyed. This is a hard delete, not a soft delete or a tombstone.

The protocol page documents the full encryption stack.

Multi-view links

Not every secret is for one person. Set the view limit to match the audience. 3 views for a team of three. 10 views for a distribution list. Each open decrements the counter. When it hits zero, the data is deleted.

The encryption is the same regardless of the view count.

Paranoid mode

For high-value secrets, paranoid mode splits the link and the decryption key into separate values. Send the link over email and the key over Signal. Anyone who intercepts only one channel gets ciphertext they can't open.

The encryption is identical to normal mode. The only difference is how the key reaches the recipient.

When to use a one-time link

  • Sending a password to a client or contractor
  • Handing off an API key to a developer
  • Sharing .env files during onboarding
  • Any credential that needs to get to someone and then stop existing in the channel
Create a One-Time Link