How to Send and Share API Keys Securely
Without the Slack screenshot problem.
The developer problem
A new developer joins the project. They need the Stripe key and the database connection string. Someone pastes them into a Slack DM. The developer copies them, sets up their environment, and gets to work.
Two months later, someone else joins. They search Slack for "stripe key" and find the original message. The key is still there, still valid. Now two people got it from the same Slack message, and neither knows who else has searched for it since.
The real risk
API keys leaked in messaging tools are a real and measured problem. Keys get scraped from Slack exports and Git history by automated tools. Once a key is in a message, it's in every system that stores or indexes that message: the platform's search index, compliance exports, device backups, and any third-party integrations with read access to your workspace.
A key that exists in a message for two minutes before being rotated is a different risk than a key that sits in a channel for eighteen months. Keeping that window short is the point.
How to share an API key with Secret.Broker
1. Go to the tool and paste the API key. Your browser encrypts it with XChaCha20-Poly1305 before anything is sent to the server.
2. Set the view limit to 1 (for one developer) and the expiry to 1 hour. If the developer doesn't open it in time, the key is deleted and you create a new link.
3. Send the link. The decryption key is in the URL fragment and never reaches the server.
4. The developer opens the link, copies the key, and the encrypted data is hard-deleted. What's left in Slack is a dead link.
Sharing .env files
Pasting individual keys works for one or two values. For a full .env file with a dozen variables, attach the file instead.
Click the attachment button, select the .env file, and your browser bundles it into a compressed archive, then encrypts the whole thing with the same XChaCha20-Poly1305 cipher used for text. The recipient opens the link and downloads the decrypted file. Maximum file size is 20 MB, which covers any reasonable configuration file.
This also works for JSON config files, SSH keys, certificates, and anything else that shouldn't end up in Git history or a chat log.
High-value keys
Some keys are worth more than others. A read-only analytics key is different from a production AWS key with admin access.
For high-value keys, use paranoid mode. It gives you the link and the decryption key as separate values. Send the link over Slack and the key over Signal, or whatever second channel your team uses. Anyone who intercepts only one of the two gets ciphertext they can't open.
What this is not
This is not a secrets manager. It doesn't store keys long-term, rotate them, or inject them into your deployment pipeline. HashiCorp Vault and AWS Secrets Manager solve those problems.
This is not a replacement for .gitignore. If your .env file is in your repository, a self-destructing link doesn't fix that. Fix the repository first.
This handles the handoff. A developer needs a key, you need to get it to them, and you need it to stop existing in the channel once they have it.
How the encryption works
Your browser encrypts the key before it leaves your machine. The server stores ciphertext it can't read, bound to the secret.broker domain so it can't be replayed from a phishing site. The protocol page has the full technical breakdown.