How to share credentials with contractors and freelancers
The engagement ends. The password shouldn't still be in their inbox.
The contractor credential problem
You bring on a freelance developer for a two-month project. They need the staging database password, an API key for the payment processor, and a .env file for local development. You send them over Slack. The project ends. The contractor leaves the workspace. The credentials are still in the DM history, in the workspace export, in the compliance archive.
The credentials outlast the engagement. Anyone who can search the workspace history can find them. If they haven't been rotated, they're still valid.
How to send credentials securely
1. Go to the tool and paste the credential. Your browser encrypts it with XChaCha20-Poly1305 before sending anything to the server.
2. Set the view limit to 1 and the expiry to something short. An hour if the contractor is online. A day if they're in a different timezone.
3. Copy the link and send it over Slack, email, or whatever channel you use with the contractor. Label what the link contains in the message. The credential stays behind the encrypted link.
4. The contractor opens the link, saves the credential, and the encrypted data is hard-deleted from the server. The link in the chat history points to nothing.
What happens when the contract ends
The credentials were deleted from Secret.Broker the moment the contractor opened them. What's left in Slack or email is a dead link that returns nothing. The contractor still has whatever they saved locally, so rotate credentials when the engagement ends. That part is on you.
The difference is what persists in the channel. Without a self-destructing link, the credential sits in the DM history indefinitely. With one, the channel contains a dead URL and nothing else.
For high-value credentials
If you're sending production keys or payment processor credentials to an external party, use paranoid mode. It splits the link and the decryption key into two separate pieces. Send the link over email and the key over Signal, or any second channel. Anyone intercepting only one channel gets nothing usable.
The protocol page documents how paranoid mode works and what it protects against.
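A working model of the four-step flow above and of paranoid mode, added here as an illustration rather than Secret.Broker's own code: the sender encrypts in the client, the server stores only ciphertext with a view counter and expiry, a view limit of 1 hard-deletes on the first open, and paranoid mode returns the key separately from the link. It assumes PyNaCl for XChaCha20-Poly1305 (falling back to the `cryptography` library's ChaCha20-Poly1305 when PyNaCl is absent) and a hypothetical `example.invalid` URL layout.

```python
import os, time, secrets
# AEAD primitive: XChaCha20-Poly1305 (24-byte nonce) via PyNaCl when installed;
# otherwise ChaCha20-Poly1305 (12-byte nonce) from `cryptography` as a stand-in.
try:
    from nacl.bindings import (crypto_aead_xchacha20poly1305_ietf_encrypt as _enc,
                               crypto_aead_xchacha20poly1305_ietf_decrypt as _dec)
    NONCE_LEN = 24
    def aead_encrypt(key, nonce, pt): return _enc(pt, None, nonce, key)
    def aead_decrypt(key, nonce, ct): return _dec(ct, None, nonce, key)
except ImportError:
    from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305
    NONCE_LEN = 12
    def aead_encrypt(key, nonce, pt): return ChaCha20Poly1305(key).encrypt(nonce, pt, None)
    def aead_decrypt(key, nonce, ct): return ChaCha20Poly1305(key).decrypt(nonce, ct, None)

class Store:
    """Model of the server: ciphertext, a view counter and an expiry. Never the key."""
    def __init__(self): self.items = {}
    def put(self, blob, views, ttl, now):
        token = secrets.token_urlsafe(16)
        self.items[token] = {"blob": blob, "views": views, "exp": now + ttl}
        return token
    def get(self, token, now):
        item = self.items.get(token)
        if item is None or now > item["exp"]:
            self.items.pop(token, None)              # expired: hard-delete, link is dead
            return None
        item["views"] -= 1
        if item["views"] == 0: del self.items[token]  # last permitted view: hard-delete
        return item["blob"]

def share(store, secret, views=1, ttl=3600, paranoid=False, now=None):
    """Sender side: encrypt locally, upload only ciphertext, return (link, separate_key)."""
    now = time.time() if now is None else now
    key, nonce = os.urandom(32), os.urandom(NONCE_LEN)
    token = store.put(nonce + aead_encrypt(key, nonce, secret.encode()), views, ttl, now)
    link = f"https://example.invalid/s/{token}"     # hypothetical URL layout
    if paranoid: return link, key.hex()             # key goes over a second channel
    return link + "#" + key.hex(), None             # fragment: browsers never send it

def open_link(store, link, key_hex=None, now=None):
    """Recipient side: fetch ciphertext, decrypt locally; None when the link is dead."""
    now = time.time() if now is None else now
    path, _, frag = link.partition("#")
    key = bytes.fromhex(key_hex or frag)
    if len(key) != 32: return None                  # link alone (paranoid mode) is useless
    blob = store.get(path.rsplit("/", 1)[1], now)
    if blob is None: return None
    return aead_decrypt(key, blob[:NONCE_LEN], blob[NONCE_LEN:]).decode()
```

Decrypting with a wrong key raises the library's authentication-tag error rather than yielding plaintext, which is what makes an intercepted link without its key worthless.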
What about NDAs and access policies?
Self-destructing links reduce the technical surface, not the legal one. If you need audit trails showing who accessed what and when, use a secrets manager. A self-destructing link handles only the handoff: it gets the credential from you to the contractor without leaving a copy in the channel.
For long-term contractor access, set them up in your secrets manager or password vault. For the initial handoff before that's in place, use a self-destructing link. See also onboarding credentials and secrets management vs secret sharing.