How It Works: Secure, Ephemeral, and Private
Our platform is built with a "zero-knowledge" philosophy. This means that we have designed the system so that we can never see, access, or read your secrets. The entire process of encryption and decryption happens exclusively in your browser.
The Secret Creation Flow
When you create a secret, your data never leaves your browser unencrypted.
In-Browser Encryption
You type your secret message into our web interface. Before anything is sent to our servers, the application running in your browser generates a new, cryptographically strong, random encryption key.
Client-Side Encryption
Your secret is immediately encrypted using this key and the AES-256-GCM encryption standard.
Secure Storage
Only the encrypted message is sent to our servers for storage. We have no way of decrypting it because we never receive the key.
The Unique URL
A unique, shareable URL is generated for you. The decryption key is attached to this URL as a "URL fragment" (the part after the #). The fragment is a special part of a URL that is processed only by the browser and is never transmitted to the server.
The Secret Retrieval Flow
Opening a secret is just as secure as creating one.
Burn After Reading
By default, every secret is set to "burn after reading." When the unique URL is visited for the first time, our server delivers the encrypted message to the browser and then immediately and permanently deletes it. If you need the secret to be accessible more than once, you can disable this feature during creation.
In-Browser Decryption
The application code running in the browser reads the decryption key from the URL fragment.
Revealing the Secret
The key is used to decrypt the message, revealing the original secret to the recipient. This entire process happens locally, and the plaintext secret only ever exists on the recipient's machine.
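The creation and retrieval flows above can be sketched with the Web Crypto API. This is an added example, not the platform's own code, and it leaves out the optional passphrase. Assumptions: the host `secrets.example`, the `/s/<id>` path, the `SAMPLE-ID` value, base64url encoding, the `iv || ciphertext` layout, and all function names are hypothetical.

```javascript
// Added example: names, URL layout and encodings are assumptions, not the service's code.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto; // fallback for older Node

const b64url = (bytes) => btoa(String.fromCharCode(...bytes))
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const unb64url = (s) => Uint8Array.from(
  atob(s.replace(/-/g, '+').replace(/_/g, '/')), (c) => c.charCodeAt(0));

// Sender: fresh random 256-bit key, AES-GCM encrypt, return what each party receives.
async function createSecret(plaintext, id = 'SAMPLE-ID') {
  const key = await wc.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt']);
  const iv = wc.getRandomValues(new Uint8Array(12)); // 96-bit nonce, new for every message
  const ct = new Uint8Array(await wc.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, new TextEncoder().encode(plaintext)));
  const rawKey = new Uint8Array(await wc.subtle.exportKey('raw', key));
  const blob = new Uint8Array(iv.length + ct.length); // assumed layout: iv || ciphertext+tag
  blob.set(iv);
  blob.set(ct, iv.length);
  return {
    serverPayload: b64url(blob), // the only thing uploaded to the server
    link: `https://secrets.example/s/${id}#${b64url(rawKey)}`, // key stays in the fragment
  };
}

// What the browser requests for a link: path and query only, the fragment is dropped.
function requestTarget(link) {
  const u = new URL(link);
  return u.pathname + u.search;
}

// Recipient: read the key from the fragment, decrypt the blob fetched from the server.
async function openSecret(link, serverPayload) {
  const rawKey = unb64url(new URL(link).hash.slice(1));
  const key = await wc.subtle.importKey('raw', rawKey, { name: 'AES-GCM' }, false, ['decrypt']);
  const blob = unb64url(serverPayload);
  const pt = await wc.subtle.decrypt( // rejects if the key or ciphertext was altered
    { name: 'AES-GCM', iv: blob.slice(0, 12) }, key, blob.slice(12));
  return new TextDecoder().decode(pt);
}
```

Because GCM is authenticated, `openSecret` rejects instead of returning garbage when the fragment key or the stored blob has been modified.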
Enhanced Security Features
For an additional layer of protection, you can use these optional features.
Optional Passphrase
You can choose to protect your secret with a passphrase.
- This passphrase is used as an additional input to the encryption algorithm.
- It is never stored anywhere. We do not save it, and it is not part of the URL.
- You are responsible for sharing this passphrase with your recipient through a separate, secure channel. Without it, the secret cannot be decrypted.
Automatic Expiration
No secret should live forever.
- You can set an expiration time when creating a secret, ranging from a few minutes to several days.
- If a secret is not viewed before its expiration time, it will be automatically and permanently deleted from our servers.