one-time links · client-side encrypted · open source

share a secret. once.

paste a password, api key, whatever. get a link. the first person to open it sees it. the second person sees nothing. secrets are encrypted in your browser before the server sees them, so even i can't read what you sent. 

you type
  ┌────────────────────────────────────┐
  │ my api key: sk-live_A3kQpZ...      │
  └────────────────────────────────────┘
        ↓  encrypt + upload
  https://shh.frkhd.com/x/gf83hdL2kM#k7Q...

you send the link in telegram
                ↓
friend opens it, sees the secret
                ↓
                page self-destructs.
                next refresh: 404.
how it works

three moving parts.

  1. 1.

    your browser generates a key, encrypts the secret, ships only the ciphertext to the server.

  2. 2.

    the server stores the ciphertext behind a random slug. the decrypt key lives in the url fragment (#...) which browsers don't send to servers.

  3. 3.

    first GET for the slug returns the ciphertext, then deletes the row. second request 404s.

same pattern password-pusher and privatebin use. nothing clever, just done small.

try it

burn a secret now

no account. no email. no cookies. just the secret, a link, and thirty seconds.

share a secret →

open source at github.com/f4rkh4d/shh · mit