one-time links · client-side encrypted · open source

share a secret. once.

paste a password, api key, whatever. get a link. the first person to open it sees it. the second person sees nothing. secrets are encrypted in your browser before the server sees them, so even i can't read what you sent.

you type
  ┌────────────────────────────────────┐
  │ my api key: sk-live_A3kQpZ...      │
  └────────────────────────────────────┘
        ↓  encrypt + upload
  https://shh.frkhd.com/x/gf83hdL2kM#k7Q...

you send the link in telegram
                ↓
friend opens it, sees the secret
                ↓
                page self-destructs.
                next refresh: 404.

how it works

three moving parts.

  1. your browser generates a key, encrypts the secret, ships only the ciphertext to the server.

  2. the server stores the ciphertext behind a random slug. the decrypt key lives in the url fragment (#...) which browsers don't send to servers.

  3. first GET for the slug returns the ciphertext, then deletes the row. second request 404s.

same pattern password-pusher and privatebin use. nothing clever, just done small.
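
the three steps above, end to end, as an added example that runs in node (this is not the project's code, which isn't public yet). the cipher (AES-256-GCM via WebCrypto), the base64url encoding, the in-memory `Map` standing in for the server table, the host `shh.example` and every function name are assumptions.

```javascript
// added example, not the project's code. assumptions: AES-256-GCM via WebCrypto,
// base64url encoding, an in-memory Map for the server table, host shh.example.
const wc = globalThis.crypto ?? require('node:crypto').webcrypto; // Node 18 fallback
const b64u = (buf) => Buffer.from(buf).toString('base64url');
const unb64u = (s) => Buffer.from(s, 'base64url');

// step 1 (browser): make a key, encrypt, keep the key out of the upload.
async function seal(secret) {
  const key = await wc.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt']);
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh nonce per secret
  const ct = await wc.subtle.encrypt({ name: 'AES-GCM', iv }, key, new TextEncoder().encode(secret));
  const raw = await wc.subtle.exportKey('raw', key);
  return { upload: `${b64u(iv)}.${b64u(ct)}`, fragment: b64u(raw) };
}

// step 2 (server): store ciphertext behind a random slug. it never receives the key.
const rows = new Map();
function put(upload) {
  const slug = b64u(wc.getRandomValues(new Uint8Array(9)));
  rows.set(slug, upload);
  return slug;
}

// step 3 (server): first read returns the row and deletes it, later reads 404.
function getOnce(slug) {
  const body = rows.get(slug);
  rows.delete(slug); // delete before responding so a retry cannot read it twice
  return body === undefined ? { status: 404 } : { status: 200, body };
}

// what an HTTP client puts on the wire for a link: path and query, never the fragment.
const requestTarget = (link) => { const u = new URL(link); return u.pathname + u.search; };

// browser again: rebuild the key from the fragment and decrypt locally.
async function open(body, fragment) {
  const [iv, ct] = body.split('.').map(unb64u);
  const key = await wc.subtle.importKey('raw', unb64u(fragment), 'AES-GCM', false, ['decrypt']);
  return new TextDecoder().decode(await wc.subtle.decrypt({ name: 'AES-GCM', iv }, key, ct));
}

async function demo() {
  const { upload, fragment } = await seal('my api key: sk-live_CONSTRUCTED'); // constructed value
  const link = `https://shh.example/x/${put(upload)}#${fragment}`;
  const target = requestTarget(link);
  const first = getOnce(target.split('/').pop());
  const second = getOnce(target.split('/').pop());
  const plaintext = await open(first.body, new URL(link).hash.slice(1));
  return { target, fragment, first: first.status, second: second.status, plaintext };
}
```

because GCM is authenticated, a wrong fragment or a tampered ciphertext makes `open` throw instead of returning garbage.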

install

not public yet

there's a web ui at shh.frkhd.com you can use right now. the cli source drops on github soon, i'm still cleaning up the repo. ping me at bennett@frkhd.com if you want early access.