Share a secret with a one-time link
Paste a password, API key, or note. It is encrypted in your browser and turned into a link that reveals it once, then self-destructs. No signup, and we never see the contents.
Zero-knowledge. The decryption key lives in the link, not on our servers, and the stored copy is deleted the moment it is viewed.
Encrypted in your browser before it leaves. We only ever store ciphertext we can't read.
How it works
- You paste the secret. Your browser makes a one-off AES-256-GCM key and encrypts it locally.
- Only the ciphertext is sent to us. The key is tucked into the link after the
#, which never reaches a server. - You send the link. The first person to open it decrypts the secret in their own browser, and the stored copy is destroyed on read.
- If it is never opened, it expires and deletes itself after the window you picked.
What it is not
This is a great way to hand off a single secret safely. It is not a place to store credentials, it can't prove who opened what for a team, and it can't take access back once someone has read the value. Those are jobs for a vault with approvals and an audit trail, not a one-time link.
Common questions
- Do you ever see the secret?
- No. Your browser generates a random AES-256-GCM key, encrypts the secret locally, and only sends us the ciphertext. The key is placed in the link's fragment (the part after #), which browsers never transmit to a server. We store something we cannot read.
- What happens after someone opens the link?
- The ciphertext is deleted the instant it is fetched, in a single atomic operation. Open the link a second time and there is nothing to return. If nobody opens it, it self-destructs on its own after the expiry you chose.
- How is this safer than pasting it into Slack or email?
- Slack and email keep a permanent, searchable copy that anyone who later gains access can read, and neither records who actually read it. A one-time link is gone after one view and leaves no lingering copy in a chat history.
- Do I need an account?
- No. This tool is free and needs no signup. If you do this often for a team and want approvals, per-person access, and an audit log of who opened what, that is what Vendor Access Vault adds.
Keep reading
- Sharing an API key with a contractor?The full decision, and when a one-time link is and isn't enough.
- Is it safe to share passwords in Slack?Why the chat-history copy is the problem a one-time link avoids.
- Doing this for a whole engagement?Give a contractor access you can approve, time-box, and revoke.
Sharing secrets with the same people, over and over?
A one-time link is perfect for a one-off. When it is a team and a repeated need, Vendor Access Vault adds request-and-approve access, expiry, offboarding, and an audit log of who opened what. Free while we build it.