One-Time Secret
Share a password or note via a link that works once, then self-destructs. End-to-end encrypted in your browser — the server only holds an unreadable blob.
- [FREE]
- [NO_SIGNUP]
- [SAVES_DATA]
⚠ Unlike most of the site, this tool sends your input to a server and stores it to work. It tells you exactly what it keeps and why — see the tool and the privacy page.
A one-time secret link lets you hand someone a password or sensitive note that can be opened exactly once and then self-destructs — encrypted end-to-end in your browser.
How it stays private
- You type the secret. Your browser generates a random AES-256-GCM key and encrypts the secret locally.
- Only the ciphertext is sent to the server. The key is placed in the link after # — the URL fragment, which browsers never send to any server.
- The recipient opens the link; their browser fetches the ciphertext and decrypts it locally with the key from the link.
- On that first fetch, the server deletes the secret (atomic burn-on-read). Open it again → nothing.
The server only ever holds an unreadable blob. It can’t decrypt your secret, because it never has the key.
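The four steps above, modelled end to end with the Web Crypto API. This is an added example, not the tool's own code: the link shape `https://example.test/s/<id>#<key>`, the function names, and the in-memory `Map` standing in for the backend store are all assumptions made for illustration.

```javascript
// Added example, not the tool's code. Assumed: link shape /s/<id>#<key>, Map as the store.
const cryptoApi = globalThis.crypto ?? require('node:crypto').webcrypto;
const b64u = (bytes) => btoa(String.fromCharCode(...bytes))
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const unb64u = (s) => Uint8Array.from(
  atob(s.replace(/-/g, '+').replace(/_/g, '/')), (c) => c.charCodeAt(0));

// Stand-in for the backend: it only ever sees { iv, ciphertext }.
const store = new Map();
function serverBurnOnRead(id) {
  const blob = store.get(id) ?? null;
  store.delete(id); // synchronous get+delete: nothing can interleave in this model
  return blob;      // a real backend must make read-and-delete one atomic operation
}

// Sender: encrypt locally, upload only the ciphertext, put the key after '#'.
async function createSecretLink(plaintext) {
  const key = await cryptoApi.subtle.generateKey(
    { name: 'AES-GCM', length: 256 }, true, ['encrypt', 'decrypt']);
  const iv = cryptoApi.getRandomValues(new Uint8Array(12));
  const ct = new Uint8Array(await cryptoApi.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, new TextEncoder().encode(plaintext)));
  const rawKey = new Uint8Array(await cryptoApi.subtle.exportKey('raw', key));
  const id = b64u(cryptoApi.getRandomValues(new Uint8Array(16)));
  store.set(id, { iv: b64u(iv), ciphertext: b64u(ct) });
  return `https://example.test/s/${id}#${b64u(rawKey)}`;
}

// Recipient: only the path identifies the blob; the fragment is used client-side.
async function openSecretLink(link) {
  const url = new URL(link);
  const id = url.pathname.split('/').pop();
  const blob = serverBurnOnRead(id);
  if (blob === null) return null; // already viewed or expired
  const key = await cryptoApi.subtle.importKey(
    'raw', unb64u(url.hash.slice(1)), 'AES-GCM', false, ['decrypt']);
  const pt = await cryptoApi.subtle.decrypt(
    { name: 'AES-GCM', iv: unb64u(blob.iv) }, key, unb64u(blob.ciphertext));
  return new TextDecoder().decode(pt);
}

// Returns what each party observes for one constructed secret.
async function demo() {
  const link = await createSecretLink('constructed-sample-password');
  const serverView = JSON.stringify([...store.values()]);
  const first = await openSecretLink(link);
  const second = await openSecretLink(link);
  return { link, serverView, first, second };
}
```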
Why it needs a server
Even though it’s end-to-end encrypted, the blob has to be stored somewhere the recipient can reach, and the “destroy after one read” rule has to be enforced server-side. That’s all the backend does (Cloudflare Pages Functions + D1) — store ciphertext, hand it over once, burn it.
Good to know
- Lost link = lost secret. We can’t recover it; we never had the key.
- First opener wins. Anyone who opens the link first sees the secret and burns it — send it over a trusted channel. If the real recipient finds it “already viewed,” treat that as a tamper signal.
- Expiry is a backstop: unopened secrets are deleted after the time you pick.
Related tools
- Password Generator — make a strong secret to share.
- Hash Generator — verify a file or string by checksum instead.
- URL Shortener — the other server-backed tool here.
Frequently asked questions
How is this safe to send a password through?
The secret is encrypted in your browser with AES-256-GCM before anything is sent. Only the ciphertext reaches the server; the decryption key is placed in the link after the # (the URL fragment), which browsers never transmit to a server. So the server stores an unreadable blob and literally cannot decrypt it. The recipient's browser pulls the blob and decrypts it locally using the key from the link.
What does "one-time" mean exactly?
The moment the link is opened and the secret is fetched, the server deletes it (an atomic burn-on-read). A second person opening the same link gets nothing. If no one opens it, it's deleted at the expiry you chose (1 hour to 7 days).
Why does this need a server at all if it's end-to-end encrypted?
The encrypted blob has to live somewhere the recipient can fetch it from, and the "destroy after one read" guarantee has to be enforced server-side. So a small backend (Cloudflare Pages Functions + D1) stores the ciphertext and burns it on first read. It never sees the key or the plaintext.
What if I lose the link?
It's gone. We can't recover or re-show it — the key only ever existed in that link, and we never had it. Create a new secret.
Can you read my secret?
No. The key never leaves the link's fragment, which isn't sent to the server. We only store ciphertext + the random IV. Standard host-level request metadata (IP, timestamp) may be logged by Cloudflare as on any site, but that reveals nothing about the secret.
Should I still trust the recipient and the channel?
Yes — send the link over a channel you trust, and remember anyone who opens it first gets the secret (and burns it). If the link is intercepted and opened, the real recipient will see it's already been viewed — a useful tamper signal.