End-to-end encrypted. One-time view. Zero trust.
This link will work exactly once, then self-destruct.
Decrypting in your browser.
This secret has been deleted from the server.
When you create a secret, your browser generates a random 256-bit key using the Web Crypto API and encrypts your data with AES-256-GCM — the same standard used by governments and banks. This all happens locally; the plaintext never leaves your device.
The encrypted blob is sent to the server and stored with a random ID. The server has no knowledge of what's inside — it's indistinguishable from random noise without the key.
The decryption key is placed after the # in the link. The fragment portion of a URL is never sent to the server in HTTP requests — it's processed entirely by the browser. So the server never sees the key.
When the recipient opens the link, the browser fetches the encrypted blob using the ID, reads the key from the # fragment, and decrypts locally. The server permanently deletes the ciphertext after this single retrieval. Even if someone gets the link later, the data is gone.
AES-256-GCM — authenticated encryption with 256-bit keysWeb Crypto API — browser-native cryptography (no JS crypto libraries)crypto.getRandomValues() — cryptographically secure random number generation#) for zero-knowledge key transport