About
How security works
This app lets you share secrets via one-time links. Here's how we keep your data safe:
- Encryption at rest — Secrets are encrypted with AES-256-GCM before being stored in the database. The encryption key is derived from a server-side environment variable and never leaves the server.
- Authenticated encryption — GCM mode provides both confidentiality and integrity. Tampering with the ciphertext is detected and decryption will fail.
- Unique IV per secret — Each secret gets a random 16-byte initialization vector (IV), ensuring the same plaintext produces different ciphertext every time.
- One-time view — When a secret is retrieved, it is decrypted and shown once, then immediately deleted from the database. The link cannot be used again.
- Unguessable links — Share links use 12-character nanoid identifiers, making them practically impossible to guess.
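The storage flow described in the list above, as an added Node.js sketch that is not the app's own code. The variable name SECRET_KEY, the scrypt derivation and salt, the in-memory Map standing in for the database, and the random-bytes identifier standing in for nanoid are all assumptions.

```javascript
const crypto = require('node:crypto');

// Assumptions: SECRET_KEY, the scrypt KDF and the salt are stand-ins; the page
// only says the key is derived from a server-side environment variable.
const KEY = crypto.scryptSync(
  process.env.SECRET_KEY || 'constructed-demo-value', 'constructed-demo-salt', 32);

const store = new Map(); // stands in for the database table

function encrypt(plaintext) {
  const iv = crypto.randomBytes(16); // fresh random 16-byte IV per secret
  const cipher = crypto.createCipheriv('aes-256-gcm', KEY, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return { iv, ciphertext, tag: cipher.getAuthTag() };
}

function decrypt({ iv, ciphertext, tag }) {
  const decipher = crypto.createDecipheriv('aes-256-gcm', KEY, iv, { authTagLength: 16 });
  decipher.setAuthTag(tag);
  // final() throws if the IV, ciphertext or tag was modified
  return Buffer.concat([decipher.update(ciphertext), decipher.final()]).toString('utf8');
}

function createSecret(plaintext) {
  // 9 random bytes -> 12 URL-safe characters; stands in for the nanoid call
  const id = crypto.randomBytes(9).toString('base64url');
  store.set(id, encrypt(plaintext));
  return id;
}

function viewOnce(id) {
  const record = store.get(id);
  if (!record) return null; // unknown or already-used link
  const plaintext = decrypt(record);
  store.delete(id); // after this the link is dead
  return plaintext;
}

const demoId = createSecret('constructed sample secret');
console.log(viewOnce(demoId)); // first view returns the plaintext
console.log(viewOnce(demoId)); // second view returns null
```

With a real database the read and delete in viewOnce need to be a single atomic operation, otherwise two concurrent requests for the same link can both succeed.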
Important notes
Secrets are sent to our server over HTTPS and encrypted there, so the server sees the plaintext before it is encrypted. Only share links with people you trust: anyone with the link can view the secret once.