Secure Share

Your message is encrypted in your browser using AES-256-GCM before it reaches our server. The decryption key lives in the URL fragment (#) which browsers never send to servers. We literally cannot read your secrets.

No. The server only stores encrypted ciphertext. The decryption key is embedded in the link fragment and never transmitted to the server. Even if our database were compromised, your secrets remain private.

Yes. Secure Share is specifically designed for sharing sensitive credentials like passwords, API keys, tokens, and private notes. The one-time-read mechanism ensures the data is permanently destroyed after the recipient views it, and zero-knowledge encryption ensures it cannot be intercepted in transit or at rest.

Once decrypted, the message is visible in the browser like any text — screenshots are technically possible. For maximum security, we recommend: (1) telling the recipient to expect the message, (2) using a passphrase that you share on a separate channel, and (3) keeping secrets minimal (e.g. just the password, not the username + password). Secure Share ensures the secret can't be accessed again — preventing the most common breach vector.

Yes. Because encryption and decryption happen entirely in your browser, and the decryption key never travels to the server, your secret is protected even on untrusted networks. All communication with our servers uses HTTPS/TLS, and the actual message content is AES-256 encrypted on top of that — effectively double-encrypted in transit.

Yes! You can add an optional passphrase that the recipient must enter before decryption. The passphrase derives the encryption key via PBKDF2 with 600,000 iterations, adding a strong second layer of protection.

Unread messages automatically expire based on your selected TTL (30 minutes to 7 days) and are permanently deleted from our servers. There is no recovery mechanism.

Currently, once a secret is created, it can only be consumed by opening the link or by waiting for it to expire. We recommend using a short TTL (30 minutes) if you want the message to self-destruct quickly. A manual revoke feature is planned for a future update.

If the recipient opens the link and sees the secret, it is permanently deleted from our server. If you (or anyone) try to open the same link again, you'll see a "Message Not Found" screen — confirming it was already consumed. This serves as a built-in read receipt.

Yes. Secure Share is a Progressive Web App (PWA) that works on any modern mobile browser. You can even install it to your home screen for instant access — no app store download required. Creating and reading secrets works identically on desktop and mobile.

Secure Share is completely free with no sign-up required. Core features including encryption, passphrase protection, and adjustable TTL are available at no cost. Our encryption source code is publicly auditable.

No. We've implemented a click-to-reveal gate that prevents automated link-preview bots from triggering the one-time read. When a bot crawls the link, it sees the gate page but cannot execute the JavaScript required to fetch and delete the message. Only a real user clicking the reveal button will consume the secret.

Secure Share works in all modern browsers that support the Web Crypto API, including Chrome, Firefox, Safari, Edge, and their mobile versions. Internet Explorer is not supported.

Not yet, but it's on our roadmap. A REST API would allow teams to programmatically create and share secrets from CI/CD pipelines, deployment scripts, and internal tools. If you're interested, let us know.

Secure Share's zero-knowledge architecture means we never access, process, or store identifiable health information — the server only holds encrypted blobs it cannot decrypt. While we don't sign BAAs, the architecture inherently minimizes PHI exposure. For regulated workflows, we recommend adding a passphrase and using the shortest TTL available.

Signal and WhatsApp disappearing messages require both parties to have the app installed and an account. Messages may still be cached, quoted, or backed up before they disappear. Secure Share is web-based (no install needed), truly one-time (server-side deletion, not client-side timer), and anonymous (no account, no phone number). The recipient doesn't need any software — just a browser.