End-to-end encrypted. The server never sees your content.
We built secretshare for our own use running a business primarily online. Sometimes we need to share sensitive information—like site keys—that we don’t want online platforms such as Discord to scan, or risk in a potential third‑party data breach. Secretshare lets us send a one-time link instead; the recipient opens it, sees the secret, and it’s gone.
Your secret is encrypted in your browser using AES-256-GCM before anything is sent to the server. We never see plaintext, only ciphertext.
The decryption key lives only in the #fragment of the share link. Fragments are never sent in HTTP requests, so the server has no way to decrypt your secret even if it wanted to.
No. The moment a secret is opened, it is permanently deleted from the database. There is no second read, for anyone.
Every secret has a time limit you set. If nobody opens the link before it expires, the secret is deleted automatically and never waits around indefinitely.
Before displaying anything, the page verifies that the key in your link actually decrypts the secret correctly. A wrong or tampered key shows nothing.
No. We operate a zero-log policy. We don’t store access logs, request logs, or any data that could identify who shared or viewed a secret. Secrets exist only as encrypted blobs until they’re opened or expired, then they’re deleted.