Free, open-source one-time secret sharing with end-to-end encryption.
Share passwords, API keys, and sensitive data through self-destructing links.
Live Demo · How It Works · Self-Hosting · Security · Self-Host Guide
- Encrypt — Your browser generates a 256-bit key, encrypts the secret with AES-256-GCM, and splits the key in half
- Store — One key half goes in the URL fragment (never sent to the server), the other is stored server-side with the encrypted blob
- Share — Send the link to your recipient
- Decrypt — The recipient's browser recombines the key halves and decrypts locally
- Delete — The secret is permanently deleted after one view
The server never has enough information to decrypt the secret.
- End-to-end encryption — AES-256-GCM via Web Crypto API, entirely in the browser
- Split-key architecture — Decryption key split into two halves; server only stores one
- One-time access — Secrets atomically retrieved and deleted on first view
- Password protection — Optional PBKDF2-derived double encryption (100K iterations)
- Auto-expiry — Configurable TTL: 1 hour, 24 hours, 7 days, or 30 days
- Zero knowledge — Server never receives the full key, plaintext, or URL fragment
- Strict CSP — Blocks inline scripts, external JS, and clickjacking
- Zero client dependencies — Pure Web Crypto API
| Layer | Technology |
|---|---|
| Frontend | Vanilla TypeScript, HTML, CSS |
| Backend | Cloudflare Workers |
| Storage | Cloudflare KV (TTL-based auto-expiry) |
| Encryption | Web Crypto API (AES-256-GCM, PBKDF2) |
| Testing | Vitest + fast-check (property-based) |
Deploy your own instance of SecureShare in under 2 minutes:
Click the button, connect your GitHub/GitLab, and Cloudflare handles the rest — KV namespace provisioning, build, and deployment are all automatic.
See the full Self-Hosting Guide for custom domains, configuration, and updating.
git clone https://github.com/MeetanshiInc/SecureShare-OSS.git
cd SecureShare-OSS
npm install
npm run dev
# → http://localhost:8787npm test484 tests including property-based tests for encryption, key splitting, one-time access, and more.
| Data | Server Access |
|---|---|
| Full decryption key | No |
| URL fragment (public key half) | No |
| Plaintext secret | No |
| User password | No |
Secret -> Generate 256-bit key -> Split key in half
-> Encrypt with AES-256-GCM -> [Optional: PBKDF2 password layer]
-> Send encrypted blob + private key half to server
-> URL contains secret ID + public key half in fragment
Open link -> Extract public key half from fragment (never sent to server)
-> Fetch encrypted blob + private key half from server
-> Server deletes secret immediately
-> [If password-protected: prompt + PBKDF2 decrypt]
-> Recombine key halves -> AES-256-GCM decrypt -> Display
All responses include CSP (script-src 'self', frame-ancestors 'none'), HSTS, X-Frame-Options DENY, no-referrer, and nosniff.
src/
frontend/ Client-side HTML, TypeScript, assets
shared/ Crypto utilities (AES-256-GCM, PBKDF2, key splitting)
worker/ Cloudflare Worker backend (routing, handlers, KV store)
tests/
frontend/ Frontend unit tests
property/ Property-based tests (fast-check)
shared/ Shared utility tests
worker/ Worker handler tests
See CONTRIBUTING.md for guidelines.
MIT — Built by Meetanshi Technologies