The thirty-second version
- You paste a secret and click Create secret link.
- Your browser encrypts it and gives you a link.
- You send that link to someone.
- They open it once, read the secret, and it’s destroyed — permanently.
No account. No app. No password to remember. If you can copy and paste, you can use it.
Why it’s actually private
It’s encrypted in your browser
Before your secret ever leaves your device, OneTime encrypts it with AES-256-GCM using the Web Crypto API built into your browser. The encryption key is generated locally and tucked into the part of the link after the # — the URL fragment.
The key never reaches our server. Browsers, by design, never include the part of a URL after # in the requests they send. So we receive only the encrypted blob. We could hand our entire database to anyone and the secrets inside would still be unreadable — the keys simply aren’t there. This is what “zero-knowledge” means.
It self-destructs after one view
The first time the link is opened and the secret revealed, we hand over the ciphertext and delete it in the same database transaction. A second person opening the same link gets a polite “this secret is gone.” There is no second look, and no recovery.
It expires on its own
You choose how long an unopened link survives — from five minutes to seven days. If nobody ever opens it, it’s automatically purged when that window passes.
No tracking, no third parties
There are no analytics pixels, no advertising scripts, and no third-party requests of any kind — not even a font CDN. The page you’re reading talks to exactly one server: ours. The whole point of a tool like this is to leave no trace.
The optional passphrase
For extra-sensitive secrets you can add a passphrase under Advanced. When you do, the link alone isn’t enough — the recipient also has to type the passphrase, which is mixed into the encryption key in their browser (via PBKDF2). Share the passphrase through a different channel than the link. If the link ever leaks, it’s still useless without the passphrase.
Good things to send
- A password or recovery code for a teammate or client
- An API key, token, or database credential
- A private note you don’t want sitting in someone’s inbox forever
- Anything you’d normally — and nervously — paste into a chat
A few honest limits
- If a link is opened by the wrong person first, they get the secret and the real recipient gets nothing. Send links over channels you trust, and use a passphrase for the sensitive ones.
- We can’t recover a secret once it’s been viewed or has expired — that’s the feature, not a bug.
- Secrets are capped at 100,000 characters. It’s built for credentials and notes, not file transfer.
Who makes this
OneTime is a free tool from Champlin Enterprises, an AI-first software studio. We built it because we wanted a secret-sharing tool we could fully trust — so we run our own, and we’re sharing it with everyone.