Frequently Asked Questions
What is One Time Secret Link?
One Time Secret Link is a secure way to share sensitive information, such as passwords, API keys, or any confidential data, via chat or email. Think of it as a digital equivalent of passing a secret note that self-destructs after being read. Once the link is opened and the secret is viewed, it's automatically deleted from the servers and won't be available anymore. This ensures that sensitive information doesn't linger in inboxes or chat logs where it might be discovered by unintended recipients.
How does it work?
- You enter your secret on the website. This could be anything from a simple password to a lengthy confidential message.
- Your secret is encrypted right in your browser using AES-256 encryption. This is a very strong encryption method used by governments and financial institutions.
- The encrypted version of your secret (which looks like gibberish to anyone without the key) is sent to the server and stored temporarily.
- You receive a unique URL. This URL contains two important parts: a secret key (which tells the server which encrypted secret to retrieve) and an encryption key (which allows the secret to be decrypted).
- When the recipient opens the URL, their browser retrieves the encrypted secret from the server using the secret key, then decrypts it using the encryption key. The decrypted secret is then displayed to them.
- Immediately after this, the encrypted secret is permanently deleted from the server.
Why is this approach secure?
- End-to-end encryption: Your secret is encrypted in your browser before it ever leaves your device. This means that even if someone were to intercept the data being sent to the server, they wouldn't be able to read your secret.
- One-time use: Once the secret is viewed, it's immediately and permanently deleted from the server. This means that even if someone were to get hold of the URL later, they wouldn't be able to access the secret.
- Encryption key in URL fragment: The part of the URL after the '#' symbol is called the fragment. This part is never sent to the server when a browser requests a web page. The encryption key is put in this part, which means the server never sees the key needed to decrypt your secret.
- Temporary storage: Even if a secret isn't viewed, it isn't kept forever. You can choose how long it should be stored, and after that time, it will be automatically deleted.
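The link layout and one-time retrieval described above, modelled in JavaScript as an added example (not the service's own code). The `/s/<id>` path layout, the names `OneTimeStore`, `buildLink` and `splitLink`, and all sample values are assumptions; the ciphertext is a constructed placeholder and no encryption is performed here.

```javascript
// Added example: hypothetical model of the flow in this FAQ, not the project's code.
const DAY_MS = 24 * 60 * 60 * 1000;
const ALLOWED_TTL_DAYS = [1, 3, 7, 14, 30]; // retention options listed in this FAQ

// Server side: holds only ciphertext, indexed by the "secret key" (lookup id).
class OneTimeStore {
  constructor() {
    this.items = new Map();
  }
  put(secretKey, ciphertext, ttlDays, now) {
    if (!ALLOWED_TTL_DAYS.includes(ttlDays)) {
      throw new RangeError('unsupported retention period');
    }
    this.items.set(secretKey, { ciphertext, expiresAt: now + ttlDays * DAY_MS });
  }
  // The entry is deleted on the first lookup, whether or not it is still valid.
  // Returns the ciphertext only if it had not expired; otherwise null.
  take(secretKey, now) {
    const entry = this.items.get(secretKey);
    if (!entry) return null;
    this.items.delete(secretKey);
    return now < entry.expiresAt ? entry.ciphertext : null;
  }
}

// Sender side: lookup id goes in the path, encryption key goes after '#'.
function buildLink(origin, secretKey, encryptionKey) {
  const url = new URL('/s/' + encodeURIComponent(secretKey), origin);
  url.hash = encryptionKey;
  return url.href;
}

// Recipient side: separate what the browser sends from what it keeps.
function splitLink(link) {
  const url = new URL(link);
  return {
    // Path and query are what appear in the HTTP request; the fragment does not.
    requestTarget: url.pathname + url.search,
    secretKey: decodeURIComponent(url.pathname.split('/').pop()),
    encryptionKey: url.hash.slice(1), // stays in the browser for decryption
  };
}
```

Because the key never reaches the server, the server cannot decrypt what it stores, but anyone who obtains the full link before it is opened holds both parts.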
How long are secrets stored?
You have flexibility in choosing how long your secret should be available. The options are 1, 3, 7, 14, or 30 days. Remember, this is a maximum - if someone views the secret before this time is up, it will be deleted immediately. Think of it as an expiration date: the secret will definitely be gone by that date, but it might be "consumed" earlier.
Is the code open source?
Yes, the entire codebase for One Time Secret Link is available on GitHub. This provides:
- Transparency: Anyone can review the code and see how it works.
- Personal use: If you're technically inclined, you could set up your own instance of the service.
Is this service SOC2 or ISO compliant?
The One Time Secret Link service itself hasn't gone through the formal SOC2 or ISO certification process.
However, the service is built entirely on Cloudflare's infrastructure:
- Cloudflare Workers for running server-side code
- Cloudflare KV (Key-Value storage) for temporarily storing the encrypted secrets
- Cloudflare Pages for hosting the website users interact with
Cloudflare is a major player in internet infrastructure and security, and they have obtained numerous certifications and compliance attestations. These include SOC 2 Type II, ISO 27001, and PCI DSS 4.0. While this doesn't automatically make the service compliant, it does mean that the underlying infrastructure is held to very high security standards.
How is the secret shared?
After you create a secret, you'll receive a unique URL. You have several options for sharing this URL:
- Copy the URL and send it through your preferred method.
- Use built-in sharing options to send it directly via platforms like email, Slack, or Teams.
Remember, anyone with this URL can potentially access the secret, so be careful how you share it!
What technology stack is used?
The service uses a modern, efficient technology stack:
- Frontend: Svelte with TypeScript. Svelte is a modern JavaScript framework that provides a fast, efficient user interface.
- Backend: Cloudflare Workers handle server-side operations. These are lightweight, serverless functions that run close to the user for fast performance.
- Storage: Cloudflare KV (Key-Value) storage is used to temporarily hold the encrypted secrets.
- Hosting: Cloudflare Pages hosts the frontend, providing fast, secure static site hosting.
- Encryption: The CryptoJS library is used to perform AES-256 encryption. This is a well-regarded, widely-used encryption library.
This stack allows for a service that's fast, secure, and globally available.
Is there a limit to the size of the secret?
The service is designed to handle secrets of various sizes efficiently:
- Performance: Encrypting and decrypting larger amounts of data in the browser might take slightly longer, but for most secrets you shouldn't notice any significant delay.
- Storage: The backend uses Cloudflare KV, which can handle a wide range of data sizes. However, as with any service, there are practical upper limits to consider.
While there are no strict size limits imposed, it's recommended to keep secrets to a reasonable size. This service is ideal for sharing sensitive information like passwords, API keys or small confidential messages.
If you need to share very large files securely, you might want to consider a dedicated encrypted file-sharing service. But for most secret-sharing needs, this service should be more than capable.
Remember, the goal is to share sensitive information securely and temporarily.
Can I create multiple secrets?
You can create as many secrets as you need. Each secret gets its own unique URL, so you can share different pieces of information with different people. After you've created and shared one secret, you can easily create a new one by clicking the "Create new secret" button. This will take you back to the initial screen where you can enter a new secret.
Remember, each secret is independent, so you can have multiple secrets with different expiration times or share them with different people as needed.
Why is it free?
One Time Secret Link is free to use thanks to Cloudflare's generous free tier. However, this might change in the future if Cloudflare decides to change pricing plans or if usage limits are reached.