About Disposable Secret

Share sensitive information securely. Leave no trace.

Stop the digital paper trail

Every time you send a password, API key, or private note by email or chat, a copy stays behind forever. It sits in your sent folder, the recipient's inbox, and on every server in between. If any of those accounts are ever compromised, that sensitive information is exposed too.

Disposable Secret solves this. We generate a secure link that works exactly once. The moment your recipient views it, the information is permanently and irreversibly destroyed. There is no copy left anywhere - not on our servers, not in a database, nowhere.

How it works

Paste your text, generate a link, and share it with your recipient. When they open it, their browser decrypts and displays the information, and it is immediately and permanently destroyed. The link stops working straight away and cannot be opened again. If nobody views it within 24 hours, it deletes itself automatically.

Zero-knowledge encryption

This is what makes Disposable Secret different. Your secret is encrypted in your browser, before it is sent to us. We only ever store an encrypted blob that we have no ability to read. Even if someone demanded we hand over your data, there would be nothing useful to hand over - unlike other platforms, we genuinely do not hold the keys to your information.

In standard mode, the decryption key is embedded in the link you share, in the part after the # symbol. Browsers never send that part to a server, so it never touches our systems at all. Only the person with the full link can decrypt the secret, and only once. When using a passphrase, there is no key in the URL - the key is derived from the passphrase directly in the recipient's browser.

Read the full technical explanation on our Security page →

Optional passphrase protection

For an extra layer of security, you can require the recipient to enter a passphrase before viewing. The passphrase is used to derive the encryption key entirely within their browser - we never see it, never store it, and could not use it to decrypt your secret even if we wanted to. Share the link one way and the passphrase another, by phone or text message for example, and even a fully intercepted link is useless without both.

Privacy by design

We do not store IP addresses. If you opt in to view notifications, we record only the approximate city and country of the viewer using a local lookup - never a precise location - and that is deleted along with the secret. If you provide a notification email address, it is encrypted before being stored and deleted the moment the notification is sent. We do not use third-party tracking, advertising, or analytics, and our servers are located in Europe.

A tip worth following

If you are using a passphrase, send the link by email and the passphrase by text message or phone. Even if someone intercepts one, they cannot use it without the other.

Questions? Get in touch at [email protected]. For more detail on how we protect your data, read our Security page, Privacy Policy, and Terms.