How it works

The server stores encrypted bytes. The browser creates and keeps the key.

1

Key generation

Your browser generates a 256-bit AES-GCM key with the Web Crypto API.

2

Local encryption

Your message is encrypted locally with a random IV before upload.

3

Ciphertext only on server

The server receives ciphertext, IV, expiry settings, and optional hashed gates — never plaintext.

4

Key hidden in URL fragment

The generated link puts the decryption key after #. URL fragments are not sent in HTTP requests.

5

Server-side checks on open

When the recipient unlocks the note, the server returns ciphertext once the expiry, password, and view-limit checks pass.

6

Local decryption + destruction

The recipient browser decrypts the note locally and the server marks the encrypted row as consumed.

Important link handling
The full link includes the key. Share it only with the intended recipient.