OneTimeSecret FAQ: Security, Features, and Alternatives Compared

OneTimeSecret is an open-source secret sharing tool that creates encrypted, self-destructing links for passwords, API keys, and confidential messages. Core features include:

• Self-destructing messages — deleted after a single view
• Zero-knowledge encryption — the decryption key never reaches the server
• Password protection — optional passphrase for extra security
• Expiration controls — TTL from 1 hour to 30 days
• Open-source — auditable code, self-hosting supported

Learn more about OneTimeSecret →

OneTimeSecret combines client-side encryption with automatic server-side deletion:

1. Encryption: Your message is encrypted in your browser using AES-256 before anything is sent to the server
2. Key separation: The decryption key is placed in the URL fragment (after #), which browsers never transmit to servers
3. Zero-knowledge storage: Only encrypted ciphertext is stored — the server has no way to read it
4. One-time viewing: When the link is opened, the recipient's browser decrypts the data and the server permanently deletes the ciphertext

See the detailed technical process →

Both create self-destructing messages, but they differ in key areas:

OneTimeSecret is the stronger choice for users who value transparency, password protection, and self-hosting. Privnote is simpler but closed-source.

Popular alternatives to OneTimeSecret include:

• Privnote — simple self-destructing notes, closed-source, no password option
• Password Pusher — open-source, focused on credential sharing with view-count limits
• Bitwarden Send — integrates with Bitwarden vault, requires an account
• scrt.link — minimal-UI encrypted sharing
• Yopass — lightweight, containerized, open-source
• PrivateBin — encrypted pastebin with discussion support
• Vaulted — team-focused secret management
• Hemmelig — open-source with file attachment support

OneTimeSecret remains the best-known open-source option that combines self-destruction, zero-knowledge, password protection, and expiration controls in a single free tool.

OneTimeSecret provides strong security through several mechanisms:

• AES-256 Encryption: The same standard used by governments and military organizations — billions of years to brute-force.
• Zero-Knowledge Architecture: The server never sees the decryption key or plaintext content.
• Ephemeral Design: Data that no longer exists cannot be stolen in future breaches.
• Open-Source: Unlike Privnote or scrt.link, anyone can audit OneTimeSecret's code.

Security also depends on how you share the link and the security of sender/recipient devices. For the highest protection, enable password protection and share links via a separate channel.

No. OneTimeSecret uses zero-knowledge encryption:

1. Your message is encrypted in your browser before it is sent anywhere
2. The decryption key is placed in the URL fragment (after the # symbol)
3. URL fragments are never sent to web servers — this is part of the HTTP specification
4. The server stores only encrypted ciphertext that is meaningless without the key

Even if the OneTimeSecret operator were compelled by law enforcement, they technically cannot decrypt your content. This same approach is used by Password Pusher, Bitwarden Send, and Yopass.

Yes. OneTimeSecret is one of the safest ways to share passwords:

• Unlike email, the password does not sit in inboxes indefinitely
• Unlike Slack or Teams, it will not appear in searchable message history
• The credential exists only for the moment it is viewed
• With password protection, even intercepted links are useless without the passphrase — a feature Privnote does not offer

Best practice: Share the username via email and the password as a OneTimeSecret link via SMS or another separate channel.

If an attacker opens the link before your intended recipient:

• They see the content — this is a risk with any link-based sharing
• The intended recipient gets an error ("this secret no longer exists"), immediately alerting you to the interception

Mitigation strategies:

• Enable OneTimeSecret password protection — the interceptor also needs the passphrase
• Share the link through a different channel than usual
• Set the shortest practical expiration time
• Confirm receipt with the intended recipient

Only the first person to open the link will see the content:

1. Person A opens the link → sees the message → message is deleted
2. Person B opens the same link → sees an error ("this secret no longer exists")

This is by design. If you need to share the same data with multiple recipients, create a separate OneTimeSecret link for each person.

OneTimeSecret lets you choose an expiration time (TTL) for your secret:

• 1 hour — for time-sensitive credentials
• 24 hours — the most common default
• 7 days — for less urgent sharing
• 30 days — maximum on most instances

Unviewed secrets self-destruct when the timer expires. Recommendation: always use the shortest TTL that is practical for your situation.

No. Once viewed, the data is permanently deleted from all servers. There is no recycle bin, no backup, and no recovery mechanism. This guaranteed destruction is the foundation of OneTimeSecret's security model.

If you need to reference information later, a self-destructing link is not the right tool. Consider an encrypted password manager like Bitwarden instead.

No. OneTimeSecret works without registration, providing:

• Anonymity: No personal data linked to your secrets
• Convenience: Instant use with zero signup friction
• Privacy: No account that could be compromised later

This is a key advantage over Bitwarden Send, which requires a Bitwarden account. Password Pusher and Yopass also support anonymous use.

Both are open-source and support self-hosting. The main differences:

Choose OneTimeSecret for strict single-view destruction. Choose Password Pusher if you need multi-view support with a configurable limit.