What is OneTimeSecret? Open-Source Secret Sharing Explained
OneTimeSecret is an open-source, zero-knowledge secret sharing tool. Learn its features, encryption model, and how it compares to Privnote, Password Pusher, and Bitwarden Send.
Understanding OneTimeSecret
OneTimeSecret is an open-source secret sharing tool that creates encrypted, self-destructing links for passwords, API keys, and confidential messages. Each link can only be viewed once — after the recipient reads the content, it is permanently and irrevocably deleted from all servers.
Unlike email, Slack, or SMS, where messages persist indefinitely in inboxes and server logs, OneTimeSecret provides ephemeral, zero-knowledge sharing. The decryption key lives exclusively in the URL fragment and never reaches the server, so not even the OneTimeSecret operator can read your data. The project is fully open-source, allowing anyone to audit the code or self-host an instance.
The Core Principle
OneTimeSecret operates on a simple but powerful principle: information that no longer exists cannot be stolen, leaked, or compromised. By destroying data after a single view and keeping zero knowledge of plaintext, OneTimeSecret eliminates the risk of future breaches exposing your sensitive communications.
OneTimeSecret Key Features
OneTimeSecret stands out among secret sharing tools because it combines six essential security properties in a single, free platform:
- Self-destructing messages — encrypted content is permanently deleted after the first view, leaving no server-side trace
- Zero-knowledge architecture — the decryption key stays in the URL fragment; the server never sees plaintext
- One-time viewing — each link works exactly once, then becomes permanently invalid
- Password protection — an optional passphrase adds a second encryption layer, unlike Privnote which lacks this feature
- Expiration controls — set TTL from 1 hour to 30 days; unread secrets auto-destruct when the timer expires
- Open-source — fully auditable code with self-hosting support, unlike closed-source alternatives such as Privnote or scrt.link
The idea of ephemeral messaging goes back to Privnote (2008), but OneTimeSecret (2011) advanced the concept with password protection, configurable expiration, and full open-source transparency. Today, other tools like Password Pusher, Bitwarden Send, Yopass, PrivateBin, Vaulted, and Hemmelig occupy the same space, each with different trade-offs.
How OneTimeSecret Works at a Glance
Single-View Encrypted Links
Each OneTimeSecret link can only be opened once. After the first view, the encrypted data is permanently deleted. There is no way to retrieve it — not even for the sender or the service operator.
Zero-Knowledge Encryption
OneTimeSecret encrypts data in your browser using AES-256 before transmission. The decryption key is embedded in the URL fragment (after #), which never reaches the server — ensuring true zero-knowledge privacy.
Configurable Expiration
Set a TTL from 1 hour to 30 days. Even if the recipient never opens the link, OneTimeSecret automatically deletes the encrypted data when the timer expires.
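The three properties above (single view, fragment-held key, TTL) can be seen working together in the following added example, which is not OneTimeSecret's own code. It simulates sender, server, and recipient in Node.js; the host `secrets.example`, the function names, the in-memory `store`, and the choice of AES-256-GCM with an `iv | tag | ciphertext` blob layout are all assumptions made for illustration.

```javascript
// Added illustration: fragment-key secret sharing, simulated in one Node.js process.
// All names here are hypothetical; the page only states "AES-256", GCM is an assumption.
const nodeCrypto = require('node:crypto');

const store = new Map(); // stands in for the server database: id -> { blob, expiresAt }

// Sender: encrypt locally, upload only ciphertext, put the key in the URL fragment.
function createLink(plaintext, ttlSeconds, now = Date.now()) {
  const key = nodeCrypto.randomBytes(32); // AES-256 key, never stored server-side
  const iv = nodeCrypto.randomBytes(12);  // 96-bit GCM nonce
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const blob = Buffer.concat([iv, cipher.getAuthTag(), ct]);
  const id = nodeCrypto.randomBytes(16).toString('hex');
  store.set(id, { blob, expiresAt: now + ttlSeconds * 1000 });
  return `https://secrets.example/s/${id}#${key.toString('base64url')}`;
}

// Server: receives a URL without the fragment and deletes the entry on first read.
function serverFetch(requestUrl, now = Date.now()) {
  const id = new URL(requestUrl).pathname.split('/').pop();
  const entry = store.get(id);
  store.delete(id); // burn before returning, so a second request finds nothing
  if (!entry || now >= entry.expiresAt) return null; // unknown, already read, or expired
  return entry.blob;
}

// Recipient: strip the fragment (as a browser does), fetch ciphertext, decrypt locally.
function openLink(link, now = Date.now()) {
  const url = new URL(link);
  const key = Buffer.from(url.hash.slice(1), 'base64url');
  url.hash = ''; // the key stays on the client
  const blob = serverFetch(url.href, now);
  if (!blob) return null;
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(12, 28));
  // final() throws if the key is wrong or the ciphertext was modified
  return Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]).toString('utf8');
}
```

Note that `serverFetch` burns the entry for any requester, so a fetch with a wrong or missing key still consumes the single view.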
No Registration Required
OneTimeSecret works without accounts or personal information, providing complete anonymity for both sender and recipient. Unlike Bitwarden Send, no sign-up is needed.
OneTimeSecret vs Privnote vs Password Pusher
Understanding how OneTimeSecret differs from popular competitors helps you pick the right secret sharing tool:
Privnote
- Closed-source — no code audit possible
- No password protection for notes
- Limited expiration options
- Cannot be self-hosted
- Established in 2008, well-known brand
OneTimeSecret
- Fully open-source and auditable
- Optional password protection
- Configurable expiration (1 h – 30 d)
- Self-hosting supported
- Zero-knowledge, AES-256 encryption
Password Pusher and Bitwarden Send are also strong alternatives. Password Pusher is open-source and focused on credential sharing with view-count limits. Bitwarden Send integrates into the Bitwarden ecosystem but requires an account. Other tools like scrt.link, Yopass, PrivateBin, Vaulted, and Hemmelig each serve slightly different niches.
What You Can Share with OneTimeSecret
OneTimeSecret is designed for sensitive information that should not persist in email threads, chat logs, or server databases. It suits any information that:
- Should not persist in email or chat history
- Contains sensitive credentials like passwords or API keys
- Includes financial information such as credit card numbers
- Contains private or personal information
- Involves confidential business data
- Requires confirmation that it was received and read
Learn more about specific applications in our detailed use cases guide.
Security Considerations
OneTimeSecret provides strong protection, but understanding its boundaries helps you use it appropriately:
What OneTimeSecret Protects Against
- Future data breaches exposing old messages — data is deleted after viewing
- Unauthorized forwarding — links work exactly once
- Messages lingering in email servers or chat logs
- Server-side attacks — zero-knowledge means the server never holds plaintext
Limitations of Any Secret Sharing Tool
- Recipients can take screenshots of displayed content
- Compromised recipient devices may expose data
- Man-in-the-middle attacks if the link is shared over an insecure channel, since the link itself carries the decryption key
- Social engineering attacks targeting the recipient
For maximum security, share OneTimeSecret links through a different channel than your usual communication and enable password protection for highly sensitive data. These measures apply equally to alternatives like Password Pusher, Yopass, or Bitwarden Send.