One-Time Message

Secure pastebin for secrets. Share passwords, API keys, or sensitive notes that self-destruct after one view.

Your Secret Message

Never stored in plaintext0 / 8000

AES-256-GCMRead onceAuto-expire (7 days)

How One-Time Messages Work

Server-blind encryption with single-read enforcement

Message Lifecycle

Browsergenerates key + encrypts message

plaintext → ciphertext

Upload(ciphertext only)

→ Server

Serverstores ciphertext + returns ID

ID: abc123

Share link:/otm/abc123#key=...

Recipientrequests encrypted message

from Server

Serverdeletes message immediately

🔥 destroyed

Browserdecrypts using #key

✓ plaintext restored

End-to-End Encryption (AES-256-GCM)

Your message is encrypted in your browser using AES-256-GCM before it ever leaves your device. The server only receives encrypted ciphertext that is mathematically impossible to decrypt without the key.

You──(encrypted)──▶Server──(encrypted)──▶Recipient

Per-Message Random Keys (256 bits)

Every message gets its own unique, random 256-bit encryption key generated in your browser. Keys are never reused across messages, ensuring perfect forward secrecy.

URL Fragment (#key=...) Never Sent to Server

The decryption key lives in the URL fragment after the #. Browsers never send anything after # to servers—this is a fundamental web standard since 1995.

Server sees: /otm/abc123

Server does NOT see: #key=...

Blind Storage: Server Sees Only Ciphertext

Our server stores only encrypted blobs—random bytes that are meaningless without the key. Even as the operator, we cannot read your messages. We have zero knowledge of message content.

Single-Read Enforcement & Auto-Destruct

The moment someone opens your link, the encrypted blob is permanently deleted from the server. The message cannot be read again—ever. Messages also auto-expire after 7 days if never opened.

One-Time Messages FAQ

Self-destructing encrypted messages — common questions about security and usage

One-time messages are perfect for sharing sensitive information that should only be read once: sharing passwords or access codes temporarily, sending API keys or authentication tokens securely, distributing private invitation links or URLs, sharing temporary Wi-Fi passwords with guests, sending confidential data like social security numbers or account numbers, sharing cryptocurrency wallet recovery phrases or private keys, distributing one-time verification codes, sending banking details or credit card information temporarily. Any scenario where you need to share a secret that must self-destruct after being viewed once is ideal for encrypted one-time messages.

One-Time Message

How One-Time Messages Work

Message Lifecycle

End-to-End Encryption (AES-256-GCM)

Per-Message Random Keys (256 bits)

URL Fragment (#key=...) Never Sent to Server

Blind Storage: Server Sees Only Ciphertext

Single-Read Enforcement & Auto-Destruct

One-Time Messages FAQ

What are common use cases for one-time messages?

What is a one-time message?

When should I use a one-time message instead of a group room?

Can I send passwords or sensitive data with one-time messages?

How long is a one-time message valid?

What happens if someone clicks my link twice?

Can zkChat or the server read my one-time messages?

What if I lose the link or the #key part?