ashbox

Send a secret. Encrypted in your browser, destroyed on first read.

Expires after

Or sooner — destroyed the moment it's read.

How this works
  1. Your browser generates a random 128-bit AES-GCM key.
  2. It encrypts the secret locally and uploads the ciphertext.
  3. The key is placed in the URL fragment (after #) — fragments are never sent in HTTP requests, so the server never sees it.
  4. On first read, the server atomically deletes the row and returns the ciphertext exactly once.

Protects against

  • Server compromise or DB leaks
  • Network interception
  • Link scrapers without the fragment

Doesn't protect against

  • A compromised sender or recipient device
  • Malicious extensions or screen capture
  • Sharing the link with the wrong person