Send a secret.
Watch it vanish.
Share passwords, API keys, and sensitive notes through one-time links that are end-to-end encrypted in your browser. Once viewed, it's gone — we literally can't recover it.
Trusted by security-conscious teams
Three ways to move sensitive data
Whatever the shape of the secret, Sealed handles it without ever seeing the contents.
Send
Drop a password, key, or note. Get a one-time link. It self-destructs on view.
Receive
Send someone a Secret Request link so THEY can hand you a credential safely — no email, no Slack DM.
Chat
Ephemeral encrypted chat for back-and-forth when one message isn't enough. Disappears after read.
We can't read your secrets,
and that's the whole point.
Your secret is encrypted in your browser with a key we never see. We store the ciphertext; your browser keeps the key in the URL after the # symbol. Browsers don't send that part over the network — so only the person you share the full link with can ever decrypt it.
- ✓AES-256-GCM. Industry-standard authenticated encryption.
- ✓Zero-knowledge. Server only ever sees ciphertext. Keys never leave the browser.
- ✓Self-destructing. Records are deleted when the view limit hits zero.
- ✓Optional password gate. A second factor before the cipher is even returned.
// 1. Mint key locally — server never sees this
const key = await crypto.subtle.generateKey(
{ name: "AES-GCM", length: 256 },
true,
["encrypt"]
);
// 2. Encrypt before sending
const ciphertext = await encrypt(secret, key);
// 3. Send ONLY ciphertext
POST /api/secrets { ciphertext, ... }
// 4. Link you share with someone
https://usesealed.com/s/<id>#<key>
↑
key lives in the URL fragment
— never sent to our serverYour secret. Their eyes only.
Then nothing at all.
No credit card. No trackers. No reason not to seal your first one right now.