Security model
We can't read your secrets.
Sealed is built so that even if our database were stolen, the attacker would walk away with useless ciphertext. Here's exactly how that works.
1. The key is generated in your browser
When you click Create one-time link, your browser calls crypto.subtle.generateKey() to mint a fresh 256-bit AES key. This happens entirely in your tab — our server has no involvement in this step.
2. Your secret is encrypted before it leaves your tab
We use AES-256-GCM, an authenticated encryption algorithm that also detects tampering. A unique 12-byte initialization vector is generated for every secret and prepended to the ciphertext.
3. Only the ciphertext is sent to us
Our API receives the encrypted blob, your view-limit preference, and an expiry. The encryption key is never transmitted. We store the blob in our database with no way to read it.
4. The key lives in the URL fragment
The link we generate looks like:
https://usesealed.com/s/<id>#<key>
Browsers never send the fragment (the part after #) over the network. When the recipient opens the link, the fragment stays client-side. Their browser pulls the ciphertext from our API, then decrypts it locally using the key from the URL.
5. Self-destruct
Once the view limit is reached, the database record is deleted — permanently. Even an emergency database restore wouldn't recover it because (a) we wipe the row, and (b) without the key from the URL fragment, the row is useless anyway.
What we don't do
- We don't log secret bodies or decrypted content.
- We don't embed third-party JavaScript trackers.
- We don't require an account to send a one-time link.
- We don't store the URL fragment server-side.
What you should still do
- Share links through an authenticated channel (Signal, encrypted email, a Slack DM) — not a public forum.
- For very high-value secrets, set a separate password on the link and share it through a different channel.
- Rotate the underlying credential after sharing if you can. The most secure secret is the one you immediately invalidate.