Open source — inspect the code on GitHub

Share passwords, API keys, and secrets with one-time encrypted links

Stop DM'ing passwords. Send a secret once — the key never touches our servers.

Built for developers, freelancers, agencies, and small teams. Free forever, no account required.

🔐 The encryption key never leaves your browser

Encrypted in your browser
Key never reaches server
No account required
Open source
No analytics on secret pages

Expired secrets become inaccessible immediately and are automatically deleted by Firestore TTL, typically within 24 hours.

Simple by design

Create a secure handoff in seconds

iKrypt is for the quick moments when you need to send one sensitive value without leaving it permanently in someone's inbox or chat history.

1

Paste your secret

Add a password, API key, .env value, or temporary credential.

2

Choose limits

Pick an expiry time and how many times the link can be viewed.

3

Share the link

Send the encrypted one-time link through email, Slack, chat, or a ticket.

4

It self-destructs

The secret becomes inaccessible after the final view or expiry.

Trust-first architecture

Encrypted before it leaves your browser

The server stores encrypted data only. The key is part of the link fragment and is not sent to iKrypt servers in normal requests.

Encrypted before upload

Your secret is encrypted in the browser before it leaves your device.

Only ciphertext is stored

iKrypt stores encrypted data, expiry settings, and view limits — not plaintext.

Key stays in the link fragment

The decryption key lives after the # in the URL, which is not sent to the server in normal HTTP requests.

One-time viewing is server-enforced

View limits are enforced with Firestore transactions, so concurrent requests cannot over-deliver a one-view secret.

Expired secrets are blocked immediately

Once a secret expires, the API blocks access. Firestore TTL removes expired encrypted data automatically, typically within 24 hours.

Secret pages stay clean

The pages where secrets are created or viewed do not load third-party analytics scripts.

What iKrypt protects against

  • Secrets sitting forever in Slack, email, or DM history
  • Plaintext credentials being accidentally forwarded
  • A secret being accessed more times than intended
  • Plaintext secrets being stored on iKrypt servers

What it does not protect against

  • A compromised sender or recipient device
  • Malicious browser extensions reading page content
  • Someone forwarding the full link including the key after #
  • Screenshots or copy/paste after the secret is revealed

Common use cases

Useful for quick, sensitive handoffs

API keys

Passwords

Login credentials

SSH keys

.env values

Client access

Contractor handoffs

Temporary notes

Frequently asked questions

Plain answers about what iKrypt does, what it stores, and where the trust boundary is.

Can iKrypt read my secrets?

No. iKrypt only stores encrypted ciphertext. The decryption key stays in the URL fragment and is not sent to our servers.

What can I share with iKrypt?

iKrypt is useful for passwords, API keys, .env values, login credentials, SSH keys, and other short-lived secrets.

What happens after the link expires?

The secret becomes inaccessible immediately after expiry. The encrypted data is then automatically removed by Firestore TTL, typically within 24 hours.

Is it free?

Yes. Basic one-time secret sharing is free and does not require an account.