Frequently Asked Questions

When you create a secret — whether it's text, an image, a PDF, an archive, or a combination — your browser generates a random AES-256-GCM encryption key using the Web Crypto API. Everything is encrypted entirely in your browser — the plaintext never leaves your device. The encrypted data is sent to our server and stored temporarily in Redis. The encryption key is placed in the URL fragment (after the # symbol), which browsers never send to servers. When the recipient opens the link, the encrypted data is retrieved and permanently deleted in a single atomic operation. Their browser then decrypts the secret using the key from the URL.

Yes. Only Once Share uses a zero-knowledge architecture, meaning our server only stores encrypted data it cannot read. The encryption key exists only in the URL fragment, which is never transmitted to any server — this is a fundamental property of how web browsers handle URL fragments (defined in RFC 3986). Even if our server were compromised, your secrets would remain encrypted and unreadable.

We use AES-256-GCM (Advanced Encryption Standard with 256-bit keys in Galois/Counter Mode), which is the same encryption standard used by governments, financial institutions, and military applications worldwide. Keys are derived using HKDF-SHA-256, and each secret gets a unique derived key. The secret ID is bound as Additional Authenticated Data (AAD) to prevent ciphertext substitution attacks.

No. Unlike some secret sharing tools that perform encryption on the server (where the server briefly handles your plaintext), Only Once Share encrypts everything in your browser before any data is transmitted. Our server only receives and stores encrypted ciphertext. The decryption key is never sent to the server — it stays in the URL fragment, which browsers do not include in HTTP requests.

The secret is permanently destroyed. When a recipient opens the link, the encrypted data is retrieved and atomically deleted from our Redis database using a GETDEL operation. There is no window where a second read is possible. The link will show "Secret Not Available" for any subsequent access attempt.

You can choose an expiration time between 1 and 72 hours (1h, 4h, 12h, 24h, 48h, or 72h). Secrets automatically expire after the chosen time even if they are never viewed. Once expired or viewed, the data is permanently deleted from our servers. No data persists beyond the expiration window.

Yes, completely free with no limits. Unlike some competitors that restrict free users to a handful of secrets per month or impose size caps, Only Once Share has no artificial limitations. You can share text secrets up to 50,000 characters and attach images, PDFs, or archives up to 10 MB (JPEG, PNG, GIF, WebP, PDF, ZIP, RAR, 7Z, TAR.GZ), with no account required. The tool is also open source under the MIT license.

No. Only Once Share requires no registration, no email, no account. Just enter your text, optionally attach an image, PDF, or archive, choose an expiration time, and share the generated link. This zero-friction approach means there's no personal data to protect and no credentials that could be compromised.

Yes. Only Once Share is fully open source and designed for easy self-hosting with Docker. Clone the repository from GitHub, configure your environment variables, and run docker compose up. The entire stack (React frontend, Flask API, Redis storage) runs in containers. Self-hosting gives you complete control over your data and is ideal for organizations with data residency requirements.

Yes. The complete source code is available on GitHub under the MIT license. This means you can inspect every line of code, including the encryption implementation, to verify our security claims. You can also fork the project, modify it, and deploy your own version.

The key difference is encryption architecture. OneTimeSecret and some other tools encrypt secrets on the server, meaning the server handles your plaintext data before encrypting it. Only Once Share encrypts everything in your browser using the Web Crypto API — our server never sees your plaintext. Additionally, Only Once Share is completely free with no limits, supports 6 languages, and uses HKDF key derivation with AAD binding for stronger cryptographic guarantees.

Only Once Share is available in 6 languages: English, Chinese, Spanish, Hindi, Arabic, and Portuguese. The language is automatically detected from your browser settings and can be changed using the language selector.