Security model

We can't read your secrets.

Sealed is built so that even if our database were stolen, the attacker would walk away with useless ciphertext. Here's exactly how that works.

1. The key is generated in your browser

When you click Create one-time link, your browser calls crypto.subtle.generateKey() to mint a fresh 256-bit AES key. This happens entirely in your tab — our server has no involvement in this step.

2. Your secret is encrypted before it leaves your tab

We use AES-256-GCM, an authenticated encryption algorithm that also detects tampering. A unique 12-byte initialization vector is generated for every secret and prepended to the ciphertext.

3. Only the ciphertext is sent to us

Our API receives the encrypted blob, your view-limit preference, and an expiry. The encryption key is never transmitted. We store the blob in our database with no way to read it.

4. The key lives in the URL fragment

The link we generate looks like:

https://usesealed.com/s/<id>#<key>

Browsers never send the fragment (the part after #) over the network. When the recipient opens the link, the fragment stays client-side. Their browser pulls the ciphertext from our API, then decrypts it locally using the key from the URL.

5. Self-destruct

Once the view limit is reached, the database record is deleted — permanently. Even an emergency database restore wouldn't recover it because (a) we wipe the row, and (b) without the key from the URL fragment, the row is useless anyway.

What we don't do

  • We don't log secret bodies or decrypted content.
  • We don't embed third-party JavaScript trackers.
  • We don't require an account to send a one-time link.
  • We don't store the URL fragment server-side.

What you should still do

  • Share links through an authenticated channel (Signal, encrypted email, a Slack DM) — not a public forum.
  • For very high-value secrets, set a separate password on the link and share it through a different channel.
  • Rotate the underlying credential after sharing if you can. The most secure secret is the one you immediately invalidate.