Skip to content

How it works

When you share a password by email or Slack, it remains readable by every intermediary. Secret Drop ensures a secure exchange of your confidential data: everything is encrypted in your browser before it leaves your screen. The server only receives noise.

How your secret is protected

  1. You write your secret

    You enter your message or select a file in your browser.

  2. Encryption in your browser

    Your browser generates a random key and encrypts the content locally with AES-256-GCM via the Web Crypto API. The server only receives encrypted data.

  3. Server stores ciphertext

    The server only stores encrypted data. It cannot decrypt it because it never has access to the key.

  4. Key stays in the URL

    The decryption key is placed in the URL fragment (after #). This part is never sent to the server by the browser.

  5. Recipient decrypts

    When the recipient opens the link, their browser fetches the encrypted data and uses the key from the URL to decrypt locally.

  6. The secret is destroyed

    Once the read limit is reached or the expiration passes, the encrypted content is permanently deleted from the server. Only a trace of its existence remains — there is nothing left to decrypt.

Secure by design

Security is not a feature we added — it is the foundation of every architectural decision.

Zero-knowledge

The server never receives the encryption key — following OWASP cryptographic storage principles. Even if the database is compromised, an attacker only gets useless noise. This is not a promise — it is a mathematical impossibility.

Passwordless authentication

A single-use magic link replaces the password. Nothing to steal, leak or brute-force. A compromised database reveals no credentials, because there are none.

The key never leaves your device

The decryption key lives in the URL fragment (after the #). By HTTP protocol design, this part is never sent to the server — not in requests, not in logs, not anywhere.

Permanent destruction

A secret that has been read no longer exists. The encrypted content is deleted from the server — only a trace of its existence remains. Expiration and read limits reduce the window of exposure to the strict minimum.

Hosted in France

Infrastructure hosted in France, under European Union jurisdiction. Your data is subject to GDPR and never leaves the EU. No transfer to third countries, no exception.

No tracking

No third-party cookies, no tracking pixels, no external services. No data is shared with third parties. Your activity on this site is not profiled, sold or monetized.

Create a secure secret
Discover use cases →