You need to send someone a password. Maybe it's a database credential for a new hire, an API key for a contractor, or a WiFi password for a client.

You know you shouldn't paste it into Slack. But what should you use instead?

Here are nine tools built for this exact problem — ranked by how well they protect the secret from everyone except the intended recipient.

What to look for in a secret sharing tool

Before the list, here's what actually matters:

Client-side encryption — Does encryption happen in your browser, or on the server? If the server sees your plaintext, a breach exposes everything.
Self-destruction — Can the secret auto-delete after being viewed? One-time links are the gold standard.
No account required — Does the recipient need to sign up? Every extra step reduces the chance they'll use it.
View limits — Can you control how many times a secret is viewed before deletion?
Expiration — Can you set a time-based TTL so secrets don't linger?

1. Vaulted

Encryption: Client-side AES-256-GCM (zero-knowledge) Pricing: Free Account required: No

Vaulted encrypts secrets in your browser using the Web Crypto API. The encryption key lives only in the URL fragment — the part after # — which never gets sent to the server. The server stores ciphertext it cannot decrypt.

View limits are configurable from 1 to 10, or unlimited. Expiration ranges from 1 hour to 30 days. Optional passphrase protection wraps the encryption key with PBKDF2 for a second factor.

Also available as a CLI (npx vaulted-cli "secret") and a GitHub Action for CI/CD workflows.

Best for: Quick, zero-friction sharing when you want real encryption without creating accounts. Developers who want CLI and API access.

Limitation: Text only (up to 1,000 characters). No file sharing yet.

2. Bitwarden Send

Encryption: Client-side AES-256-GCM (zero-knowledge) Pricing: Free (text only), $1.65/month for files (bundled with Bitwarden Premium) Account required: Yes (sender needs a Bitwarden account)

Bitwarden Send is built into the Bitwarden password manager. Secrets are encrypted client-side with zero-knowledge architecture. Supports both text and file sharing (files on paid plans). You can set expiration dates, view limits, and optional passwords.

Best for: Teams already using Bitwarden as their password manager.

Limitation: The sender must have a Bitwarden account. The recipient doesn't need one, but the sender-side requirement adds friction if you're not already in the ecosystem. View limits are less flexible than dedicated sharing tools.

3. scrt.link

Encryption: Client-side AES-256-GCM Pricing: Free (basic), ~$1/month (paid tiers) Account required: No

scrt.link encrypts secrets client-side, similar to Vaulted. It offers API access and a Slack integration on paid tiers. Clean interface with a focus on simplicity.

Best for: Teams that want a simple web-based tool with Slack integration.

Limitation: Single-view only — no configurable view limits. Limited expiration options. Opaque enterprise pricing.

4. Yopass

Encryption: Client-side PGP (OpenPGP.js) Pricing: Free (open source, self-hosted only) Account required: No

Yopass encrypts secrets client-side using PGP encryption. It's fully open source and designed for self-hosting. If you want to run your own secret sharing infrastructure, Yopass is a strong option.

Best for: Teams with the infrastructure to self-host and a preference for running their own services.

Limitation: No hosted version — you must run it yourself. Single-view only, 7-day maximum expiration, no passphrase support. Requires operational overhead to maintain.

5. Password Pusher

Encryption: AES-256-GCM (server-side) Pricing: Free (open source), $19-29/month (hosted pro tiers) Account required: No

Password Pusher has been around for years and is a solid, mature tool. It offers a REST API for automation, configurable view and day limits, and self-hosting options. Open source with an active community.

Best for: Teams that want an established, API-driven tool and are comfortable with server-side encryption.

Limitation: Encryption happens server-side — the server sees your plaintext during processing. The free open-source version and paid hosted version have feature gaps that create community tension.

6. OneTimeSecret

Encryption: Server-side Pricing: Free (basic), $35/month (premium) Account required: No

One of the original secret sharing tools. Simple interface, straightforward concept: paste a secret, get a link, link works once. Has been around since 2012 and has name recognition in the space. Open source and self-hostable.

Best for: People who want the simplest possible experience and don't need client-side encryption.

Limitation: Server-side encryption — the server has access to your plaintext. Single-view only (no configurable limits). 14-day maximum expiration. Steep price jump from free to $35/month.

7. Privnote

Encryption: Server-side (opaque implementation) Pricing: Free (ad-supported) Account required: No

Privnote is the tool most people have heard of. It's been around for years, has a simple interface, and creates self-destructing notes. Offers optional read notifications.

Best for: Non-technical users sharing non-critical information who want the simplest possible tool.

Limitation: Server-side encryption with an opaque implementation — they don't disclose their encryption model. Ad-supported, which means third-party scripts run on a "privacy" tool. Single-view only with no expiration control. Multiple phishing clones exist using similar domain names.

8. 1Password (Psst! links)

Encryption: Client-side AES-256-GCM Pricing: From $2.99/month (requires 1Password subscription) Account required: Yes

1Password's "Psst!" feature lets you create shareable links to individual items in your vault. The recipient doesn't need a 1Password account. Strong encryption, backed by a well-audited security model.

Best for: Teams already paying for 1Password who occasionally need to share a credential externally.

Limitation: Requires a 1Password subscription. No view limits — links expire by time only. Not purpose-built for one-time sharing, so the workflow is heavier than dedicated tools. You're sharing a vault item, not a disposable secret.

9. Signal (Disappearing Messages)

Encryption: Signal Protocol (end-to-end) Pricing: Free Account required: Yes (phone number required)

Signal isn't a secret sharing tool, but many people use it as one. Disappearing messages (30 seconds to 4 weeks) provide time-based expiry, and Signal's end-to-end encryption is industry-leading.

Best for: Sharing a credential with someone you already message on Signal.

Limitation: Not purpose-built for secrets. No view limits — messages persist on both devices until the timer expires. Both parties need Signal installed. The recipient can screenshot or copy the message before it disappears. No CLI, no API, no automation.

Quick comparison

| Tool | Encryption | Account needed | View limits | Free tier | CLI/API | |------|-----------|---------------|-------------|-----------|---------| | Vaulted | Client-side | No | 1-10 or unlimited | Full product | CLI + API + GitHub Action | | Bitwarden Send | Client-side | Sender only | Limited | Text only | Via Bitwarden CLI | | scrt.link | Client-side | No | Single view | Yes | API (paid) | | Yopass | Client-side | No | Single view | Self-host only | No | | Password Pusher | Server-side | No | Configurable | Yes | REST API | | OneTimeSecret | Server-side | No | Single view | Yes | Community CLIs | | Privnote | Server-side | No | Single view | Yes (ads) | No | | 1Password | Client-side | Yes | No | No | Via 1Password CLI | | Signal | E2E | Yes | No | Yes | No |

The bottom line

If you care about the server never seeing your secrets, use a tool with client-side encryption — Vaulted, Bitwarden Send, scrt.link, or Yopass.

If you need zero friction for both sender and recipient, use a tool that requires no accounts — Vaulted, scrt.link, Password Pusher, or OneTimeSecret.

If you want programmatic access for automation, your options narrow to Vaulted (CLI + API + GitHub Action), Password Pusher (REST API), or Bitwarden Send (via Bitwarden CLI).

Pick the tool that matches your threat model and workflow. The worst option is the one most people still use: pasting the password directly into Slack.

Need to share a secret right now? Create an encrypted link — it takes three seconds.