What is a URL Fragment?
A URL fragment is the part of a URL that appears after the hash symbol (#). Per RFC 3986, browsers process fragments client-side only and never include them in HTTP requests sent to the server.
URLs have a defined structure: scheme, authority, path, query string, and fragment. The fragment (everything after the #) was originally designed for navigating to a specific section within a page. However, its most important property from a security perspective is that browsers are explicitly required by the HTTP specification to never send the fragment to the server.
When you visit a URL like example.com/page#section, the browser sends a request for example.com/page — the #section part is stripped before the request is made. The fragment remains in the browser's address bar and is accessible to JavaScript running on the page, but the server has no knowledge of it. This behavior is mandated by the HTTP specification and is consistent across all modern browsers.
This property makes URL fragments uniquely useful for passing sensitive data in web applications. If encryption keys or other secrets are placed in the fragment, they are available to the client-side JavaScript that needs them for decryption but are never transmitted to the server, logged by proxies, or recorded in server access logs.
How Vaulted uses the URL Fragment
Vaulted places the AES-256-GCM encryption key directly in the URL fragment. When you create a secret, the generated link has the format /s/{id}#{base64url(key)}. Because browsers never send the fragment in HTTP requests, the encryption key never reaches Vaulted's server. The recipient's browser extracts the key from the fragment, fetches the encrypted data from the server, and performs decryption locally. This single architectural choice is what makes Vaulted truly zero-knowledge.
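The split described above, shown as an added example (not Vaulted's own code): it separates a link of the form /s/{id}#{base64url(key)} into the request target the browser sends and the key material that stays client-side. The function names, the host vaulted.example, and the sample key are constructed for illustration.

```javascript
// Added example. The link format /s/{id}#{base64url(key)} is from the page;
// function names, host and sample link are constructed assumptions.

// Decode unpadded base64url text into bytes.
function base64urlToBytes(text) {
  if (!/^[A-Za-z0-9_-]+$/.test(text)) throw new Error("fragment is not base64url");
  const b64 = text.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

// Split a secret link into what the browser sends and what it keeps.
function splitSecretLink(link) {
  const url = new URL(link);
  const match = /^\/s\/([^/]+)$/.exec(url.pathname);
  if (!match) throw new Error("not a /s/{id} link");
  const key = base64urlToBytes(url.hash.slice(1)); // drop the leading '#'
  if (key.length !== 32) throw new Error("AES-256 key must be 32 bytes");
  return {
    id: match[1],
    requestTarget: url.pathname + url.search, // everything the server sees
    key, // stays in the browser; never part of the HTTP request
  };
}

// Import the raw bytes as a non-extractable, decrypt-only AES-GCM key
// (Web Crypto API; returns a Promise<CryptoKey>).
function importFragmentKey(key) {
  return globalThis.crypto.subtle.importKey("raw", key, "AES-GCM", false, ["decrypt"]);
}

// Constructed sample: bytes 0x00..0x1f encoded as unpadded base64url.
const SAMPLE_LINK =
  "https://vaulted.example/s/abc123#AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8";
```

A fragment that does not decode to exactly 32 bytes is rejected before any decryption attempt, so a truncated or mistyped link fails early instead of producing an opaque AES-GCM error.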