Why is this safer than email or Slack?

Email and Slack store your secret in plaintext on their servers, in message logs, in archives, and on every device that ever opened the conversation. Vaulted stores only encrypted ciphertext, deletes it after the view limit is hit, and the decryption key never reaches our server — so a server breach exposes nothing readable.

What happens if Vaulted gets hacked?

An attacker would only see encrypted blobs. The AES-256-GCM key never touches our servers — it lives in the URL fragment (the part after the # in the link), which browsers explicitly never send in HTTP requests. Without the key from the link, the ciphertext is useless.

Why is the key stored in the URL fragment?

The fragment (everything after #) is a client-only part of the URL defined in RFC 3986. Browsers never include it in HTTP requests, so the encryption key only lives on the sender’s machine and the recipient’s machine — never on a server, never in our access logs, never in CDN caches.

Is Vaulted open source? Can I verify the encryption myself?

Yes. The encryption code runs entirely in your browser and you can inspect it via DevTools, or follow our 5-minute verification guide to confirm no plaintext is sent over the wire. The CLI, GitHub Action, and MCP server are all open source on github.com/vaulted-fyi.

What if the recipient never opens the link?

The secret auto-expires after the time you set (up to 30 days), at which point it is deleted from Redis. View counts are also enforced atomically — once the limit is hit, the ciphertext is removed regardless of expiry.

How it works

End-to-end encryption in four steps, then a live demo of what our server actually sees. Toggle the diagram below for technical details.

Sender

Types a secret

Browser encrypts

AES-256-GCM

Server stores

Encrypted blob only

Recipient decrypts

Key from URL fragment

Encryption happens in your browser — the server never sees plaintext.

The key lives in the URL fragment (#). Fragments are never sent to the server.

Set a view limit and expiration. Once reached, the secret is permanently deleted.

See zero-knowledge encryption live

Type any text, encrypt it in your browser, then toggle the view to see what our server actually receives. Plaintext and keys never leave this page.

Plaintext (encrypted locally with AES-256-GCM)

What your browser sees

Plaintext

Encryption key (base64url)

Ciphertext (base64url)

Encryption runs in your browser via the Web Crypto API. Flip the toggle to see the redacted version our server actually receives.

Want the full step-by-step walkthrough?

Open the full encryption playground →

Want to learn more?

Read our visual guide to end-to-end encryption — with an interactive demo, comparison of encryption types, and FAQ.

Frequently asked questions

Create a secret →