Flashpaper: Securely Sharing Sensitive Secrets

01 Jun, 2026

This message will self-destruct in 5 seconds...

Flashpaper is a one-time secret-sharing tool I built for passing sensitive data, like passwords, API keys, WiFi codes, to family and friends without leaving a trail.

HOW IT WORKS

• Encryption happens in your browser
• Stored in ciphertext form on the server
• Retrieve with a single-use URL

Once the recipient opens the link, the secret is decrypted in their browser and deleted from the server.

I use this site to share secrets with my family and friends.

FEATURES

• Encryption with AES-256-GCM with PBKDF2 key derivation via Web Crypto API
• One-time URLs: Links work exactly once
• Copy-to-clipboard sharing
• Automatic expiration after 24h
• Hardened security headers: CSP, HSTS, X-Frame-Options deny, Referrer-Policy, Permissions-Policy

BUILT WITH

• Go
  • Sqids for opaque short IDs
• JavaScript for browser-side encryption
  • clipboardjs
  • notyf
• Concrete for CSS
• MySQL for storage
• Deployed as a single binary with Docker, HashiCorp Nomad and Consul

Launched in October 2024.