Security

How it works

clientkeys encrypts your secret in your browser before it ever leaves your device. The encryption key is placed in the URL fragment (the part after #), which browsers never send to servers. This means the server — and we, the operators — cannot read your secret.

What we protect

• Encryption in transit: All communication uses HTTPS (TLS). The secret is encrypted with AES-256-GCM before it leaves your browser.
• One-time access: Each secret is atomically deleted from our database the moment it is retrieved. It cannot be read twice.
• Zero server knowledge: We never see the plaintext or the encryption key. We see only encrypted ciphertext and metadata (creation time, view time).
• No tracking: This service contains no analytics, no tracking scripts, and no third-party code on pages that handle secrets.

What we do not protect

• Compromised endpoints: If your device or the recipient's device has malware (keyloggers, malicious browser extensions), the secret can be intercepted before encryption or after decryption.
• URL interception: After the recipient opens the link, the plaintext is displayed in their browser. They can screenshot, copy, or forward it. The URL itself (if intercepted in transit or from the recipient's browser history) can be used to retrieve the secret — once.
• Metadata: We can see that a secret was created, when, and when it was viewed. We do not log IP addresses, but our infrastructure provider may retain access logs briefly.
• Ongoing communication: clientkeys is a tool for one-shot credential handoffs. It is not a replacement for end-to-end encrypted messaging for ongoing conversations.

Technical details

• Encryption: AES-256-GCM via the browser Web Crypto API
• Key transport: URL fragment (never transmitted to server)
• Storage: Upstash Redis with automatic TTL expiration
• Hosting: Vercel with strict Content Security Policy
• No third-party scripts on secret-handling pages

Report a vulnerability

Email security@clientkeys.example.com. PGP key available on request.