๐ Zero-knowledge ยท AES-256-GCM ยท Burn after read
Documentation
SecretTunnel lets you share .env files and secrets as one-time, end-to-end encrypted links. The server never sees your plaintext โ ever.
// 01Quickstart
Step 01
Install (zero setup)
Use npx โ no global install needed. Works with npm, bun, or yarn.
bash
npx secrettnl push .env --ttl 24hStep 02
Share the link
You get a one-time URL with the decryption key in the hash fragment. The server is provably blind.
bash
https://secrettunnel.vercel.app/s/abc123#key=aB3dK9...Step 03
Recipient pulls the secret
The recipient runs pull โ the secret is fetched, decrypted locally, and permanently destroyed.
bash
npx secrettnl pull "https://secrettunnel.vercel.app/s/abc123#key=..." --output .env// 02Security model
๐
Client-side encryption
AES-256-GCM via the Web Crypto API. Your plaintext is encrypted before any network request is made.
๐
Key in URL fragment
The decryption key lives only in the URL hash (#key=โฆ). Fragments are never sent to the server.
๐ฅ
Burn after read
The Redis entry is deleted the moment the secret is retrieved. Running pull a second time will fail.