MicroBin

A self-contained, encrypted paste bin and file-sharing app in Rust with animal-name URLs, burn-after-read, and one-command Docker deployment.

4.4Kstars
307forks
BSD 3-Clause License
Rust

MicroBin is a self-hosted, feature-rich paste bin and file-sharing web application written in Rust. It lets you securely share text snippets, files, and URLs with built-in encryption, configurable expiry, and a postbox mode where recipients can upload without seeing what others sent. The entire application ships as a single compiled binary — no external database server, no Node runtime, no separate asset pipeline.

At its core, MicroBin offers five privacy tiers for every upload: public, unlisted, server-side encrypted (private), end-to-end client-side encrypted (secret), and read-only postbox. The encryption stack uses AES-256 via the magic-crypt crate, with the client-side path ensuring the server never holds plaintext. All uploads get human-readable identifiers derived from a set of 64 animal names, producing URLs like server.com/raw/sloth-ant-lion that are far easier to communicate verbally than random hashes.

Deployment is designed to be frictionless: a single bash <(curl -s https://microbin.eu/docker.sh) command launches a fully configured instance, and the binary can also be installed directly via Cargo. Every runtime parameter — port, admin credentials, file size limits, expiry defaults, TLS config, custom CSS — is controlled through environment variables or CLI flags, making it straightforward to parameterize via Docker Compose or Kubernetes secrets.

MicroBin targets developers, privacy-conscious individuals, and small teams who need a private alternative to Pastebin or WeTransfer without relying on third-party infrastructure. Its Rust foundation keeps memory usage in the low megabytes and eliminates entire categories of memory-safety vulnerabilities common in similar tools written in dynamic languages.

What You Get

  • Five Privacy Tiers - Choose from public, unlisted, server-encrypted private, client-side E2E secret, or read-only postbox modes for every upload, giving precise control over who can access content and how.
  • End-to-End Client Encryption - The secret privacy tier encrypts content in the browser before it ever reaches the server, meaning even a compromised server cannot read the plaintext of uploaded text or files.
  • Animal-Name Identifiers - Uploads receive URLs built from a curated vocabulary of 64 animals (e.g., sloth-ant-lion), making links pronounceable and memorable without sacrificing uniqueness.
  • File Uploads with Raw and Archive Serving - Share any file type via direct raw URLs for scripting and automation, or download multiple attachments as a ZIP archive in a single request.
  • Burn After Reads - Set an upload to self-destruct after 1, 10, 100, or 1000 views, enabling one-time-use secret sharing without relying on external services.
  • Configurable Expiry - Expiration ranges from 1 minute to 16 years or never, with per-instance defaults and maximums enforced server-side to prevent uncapped long-lived uploads.
  • QR Code Generation - Every upload generates an inline QR code for instant mobile sharing without manually copying URLs.
  • Postbox Mode - Deploy in read-only mode with an uploader password so recipients can submit files or text without seeing what others have uploaded, acting as a private drop-box.
  • Syntax Highlighting - Text uploads are automatically highlighted using the syntect library, supporting dozens of languages via Oniguruma or pure-Rust regex backends.
  • Zero C-Dependency Build - The no-c-deps Cargo feature replaces OpenSSL with rustls-rustcrypto and swaps the onig regex engine for a pure-Rust alternative, enabling cross-compilation to any Rust target without a C toolchain.

Common Use Cases

  • One-time secret sharing - A developer encrypts an API key or database password, sets burn-after-reads to 1, and shares the link; the credential disappears the moment the recipient views it.
  • Moving files between machines - A developer uploads a large build artifact or SSH key from a server console, generates a raw URL, and fetches it on a desktop machine without involving cloud storage.
  • Private client file submissions - A freelancer deploys MicroBin in postbox mode so clients can upload signed contracts or source files directly to the freelancer’s server without any client needing an account.
  • Serving test fixtures via raw URLs - A QA team uploads JSON fixtures or image assets to MicroBin and references their raw URLs in integration tests, avoiding checked-in binary test data.
  • Internal URL shortening - A team runs MicroBin behind their company domain to create short redirects for long internal wiki links or staging environment URLs shared in Slack.
  • Sending large files that exceed chat limits - A designer uploads a 500 MB video export to MicroBin and shares the raw link in Slack instead of fighting attachment size restrictions.

Under The Hood

Architecture MicroBin follows a flat, monolithic layout where HTTP endpoints, domain logic, and persistence coexist at the same directory level without enforced layering. The application bootstraps a single AppState holding a Mutex<Vec<Pasta>> that acts as the in-memory working set for all request handlers, shared via Actix’s web::Data. Configuration is resolved once at startup into a globally initialized static instance, bypassing dependency injection entirely and making individual handlers difficult to test in isolation. The database abstraction is a thin dispatcher — a single module that delegates to either a SQLite backend or a flat JSON file depending on a runtime flag — but consistency relies on lock-and-iterate patterns rather than transactions, leaving the door open for partial-write scenarios under concurrent load. Despite these structural trade-offs, the flat layout makes the codebase approachable: every endpoint lives in a predictable location and the data model is a single Pasta struct that is simple to reason about.

Tech Stack MicroBin is implemented in Rust using Actix Web 4 for async HTTP handling and Askama for compile-time verified server-side HTML templating. Persistence is dual-mode: SQLite via the bundled rusqlite crate (default) or flat JSON files for minimal-dependency deployments. Content and file encryption use AES-256 through the magic-crypt crate, while TLS is offered in two configurations — vendored OpenSSL or a fully pure-Rust path via rustls and rustcrypto — enabling cross-compilation without a C toolchain. Syntax highlighting is powered by syntect with a fast Oniguruma-backed default and a portable pure-Rust fallback. Static assets including CSS, JavaScript, and images are baked directly into the binary at compile time via rust-embed, making the final artifact entirely self-contained. GitHub Actions handles CI builds and container image publishing to Docker Hub on every release.

Code Quality Test coverage is intentionally minimal: inline unit tests exist for the bijective animal-name encoding and its inverse, covering edge cases like zero and multi-segment values, but no HTTP endpoint tests or integration tests are present. Error handling is predominantly Result-based with structured log::error! calls for recoverable failures, though some handler paths use expect() that would panic under unexpected inputs rather than returning a user-facing error. The project ships with a Clippy CI workflow using the SARIF format for GitHub code-scanning integration, providing automated lint feedback on every push and pull request. The SecretArg type with its file:// prefix support is a deliberate security pattern for injecting credentials from files without exposing them in process arguments or environment variable listings.

What Makes It Unique The animal-name identifier system is MicroBin’s most distinctive technical feature: a bijective base-64 encoding over a curated 64-animal vocabulary that maps any integer to a pronounceable multi-word slug, making upload URLs communicable over voice or chat without character confusion. The five-tier privacy model implemented as a single enum-driven field — from fully public through unlisted, server-encrypted, and client-E2E-encrypted all the way to write-only postbox — covers a wider range of trust scenarios than most comparable paste bin tools. The dual-backend compilation strategy, where the same binary can be built with zero C dependencies for use on constrained or cross-compiled targets, reflects a genuine operational concern rather than a cosmetic feature. The combination of burn-after-reads, view-count tracking, and garbage-collection based on last-access age gives administrators fine-grained control over data lifecycle without requiring a separate cron job or external scheduler.

Self-Hosting

MicroBin is released under the BSD 3-Clause License, a permissive open-source license with no copyleft implications. You can use it commercially, modify the source code, and redistribute it in binary form without any obligation to release your changes. The only requirements are preserving the copyright notice, the disclaimer, and not using the project name or contributors’ names for endorsement purposes. This makes it a safe choice for internal corporate tooling or commercial service offerings built on top of it.

Running MicroBin yourself means you own the full operational picture: provisioning the host, managing TLS termination (either via the built-in rustls or OpenSSL support, or via an external reverse proxy like Caddy or nginx), handling data backups of the SQLite database and the attachments directory, and applying updates by pulling a new Docker image or recompiling from source. The binary is deliberately low-resource — it runs comfortably on a single-core VPS with under 50 MB of RAM for typical workloads — but you are responsible for disk capacity management, especially if file upload size limits are generous. The built-in garbage collector removes uploads past their expiry or last-access threshold, but large orphaned files from interrupted uploads require occasional manual cleanup or reliance on the automatic orphan directory pruning added in recent releases.

The project offers a managed hosted tier at my.microbin.eu for users who prefer not to self-host. The hosted service handles uptime, TLS, backups, and version upgrades automatically. Self-hosters give up those conveniences in exchange for data sovereignty and the ability to customize every aspect of the deployment — custom CSS, custom footer HTML, domain-level URL shortening, and a private postbox behind a shared uploader password — none of which are configurable on the hosted tier. There is no enterprise licensing tier, no SLA, and no official support contract; community support is available via GitHub issues.

Join founders buildingwith open source

Opinionated takes, migration guides, cost-saving tips, and insights from the open source ecosystem.

Subscribe on Substack

No spam. Unsubscribe anytime.

Join 750+ subscribers
No spam. Unsubscribe anytime.

Search