OnetimeSecret
Generate self-destructing single-use links to share passwords and sensitive data without leaving traces in inboxes or chat logs.
OnetimeSecret is a mature, self-hostable platform for sharing secrets securely. It generates unique one-time URLs that permanently delete their contents after being viewed once—ensuring sensitive data like passwords, API keys, or private notes never persist in email threads, chat histories, or log files.
The platform supports two authentication modes to match your operational needs: Simple mode uses Redis only for fast, lightweight deployments, while Full mode adds SQL-backed authentication with multi-factor authentication via TOTP, hardware security keys via WebAuthn, SSO via OpenID Connect, and organization management with role-based permissions. Both modes support anonymous secret sharing for situations where account creation would be a barrier.
Deployment is designed to be straightforward with official Docker images, Docker Compose configurations for both minimal and full-stack setups, and an install.sh script that handles environment generation and secret key derivation via HKDF. For teams running at scale, optional RabbitMQ integration enables asynchronous email delivery and scheduled maintenance jobs, while Caddy-based on-demand TLS supports custom branding domains per organization.
With over a decade of active development, nearly 3,000 stars, frequent releases tracking to v0.25, and support for 27 languages, OnetimeSecret represents one of the most comprehensive open-source implementations of ephemeral secret sharing available.
What You Get
- Self-Destructing Secret Links - Creates single-use URLs that permanently destroy the stored secret upon the first retrieval, ensuring no second access is possible even by the server operator.
- Dual Authentication Modes - Simple mode uses Redis-only for frictionless self-hosting; Full mode adds PostgreSQL or SQLite with Rodauth, TOTP, WebAuthn/FIDO2, OmniAuth SSO, and organization management.
- Custom Domain Branding - Organizations can serve their secret-sharing pages on their own domains with automatic TLS provisioning via Caddy on-demand certificates, maintaining brand identity.
- Configurable TTL and Passphrase Protection - Secrets can be given expiry windows from minutes to days and optionally protected with a passphrase that recipients must enter before viewing.
- Anonymous Guest Access - Allows sharing secrets without account creation, with dedicated API endpoints for guest/anonymous workflows alongside full authenticated API access.
- RabbitMQ-Backed Background Jobs - Asynchronous email delivery, dead-letter queue retry, and scheduled maintenance via Kicks worker framework with rufus-scheduler for cron-style operations.
- 27-Language Internationalization - Full i18n support across web UI and email templates covering 27 languages, with SHA256-tracked change detection and a Git merge driver for locale files.
- Comprehensive REST API - Full v1 and v2 API with guest endpoints, token authentication, and Swagger/OpenAPI documentation for integration into CI/CD pipelines and custom tooling.
Common Use Cases
- Credential handoff in DevOps pipelines - A platform engineer embeds OnetimeSecret API calls in provisioning scripts to deliver initial database passwords or SSH keys to new instances without storing them in pipeline logs.
- Secure employee onboarding - An IT admin uses OnetimeSecret to send new employees their initial account credentials via a self-destructing link, ensuring the credentials cannot be forwarded or retrieved after first login.
- Whistleblower and journalist source protection - A reporter shares investigation details or source contact information through one-time links that leave no persistent digital trail in email or messaging systems.
- Team secret rotation - A security team distributes emergency rotation credentials during an incident response by generating time-bounded links rather than typing passwords into group chats.
- API key distribution to clients - A SaaS provider shares freshly generated API keys with customers via one-time links embedded in welcome emails, preventing keys from being exposed in email archives.
- Internal tool credential sharing - A developer shares database connection strings for staging environments with teammates via one-time links in code review tools rather than committing credentials to config files.
Under The Hood
Architecture
OnetimeSecret is organized as a multi-application Rack stack managed by a central registry that mounts discrete Otto and Roda applications at URL prefixes, each with its own middleware chain. A shared base class provides universal middleware—sessions, CSRF protection, structured logging—while route-specific middleware handles concerns like entitlement checks and request setup. Domain logic lives in the Onetime:: namespace with clear separation between controllers, helpers, CLI commands, and background job workers. A Kubernetes-inspired boot state model with phase-aware initializers governs application startup, ensuring Redis connections, authentication strategies, and background job systems are registered in the correct order before serving requests.
Tech Stack
The Ruby 3.4+ backend uses Otto and Roda as dual routers—Otto for the legacy web and API applications, Roda for the modern auth service—with Rodauth providing authentication foundations and OmniAuth connectors for GitHub, Google, Microsoft Entra ID, and generic OIDC providers. Data persistence is handled by Familia (a Redis/Valkey ORM built for ephemeral data), Sequel for SQL-backed authentication records with SQLite or PostgreSQL, and Argon2 plus bcrypt for credential hashing. The Vue 3.5 TypeScript frontend uses Pinia for state, Zod for end-to-end schema validation, CodeMirror 6 for rich editing, and Vite 6 for builds with HMR. Background processing runs via Kicks workers over RabbitMQ with automatic dead-letter queue retry.
Code Quality
The test suite spans approximately 184 RSpec files covering unit tests, integration tests in both Simple and Full authentication modes, CLI command specs, and VCR-cassette-based billing tests. Frontend coverage uses Vitest for component logic and Playwright for end-to-end browser tests. TypeScript code is fully typed with Zod contracts serving as the authoritative schema between backend API responses and frontend state. RuboCop enforces Ruby style across the codebase with CI enforcement. Error handling uses typed domain exceptions routed through an explicit error resolver middleware, and structured logging via semantic_logger provides consistent observability.
What Makes It Unique
The combination of HKDF-derived cryptographic secrets from a single root key, entitlement-based route authorization middleware that enables plan-gated features without hard-coded conditionals, and true custom-domain multi-tenancy with on-demand TLS sets this implementation apart from simpler one-time secret tools. The dual-router migration path allows incremental modernization from the legacy Otto routing system to Roda without a full rewrite. Phase-aware initializers modeled on Kubernetes readiness states solve a genuine Ruby fork-safety problem in production deployments, and the 27-language email template system—sharing ERB templates between web and email contexts via i18n—eliminates the common problem of mismatched translations across delivery channels.
Self-Hosting
OnetimeSecret is released under the MIT License, which is one of the most permissive open-source licenses available. You are free to use, modify, distribute, and sell the software—including in commercial products—with no copyleft requirements. The only obligation is to preserve the copyright notice and license text in your distribution. This means there are no restrictions on commercial self-hosting, no requirement to open-source modifications, and no royalty or fee obligations of any kind.
Running OnetimeSecret yourself is achievable on modest infrastructure but scales in complexity with features enabled. A minimal deployment—Simple authentication mode—requires only a Docker host and a Redis or Valkey instance, and can be up in minutes using the included install.sh and Docker Compose files. Full mode adds a PostgreSQL or SQLite database and optionally RabbitMQ for asynchronous email delivery and background jobs. You are responsible for all operational concerns: TLS certificate management (manual or via Caddy for custom domains), database backups, Redis persistence configuration, monitoring, and upgrades. The v0.24 release notes document a significant configuration migration that required staging environment testing before production application, which is representative of the operational attention major version upgrades demand.
The hosted service at onetimesecret.com (now eu.onetimesecret.com and us.onetimesecret.com) offers managed infrastructure with no operational burden, regional data residency options, and support for organizational billing with Stripe-integrated subscription plans that gate features like custom domains and higher usage limits. Self-hosted installations get the full feature set without entitlement enforcement—all billing and plan-gating code is present but optional—making the open-source version genuinely full-featured rather than a limited community edition. The trade-off is the absence of SLAs, managed backups, or vendor-provided support channels, all of which you must arrange independently.
Related Apps
Caddy
Devops · Security
The only web server that obtains and renews TLS certificates automatically, with HTTP/1-2-3 support and zero dependency on external runtimes.
Caddy
Apache 2.0Traefik
Devops · Automation · Security
A cloud-native reverse proxy and load balancer that auto-configures itself from Docker, Kubernetes, and other orchestrators — zero manual routing required.
Traefik
MITVaultwarden
Password Manager · Security
Unofficial Bitwarden-compatible server in Rust — run the full Bitwarden ecosystem on a Raspberry Pi using every official client you already have, without the multi-container overhead.