OnetimeSecret is an open-source, self-hostable service for sharing sensitive information such as passwords without leaving copies in email or chat logs. It generates one-time URLs whose content is deleted after a single view, so a secret lives on the server only until it is read or its TTL expires, instead of persisting indefinitely in inboxes, chat history, and ticket systems. This makes it useful for developers, DevOps teams, and security-conscious users who need to hand over credentials or confidential details without leaving traces. It supports both web-based and API-only deployments, with configurable authentication, rate limiting, and encryption options to meet varying security requirements.
What You Get
- Single-use secret links - Creates temporary URLs that delete their content after one view; a second visit to the same link returns nothing, so a password that was viewed once cannot be read again later.
- Self-hostable deployment - Fully containerized with Docker support, allowing private deployment behind firewalls or on-premises infrastructure.
- Configurable TTL options - Set expiration times for secrets (30m, 12h, 24h, 3d) via environment variables or config file to control data lifespan.
- Authentication support - Optional login requirement (AUTH_REQUIRED=true) to restrict secret creation to authenticated users.
- SMTP/Email integration - Configurable email notifications via SMTP or SendGrid to notify recipients of secret links.
- API-only mode - Disable the web UI (UI_ENABLED=false) to expose only the API for programmatic secret generation and integration.
- Secure key management - Requires a persistent, randomly generated SECRET key (for example from `openssl rand -hex 32`) that is used to encrypt secrets at rest. The value must stay the same across restarts and upgrades: secrets encrypted under an old SECRET can no longer be decrypted once it changes, so back it up along with the rest of the deployment configuration.
- Redis-backed storage - Uses Redis as the backend data store for fast, ephemeral secret storage with built-in TTL expiration.
- Rate limiting - Configurable usage limits to prevent abuse and ensure fair resource allocation in production environments.
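The three properties listed above (single use, a TTL, and encryption at rest under a deployment-wide SECRET) are easiest to reason about in code. The block below is an added, self-contained model in Ruby, the project's backend language; it is not OnetimeSecret's own implementation, and the names MemoryStore, OneTimeSecrets, DEMO_SECRET and the key-derivation scheme are this example's choices. A real deployment keeps the records in Redis; the in-memory store stands in for Redis's SETEX and GETDEL so the example runs offline.

```ruby
require 'openssl'
require 'securerandom'
require 'base64'
require 'json'

# Illustrative model of a one-time secret store (added example, not the
# project's code). Mimics the key a deployment gets from `openssl rand -hex 32`.
DEMO_SECRET = OpenSSL::Random.random_bytes(32).unpack1('H*')

# Stand-in for Redis with SETEX / GETDEL semantics; `clock` is injectable so
# TTL expiry can be exercised without sleeping.
class MemoryStore
  Entry = Struct.new(:value, :expires_at)

  def initialize(clock: -> { Time.now })
    @clock = clock
    @data = {}
    @lock = Mutex.new
  end

  # SETEX equivalent: store a value with a time-to-live in seconds.
  def setex(key, ttl, value)
    @lock.synchronize { @data[key] = Entry.new(value, @clock.call + ttl) }
  end

  # GETDEL equivalent: fetch and delete in one critical section, so two
  # concurrent reveals of the same key cannot both succeed.
  def getdel(key)
    @lock.synchronize do
      entry = @data.delete(key)
      return nil if entry.nil? || entry.expires_at <= @clock.call
      entry.value
    end
  end
end

class OneTimeSecrets
  def initialize(store, secret_hex)
    @store = store
    @master = [secret_hex].pack('H*') # 64 hex chars -> 32 raw key bytes
  end

  # Encrypts `plaintext` with AES-256-GCM under a key derived from the
  # deployment SECRET plus the optional passphrase, stores it with a TTL,
  # and returns the opaque identifier that goes into the share URL.
  def create(plaintext, ttl:, passphrase: nil)
    key_id = SecureRandom.urlsafe_base64(24)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = derive_key(key_id, passphrase)
    iv = cipher.random_iv
    cipher.auth_data = key_id # bind the ciphertext to this URL key
    ct = cipher.update(plaintext) + cipher.final
    record = { iv: b64(iv), tag: b64(cipher.auth_tag), ct: b64(ct) }
    @store.setex("secret:#{key_id}", ttl, JSON.generate(record))
    key_id
  end

  # Single use: the record is removed before decryption is attempted, so a
  # wrong passphrase or a rotated SECRET also consumes the secret. That caps
  # passphrase guessing at one attempt; it is this example's choice, not
  # necessarily the project's behaviour.
  def reveal(key_id, passphrase: nil)
    raw = @store.getdel("secret:#{key_id}")
    return nil if raw.nil?
    rec = JSON.parse(raw)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = derive_key(key_id, passphrase)
    cipher.iv = Base64.strict_decode64(rec['iv'])
    cipher.auth_tag = Base64.strict_decode64(rec['tag'])
    cipher.auth_data = key_id
    cipher.update(Base64.strict_decode64(rec['ct'])) + cipher.final
  rescue OpenSSL::Cipher::CipherError
    nil # GCM tag check failed: wrong SECRET or wrong passphrase
  end

  private

  # PBKDF2 over SECRET || passphrase with the URL key as salt, so every
  # secret gets its own AES key and a passphrase is required to rebuild it.
  def derive_key(key_id, passphrase)
    OpenSSL::KDF.pbkdf2_hmac(@master + passphrase.to_s.b, salt: key_id,
                             iterations: 100_000, length: 32, hash: 'sha256')
  end

  def b64(bytes)
    Base64.strict_encode64(bytes)
  end
end

if __FILE__ == $0
  ots = OneTimeSecrets.new(MemoryStore.new, DEMO_SECRET)
  id = ots.create('db-password-example', ttl: 300)
  puts "first reveal:  #{ots.reveal(id).inspect}"
  puts "second reveal: #{ots.reveal(id).inspect}"
end
```

Running the file shows the first reveal returning the plaintext and the second returning nil. The same construction demonstrates the SECRET caveat: a store opened with a different key cannot decrypt existing records, and because the record is deleted on the failed attempt, the original key cannot recover it afterwards either.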
Common Use Cases
- Building a secure password-sharing workflow - Developers sharing database credentials or API keys with teammates without pasting them into Slack, email, or ticket systems where they persist indefinitely.
- DevOps teams managing ephemeral secrets - Automating secret rotation and delivery in CI/CD pipelines using the OnetimeSecret API to pass temporary tokens to deployment scripts.
- Data minimization for audits and compliance - Organizations with data minimization policies use OnetimeSecret so that secrets do not accumulate in logs, emails, or chat histories, which shrinks the exposure surface an auditor or an attacker can find.
- Team workflows with non-technical users - Support teams create a temporary access code through the simple web interface and pass the one-time link on by SMS or over the phone, which keeps the code out of lingering message threads and reduces help desk follow-up.
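For the CI/CD case, the piece a pipeline actually needs is a small client that creates a secret through the API and hands back the one-time URL without ever echoing the plaintext into build logs. The block below is an added example in Ruby, not the project's own client or SDK. It assumes the v1 endpoint `POST /api/v1/share` taking form fields `secret`, `ttl` and `passphrase`, HTTP Basic auth with the account email and an API token, and a JSON reply carrying `secret_key`; verify those details against your own deployment's API documentation before relying on them. The class name OtsClient and the injectable `http` transport are this example's choices, used so the code can be exercised offline.

```ruby
require 'net/http'
require 'uri'
require 'json'

# Added example client for the share endpoint (not the project's own code).
# Endpoint path, form field names and the `secret_key` reply field are
# assumptions about the v1 API; check them against your deployment's docs.
class OtsClient
  class Error < StandardError; end

  # `http` is an optional callable taking a Net::HTTP request and returning
  # an object with `code` and `body`; nil means use Net::HTTP for real.
  def initialize(base_url, username:, api_token:, http: nil)
    @base = URI(base_url)
    @username = username
    @api_token = api_token
    @http = http
  end

  # Creates a one-time secret and returns its share URL. The plaintext is
  # never included in the return value or in any raised error message, so
  # nothing a CI runner prints on failure can leak it.
  def share(secret, ttl: 3600, passphrase: nil)
    req = Net::HTTP::Post.new(URI.join(@base, '/api/v1/share'))
    req.basic_auth(@username, @api_token)
    form = { 'secret' => secret, 'ttl' => ttl.to_s }
    form['passphrase'] = passphrase if passphrase
    req.set_form_data(form)

    res = perform(req)
    raise Error, "share failed: HTTP #{res.code}" unless res.code == '200'
    body = JSON.parse(res.body)
    key = body['secret_key']
    raise Error, 'reply did not contain secret_key' if key.nil? || key.empty?
    URI.join(@base, "/secret/#{key}").to_s
  end

  private

  def perform(req)
    return @http.call(req) if @http
    Net::HTTP.start(@base.host, @base.port, use_ssl: @base.scheme == 'https') do |h|
      h.request(req)
    end
  end
end

# Typical pipeline use: credentials come from the CI secret store via the
# environment (OTS_USER / OTS_API_TOKEN are names chosen for this example),
# and only the resulting link is printed.
if __FILE__ == $0 && ENV['OTS_API_TOKEN']
  client = OtsClient.new(ENV.fetch('OTS_URL', 'https://onetimesecret.com'),
                         username: ENV.fetch('OTS_USER'),
                         api_token: ENV.fetch('OTS_API_TOKEN'))
  puts client.share(ENV.fetch('DEPLOY_TOKEN'), ttl: 900)
end
```

The `ttl` of 900 seconds in the usage block matches how short a deployment token's window usually needs to be; the link is what gets passed to the next stage, and whoever opens it first consumes it, so a link that has already been used when the deploy script runs is itself a signal worth alerting on.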
Under The Hood
This project is a multi-tenant platform for managing one-time secrets, combining a Ruby backend with a TypeScript/Vue.js frontend. It follows a modular architecture that emphasizes domain-driven design and security-focused development practices.
Architecture
This system adopts a monolithic yet modular structure, with distinct apps encapsulating specific business domains while maintaining a unified deployment model. The architecture supports clear separation of concerns and enables scalable growth.
- Modular app structure that isolates domain logic into dedicated components
- Strong emphasis on layered design with middleware for security and access control
- Well-defined boundaries between backend services and frontend components
Tech Stack
The application leverages a hybrid Ruby and TypeScript ecosystem with Vue.js for the frontend, integrating modern tools for scalability and maintainability.
- Rack-based Ruby backend (not Rails) with a TypeScript/Vue.js frontend for a responsive UI
- Extensive use of Vue.js, Pinia, and Zod alongside Stripe and Sentry for robust functionality
- Vite, Tailwind CSS, ESLint, and Docker form a powerful development and deployment pipeline
- Comprehensive testing ecosystem including RSpec, Vitest, and Playwright across all modules
Code Quality
Code quality is consistently high with a strong focus on testing, linting, and maintainability across both backend and frontend.
- Abundant test coverage with unit and integration tests ensuring reliability
- Structured error handling and informative messaging for debugging and user feedback
- Strong adherence to coding standards and linting practices throughout the codebase
What Makes It Unique
This project introduces innovative approaches to multi-tenant SaaS development with a focus on security, compliance, and extensibility.
- Sophisticated entitlement-based middleware that dynamically validates organization permissions with detailed error responses
- Highly modular API design with distinct apps (account, colonel, domains) that encapsulate domain-specific logic
- systemd integration for running the service, with graceful shutdown handling and resource limits defined in the unit configuration
- Seamless combination of Ruby-based backend services with TypeScript/Vue frontend components for a cohesive architecture