OnetimeSecret is a self-hostable tool designed for developers, sysadmins, and security-conscious users who need to share passwords, API keys, or other sensitive data without risking exposure in email threads or chat histories. It creates one-time URLs that vanish after being viewed once, ensuring end-to-end secrecy.
Built with Ruby on Rails and Redis, it supports both simple Redis-based authentication and full SQL-based authentication with MFA and WebAuthn. The application can be deployed via Docker or manually, with full Docker Compose support and configurable SMTP, SES, or SendGrid email integration. Frontend development uses Vite with HMR for real-time editing.
What You Get
- Self-Destructing Links - Generates single-use URLs that automatically delete the secret after the first view, preventing persistent storage in inboxes or chat logs.
- Redis-Based Storage - Uses Redis as the default data store for ephemeral secrets, ensuring fast, in-memory operations and automatic cleanup after access.
- Full Authentication Mode - Supports SQL-backed authentication with MFA (TOTP), WebAuthn (FIDO2), and user management for enterprise-grade access control.
- SMTP/SendGrid/SES Email Integration - Configurable email delivery for sending one-time links via SMTP, Amazon SES, or SendGrid for reliable recipient delivery.
- Docker & Docker Compose Support - Official Docker images and preconfigured docker-compose.yml files for simple and full-stack deployments with Redis and optional PostgreSQL.
- Frontend HMR Development Mode - Enables hot module replacement via Vite when development mode is enabled in config.yaml for real-time UI iteration.
- Configurable UI and Branding - Customize the interface via config.yaml including logo, theme, and message templates to match organizational branding.
- Anonymous Sharing Mode - Allows users to share secrets without requiring account creation, ideal for one-off secure transmissions.
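The self-destructing, TTL-bound behaviour described above, as an added example that is not OnetimeSecret's own code: an in-memory Hash stands in for the Redis store, the secret is encrypted under a recipient passphrase before it is stored, and the link token is consumed with a single atomic fetch-and-delete so a second or concurrent view gets nothing. Class and method names are hypothetical.

```ruby
require 'openssl'
require 'securerandom'

# Added illustration of one-time-view semantics; not OnetimeSecret's own code.
# The Hash stands in for Redis: SET with EX becomes an entry carrying an expiry
# timestamp, and GETDEL becomes a single fetch-and-delete under a mutex.
class OneTimeStore
  Entry = Struct.new(:ciphertext, :iv, :tag, :salt, :expires_at)

  def initialize(clock: -> { Time.now.to_f })
    @store = {}
    @lock  = Mutex.new
    @clock = clock # injectable so expiry can be exercised without sleeping
  end

  # Encrypt the secret under a passphrase-derived key and store it with a TTL.
  # Returns the link token; the plaintext itself is never kept.
  def put(secret, passphrase, ttl_seconds:)
    token  = SecureRandom.urlsafe_base64(32)
    salt   = SecureRandom.random_bytes(16)
    cipher = OpenSSL::Cipher.new('aes-256-gcm').encrypt
    cipher.key = derive_key(passphrase, salt)
    iv = cipher.random_iv
    cipher.auth_data = token # bind the ciphertext to this particular link
    ciphertext = cipher.update(secret) + cipher.final
    entry = Entry.new(ciphertext, iv, cipher.auth_tag, salt, @clock.call + ttl_seconds)
    @lock.synchronize { @store[token] = entry }
    token
  end

  # Atomic read-and-delete: the first caller to consume the token gets the
  # secret; a second or concurrent view, an expired entry, or a wrong
  # passphrase all yield nil. Deleting before decrypting means a wrong
  # passphrase burns the secret, which caps passphrase guessing at one try.
  def consume(token, passphrase)
    entry = @lock.synchronize { @store.delete(token) }
    return nil if entry.nil? || entry.expires_at <= @clock.call
    cipher = OpenSSL::Cipher.new('aes-256-gcm').decrypt
    cipher.key = derive_key(passphrase, entry.salt)
    cipher.iv  = entry.iv
    cipher.auth_tag  = entry.tag
    cipher.auth_data = token
    (cipher.update(entry.ciphertext) + cipher.final).force_encoding(Encoding::UTF_8)
  rescue OpenSSL::Cipher::CipherError
    nil # wrong passphrase or tampered ciphertext: GCM tag check failed
  end

  private
  def derive_key(passphrase, salt)
    OpenSSL::KDF.pbkdf2_hmac(passphrase, salt: salt, iterations: 100_000, length: 32, hash: 'sha256')
  end
end
```

In a real deployment the Hash becomes Redis `SET ... EX` plus `GETDEL`, which gives the same atomicity across processes; the point to preserve is that delete and read happen as one step.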
Common Use Cases
- Sharing database credentials - A DevOps engineer uses OnetimeSecret to send temporary database passwords to a colleague without storing them in Slack or email.
- Onboarding new team members - An IT admin generates a one-time link to share SSH keys or API tokens during employee onboarding, ensuring no copies remain after access.
- Secure password handoff between teams - A security team shares reset credentials for compromised accounts via encrypted one-time links to avoid exposing them in ticketing systems.
- Journalists sharing sensitive sources - A reporter uses OnetimeSecret to send encrypted tips or documents to editors without leaving digital traces in communication channels.
Under The Hood
Architecture
- Modular Ruby monolith organized with clear namespace isolation via the Onetime:: module hierarchy, separating core logic, background jobs, and refinements for maintainability
- REST and API layers built with Roda, using service objects following a command pattern to encapsulate secret operations, ensuring testability and loose coupling
- Event-driven background processing powered by Kicks and RabbitMQ, with Redis-backed sorted sets enabling efficient time-based queuing and deduplication
- Frontend is a Vue 3 TypeScript SPA with centralized schema validation via Zod, ensuring end-to-end type safety from API contracts to UI components
- Dependency injection achieved through runtime configuration and lazy loading, with explicit layer separation despite subtle global state coupling
Tech Stack
- Ruby 3.4+ backend leveraging Roda, Rodauth, and Otto for routing and authentication, with Sequel and Familia as primary ORMs
- Valkey (Redis-compatible) for ephemeral data and sessions, supported by Redis gem and uri-valkey for robust connection handling
- Vue 3.5 with Pinia, Vue Router, and VueUse for state and routing, enhanced by CodeMirror 6 and HeadlessUI for rich interactive components
- Vite with TypeScript and Tailwind CSS for modern frontend tooling, integrated with vue-tsc and ESLint for type safety and code quality
- Docker multi-stage builds with Bake and S6 init system for containerized deployment, paired with RabbitMQ and Kicks for scalable job processing
Code Quality
- Comprehensive test coverage spanning unit, integration, and end-to-end scenarios with clear separation of concerns across layers
- Strong type safety enforced through TypeScript and Zod schemas, with round-trip validation ensuring data integrity across serialization boundaries
- Consistent domain-driven naming and modular structure across Ruby and TypeScript codebases, with explicit boundaries between services, models, and UI
- Robust error handling with domain-specific exceptions and retryable flows, particularly in critical paths like authentication and billing
- Configuration-driven behavior and environment-aware initialization enable seamless deployment across diverse environments
What Makes It Unique
- Seamless integration of Otto router with fine-grained IP privacy controls and centralized auth strategy registration for consistent API behavior
- Dynamic secret TTL policies enforced via Familia refinements and runtime hooks, eliminating hard-coded thresholds
- End-to-end type safety pipeline from backend API contracts to frontend components via Zod and TypeScript
- Route-level validation guards and auto-reload mechanisms in Vue 3 prevent UI breakdowns after deployments
- Server-side email templating with shared i18n ERB templates that eliminate duplication between web and email contexts
- Graceful SIGINT handling using at_exit hooks to safely defer cleanup tasks, circumventing Ruby’s signal handling limitations