How burnote works
burnote is a free tool for sharing passwords, API keys, and other sensitive data through one-time encrypted links. Your secret is encrypted inside your browser before it ever leaves your device, and destroyed forever the moment it's viewed — even we can't read it.
How it works in 30 seconds
You paste your secret
Type or paste a password, API key, message, or attach a file. Optionally set a passphrase and an expiry between 5 minutes and 14 days.
Your browser encrypts it
burnote generates a fresh 256-bit encryption key in your browser and encrypts the payload with AES-GCM. Only the ciphertext is sent to our server — never your plaintext, never the key.
You get a one-time link
Share it via email, Slack, SMS, or any other channel. The decryption key sits in the URL fragment — the part after # — which your browser never sends to any server.
Your recipient opens the link and clicks "Reveal"
Their browser fetches the ciphertext, we delete the database row in the same transaction, and the secret is decrypted locally in their browser. From that point it exists only on their screen.
The crypto, in detail
For the security-conscious, here is what happens under the hood.
Encryption
- Every secret gets a fresh, random 256-bit AES-GCM key generated with crypto.subtle.generateKey in your browser.
- Plaintext is encrypted with a unique, random 96-bit IV. A fresh key per secret and a fresh IV per encryption keep the key/IV pair unique, which is the one condition GCM depends on, and GCM's authentication tag means any tampering with the ciphertext causes decryption to fail.
Key handling without a passphrase
- The encryption key is placed in the URL fragment (the part after #).
- Browsers never include the fragment in HTTP requests. Our server only ever sees the opaque ciphertext.
- If our database were breached tomorrow, every no-passphrase secret would be indistinguishable from random noise to the attacker, because the key was never stored on our side. The flip side is that the link itself carries the key, so anyone who obtains the link (a chat log, browser history, a forwarded message) can open the secret; that is what the passphrase option below is for.
Key handling with a passphrase
- The data key is wrapped (encrypted again) using a second key derived from your passphrase with PBKDF2-SHA256, 600,000 iterations, and a per-secret random 16-byte salt.
- Only this wrapped key is stored alongside the ciphertext. Your passphrase is never sent to our server.
- The URL fragment stays empty — the passphrase is the only way to unlock the data key, so you can share the link and the passphrase through different channels for defence-in-depth.
One-time delivery
- When the recipient clicks Reveal, we read the ciphertext and delete the row in a single atomic transaction (SELECT ... FOR UPDATE followed by DELETE).
- If two people open the link at the exact same time, only one gets the ciphertext; the other sees "this secret no longer exists".
- Expired secrets are permanently purged by a cleanup job that runs every 15 minutes, so unread secrets don't linger past their TTL.
Why a "Reveal" button instead of auto-reveal
Modern messaging platforms (Slack, iMessage, Teams, email filters) silently fetch links to generate previews. If revealing happened on page load, these bots would consume the secret before your recipient even saw it.
burnote only destroys a secret when the recipient explicitly clicks Reveal, which sends a POST request to the server. Automatic previewers, prefetchers, and crawlers only make safe GET requests — so they cannot burn a one-time link.
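A model of the reveal path described in the two sections above (one-time delivery and the Reveal button), as an added example rather than burnote's own server code. A Map behind a fake asynchronous store stands in for the database; the racy variant, which reads and deletes as two separate statements, is included only to show the double delivery that the page's single SELECT ... FOR UPDATE / DELETE transaction prevents. Route names, ids, the record layout and the TTLs are constructed.

```javascript
// Added example (not burnote's own code): models the server's reveal path.
// A Map behind a fake async store stands in for the database; route names,
// ids, record layout and TTLs are constructed for the demonstration.

// Each store call yields once (a microtask turn standing in for a network
// round trip), so two in-flight handlers can interleave between calls.
const tick = () => Promise.resolve();

const db = {
  rows: new Map(),   // id -> { ciphertext, iv, wrapped, passphraseProtected, expiresAt }
  async get(id) { await tick(); return this.rows.get(id); },
  async del(id) { await tick(); this.rows.delete(id); },
  // Stand-in for `SELECT ... FOR UPDATE` followed by `DELETE` in one
  // transaction: no other request can observe the row between read and delete.
  async takeAndDelete(id) {
    await tick();
    const row = this.rows.get(id);
    this.rows.delete(id);
    return row;
  },
};

// GET is what unfurlers, prefetchers and crawlers send. It is safe: it
// reports only existence and whether a passphrase is needed, and never
// returns or removes the ciphertext.
async function handleGet(id, now) {
  const row = await db.get(id);
  if (!row || row.expiresAt <= now) return { status: 404 };
  return { status: 200, body: { passphraseProtected: row.passphraseProtected } };
}

const deliver = (row) => ({ status: 200,
  body: { ciphertext: row.ciphertext, iv: row.iv, wrapped: row.wrapped } });

// The bug the transaction prevents: read and delete as two statements.
// Two simultaneous POSTs can both read before either one deletes.
async function revealRacy(id, now) {
  const row = await db.get(id);
  if (!row || row.expiresAt <= now) return { status: 404 };
  await db.del(id);
  return deliver(row);
}

// POST /reveal as the page describes it: one atomic read-and-delete, so of
// two racing requests exactly one gets the ciphertext and the other a 404.
async function revealAtomic(id, now) {
  const row = await db.takeAndDelete(id);
  if (!row || row.expiresAt <= now) return { status: 404 };
  return deliver(row);
}

// The periodic cleanup job: purge rows past their TTL, read or not.
function purgeExpired(now) {
  let purged = 0;
  for (const [id, row] of db.rows) {
    if (row.expiresAt <= now) { db.rows.delete(id); purged++; }
  }
  return purged;
}

// Exercise each behaviour and return what was observed.
async function demo() {
  const now = Date.now();
  const ttl = 5 * 60 * 1000;                                    // 5-minute expiry
  const seed = () => db.rows.set('abc123', { ciphertext: 'c1ph3r', iv: 'n0nce',
    wrapped: null, passphraseProtected: false, expiresAt: now + ttl });   // constructed row

  seed();   // three link previewers fetch the page at once
  const previews = await Promise.all([1, 2, 3].map(() => handleGet('abc123', now)));
  const survivedPreviews = db.rows.has('abc123');

  // Two recipients click Reveal simultaneously, racy version: both get it.
  const racy = await Promise.all([revealRacy('abc123', now), revealRacy('abc123', now)]);
  const racyDeliveries = racy.filter((r) => r.status === 200).length;

  seed();   // same race against the atomic version: exactly one wins
  const atomic = await Promise.all([revealAtomic('abc123', now), revealAtomic('abc123', now)]);
  const atomicDeliveries = atomic.filter((r) => r.status === 200).length;

  seed();   // never opened: the cleanup job removes it once the TTL has passed
  const purgedBeforeTtl = purgeExpired(now + 4 * 60 * 1000);
  const purgedAfterTtl = purgeExpired(now + 15 * 60 * 1000);

  return { previewStatuses: previews.map((p) => p.status), survivedPreviews,
           racyDeliveries, atomicDeliveries, purgedBeforeTtl, purgedAfterTtl,
           goneAfterPurge: !db.rows.has('abc123') };
}
```

The GET handler is the part that makes link previews harmless: it has no side effect, so a hundred unfurlers fetching the page leave the row untouched. The two reveal handlers differ by one thing, whether the read and the delete can be separated by another request, and that single difference is what turns "viewed once" from a hope into a guarantee.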
What people use burnote for
- Sharing a password or API key with a teammate without leaving it in chat history
- Sending 2FA backup codes or recovery phrases to a colleague
- Handing off SSH keys or database credentials during an incident
- Giving a one-time recovery code to a customer
- Delivering a PDF or image that should not stick around in email
- Personal notes you want to be readable exactly once
When burnote is not the right tool
- Long-term storage. Secrets are meant to be viewed once and destroyed. For backup, use a password manager.
- Audit trails. By design we log nothing about who read what. If you need accountability, use a tool that records it.
- Payloads over 5 MB. The per-secret size cap keeps delivery fast and makes abuse less attractive.
- Running code. Executables, HTML, JavaScript, and SVG are blocked — the recipient's browser might run them.
Frequently asked questions
Is burnote free?
Yes. burnote is completely free. No accounts, no ads, no limits on how many secrets you can send.
Can burnote (or Osmicro) read my secret?
No. Secrets are encrypted in your browser with a 256-bit key we never see. For links without a passphrase, the key lives only in the URL fragment (after the #), which browsers do not transmit to servers.
For passphrase-protected secrets, only a passphrase-wrapped version of the key is stored on our server. Reading the ciphertext requires guessing the passphrase. The 600,000 PBKDF2 iterations and the per-secret random salt make every guess slow and rule out precomputed tables, but they cannot rescue a short or dictionary passphrase from an offline attack on a stolen database, so choose a long, random passphrase and send it over a different channel than the link.
What if my recipient never opens the link?
Every secret has an expiry between 5 minutes and 14 days. Once the expiry passes, a background cleanup job (every 15 minutes) permanently deletes the record from the database, even if nobody opened the link.
Can a link preview accidentally burn my secret?
No. burnote only destroys a secret when the recipient explicitly clicks the Reveal button, which sends a POST request. Slack unfurlers, iMessage previewers, email scanners, and search engine crawlers only make safe GET requests, so they cannot consume a one-time link.
What happens if my recipient types the wrong passphrase?
The secret is not destroyed. burnote validates the passphrase in the recipient's browser before asking the server to burn the record, so a wrong guess is harmless. Only a correct passphrase triggers destruction.
What file types can I attach?
PDF, JPG, PNG, GIF, WebP, HEIC, plain text, and CSV. You can attach multiple files per secret, up to 5 MB total. Executable content and active formats like HTML, JavaScript, and SVG are blocked because a recipient's browser might run them.
Can I revoke a link after I share it?
There is no admin revoke button, but the effect is the same if you open the link yourself — that destroys it. Your recipient will then see a "this secret no longer exists" page.
What does burnote log?
As little as possible. The server stores the encrypted ciphertext, its expiry timestamp, a flag indicating whether the secret is passphrase-protected and, for passphrase-protected secrets, the wrapped data key and its salt. We do not log IP addresses, user agents, request headers, or plaintext content.
Google Analytics is disabled entirely on secret-viewing pages, so decrypted content and secret IDs never reach any third party.
Is burnote suitable for long-term storage?
No. burnote is a transit tool — secrets are meant to be viewed once and destroyed. For backup or archival, use a password manager or an encrypted storage service instead.
Ready to share a secret?
Free, no signup, no tracking. Your first secret takes about ten seconds.
Create a secret now →