Self-Destructing Note
Share an encrypted note that's read once, then wiped.
Runs entirely in your browser — nothing you enter is uploaded, logged, or tracked.
Write a secret note, get a link, and the note self-destructs after the recipient opens it once. Encryption happens entirely in your browser with AES-256-GCM — the ciphertext (and the key, unless you set a password) travels only inside the link's # fragment, which your browser never sends to any server. Honest about its limits: there's no server here to remotely "burn" anything, so it's perfect for low-friction one-time sharing, not for stopping a determined screenshot.
No password? The decryption key is baked into the link's # fragment, so anyone with the link can read it once. Add a password and the key is derived from it instead — the link alone is useless without it.
Remember to send the password through a different channel than the link.
✓ Burned. This note has been wiped from the page and the link. Reloading this page will show nothing — the link no longer works.
Frequently asked questions
Where is the note actually stored?
Nowhere on a server. The note is encrypted in your browser and the ciphertext is packed into the part of the link after the # (the URL fragment). Browsers never transmit the fragment to a server, so the secret only ever exists inside the link itself and in the two browsers that create and open it.
What does "self-destructing" really mean here?
This tool is 100% client-side, so there is no server to enforce a true burn. When the recipient opens the link, the page shows the note once, then wipes the plaintext from the page and strips the secret out of their address bar so a reload reveals nothing on their machine. But the link you shared still exists wherever you sent it, and we can't stop someone from copying or screenshotting the text. For a server-enforced burn-after-read, that's a planned future tier.
Should I add a password?
It depends on your channel. Without a password, the decryption key is baked into the link, so anyone who gets the link can read it once — fine if the link itself is private. Add a password and the key is derived from it with PBKDF2 (200,000 iterations) instead, so the link alone is useless; just send the password through a different channel than the link.
What encryption does it use?
AES-256-GCM via the browser's Web Crypto API, with a 96-bit random nonce per note and GCM authentication that detects any tampering. Passwords are stretched with PBKDF2-HMAC-SHA-256 at 200,000 iterations. No crypto is hand-rolled and nothing is sent over the network.
Can the note be read more than once?
Not from the recipient's side. After the first reveal the page clears the secret from the URL, so reloading shows an empty link. However, because there's no server, the original link still technically decrypts if someone saved a full copy of it before it was opened — which is exactly why it's meant for one-time, low-stakes sharing and why a password adds real protection.