A one-time secret share, done properly

Vaulted is end-to-end encrypted. The server only ever sees ciphertext - the decryption key never reaches our infrastructure.

• Encrypted in your browser. AES-GCM-256 via the Web Crypto API. The server never sees the plaintext.
• Key in the URL fragment. The decryption key lives after the #, which browsers never send to servers.
• Destroyed on reveal. The recipient's first reveal triggers an atomic delete. There is no second reveal.
• Auto-expires. Unrevealed secrets self-destruct after one hour.
• No accounts. No login, no email capture, no tracking the secret. Fathom Analytics for page-level usage only.

We can see ciphertext (encrypted bytes) and an initialisation vector. We cannot see the secret itself - the key never reaches us.

We see your IP for rate-limiting, which is standard. We do not log secrets, do not store them after reveal, and do not back them up.

Vaulted is built and maintained by Marbl Codes - the AI-native digital agency by Richard Bland. We help small and medium businesses adopt AI safely, with humans staying in the loop. We're the human in your AI loop.

We made Vaulted because we needed it ourselves. It's free. If you find it useful, take a look at our other tools at marbl.codes or join our newsletter for what's coming next.

• Maximum secret length: 4,000 characters.
• One-time view per link - once revealed, gone.
• One-hour TTL on unrevealed secrets.
• Rate-limited per IP to keep the service free for everyone.
• This is a free tool offered as-is. For high-stakes secret-sharing in regulated environments, talk to us about a managed solution.

Vaulted runs on a single Cloudflare Worker with KV storage and native rate limiting. Everything sensitive happens in your browser. If you want to dig into the code, find us on GitHub.

Questions or feedback? hello@marbl.codes.