Frequently Asked Questions

Ephemeral is a secure secret-sharing service that allows you to share sensitive information (passwords, API keys, private messages) through encrypted, self-destructing links. Once a secret is viewed, it's permanently deleted and can never be accessed again.

Email and chat messages are stored indefinitely on servers you don't control. If those services are breached, your sensitive information is exposed. With Ephemeral:

• Secrets are encrypted and auto-delete after viewing
• There's no permanent record of your secret
• Even if our servers were breached, encrypted secrets cannot be read
• You can add password protection for extra security

Yes, Ephemeral is free for personal and business use. We believe everyone deserves access to secure communication tools.

No. Ephemeral is designed to work without accounts. Simply create a secret, get a link, and share it. No registration, no email, no personal information required.

Secrets are encrypted using industry-standard authenticated encryption algorithms:

• XSalsa20-Poly1305 (default) - A modern, high-performance cipher from the NaCl/Sodium library
• AES-256-GCM - FIPS 140-2 compliant encryption for regulated industries

Each secret gets a unique encryption key that is stored separately from the encrypted content and deleted when the secret is viewed.

No. Our zero-knowledge architecture means we cannot decrypt your secrets even if we wanted to. Encryption keys and encrypted content are stored in separate systems, and keys are deleted after use.

If someone intercepts and opens your link before the intended recipient:

• The secret will be deleted and the intended recipient will see "Secret not found"
• You'll know the secret was compromised because the recipient will tell you they couldn't access it
• To prevent this, use password protection and send the password through a different channel

We recommend password protection for highly sensitive secrets. Best practices:

• Use a strong, unique password (8+ characters)
• Send the password through a different channel than the link (e.g., link via email, password via SMS)
• This provides two-factor security: something they have (link) + something they know (password)

Our security practices are designed with compliance in mind:

• GDPR: Fully compliant. Privacy by design, data minimization, user rights supported.
• HIPAA: HIPAA-ready. AES-256-GCM encryption available. Contact us for a BAA.
• SOC2: Controls implemented. Audit pending.

See our Security Policy for details.

1. Go to the home page
2. Enter your secret content in the text area
3. (Optional) Check "Protect with password" and enter a password
4. Select an expiration time (1 hour to 30 days)
5. Click "Create Secret"
6. Copy and share the generated link

Secrets can be up to 100 KB in size. This is enough for most passwords, API keys, configuration files, and short documents.

No. This is by design. Secrets are permanently deleted after being viewed once. If you need to share the same information again, create a new secret.

You can choose from:

• 1 hour - For time-sensitive information
• 24 hours - Default, good for most use cases
• 7 days - When the recipient might need more time
• 30 days - Maximum allowed expiration

Remember: secrets are deleted when viewed OR when they expire, whichever comes first.

Currently, there's no way to manually delete a secret once created. However, secrets automatically expire based on the TTL you selected. For sensitive situations, choose a shorter expiration time.

We collect the absolute minimum:

• Hashed IP address - For rate limiting (we don't store your actual IP)
• Timestamps - When secrets are created/accessed
• Encrypted secret content - Deleted after viewing or expiration

We do NOT collect: emails, names, location, analytics, or tracking data.

See our Privacy Policy for complete details.

We only use essential session cookies required for the service to function (CSRF protection). We do not use analytics, advertising, or tracking cookies.

No. We never sell, rent, or share your data with third parties for marketing purposes. We only share data when required by law (court orders, etc.), and we cannot share encrypted secret content because we can't decrypt it.

A public API is planned for a future release. If you have specific API needs, please contact us.

Yes! Ephemeral is open source. You can find the source code and deployment instructions on our GitHub repository. Self-hosting gives you complete control over your data.

• Backend: PHP 8.3, Symfony 7
• Encryption: Sodium (libsodium), OpenSSL
• Key Storage: Redis (volatile)
• Secret Storage: S3-compatible object storage
• Web Server: FrankenPHP with Caddy
• Frontend: Bootstrap 5, Twig, Live Components

This message appears when:

• The secret was already viewed by someone
• The secret expired (reached its TTL)
• The link is incorrect or incomplete

If you expected to see a secret, contact the sender and ask them to create a new one.

We have rate limits to prevent abuse. If you're creating many secrets or making many password attempts, you may be temporarily blocked. Wait a few minutes and try again.

Rate limits:

• 10 secret creations per hour
• 20 secret views per hour
• 5 password attempts per 15 minutes

If the password isn't working:

• Check for typos (passwords are case-sensitive)
• Make sure you're not copying extra spaces
• Confirm with the sender that you have the correct password
• Note: After 5 failed attempts, you'll be temporarily blocked

For bugs or issues, please open an issue on our GitHub repository. For security vulnerabilities, please email security@ephemeral.example.com instead of posting publicly.