Frequently asked questions

• About Ones
  • What is the idea?
  • How long is my secret kept?
  • How is my secret secured?
  • Can a secret which has been burned be recovered?
  • Which data is stored about me?
  • Which browsers are supported?
  
  
  
  • What is the idea? Consider this an alternative to sending passwords and other secrets over mail or instant messaging where they will typically be saved for a longer time.
    
    With this service, the secret gets deleted once the receiver reads it and all there is left in the chat / email is just a link that no longer works.
  • How is my secret secured? Your secret is protected by multiple layers of encryption:
    
    Client-Side Encryption (in your browser): Before your secret ever leaves your device, it is encrypted using AES-256-GCM (Advanced Encryption Standard with 256-bit keys in Galois/Counter Mode). The encryption key is randomly generated in your browser and never sent to our servers. This key becomes part of the URL fragment (the part after #), which browsers never transmit to servers.
    
    In Transit: The already-encrypted secret is transmitted to our server over HTTPS (HTTP over TLS), providing a second layer of encryption during transmission.
    
    Server-Side Encryption (at rest): Once received, the already-encrypted secret is encrypted again on our server using AES-256-GCM with a different key. This means your secret is double-encrypted when stored in our database.
    
    When Viewing: When someone visits the secret URL, our server decrypts the outer layer and sends the still-encrypted data back to the browser. The browser then uses the encryption key from the URL fragment (the part after #k=) to decrypt and display the secret. Only someone with the complete URL can decrypt the secret.
    
    Zero-Knowledge Architecture: Because the encryption key never leaves your browser and is never sent to our servers, we have zero knowledge of your secret's contents. Even if our database were compromised, the secrets would remain encrypted and unreadable without the URL fragments, which we never see or store.
    
    
    To put it simple:
    
    

    1

    Client-Side Encryption (Your Browser)

    AES-256-GCM encryption • Key generated locally • Key stored only in URL fragment (#k=) • We never see the encryption key

    2

    In Transit (HTTPS/TLS)

    Already encrypted secret sent securely • Second layer of encryption during transmission

    3

    Server-Side Encryption (At Rest)

    AES-256-GCM encryption (different key) • Double-encrypted in database • Protected even if database is compromised

    4

    Viewing the Secret

    Server decrypts outer layer only • Browser decrypts with key from URL • Secret displayed to recipient

    Zero-Knowledge Architecture

    The encryption key is stored in the URL fragment (after #k=), which is never sent to our servers. We have zero knowledge of your secret's contents—we literally cannot read it, even if legally compelled to do so.

  • How long is my secret kept? Per default a secret is kept for 7 days, unless someone reads it by using the secret link of course.
  • Can a secret which has been burned be recovered? No, we have no means to recover secrets.
  • Which data is stored about me? When you visit this website, your IP-address is kept in our logfiles.
    
    The site does not embed any 3rd party tracking or 3rd party cookies.
  • Which browsers are supported?

    Browser Compatibility

    This service requires modern browsers with Web Crypto API support for secure client-side encryption.

    ✅ Supported Browsers

    Google Chrome

    v37+

    July 2014 or newer

    Mozilla Firefox

    v34+

    December 2014 or newer

    Apple Safari

    v11+

    September 2017 or newer

    Microsoft Edge

    v79+

    January 2020 or newer (Chromium-based)

    Opera

    v24+

    September 2014 or newer

    All Modern Mobile Browsers

    Chrome Mobile • Safari iOS • Samsung Internet • Firefox Mobile

    ❌ Unsupported Browsers

    Internet Explorer (All Versions)

    Web Crypto API is not supported in any version of IE

    Older Browser Versions

    Chrome <37 • Firefox <34 • Safari <11 • Edge Legacy • Opera <24

    Browser Coverage: ~97%

    Approximately 97% of global internet users have a browser that supports this service. If you see a warning when creating or viewing a secret, please upgrade to a modern browser.

    Why These Requirements?

    This service uses the Web Crypto API to perform AES-256-GCM encryption directly in your browser before transmitting data to our servers.

    This ensures zero-knowledge encryption - we never see your unencrypted secrets. Older browsers lack this critical security feature.