Secret Sharing API
Store sensitive strings as one-time secrets. Each secret can be read exactly once — then it is permanently destroyed.
Get your API token
Create an account and subscribe ($9/month) to start using the API.
How It Works
- You POST a secret string along with your API token and a TTL (expiry).
- The API returns a one-time link containing a unique 64-character hex token.
- Share that link with the recipient. When they GET it, the secret is returned and immediately marked as viewed.
- Any subsequent request for the same token returns 404 — the secret is gone forever.
Secrets also expire automatically after the chosen TTL even if never viewed.
Endpoints
| Method | Route | Auth | Description |
|---|---|---|---|
| POST | /api/secret | Token required | Store a new secret, get back a one-time link |
| GET | /api/secret/{token} | None | Reveal a secret once — subsequent calls return 404 |
POST /api/secret
Store a secret. Requires an active subscription token.
Request body (JSON or form-data)
| Field | Type | Required | Description |
|---|---|---|---|
| secret | string | Yes | The sensitive string to store. Max 50 000 chars. |
| ttl | integer | No | Time-to-live in seconds. Defaults to 86400 (24 h). Allowed values below. |
| token | string | Yes* | Your API token. Can also be passed as Authorization: Bearer … header. |
Allowed TTL values
| Seconds | Label |
|---|---|
| 3600 | 1 hour |
| 21600 | 6 hours |
| 86400 | 24 hours (default) |
| 259200 | 3 days |
| 604800 | 7 days |
| 2592000 | 30 days (max) |
Success response 200
{
  "success": true,
  "data": {
    "token": "a3f9…64 hex chars…",
    "link": "https://abesttools.com/api/secret/a3f9…",
    "expires_at": "2025-04-21 14:00:00",
    "ttl": 86400
  }
}
Example (curl)
curl -X POST https://abesttools.com/api/secret \
  -H "Content-Type: application/json" \
  -d '{"secret":"my password is hunter2","ttl":3600,"token":"YOUR_TOKEN"}'
GET /api/secret/{token}
Reveal the secret. No authentication required — anyone with the link can read it once.
Success response 200
{
  "success": true,
  "secret": "my password is hunter2",
  "created_at": "2025-04-20 13:00:00",
  "expires_at": "2025-04-20 14:00:00"
}
Error responses
| Status | Message | Reason |
|---|---|---|
| 404 | Secret not found, already viewed, or expired. | Token unknown, already read, or past TTL |
| 404 | Invalid secret token. | Token format is wrong |
Example (curl)
curl https://abesttools.com/api/secret/a3f9...
What Is One-Time Secret Sharing?
One-time secret sharing is a technique for transmitting sensitive data — passwords, API keys, private tokens, confidential messages — through insecure channels (email, Slack, tickets) without leaving a permanent copy. The secret is stored encrypted on the server and destroyed the moment the recipient reads it.
Why Not Just Send Passwords in Email?
Email is stored indefinitely in inboxes, backups, and forwarded chains. A one-time link expires after being read or after the chosen TTL — whichever comes first — so there is no persistent copy for an attacker to find later.
Security Model
- Tokens are 32 bytes (64 hex chars) generated with random_bytes() — cryptographically secure and not guessable.
- A secret is marked viewed the instant it is retrieved. Any subsequent GET returns 404.
- Expired secrets are purged automatically — they cannot be retrieved even if never read.
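
The properties in this list can be modelled in a few lines. The following is an added example, not the service's own code: a hypothetical in-memory `OneTimeStore` that uses Python's `secrets.token_hex(32)` in place of `random_bytes()`, enforces the allowed TTL values, and makes the read-and-destroy step atomic so that concurrent requests cannot both receive the secret.

```python
import re
import secrets
import threading
import time

ALLOWED_TTLS = {3600, 21600, 86400, 259200, 604800, 2592000}  # from the TTL table
MAX_SECRET_CHARS = 50_000
TOKEN_RE = re.compile(r"[0-9a-f]{64}")  # 32 random bytes, hex-encoded (lowercase assumed)


class OneTimeStore:
    """Hypothetical in-memory stand-in for the server-side store."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable so expiry can be tested
        self._items = {}               # token -> (secret, expires_at)
        self._lock = threading.Lock()  # makes read-and-destroy atomic

    def put(self, secret, ttl=86400):
        if not secret or len(secret) > MAX_SECRET_CHARS:
            raise ValueError("secret is required, max 50000 chars")
        if ttl not in ALLOWED_TTLS:
            raise ValueError("ttl is not one of the allowed values")
        token = secrets.token_hex(32)  # CSPRNG; Python analogue of random_bytes(32)
        with self._lock:
            self._items[token] = (secret, self._clock() + ttl)
        return token

    def reveal(self, token):
        """Return (status, body) shaped like the GET endpoint's responses."""
        if not isinstance(token, str) or not TOKEN_RE.fullmatch(token):
            return 404, "Invalid secret token."
        with self._lock:
            # pop() removes the entry in the same critical section that reads
            # it, so two concurrent readers can never both get the secret.
            entry = self._items.pop(token, None)
        if entry is None or self._clock() >= entry[1]:
            # An expired entry was still popped above, so it is purged here.
            return 404, "Secret not found, already viewed, or expired."
        return 200, entry[0]
```

A store that reads the row and then marks it viewed in a separate step would allow two simultaneous GETs to both succeed; the single locked `pop()` is what closes that window.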