Safe secret exchange
Safex is a security‑first secret sharing service that keeps sensitive data with zero server trust. It’s run for real on Koyeb, so you can try it right now. You can also run your own Docker image from GHCR, or build it yourself because the entire project is open source.
- Secrets are encrypted and decrypted locally in the browser with WebAssembly (WASM) before they ever touch the server, so backend compromises never expose cleartext data.
- The recipient must prove knowledge of the PIN via the OPAQUE protocol before any download, blocking offline brute-force attacks and network PIN transmission.
- Expiration policies and view limits ensure every shared secret has a defined lifetime and data will be destroyed automatically after reading or expiry.
- Secrets are encrypted and decrypted locally in the browser with WebAssembly (WASM).
- Secrets are stored encrypted on the server, which has no access to plaintext data.
- Safex does not receive PINs at any point, thanks to the OPAQUE protocol.
- No sensitive information is written to any logs.
- Messages are permanently deleted as soon as they are read or expire.
- An attacker needs both the unique link and the PIN to intercept a message.
- The code is open source and can be audited by anyone.
A full walkthrough is available on the Docs page.
Redis and S3 backends not tested yet!!!
- Create a new secret with text or file, set expiration and choose a PIN.
- Share the generated link and PIN with the recipient via separate channels.
- The recipient opens the link, enters the PIN, and retrieves the secret.
- Read/download/copy the secret before it self-destructs.
