Single-use · Self-destructing · Zero-knowledge
One-time links.
Opens once, then gone.
Generate a link that works exactly once. The recipient opens it, reads the secret, and the link immediately stops working — permanently.
No account required to start.
What actually makes a link single-use
Most "expiring links" aren't truly single-use — they expire after a time window, or require manual revocation. A genuine one-time link self-destructs on first access, regardless of time. Here's how VoidNote enforces it:
// Link structure
https://voidnote.net/note/a1b2c3…#e5f6…
// a1b2c3… = tokenId → sent to server (lookup key only)
// e5f6… = secret → in URL fragment, never sent to server
// On first open:
server.delete(tokenId) // record gone — link is dead
browser.decrypt(ciphertext, secret) // content revealed locally
The server deletes the record atomically on the first fetch. A second request for the same tokenId returns 404. Because the decryption key only ever existed in the URL fragment — never on the server — there is nothing left to recover.
Where one-time links matter
Credential handoff
Onboard a new team member or contractor. Send database passwords, VPN credentials, and API keys via one-time links — no plaintext in email threads.
AI agent provisioning
Paste a one-time link into an AI coding agent's context. The agent fetches the secret once, uses it, and the link self-destructs. No keys in conversation history.
CI / CD secrets
Bootstrap a pipeline that doesn't yet have a secrets manager. Deliver the initial credentials via one-time link — read once by the runner, then gone.
Client credential delivery
Send access credentials to a client without them sitting in a support ticket or email chain indefinitely.
Recovery codes
Share 2FA backup codes with a trusted contact for safekeeping. One-time — once they've stored them, the link is dead.
Sensitive documents
Share a draft contract, salary figure, or personal information that should only be opened once. Link expires automatically.
Need more than one view?
You can set the view limit to any number (1–100). A five-view link works for a small team — each person gets one read. Once all views are consumed, the note permanently self-destructs. The 24-hour expiry applies regardless: unused views don't carry over.
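The first-fetch deletion and the view limit described above, sketched as an added example (not VoidNote's own code): an in-memory store that consumes views under a lock, so concurrent readers can never get more successful reads than the limit allows. The names `NoteStore`, `split_link` and `race` are hypothetical, and any token or secret values used with it are constructed.

```python
import threading
import time
from concurrent.futures import ThreadPoolExecutor
from urllib.parse import urlsplit

TTL_SECONDS = 24 * 3600  # the 24-hour maximum lifetime stated on the page


def split_link(url):
    """Return (request_path, token_id, secret); only request_path is sent."""
    parts = urlsplit(url)
    token_id = parts.path.rsplit("/", 1)[-1]
    return parts.path, token_id, parts.fragment  # fragment stays in the browser


class NoteStore:
    """Hypothetical stand-in for the server side: it only ever holds ciphertext."""

    def __init__(self):
        self._lock = threading.Lock()  # stands in for a database transaction
        self._notes = {}  # token_id -> [ciphertext, views_left, expires_at]

    def put(self, token_id, ciphertext, views=1, now=None):
        if not 1 <= views <= 100:
            raise ValueError("view limit must be 1-100")
        now = time.time() if now is None else now
        with self._lock:
            self._notes[token_id] = [ciphertext, views, now + TTL_SECONDS]

    def fetch(self, token_id, now=None):
        """Consume one view. Returns (200, ciphertext) or (404, None)."""
        now = time.time() if now is None else now
        with self._lock:  # lookup, decrement and delete happen as one step
            note = self._notes.get(token_id)
            if note is None:
                return 404, None
            if now >= note[2]:
                del self._notes[token_id]  # expired: unused views are dropped
                return 404, None
            note[1] -= 1
            if note[1] == 0:
                del self._notes[token_id]  # last view used: record is gone
            return 200, note[0]


def race(store, token_id, readers=20):
    """Fetch one token from many threads at once; return the status codes."""
    with ThreadPoolExecutor(max_workers=readers) as pool:
        return [code for code, _ in pool.map(store.fetch, [token_id] * readers)]
```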
Compared to other link-sharing tools
| Tool | Truly single-use | Client-side encryption | Auto-expires |
|---|---|---|---|
| Google Drive share link | No | No | Manual only |
| Dropbox / OneDrive link | No | No | Manual only |
| One-Time Secret | Yes (server-side) | No — server reads it | Yes |
| Privnote | Yes (server-side) | No — server reads it | Yes |
| VoidNote | Yes | Yes — AES-256-GCM | Yes — 24h max |
Questions
What happens if I send the link to the wrong person?
If you realise before they open it, there's no way to revoke the link — but it will self-destruct after 24 hours (or sooner, depending on your expiry setting). For sensitive secrets, add a second-factor password that you share via phone — the link alone is useless without it.
Can I tell if the link has been opened?
No. Once a note self-destructs, there's no record that it ever existed — by design. If your recipient says they haven't opened it but the link is dead, the link was either intercepted or opened by a link preview bot. Use the extra password option to guard against previews.
How is this different from One-Time Secret?
One-Time Secret stores your note in plaintext on their server and deletes the record after reading. The service can read every note before it's opened. VoidNote encrypts the note in your browser before it ever leaves your device — the server holds ciphertext it cannot decrypt. The difference is zero-knowledge encryption versus server-side deletion.
Can I create one-time links programmatically?
Yes — via the REST API, CLI, or any of the official SDKs (TypeScript, Python, Go, Rust, Zig, Java). Use the CLI to pipe secrets from scripts:
echo 'my-secret' | voidnote create --views 1 --quiet
Create your first one-time link
Takes 10 seconds. No account needed. Works once, then permanently gone.