Send secret messages
Send a message that disappears after reading.
Cinderpass lets you send sensitive information as an encrypted, self-destructing message. The content is encrypted in your browser before it is stored. The recipient opens the link once, reads the message, and it is gone — permanently and irreversibly.
Send a secret message — no account needed →Messages are encrypted with AES-256-GCM in your browser. The server stores only ciphertext. Without the decryption key — which never leaves your browser — the message is unreadable to anyone, including us.
The message is permanently destroyed the moment the recipient opens it. There is no second read, no copy in sent items, no trace in any inbox.
Send a secret message in seconds without creating an account. Nothing is tied to your email address or identity.
Add a passphrase so only the intended recipient can decrypt the message. Send the link one way and the passphrase another — even if the link is intercepted, the message cannot be read.
Need someone to send you something sensitive? Create a secure request page and share the link. They submit through an encrypted form — no message content passes through email or chat.
Set the message to expire after 1 hour, 24 hours, or 7 days if it is not opened. Expired messages are permanently inaccessible.
Common questions
How is this different from sending a message over Signal or WhatsApp?
Signal and WhatsApp protect messages in transit but both parties retain copies. Cinderpass is for one-time delivery — the message exists exactly once. The moment the recipient reads it, it is destroyed server-side and cannot be recovered by either party.
Can the recipient save or screenshot the message?
Yes — once decrypted, the content is visible in the recipient's browser and they can copy or screenshot it. Cinderpass controls what the server stores, not what happens in someone's browser or device. For highly sensitive content, use a passphrase and communicate out of band.
Is the message truly gone after reading?
The server permanently marks the record as destroyed and the decryption key was never stored, so the ciphertext is unreadable. There is no mechanism to recover the plaintext after the link is opened.
What if the recipient never opens the message?
The message expires after the TTL you selected (1 hour, 24 hours, or 7 days) and is permanently inaccessible after that.
Can I send a message to multiple people?
No — each link burns on first open. If you need multiple people to read the same content, create a separate link for each recipient.
Is there a character limit?
Messages are capped at 48 KB of plaintext — roughly 48,000 characters. This is sufficient for any note, token, key, or block of text.
Ready to stop sharing passwords over Slack?
Send a secret message — no account needed →