PrivNote
Send a one-time secret message that self-destructs the moment it is read. End-to-end encrypted in your browser — the key never reaches our server.
End-to-End Encryption
Your message is encrypted in your browser with AES-256-GCM before being sent to the server. The decryption key is stored only in the link fragment (#key) — it's never transmitted to or stored on our server. Even we cannot read your message.
How PrivNote Works
End-to-end encryption in three simple steps.
Write Your Secret
Type or paste your message. It is encrypted in your browser using AES-256-GCM before anything is sent.
Get a One-Time Link
A unique link is generated. The decryption key is embedded in the URL fragment — it never reaches our server.
Share & Self-Destruct
Send the link to the recipient. When they open it and reveal the message, the note is permanently deleted from our database.
How the Encryption Works
When you write a message and click "Create Note", your browser generates a cryptographically random 256-bit AES-GCM key and encrypts the message locally. Only the encrypted ciphertext is sent to our server — which stores it temporarily linked to a unique ID.
The decryption key is embedded in the URL fragment — the part of the URL after the # symbol (e.g., toolsnest.io/privnote/abc123#key). By HTTP specification, URL fragments are never sent to the server — they exist only in the browser. This is the zero-knowledge architecture: our server stores only the ciphertext, and only someone with the full URL can decrypt it.
When the recipient opens the link and clicks "Reveal Message", the note is deleted from our database first, then the browser decrypts the ciphertext using the key from the URL fragment. The decrypted message is displayed and then gone — from our servers and from the URL.
AES-256
Encryption standard
0
Times the key touches our server
1×
Reads before permanent deletion
Frequently Asked Questions
Everything about PrivNote's security model and how to use it.
How does PrivNote keep my message secure?
AES-256-GCM encryption happens in your browser. The key is in the URL fragment (after #) which is never sent to our server. Only someone with the complete link can decrypt the message.
What does 'self-destructing' mean?
When the recipient clicks 'Reveal Message', the note is permanently deleted from our database before decryption happens. The next person to visit the link sees 'Note not found'.
Can I see my message after sending it?
No. Once you close the page, the plaintext is gone. Save a copy before creating the PrivNote if you need a record.
What if someone intercepts the link?
If they open it first, the message is revealed and destroyed. The intended recipient will see 'Note not found'. Share the link through a secure channel for sensitive communications.
How is PrivNote different from Signal or WhatsApp?
Signal/WhatsApp store message history on devices. PrivNote is truly one-time — unrecoverable from any device or server after reading. Also useful when the recipient doesn't have a specific app.
Is there a character limit?
Messages up to several thousand characters are supported. For very long documents, use a secure file-sharing service instead.