Ownware

Secreta

Self-hosted, zero-knowledge one-time secret links — your server can't read what it stores.

Secreta preview banner

The problem it solves

Every team shares secrets: a database password, a Stripe key, a server login. It ends up pasted into Slack, email, or a ticket — where it sits forever, searchable, in a dozen inboxes and backups. The quick share becomes a permanent liability.

Hosted one-time secret tools help, but most still put your plaintext on somebody else's server and ask you to trust them. For credentials, that trust is the whole problem.

What you get

Browser-side encryption

AES-256-GCM encryption happens in the browser with a key generated locally that never reaches the server.

Burn after reading

Destroy a secret after one view, or set a custom view limit.

Configurable expiry

Expire links anywhere from 1 hour to 30 days, or never.

Optional passphrase

Add a second factor (PBKDF2-SHA-256, 150k iterations) the recipient must also know.

Team accounts and audit log

Require sign-in to create secrets, then review who made and viewed what — metadata only, never contents.

Self-hosted, one-time purchase

Runs on PHP 8+ with MySQL or SQLite on standard shared hosting, with no subscription or per-secret fees.

Pricing — one-time, yours forever

single license
$39.00
Version 1.0.0 · instant download · license key included
Available soon

Available soon — get notified

Checkout isn't open yet. Leave your email and we'll send one note the moment Secreta can be purchased — nothing else.

Screenshots

Honest limitations

  • Text secrets only — no file sharing
  • HTTPS is required in production (browser Web Crypto needs a secure context)
  • One admin account at install; more team members are added directly in the database
  • Opening a link spends a view even if a passphrase attempt is wrong (the server can't tell whether decryption succeeded — recipients are warned before revealing)
  • A lost passphrase cannot be recovered

Two-minute web installer; PHP 8+ with pdo and openssl, MySQL or SQLite, standard shared-hosting compatible; HTTPS required in production.

Frequently asked questions

Is zero-knowledge just a marketing word here?

No — the random encryption key is generated in the browser and placed in the URL fragment after the #, which browsers never send in HTTP requests. The server receives only ciphertext and an IV, so it has no key to decrypt with.

What does the server actually store?

Ciphertext (encrypted a second time at rest), an IV, and metadata: expiry, view count, a passphrase-protected flag, and a salted one-way hash of the creator's IP. Never plaintext, never the key, never a passphrase.

Do I need HTTPS?

Yes — HTTPS is required in production because browser Web Crypto needs a secure context.

Can I share files instead of text?

No — Secreta shares text secrets such as passwords, keys, and notes; it does not share files.

Can a lost passphrase be recovered?

No — and that's the point. Once a secret is viewed or expired, it's destroyed, and the server never had the key. Create a new one.

See it running before you buy

The live demo is being prepared — check back shortly.

Demo — coming soon

More from this store

Ownware Business tools you own.
Catalog · Your purchases Powered by Deliora (self-hosted)