Frequently Asked Questions


Imagine you want to send someone a password over messenger. Years later someone could go back in your message history and reveal the password! But if you put it in a secret note and send the link, it will not be recoverable.

Imagine you want to send something private to your friend, but he has the feeling that his parents/girlfriend/boss occasionally read his mails (which they of course disclaim). If you put your messages in a secret note, the intruder cannot use the link and read the message without revealing that he's sniffing. If your friend wants uses the secret link and it has already been invalidated, it's obvious that it was sniffed.

Do I know when the note has been read?

After creating a note you'll get an admin link. With this link you can check if your note has been read. Optionally, you can receive a read notification via Telegram from our SecretNote Bot.

How are notes protected?

Your notes are protected using state-of-the-art end-to-end encryption (AES-GCM-128 with authentication). The communication to the server is again encrypted using TLS. Your encryption keys are never send over network.

Why is Javascript required?

Without scripting it is not possible to keep your message secret, because someone else would have to carry out encryption for you. Your note should be secret to you and the recipient, right? Your note is secret as long as only you and your recipient have its encryption key. And here we need Javascript: Browser-side scripting is the only way to keep the encryption key in your browser - without scripting, the server would have to carry out encryption (and therefore need the encryption key). But if the server would get the encryption key, he could (in theory) decrypt and read your secret note, and you wouldn't even notice. But with javascript, your note is safe even from rogue servers, because your encryption key is never sent.

How is the encryption key transmitted to the recipient?

The key is encoded in the fragment part of your secret url. This part of the url is kept local to your browser and never transmitted over network.

Can I check if the javascript is trustworthy?

The source code of this service is available on Github (, anyone can read and check it. To ensure this service uses unaltered javascript code, you can check the integrity hashes of the three javascript files. You find the hashes of this service when viewing the source code of this page. You find the hashes of the open source code when inspecting the current release. These releases are built by Github Actions, so not even the service operators could interfere with the build process.

Are there alternative clients?

We provide a command line client to store and retrieve messages. It can be downloaded from our Github Repository.