Oncebin is a secure pastebin where secrets self-destruct after one view. Share passwords, API keys, and other sensitive data through one-time-secret links that never reach our servers unencrypted.
- End-to-end encrypted — content is encrypted in the browser using AES-256-GCM before being sent to the server. The encryption key lives in the URL fragment (
#key) which is never transmitted to the server. - One-time viewing — each paste can only be read once. After viewing, the encrypted content is permanently burned.
- Zero knowledge — the server never sees plaintext content. Even if the database is compromised, the data is useless without the encryption key.
- Auto-expiry — all secrets are deleted after 30 days.
- You paste a secret and click "Create Secret Link"
- Your browser encrypts the content with a random AES-256-GCM key
- Only the encrypted blob is sent to the server — the key stays in the URL fragment (
#...) - The recipient clicks "Reveal Secret" which fetches and atomically burns the paste
- Their browser decrypts the content using the key from the URL fragment
- The paste is permanently destroyed on the server — subsequent attempts get a 410 Gone
- Your recent secrets are tracked in localStorage so you can see if they've been read or are still pending.
- Hono — web framework with JSX/TSX server-side rendering
- HTMX — declarative interactivity (status polling, fragments)
- Tailwind CSS v4 — utility-first styling
- Cloudflare Workers — serverless runtime
- Cloudflare D1 — SQLite database
- Web Crypto API — client-side AES-256-GCM encryption
- Node.js 18+
- Cloudflare account (free tier)
npm installnpx wrangler d1 create oncebin-dbCopy the database_id from the output into wrangler.jsonc.
# Start the worker dev server
make dev
# Start Tailwind CSS watcher (in a separate terminal)
make cssRuns local tests, builds CSS, migrates the database, and deploys to Workers:
make deploymake test # run tests against production
make test-local # run tests against local dev server
make migrate-local # apply D1 migrations locally
make migrate-prod # apply D1 migrations to production
make css-build # one-off Tailwind build (minified)
bin/stats # query D1 for usage statscurl -sO https://oncebin.com/oncebin.sh && chmod +x oncebin.sh
echo "my secret" | ./oncebin.sh # create a secret
./oncebin.sh get <url> # retrieve a secretSee SKILL.md for the full API documentation.
| Limit | Value |
|---|---|
| Max paste size | 50 KB |
| Secret expiry | 30 days |