Help & Documentation

Everything you need to know about OpenSherpa.

What is OpenSherpa?

OpenSherpa is a service for securely sharing passwords and other sensitive information — exactly once. You create a link, the recipient opens it and sees the secret one time only, then it is irrevocably deleted. This avoids sharing passwords via email, chat, or sticky notes.

Sharing a Password (Sender)

  1. Sign in — Create an account or log in.
  2. Create a new share — On the dashboard, enter a description (e.g. "AWS credentials") and the password, then click Create share link.
  3. Copy the link — The generated link contains the decryption key in the URL fragment (#…). Copy the full link including the # part.
  4. Send the link — Deliver it securely to the recipient, e.g. via an encrypted messenger.
  5. Track status — The dashboard shows whether the password has been retrieved and when.

Note: The link can only be used once. When the recipient opens the link and clicks Reveal secret, the password is permanently deleted. No further retrieval is possible.

Receiving a Password (Recipient)

  1. Open the link — Click the link you received. No account is needed.
  2. Check the description — The page shows the description of the shared secret (e.g. "AWS credentials").
  3. Confirm — Read the notice and click Reveal secret. The password is shown this one time only.
  4. Save the password — Copy it into your password manager immediately. Once you leave the page, it cannot be retrieved again.

Use Case: Sending Secrets via Email

Email is inherently insecure — messages are often stored indefinitely on mail servers, in sent folders, and in backups. Even if both sender and recipient delete the email, copies may persist for years. Never paste a password directly into an email body.

With OpenSherpa you can share credentials safely even when email is the only available channel:

  1. Create the share in OpenSherpa and copy the one-time link.
  2. Paste only the link into the email — not the password itself.
  3. Send the email as usual.
  4. The recipient clicks the link and sees the secret exactly once.
  5. After that reveal, the secret is irrevocably deleted — even if the email is forwarded, intercepted, or read from a backup years later, the link leads only to a "secret already retrieved" page.

Tip: Check the dashboard afterwards. If the share was opened, you know the recipient received the secret. If the link was never opened but the recipient claims they got the password, something is off — the secret was not retrieved through your link.

Anonymous Sharing (No Account Required)

You can create a one-time share without registering an account. Click Try anonymously on the home page or go directly to /anonymous.html.

Limitation: Anonymous shares cannot be tracked. Once you leave the page you have no way to check whether the recipient has opened the link. If you need delivery confirmation, create a free account.
  • The secret is encrypted entirely in your browser (AES-256-GCM) before being sent — the server never sees the plaintext.
  • No email address or account data is stored.
  • Anonymous share creation is limited to 50 links per hour per IP address to prevent abuse.
  • The share link is displayed only once — copy it before leaving the page.

How Encryption Works

OpenSherpa offers two encryption modes. The key difference: who can see the plaintext secret.

Mode                             | Where encrypted                 | Server sees plaintext?             | Use when
---------------------------------|---------------------------------|------------------------------------|--------------------------------------
Browser (dashboard & anonymous)  | In your browser — AES-256-GCM   | Never                              | Creating shares via the web interface
API / Automation                 | On the server — Fernet          | At reveal (decrypted server-side)  | Scripts, CI/CD pipelines, automation

Browser encryption — AES-256-GCM (zero-knowledge)

Used by the dashboard and the anonymous page. The secret is encrypted entirely inside your browser before any data leaves your machine. A random 256-bit key is generated locally, used to encrypt the secret, and embedded in the share link as a URL fragment (#…).

The server receives only the ciphertext — the key is never transmitted to or stored by the server. At reveal time, the recipient's browser reads the key from the fragment and decrypts the ciphertext locally. The server has no way to read the secret at any point.

API / Automation — Fernet (server-side encryption)

Used by the POST /api/shares/ REST endpoint. You send the plaintext secret to the server, which encrypts it using Fernet with a unique per-share key. The key is returned once in the share_url fragment and never stored in the database.

At reveal time, the browser sends the key in the POST body so the server can decrypt and return the secret. The server handles both encryption and decryption — this path is suitable for automated scripts and CI/CD pipelines where running browser-side crypto is not practical.

Recommendation: Always use the browser interface (dashboard or anonymous page) for the strongest privacy guarantee. Only use the API path (POST /api/shares/) when you need to create shares from scripts or pipelines where browser-side encryption is not available.

API Tokens (for Developers)

API tokens let you use OpenSherpa directly via the REST API without signing in through a browser. This is useful for scripts, CI/CD pipelines, and other integrations.

  1. Open the dashboard and scroll to the API tokens section.
  2. Enter a name (e.g. "GitHub Actions") and click Generate.
  3. Copy the token immediately — it is shown only once.
  4. Use the token as a Bearer token in the HTTP header: Authorization: Bearer osp_…

If you have more than 20 tokens or shares, the list is paginated — use the ← Previous / Next → controls at the bottom to browse pages.

curl -X POST https://your-server/api/shares/ \
  -H "Authorization: Bearer osp_YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"description":"DB password","secret":"secret123"}'

A complete API reference is available at /docs (Swagger UI).

Forgot Your Password?

  1. Click Forgot password? on the login page.
  2. Enter your email address and click Send reset link.
  3. Open the link received by email (or shown directly on the page if no mail server is configured).
  4. Enter your new password. The link is valid for 1 hour and can only be used once.

Security Notes

Key never reaches the server (browser encryption): For shares created in the dashboard or on the anonymous page, the decryption key lives only in the URL fragment (#…). Browsers never send the fragment to the server, so it does not appear in server logs. Shares created via the API are the exception: there the server receives the plaintext at creation and the key at reveal, as described under How Encryption Works.

One-time decryption: After retrieval, the ciphertext in the database is overwritten. The password is permanently gone.

No tracking: No tracking cookies or external analytics services are used.

Secure channel: The share link itself is the secret. Send it via a secure channel (e.g. encrypted messenger, not plain email).

HTTPS: Make sure your server is accessible via HTTPS so the URL (including the fragment) cannot be intercepted in transit.

Frequently Asked Questions

Can the server read the password?

No, for shares created in the browser (dashboard or anonymous page). The decryption key exists only in the URL fragment, which the browser never sends to the server, and the server stores only the encrypted ciphertext. Shares created through the API are different: the server encrypts the plaintext at creation, and at reveal time the browser sends the key in the POST body so the server can decrypt. That key is used only for the one-time decryption and is never persisted.

What happens if the recipient never opens the link?

Unopened shares are automatically deleted after the configured expiry period (default: 30 days). You can also set a custom expiry when creating a share, or delete any share manually from the dashboard at any time.

Can a share be opened more than once?

No. The link can only be used once to reveal the secret. Afterwards the page shows that the secret has already been retrieved.

What is the difference between a regular share and an anonymous share?

Both use the same client-side AES-256-GCM encryption and are deleted after one reveal. The difference is tracking: a regular share (requires login) appears in your dashboard so you can see if and when it was opened. An anonymous share has no owner — once you leave the page the link is gone and there is no way to check its status.

How do I delete my account?

Open the dashboard and scroll to the Danger zone section. Click Delete my account, confirm with your current password, and your account along with all shares and API tokens will be permanently deleted immediately.