A plain-language guide to the zero-knowledge model behind zipz.space — how a secret is encrypted in your browser, why our servers can never read it, and how each message self-destructs after it's read.
You write a secret. Your browser seals it with a fresh AES-256 key before anything leaves the page, and hands you a one-time link. Share the link. The recipient opens it and the message decrypts on their device. After a set number of reads, the payload is destroyed for good.
The key lives only in the part of the link after the # — the #fragment. Browsers never send the fragment over the network. So the key never reaches our server, our logs, or our database. We store only opaque ciphertext, which is useless without the key. We can'tread your message — not won't, can't.
You choose how many times a drop can be opened (1–5) and when it expires (10 minutes to 7 days). Each open spends one read. A read is spent only when the recipient explicitly clicks Reveal— never on page load — so link previews in Slack or iMessage can't burn it. The final read deletes the ciphertext permanently.
The link is the key. Anyone who sees the whole link can read the message once. Send it over a channel only your recipient controls, and let it self-destruct.
Your plaintext. Your key. We never log request bodies or links. The Referrer-Policy is no-referrer, so the fragment can't leak that way either.
Yes. Your secret is encrypted in your browser with AES-256-GCM before anything is sent. The decryption key lives only in the link's #fragment, which browsers never transmit to a server — so we only ever receive and store ciphertext we can't read.
No — we can't, not just won't. The key never reaches our servers, logs, or database; only opaque ciphertext does, and it's useless without the key. If at any point we could decrypt your message, the design would be broken.
You choose how many times it can be opened (1 to 5) and when it expires (10 minutes to 7 days). Each open spends one read. After the final read the ciphertext is destroyed for good, and expired secrets are swept automatically.
No. A read is only spent when the recipient explicitly clicks Reveal — never on page load — so link unfurlers and previews can't consume it.
No. zipz.space is free and requires no sign-up, no app, and no personal details.
Receipts tell the sender when a secret was opened and how many of N reads remain — never who opened it, and never the contents. The server records timing only, not identity or plaintext.
AES-256-GCM via the browser's built-in WebCrypto, with a random 256-bit key and a fresh 96-bit IV per message. The GCM authentication tag detects any tampering with the link or ciphertext.