SharePwd

API Documentation

Base URL

https://sharepwd.io/v1

Authentication

All endpoints are public and do not require authentication. Rate limited to 30 requests/minute per IP.

Endpoints

POST /v1/secrets

Create a new encrypted secret.

Request Body

{
  "encrypted_data": "base64_ciphertext",
  "iv": "base64_iv",
  "salt": "base64_salt_or_null",
  "max_views": 3,
  "expires_in": "24h",
  "burn_after_read": false,
  "content_type": "text"
}

Response (201)

{
  "access_token": "abc123...",
  "creator_token": "def456...",
  "expires_at": "2025-01-01T00:00:00Z"
}

GET /v1/secrets/:token

Get secret metadata (without decrypted content). Returns a challenge nonce for reveal.

POST /v1/secrets/:token/reveal

Reveal the encrypted secret. Consumes a view. Requires a valid challenge nonce.

Request Body

{
  "challenge_nonce": "nonce_from_metadata"
}

DELETE /v1/secrets/:token

Delete a secret. Requires the creator token.

Request Body

{
  "creator_token": "your_creator_token"
}

GET /v1/health

Health check endpoint.

Rate Limits

All endpoints are rate limited to 30 requests per minute per IP address.

When the limit is exceeded, the API returns 429 Too Many Requests.

Encryption

SharePwd uses zero-knowledge encryption. The server never sees your plaintext data.

  • Algorithm: AES-256-GCM (256-bit key, 96-bit IV, 128-bit auth tag)
  • Key derivation (passphrase): PBKDF2 with SHA-256, 600,000 iterations
  • Without passphrase: random key embedded in URL fragment (#)
  • The URL fragment is never sent to the server (per HTTP spec)