create note
paste a full shared URL here to open it with this copy, even if you run the frontend locally.
by sending you accept our
type whatever you want to share — a password, a private link, a secret note. no account, no sign-up.
your browser scrambles the text locally and gives you a unique link to copy. the server never sees your original message, and it never receives the secret part after #.
send the full link however you like — chat, email, SMS. without everything after #, nobody can decrypt it. the privacy promise is the same basic idea as secure messengers like Signal: only the device with the key can unlock the message.
the moment they open it, the note is deleted from the server forever. it can never be read a second time — not even by us.
browser-side encryption via the native WebCrypto API. every note gets a fresh 256-bit AES key. that is a 256-bit classical key space and roughly a 128-bit brute-force margin even against known quantum search attacks. authenticated encryption prevents tampering.
the decryption key lives in the URL #fragment — browsers never include the fragment in HTTP requests. the server receives only the encrypted blob and a note ID, so it is technically incapable of reading the plaintext. this is the same end-to-end idea Signal uses, although this app is a one-time-link design rather than a chat protocol.
the secret or “password” part after # is a random 256-bit key. the shared URL also carries a separate 128-bit note ID in ?p=. together the full URL contains 384 bits of identifiers, but only the 256-bit fragment is confidential and required for decryption.
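The key-in-fragment design described above, as an added example (not SecNote's own code). The function names, hex encoding, IV-prefixed blob layout and client-generated note ID are assumptions made for illustration.

```javascript
// Added illustration: URL layout, hex encoding and the IV-prefixed blob are assumptions.
const hex = (u8) => Array.from(u8, (b) => b.toString(16).padStart(2, '0')).join('');
const unhex = (s) => Uint8Array.from(s.match(/../g), (p) => parseInt(p, 16));
// Browsers and current Node expose WebCrypto globally; older Node needs the import.
const wc = async () => globalThis.crypto ?? (await import('node:crypto')).webcrypto;

// Encrypt locally; return the link to share and the blob that would be uploaded.
async function createNote(plaintext, frontendUrl) {
  const c = await wc();
  const key = await c.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt']);
  const iv = c.getRandomValues(new Uint8Array(12)); // fresh 96-bit GCM nonce
  const ct = await c.subtle.encrypt({ name: 'AES-GCM', iv }, key,
    new TextEncoder().encode(plaintext));
  const rawKey = new Uint8Array(await c.subtle.exportKey('raw', key));
  const url = new URL(frontendUrl);
  url.searchParams.set('p', hex(c.getRandomValues(new Uint8Array(16)))); // 128-bit note ID
  url.hash = hex(rawKey); // 256-bit key, carried in the fragment only
  return { link: url.href, blob: hex(iv) + hex(new Uint8Array(ct)) };
}

// The part of the link an HTTP request can carry: everything except the fragment.
function serverVisible(link) {
  const u = new URL(link);
  return u.origin + u.pathname + u.search;
}

// Decrypt with the key from the fragment; GCM rejects a modified blob.
async function openNote(link, blob) {
  const c = await wc();
  const rawKey = unhex(new URL(link).hash.slice(1));
  const key = await c.subtle.importKey('raw', rawKey, 'AES-GCM', false, ['decrypt']);
  const data = unhex(blob);
  const pt = await c.subtle.decrypt({ name: 'AES-GCM', iv: data.slice(0, 12) },
    key, data.slice(12));
  return new TextDecoder().decode(pt);
}
```

Anything that records the full link (chat history, a pasted log line, a link-preview bot that opens it) holds the key, so the fragment is only as private as the channel used to send it.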
blobs are stored in process memory. no database writes, no disk persistence. a server restart silently drops all notes, by design.
each create request requires a SHA-256 proof-of-work computed in the browser. the target difficulty is set by the server and prevents bulk note creation without increasing latency for honest users.
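A hashcash-style sketch of such a proof-of-work, added here as an example and not taken from SecNote. The page does not give the real challenge format, so the `challenge:nonce` input and the leading-zero-bits target are assumptions.

```javascript
// Added illustration: challenge format and difficulty encoding are assumptions.
const wc = async () => globalThis.crypto ?? (await import('node:crypto')).webcrypto;

// Count leading zero bits of a digest (Uint8Array).
function leadingZeroBits(digest) {
  let bits = 0;
  for (const byte of digest) {
    if (byte === 0) { bits += 8; continue; }
    return bits + Math.clz32(byte) - 24; // clz32 counts in 32 bits; a byte uses the low 8
  }
  return bits;
}

async function powHash(challenge, nonce) {
  const c = await wc();
  const data = new TextEncoder().encode(`${challenge}:${nonce}`);
  return new Uint8Array(await c.subtle.digest('SHA-256', data));
}

// Client side: expected work is about 2^bits hashes.
async function solve(challenge, bits) {
  for (let nonce = 0; ; nonce++) {
    if (leadingZeroBits(await powHash(challenge, nonce)) >= bits) return nonce;
  }
}

// Server side: a single hash, regardless of difficulty.
async function verify(challenge, nonce, bits) {
  if (!Number.isSafeInteger(nonce) || nonce < 0) return false;
  return leadingZeroBits(await powHash(challenge, nonce)) >= bits;
}
```

For the gate to limit bulk creation, the server also has to issue the challenge itself and accept each one only once; otherwise a single solved nonce can be replayed.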
the server atomically fetches and removes the blob in a single operation — no TOCTOU window. a 404 on fetch is authoritative proof the note is gone.
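Why the single-operation read matters, shown as an added example rather than SecNote's server code. It assumes a single-threaded event-loop server with an in-memory `Map`; the class names are hypothetical. On a multi-threaded server the equivalent is a remove-and-return done under one lock.

```javascript
// Added illustration: store classes and the simulated I/O gap are assumptions.
const tick = () => new Promise((resolve) => setTimeout(resolve, 0));

// Racy: fetch, then yield (logging, metrics, any await), then remove.
class RacyStore {
  constructor() { this.notes = new Map(); }
  put(id, blob) { this.notes.set(id, blob); }
  async read(id) {
    const blob = this.notes.get(id);      // time of check
    if (blob === undefined) return null;
    await tick();                         // window: a second request can still fetch
    this.notes.delete(id);                // time of use
    return blob;
  }
}

// Atomic: fetch and remove with no yield point between them.
class OneTimeStore {
  constructor() { this.notes = new Map(); }
  put(id, blob) { this.notes.set(id, blob); }
  take(id) {
    const blob = this.notes.get(id);
    if (blob === undefined) return null;  // maps to the authoritative 404
    this.notes.delete(id);
    return blob;
  }
  async read(id) {
    const blob = this.take(id);           // the note is gone before any await
    await tick();
    return blob;
  }
}

// Fire n simultaneous reads and count how many received the blob.
async function concurrentReads(store, id, n) {
  const results = await Promise.all(Array.from({ length: n }, () => store.read(id)));
  return results.filter((r) => r !== null).length;
}
```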
the frontend is a single static HTML file. if you host it on the same domain as the backend, it uses that API automatically. use ?api=https://your-host only for a local copy or a separate frontend host.
download the frontend zip and open it in any browser.
point it at your own server with ?api=https://your-host.
the encryption key never leaves your device.
reading this note will permanently destroy it.
it can only be read once. as soon as you open it, the server deletes it immediately and it cannot be recovered.
this note has been destroyed on the server. it lives only on this page until you close it.
this note was already read and destroyed. each note can only be opened once — after that it's gone from the server forever.
where notes are stored. use your own self-hosted instance, or the public one.
this page works fully offline — open the .html locally and point it at any compatible server.
Last updated: May 2026 · Effective immediately upon use
These Terms of Service and Privacy Policy ("Agreement") govern your access to and use of SecNote ("Service"), a web application hosted at https://notes.pwn-all.com/ and operated by pwn-all.net ("Operator", "we", "us", "our"). By using the Service you agree to this Agreement in full. If you do not agree, do not use the Service.
By accessing or using the Service in any way — including browsing the site, creating a note, or reading a note via a shared link — you confirm that you are at least 16 years old (or the applicable age of digital consent in your jurisdiction), that you have read and understood this Agreement, and that you agree to be bound by it.
SecNote provides a zero-knowledge, end-to-end encrypted, one-time message relay hosted at https://notes.pwn-all.com/. Notes are encrypted client-side in your browser using AES-256-GCM before being transmitted. The decryption key exists only in the URL fragment (#) and is never sent to our servers. Notes are stored exclusively in server RAM and are permanently deleted after the first read or when the TTL expires. The Service is provided free of charge with no guarantee of uptime or availability.
The Service additionally supports cross-instance retrieval: the frontend may be used to retrieve and decrypt notes whose encrypted ciphertext is stored on a third-party SecNote-compatible server (any server other than notes.pwn-all.com). In such cases, your browser connects to that server to create or retrieve the note, and its availability, retention behavior, and configuration depend on that server's operator.
You control the content you create, transmit, receive, or share through the Service. The Operator cannot read, monitor, or moderate note content because of the zero-knowledge architecture. By using the Service, you confirm that:
Because notes are encrypted end-to-end and unreadable to the Operator, the Service does not perform content review or moderation.
You agree not to use the Service for any of the following:
The Operator reserves the right to block access from IPs or networks engaged in prohibited use, and to cooperate with law enforcement as required by applicable law.
The Service is provided free of charge and may be unavailable or interrupted from time to time. Notes are stored only in RAM and may be permanently lost on server restart, crash, or network failure without prior notice. Do not use this Service as your only copy of important information.
When you connect the frontend to a third-party SecNote-compatible server, note creation and retrieval occur between your browser and that server. The privacy practices, retention settings, availability, and security posture of that server depend on its operator and deployment. Review the instance you choose before using it for sensitive information.
The Operator may apply rate limits, temporary blocks, or other technical measures to protect the Service from spam, automated abuse, or other prohibited use. Where required by applicable law, we may also respond to lawful requests from public authorities.
The Operator reserves the right to modify, suspend, or discontinue the Service (or any part thereof) at any time, with or without notice. We may update this Agreement at any time. Continued use of the Service after any change constitutes your acceptance of the new terms. We encourage you to review this page periodically.
This Agreement shall be governed by and construed in accordance with applicable law. Any dispute arising under this Agreement shall be resolved exclusively through binding arbitration or in the competent courts of the Operator's jurisdiction. If any provision of this Agreement is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect.
This Agreement constitutes the entire agreement between you and the Operator with respect to the Service and supersedes all prior agreements, representations, and understandings.
All notes are encrypted client-side with AES-256-GCM using the browser's native WebCrypto API before any data is sent to our servers. The encryption key is generated locally and exists only in the URL #fragment — browsers never include the fragment in HTTP requests, so the key is never transmitted to the server. The server stores only: an opaque note ID, the encrypted ciphertext, and a creation timestamp. We are technically incapable of reading note content.
We are committed to minimal data collection:
If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, you have the following rights under the General Data Protection Regulation (GDPR) and equivalent legislation:
Our legal basis for processing server access logs is legitimate interest (security, abuse prevention). Because note content is zero-knowledge encrypted, we cannot access or process it — there is no personal data in note content from our perspective. To exercise your rights, contact us at the address below.
Notes are held in RAM only and are permanently deleted upon first read or TTL expiry, whichever comes first. A server restart deletes all notes immediately. Server access logs are retained for up to 7 days. Anti-spam hashes are transient and never persisted. We do not retain any other personal data.
The default public instance is hosted at https://notes.pwn-all.com/ and operated by pwn-all.net. No third-party analytics, advertising, or social tracking services are used on this instance. The Service is open-source and self-hostable. If you operate your own instance, publish a privacy notice that matches your deployment.
When you configure the frontend to connect to a third-party API endpoint (via the settings panel or ?api= URL parameter), all data exchange for note creation and retrieval occurs directly between your browser and that third-party server. The Operator does not proxy, log, or have visibility into those requests through the default public instance.
The Service is not directed at children under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect information from children. If you believe a child has used the Service in violation of this policy, please contact us.
For any questions, concerns, legal requests (including GDPR data subject requests), abuse reports, or security disclosures regarding this Service, please contact:
SecNote / pwn-all.net
Email: legal@pwn-all.net
We aim to respond to all legitimate inquiries within 30 days.