Projects → PrivPaste

Privacy Tool

PrivPaste

Zero accounts, zero knowledge, zero compromise.

Privacy

Zero knowledge by design

Your content is encrypted before it leaves your browser. We can't read it. No one can.

AES-256-GCM Encryption

Every paste is encrypted in-browser using the Web Crypto API (AES-256-GCM) before any data leaves your device. The server receives only ciphertext — it is mathematically impossible to read your content.

Key Lives in the URL

The encryption key is embedded exclusively in the URL fragment (#key=…). URL fragments are never sent to the server by browsers — not in requests, not in logs. Your key is yours alone.

No Accounts Required

PrivPaste is fully anonymous. No sign-up, no email, no cookies, no fingerprinting. Create a paste and share the link — that is the entire flow.

Burn After Read

Pastes can be set to self-destruct on first view or after a configurable TTL. Once the server deletes the ciphertext, recovery is impossible — not even for us. Auto-cleanup runs server-side on a scheduled basis.

Browser [plaintext paste] ↓ Web Crypto API [ciphertext] key never included Server stores ciphertext POST URL: /p/{id} #key=abc123 ↑ fragment — never sent to server

Privacy Model

How your key stays private

When you create a paste, PrivPaste generates a random 256-bit AES key entirely in your browser. The paste content is encrypted with that key before any network request is made.

The encrypted ciphertext is sent to the server. The key is never included.

The key is appended to the share URL as a fragment identifier (#key=…). Browsers intentionally omit URL fragments from HTTP requests — it is a browser standard, not a PrivPaste promise. Even if the server were compromised, an attacker would only obtain ciphertext.

When a recipient opens the link, their browser extracts the key from the fragment, fetches the ciphertext, and decrypts it locally — entirely in their browser.

Technology

Built for speed and privacy

A minimal, opinionated stack chosen for performance, simplicity, and security.

Svelte 5

Paste creation UI built with Svelte 5 runes — live character count, syntax highlighting, expiry picker, and one-click copy of the share URL. Compiles to vanilla JS with zero runtime overhead.

Go

Backend API in Go with JWT authentication, composable middleware, and per-IP rate limiting. Handles paste storage, retrieval, and scheduled burn-after-read cleanup with sub-millisecond latency.

SQLite

Single-file database encrypted at rest with SQLCipher. Automated backup scripts ship with the project — point-in-time recovery on any Linux host.

Caddy + Deploy

Reverse proxy with automatic HTTPS via Let's Encrypt. Deployment documentation included: Caddy config, systemd unit, and backup schedule — production-ready in one afternoon.

Privacy + Payments

Connect. Pay. Done.

PrivPaste is free for basic use. To unlock longer retention, larger paste sizes, and custom expiry windows, connect your EVM wallet and send a USDC microtransaction on Base L2. The frontend detects confirmation on-chain and activates your premium session instantly — no account required, no email, no billing dashboard.

  • Connect any EVM wallet — MetaMask, Coinbase Wallet, or any WalletConnect-compatible app
  • Pay with USDC on Base L2 — gas fees under $0.01
  • Instant activation: on-chain confirmation unlocks premium features automatically
  • No wallet-to-account linkage, no credit card, no KYC — pseudonymous by design

Your pastes. Your key. Always.

PrivPaste is built for people who take privacy seriously. Try it — no sign-up required.

Open PrivPaste Get in touch