One-Time Secret

One-Time Secret: Share Sensitive Information with Limited Access

A one-time secret is a practical way to transfer sensitive information without leaving the readable value inside a permanent message. It is designed for information that the recipient needs briefly—such as a password, PIN, recovery code, private note or access token.

CyberRiskEvaluator combines encrypted storage, a protected access token, a separate decryption passkey and browser-side decryption. Limited access and expiration reduce unnecessary persistence while the underlying encryption protects the content itself.

Create a temporary encrypted secret

Use a limited-access link for information that should not remain permanently visible in email or chat.

Create a Secure Secret

What makes a secret “one-time”?

The defining idea is limited retrieval. A normal message can be reopened indefinitely; a one-time or tightly limited secret is intended to become unavailable after the permitted access or after a short expiration period.

Technical implementations differ. Some systems destroy the record immediately after the first successful retrieval. Others invalidate the link after access, after a fixed time or after both conditions. The security objective is the same: reduce the period during which the secret can be obtained.

Best uses for a one-time secret

  • Initial passwords that the recipient must change after login.
  • Account recovery codes and emergency access values.
  • Temporary PINs, door codes or support credentials.
  • API tokens created for a single onboarding task.
  • Confidential notes that should not remain in a ticket or chat history.

A one-time secret is less suitable for information that several recipients must repeatedly retrieve. In that case, use an approved vault with access control, audit logs and credential lifecycle management.

One-time access and encryption solve different problems

One-time access controls availability; encryption protects confidentiality. A record that is deleted after opening can still be exposed if it was stored or transmitted in plaintext before deletion.

CyberRiskEvaluator encrypts the secret with AES-256-GCM. The encryption key is derived from the passkey using PBKDF2-HMAC-SHA-256 and a random salt. The recipient enters the passkey in the browser, which performs the decryption locally.

This layered model protects the content before access and limits access afterward.

How to send a one-time secret safely

  1. Confirm that the information is appropriate for temporary sharing.
  2. Use a strong passkey that is not reused elsewhere.
  3. Select the shortest practical validity period.
  4. Send the encrypted link through the normal business channel.
  5. Communicate the passkey separately.
  6. Tell the recipient that access may be limited and should be completed promptly.
  7. Rotate or revoke the underlying credential when the task is finished.

Common mistakes that weaken one-time secrets

Sending the passkey in the same email as the link defeats the separation of channels. Choosing a weak passkey makes encrypted records more vulnerable to guessing. Setting an unnecessarily long expiration recreates the persistence problem the one-time link was meant to reduce.

Another mistake is treating link destruction as proof that the recipient did not copy the value. Once revealed on an endpoint, the recipient can copy, photograph or store it. Use one-time secrets only with authorized recipients and apply least privilege to the underlying credential.

One-time secret versus password manager

A password manager or enterprise vault stores and governs credentials over time. A one-time secret transfers a value from sender to recipient. The two controls complement each other: transfer the initial credential securely, then store it in the approved vault.

For high-risk accounts, combine the transfer with multifactor authentication, forced password change, short-lived privileges and monitoring of the first login.

Frequently Asked Questions

Can a one-time secret be opened more than once?

That depends on the implementation and policy. The safest model invalidates access after the permitted retrieval or when the expiration time is reached.

Is a one-time link automatically encrypted?

No. Limited access and encryption are separate controls. A secure implementation should encrypt the content before storage and transport it only over HTTPS.

What should I share through a one-time secret?

Passwords, recovery codes, temporary tokens, PINs and confidential text are common examples, provided the recipient is authorized.

How long should a one-time secret remain valid?

Use the shortest period that fits the business process. A few hours is often preferable to several days for urgent credential transfer.

Can the recipient copy the secret?

Yes. One-time access limits retrieval from the service, but it cannot prevent an authorized recipient from copying information after decryption.

Use Secure Secret Share

Protect passwords, files and confidential text with encrypted links, a separate passkey and browser-side decryption.

Start Secure Sharing

Related Secure Sharing Guides

Content reviewed on 14 July 2026. Security requirements should be adapted to your organization’s risk, policy and regulatory obligations.