Skip to main content
Secret Sharing lets you send sensitive information—like API keys, passwords, or credentials—to another person through a one-time-use encrypted link. Once the recipient opens the link and views the secret, it is permanently deleted. No one, including you, can view it again.
Secret Sharing is a Tools feature. Tools features are experimental and may change or be removed in future releases.

How to share a secret

1

Open Secret Sharing

Navigate to Tools > Secrets Sharing in the platform navigation.
2

Enter your secret

Type or paste your secret into the input field.
3

Share the secret

Click Share. A unique retrieval URL is automatically copied to your clipboard.
4

Send the link

Send the retrieval URL to your recipient through whatever channel you prefer (Slack, email, etc.).
Do not open the retrieval link yourself. The secret is destroyed the moment anyone views it—including you.

How to retrieve a secret

1

Open the retrieval link

Open the retrieval URL you received from the sender.
2

Copy the secret

Your secret is displayed in a read-only field. Click Copy to copy it to your clipboard.
3

Store it safely

Save the secret somewhere secure. You will not be able to access this link again.
If the link has already been used, the secret will no longer be available. Ask the sender to create a new link.

How it works

When you share a secret, the following happens behind the scenes:
  1. Your secret is sent to the server over HTTPS
  2. The server encrypts your secret using AES-256-GCM with a key that only the server knows
  3. Each secret is encrypted with its own unique random salt and initialization vector
  4. The encrypted secret is stored in a database—the plaintext is never saved
  5. A unique ID is generated and returned to you as part of the retrieval URL
When someone opens the retrieval link:
  1. The server looks up the encrypted secret by its unique ID
  2. The secret is immediately deleted from the database
  3. The server decrypts the secret and returns it to the recipient
  4. The secret no longer exists anywhere on the server

Why is this secure?

  • Encrypted at rest — Your secret is encrypted before it is stored. Even if someone accessed the database directly, they would only see unreadable ciphertext.
  • One-time access — The secret is permanently deleted from the database the instant it is viewed. There is no way to retrieve it a second time.
  • Unique per secret — Each secret is encrypted with its own random salt and initialization vector, so even identical secrets produce completely different ciphertext.
  • Server-side encryption — Encryption and decryption happen on the server. The encryption key never leaves the server environment and is not exposed to the browser.
  • No accounts required — Anyone with the link can retrieve the secret. No login is needed, which means you can share secrets with people who don’t have a Narrative account.

Limitations

Keep these limitations in mind when using Secret Sharing:
  • No expiration — If a secret is never retrieved, it remains stored indefinitely. Share links only with people you expect to use them.
  • No access log — There is no way to confirm who retrieved the secret or when. You only know that once the link stops working, someone has viewed it.
  • Single viewer — Only one person can ever view the secret. If you need to share the same secret with multiple people, create a separate link for each recipient.
  • Designed for short secrets — The feature is intended for keys and passwords, not large documents.

Common use cases

  • Sharing API keys or tokens with a teammate
  • Sending a database password to a contractor
  • Passing credentials to a support engineer during troubleshooting
  • Any time you need to send sensitive text and don’t want it sitting in a chat history or email thread

Related content

Security Model

How Narrative protects your data

API Keys

Create and manage API keys for the Narrative API