Disappearing messages are only as good as the architecture behind them. Many apps offer a 'disappearing' toggle — but the messages pass through servers unencrypted before they're 'deleted.' CipherOnce's approach is fundamentally different.
Most disappearing message features work like this: the message is sent to a server, delivered to the recipient, and then the server deletes the record after the set time. The problem? That message existed in plaintext on the server. Deletion is administrative — not cryptographic.
True self-destruction means the content was never accessible to the platform in the first place. When CipherOnce "deletes" a secret, we're removing encrypted ciphertext that we could never decrypt anyway. Conceptually, the meaningful deletion happened when the key was embedded in the URL instead of being stored on our server.
"Deleting" a message we could read is a favor. Deleting a message we never could read is a guarantee.
Encrypted before transmission: Your message is locked in your browser using AES-256-GCM. The server receives ciphertext — data that looks like random noise without the key.
Key never stored: The decryption key is only in the URL fragment. It's in your recipient's browser when they open the link. It has never been on our server.
Burned on access: The moment the view limit is reached, the encrypted record is permanently deleted from our database with no soft-delete, no archive, and no recovery.
Time-bound expiry: Even if the link is never opened, the secret expires on schedule. No secret persists indefinitely.
Configurable destruction: You control whether destruction triggers after 1 view, 5 views, 1 hour, or 30 days. The destruction logic is deterministic and enforced server-side.
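The flow described in the points above, as an added example that is not CipherOnce's own code: the client encrypts with AES-256-GCM, the server stores only ciphertext and enforces the view limit and expiry, and the key travels in the URL fragment, which browsers do not include in HTTP requests. The names `SecretStore`, `createLink`, `openLink`, the `maxViews`/`ttlMs` policy fields and the `secrets.example` host are assumptions made for illustration.

```javascript
// Added illustration; SecretStore, createLink, openLink and secrets.example are hypothetical names.
// Uses the WebCrypto API, available in browsers and in Node.js.
const getCrypto = async () => globalThis.crypto ?? (await import('node:crypto')).webcrypto;
const b64u = (bytes) =>
  btoa(String.fromCharCode(...bytes)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const unb64u = (s) =>
  Uint8Array.from(atob(s.replace(/-/g, '+').replace(/_/g, '/')), (ch) => ch.charCodeAt(0));

// Server side: holds ciphertext only and enforces view limit and expiry.
class SecretStore {
  constructor() { this.records = new Map(); }
  put(id, blob, { maxViews, ttlMs }, now = Date.now()) {
    this.records.set(id, { blob, viewsLeft: maxViews, expiresAt: now + ttlMs });
  }
  take(id, now = Date.now()) {
    const rec = this.records.get(id);
    if (!rec) return null;                                               // unknown or already burned
    if (now >= rec.expiresAt) { this.records.delete(id); return null; } // time-bound expiry
    if (--rec.viewsLeft <= 0) this.records.delete(id);                  // hard delete on the last view
    return rec.blob;
  }
}

// Sender side: encrypt locally, upload ciphertext, keep the key in the fragment.
async function createLink(store, plaintext, policy, now) {
  const c = await getCrypto();
  const key = await c.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt', 'decrypt']);
  const iv = c.getRandomValues(new Uint8Array(12)); // fresh 96-bit nonce per secret
  const data = new TextEncoder().encode(plaintext);
  const ct = new Uint8Array(await c.subtle.encrypt({ name: 'AES-GCM', iv }, key, data));
  const rawKey = new Uint8Array(await c.subtle.exportKey('raw', key));
  const id = b64u(c.getRandomValues(new Uint8Array(16)));
  store.put(id, { iv: b64u(iv), ct: b64u(ct) }, policy, now); // the key is never passed to the store
  return `https://secrets.example/s/${id}#${b64u(rawKey)}`;
}

// Recipient side: fetch the ciphertext by id, decrypt with the key from the fragment.
async function openLink(store, link, now) {
  const c = await getCrypto();
  const url = new URL(link);
  const blob = store.take(url.pathname.split('/').pop(), now);
  if (!blob) return null; // burned or expired
  const key = await c.subtle.importKey('raw', unb64u(url.hash.slice(1)), 'AES-GCM', false, ['decrypt']);
  const pt = await c.subtle.decrypt({ name: 'AES-GCM', iv: unb64u(blob.iv) }, key, unb64u(blob.ct));
  return new TextDecoder().decode(pt); // decrypt() rejects if the key or ciphertext was altered
}
```

Because GCM is authenticated, a link with a modified fragment fails to decrypt rather than yielding garbage, but in this sketch the failed attempt still consumes a view.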
Legal & compliance teams: Share privileged information that must not persist in email archives or discovery processes.
Temporary access codes: Share 2FA backup codes, one-time PINs, or session tokens that should expire immediately after use.
Sensitive HR communications: Share performance feedback, compensation details, or personal information without creating a paper trail in chat apps.
Security incident response: Coordinate incident response credentials and access information with a guaranteed expiry, limiting exposure windows.
We believe in honest security. Self-destructing messages cannot prevent a recipient from copying text or taking a screenshot before the view window closes. What we can do — and do — is minimize the exposure window dramatically, ensure the content never persists on our infrastructure, and make the link useless the moment the view limit is reached.
The goal is to reduce your attack surface. You cannot control what a recipient does with information they have received — but you can ensure the information doesn't linger in systems you don't control after delivery is complete.