2868 | once.REST's guaranteed exactly-once microsharing

once.REST Screenshot


Not so often, but there are situations when you want to share certain information or a file only once, guaranteed. For example, you may need to share a password or a unique link to a specific resource.

Perhaps you want to share the seed phrase of a cryptocurrency wallet. In such cases, it is not desirable to transmit such information openly through any (even secure) communication channel. Especially copying your seed phrase to some web service.

once.REST was designed as a service that fully implements the privacy-by-design concept. The information entered by the user is always encrypted on the client-side, and the token used to access the data is hashed. So, none of the service shards have access to the shared information itself, nor even the token used to make the request.

Additionally, once.REST fully supports secure browsers (like Tor), enabling anonymous usage. At the moment, the service does not even use CAPTCHA. The only limitation in the current version is that the size of the data should not exceed 32MB in unencrypted form.


create microshare

open microshare


How does it work?

The once.REST microsharing service consists of two main components: the client-side (web application) and the shard database in the cloud. The client-side has no knowledge of the server-side details, and the server-side cannot access the data operated by the client-side, including the original request tokens. This ensures both user information and the service itself remain protected, as there is no way to know what is stored on the servers.

The client-side operates with three main parameters: the request token, encryption password, and user data (text or arbitrary file).

The request token can be any string with a length of at least 16 bytes. In automatic mode, a pseudorandom sequence of 21 bytes will be used as the token. The original request token is never transmitted to the server in plain text; it undergoes cascading hash functions.

The encryption password can be of arbitrary length (the longer and more complex, the better). In automatic mode, the password will be computed from the original token using the Determino scheme, where the original token serves as the master password. The encryption password never leaves the user's device.

Before encryption, the user data undergoes special preparation, including padding and mixing with a pseudorandom initialization vector, to avoid data homogeneity when using identical encryption passwords. Finally, the data is encrypted with a key derived from the original password, in a separate web worker on the client-side.

Optionally, the user can choose to save the creation time of the microsharing record (this parameter will also be encrypted along with the main data).

Optionally, a self-destruct timer for the record can be set in seconds.

The once.REST service also supports additional protection measures in public places, such as hiding the original token and the entered or displayed text data.

Upon successful and complete loading of data into the shard database, the user sees a link containing the original token. The data associated with this token can be retrieved exactly once using the once.REST web client. The data is completely and irreversibly deleted from all copies of the shard at the moment of the request. If any failure occurs during the data retrieval process or on the client-side, all data associated with that microsharing will be lost.

Options & Hints

once.REST Options on Screenshot
once.REST Options on Screenshot