Share Secrets.
Leave No Trace.

ZeroKey is a zero-knowledge payload delivery system. Send encrypted text and files that self-destruct upon reading. We don't hold your keys, and we can't read your data.

5 Reasons to Use Client-Side Encryption

01

Absolute Privacy

Unencrypted plaintext never leaves your device. We fundamentally cannot read, scan, or monetize your private data.

02

Burn After Reading

Data is completely eradicated from our PostgreSQL database the millisecond it is decrypted by the recipient.

03

Biometric Security

Integrates with WebAuthn to require physical human presence (TouchID/FaceID), blocking chat-bots from prematurely burning links.

04

Geofencing

Restrict payload decryption to a specific 50-meter GPS radius. If they aren't at the location, the data self-destructs.

05

Open Architecture

Read our transparent technical breakdown to understand exactly how the cryptographic engine works.

Architecture

How Zero-Knowledge Works

Visualizing the flow of data from your device, across the network, and to the recipient. Your decryption key never touches our servers.

1. Your Browser

Data encrypted locally via AES-GCM.

2. ZeroKey Database

Ciphertext stored. Mathematically blind to contents.

3. Recipient Device

Decrypted locally. Database record burned.

Built For Engineers

Free Developer Security Tools

We extracted the cryptographic primitives powering ZeroKey and open-sourced them into free, client-side tools for developers.

Open Source Architecture

ZeroKey Engineering Blog

Dive deep into client-side cryptography, browser security, and how we built a truly zero-knowledge payload delivery system.

Frequently Asked Questions

Can ZeroKey or law enforcement read my messages?
No. Because of our zero-knowledge architecture, we only store encrypted ciphertext. The decryption key is generated locally and placed in the URL fragment (after the #), which browsers do not transmit over the network. Without the URL, the data is mathematically unreadable.

What happens to my uploaded images?
Images are converted to ArrayBuffers and encrypted on your device. We store the scrambled blob in a secure Supabase bucket. Once the recipient views the image, a `DELETE` command is triggered, and the blob is permanently destroyed. Read our Privacy Policy for more data retention details.

Why do I need to scan my fingerprint to read a message?
When you share a link on apps like iMessage, WhatsApp, or Slack, automated bots scan the link to generate a preview image. Without WebAuthn (Biometric Gatekeeping), these bots would accidentally "read" the message and trigger the self-destruct sequence before the actual human clicked it.
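
The flow described under "How Zero-Knowledge Works" and in the first FAQ answer, sketched with the Web Crypto API. This is an added illustration, not ZeroKey's own code; the function names, the `/m/<id>` path, the record fields and the base64url encoding are assumptions.

```javascript
// Added illustration, not ZeroKey's code. Runs in a browser or in Node.js.
// Assumed names: createLink, openLink, requestTarget, the /m/<id> path, base64url encoding.
async function webCrypto() {
  // Browsers and recent Node expose globalThis.crypto; older Node needs the import.
  return globalThis.crypto?.subtle ? globalThis.crypto : (await import('node:crypto')).webcrypto;
}
// base64url helpers (spread is fine for short messages; chunk for large files).
const b64u = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)))
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const unb64u = (s) => {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (ch) => ch.charCodeAt(0));
};

// Sender: encrypt locally, return the record the server stores and the link to share.
async function createLink(plaintext, origin, id) {
  const c = await webCrypto();
  const key = await c.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt']);
  const iv = c.getRandomValues(new Uint8Array(12)); // fresh 96-bit nonce per message
  const ct = await c.subtle.encrypt({ name: 'AES-GCM', iv }, key,
    new TextEncoder().encode(plaintext));
  const rawKey = await c.subtle.exportKey('raw', key);
  return {
    serverRecord: { id, iv: b64u(iv), ciphertext: b64u(ct) }, // no key material here
    link: `${origin}/m/${id}#${b64u(rawKey)}`,
  };
}

// The request target a browser sends for a link: the fragment is not part of it.
function requestTarget(link) {
  const u = new URL(link);
  return u.pathname + u.search;
}

// Recipient: read the key from the fragment and decrypt the fetched record locally.
// A wrong key or altered ciphertext fails the GCM tag check and the promise rejects.
async function openLink(link, record) {
  const c = await webCrypto();
  const rawKey = unb64u(new URL(link).hash.slice(1));
  const key = await c.subtle.importKey('raw', rawKey, { name: 'AES-GCM' }, false, ['decrypt']);
  const pt = await c.subtle.decrypt({ name: 'AES-GCM', iv: unb64u(record.iv) }, key,
    unb64u(record.ciphertext));
  return new TextDecoder().decode(pt);
}
```

The fragment stays out of HTTP requests, but any script running on the page can read it, so the property depends on the integrity of the JavaScript the site serves.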