| mboxly.app

Send sensitive data securely.

Stop sending passwords in email or chat. Zero-knowledge encrypted messages, self-destructing notes, and secure file sharing.

Zero-knowledge End-to-end encrypted No logs

Secure

Message

Encrypt text and attachments end-to-end, then share a protected link.

  • Encryption happens in your browser
  • The key is never sent to our server
  • Messages disappear automatically
  • No account required

What do you want to send?

Send sensitive data that disappears.

Share passwords, files, and private notes using encrypted links that expire automatically.

Secure Message

  • Encrypted before sending
  • Optional password protection
  • Expiration control
Send Secure Message

One-Time Note

  • Read once only
  • Auto delete after reading
  • No recovery
Create Note

Secure File Sharing

  • Files encrypted in your browser
  • Share via secure link
  • Auto expiration
Send Files

Generate & Send Password

  • Generated locally
  • High entropy
  • Secure sharing
Generate Password

Your data, your keys. Discover real Zero-Knowledge security.

Secure transfer of sensitive data without compromise

mboxly.app is a modern tool created for secure sharing of sensitive information in a digital world. Whether you are sending a banking password, an API token, or a confidential company document, mboxly.app guarantees that no one - including us - can read your message.

The key to our system is client-side encryption. This means your data is secured directly in your browser before it even reaches the network. It is the simplest, fastest, and safest way to transfer data, without creating an account or installing software.

Illustration and technology

Below is a visual summary of the Zero-Knowledge model and the encryption process before data is sent.

Illustration of the Zero-Knowledge security model in mboxly.app

How do we work?

mboxly.app bases its security on the Zero-Knowledge model. In practice, this means the mboxly.app server is only a "blind courier". It receives an encrypted data package but never has the key required to open it. This key is generated locally by the sender and becomes part of a unique link (the fragment after #), which is never sent to our systems.

Encryption itself uses the banking-grade AES-256-GCM standard. This modern cryptographic algorithm guarantees confidentiality (no one can view the content) and integrity (no one can modify the message in transit). If anyone attempts to alter the encrypted payload, the recipient will not be able to decrypt it.

An additional layer of protection is the self-destruct rule. You can set the message to be permanently removed from the server according to selected rules.

This ensures that confidential information does not stay online a second longer than necessary, eliminating the risk of a later leak.

  • After first read (Burn after reading) Perfect for one-time password or token sharing. The recipient opens the link once and the message disappears.
  • After a specified time (e.g. 1h, 24h, 7 days) Useful for documents or access codes that should expire after a defined period.

Key benefits

Full privacy

With client-side encryption, your secret never reaches the server in readable form.

Speed and simplicity

Generate a secure link with one click. No registration and no email required.

Self-destruct policy

Full control over data lifetime. Data disappears permanently.

AES-256-GCM

Banking-grade encryption standards protect your message from tampering.

No ads, no tracking

mboxly.app is a security tool. We do not profile users and we do not track activity.

From the Blog

Practical notes on privacy, secure sharing, and zero-knowledge

A small reading block for people who want to understand how the product works in real scenarios before using it.

Browse all articles
GDPR, Zero-Knowledge Encryption, and the Breach Notification Problem

2026-04-22

Zero-Knowledge

GDPR, Zero-Knowledge Encryption, and the Breach Notification Problem

GDPR requires breach notification within 72 hours. Zero-knowledge encryption changes the calculus — because a breach of ciphertext may not be a breach of personal data.

Read more
Encrypted Dead Man's Switch: What It Is and When It Makes Sense

2026-04-18

Future Delivery

Encrypted Dead Man's Switch: What It Is and When It Makes Sense

A dead man's switch is not only for spy fiction or catastrophic scenarios. In encrypted form, it becomes a practical tool for continuity, succession, and last-resort disclosure.

Read more
Send a Letter to Your Future Self — Encrypted, Private, and Time-Locked

2026-04-14

Future Delivery

Send a Letter to Your Future Self — Encrypted, Private, and Time-Locked

A letter to your future self is only meaningful if it stays unread, unchanged, and private until the date you intended. Encryption is what makes that credible.

Read more

Questions

Frequently Asked Questions

Short answers to the questions people usually ask before trusting a secure-link workflow.

Why is Zero-Knowledge encryption safer than traditional methods?

Zero-Knowledge encryption means the decryption key never leaves your browser. The server stores only encrypted data and has no physical ability to read it. Unlike classic solutions where an admin may access content, here even the server owner cannot learn the message content.

Can I safely send passwords via WhatsApp?

WhatsApp offers end-to-end encryption, but messages remain in chat history on both devices. Anyone with phone access can read them later. mboxly.app allows expiration after one read or time limit, eliminating future leak risk.

Why not send passwords via email?

Most email servers do not encrypt messages end-to-end. Email can be stored on intermediate servers, in sender and recipient mailboxes, and in backups. Mail admins, hosting providers, or people with account access can read contents. mboxly.app encrypts data locally before sending and deletes it after reading.

Can the mboxly.app administrator read my message?

No. The decryption key is only in the link (URL fragment after #), which is never sent to the server. The server stores only an encrypted data package that cannot be decrypted without the key.

How does mboxly.app differ from sending files via Google Drive or Dropbox?

Google Drive and Dropbox do not encrypt data in Zero-Knowledge mode by default - the provider has key access. Files remain in the cloud long-term and require an account. mboxly.app encrypts data locally, requires no registration, and messages expire automatically after reading or time limit.

What does "burn after reading" mean?

The "1 view" option causes the message to be permanently deleted from the server immediately after first read. The recipient cannot open it again and the link stops working. It's ideal for sending passwords or one-time tokens.

How can I trust that the server really has no key access?

The decryption key is placed in the URL hash fragment (after #). Browsers never send this part of the address to the server. You can verify this in browser dev tools (Network tab) - no HTTP request contains the key.

Why not share passwords via Slack, Microsoft Teams, or other corporate messengers?

Corporate messengers store message history on servers accessed by organization admins and the platform provider. Messages can be archived, indexed, and retained for compliance. mboxly.app stores no metadata about content and deletes data after the selected time.

How does the AES-GCM algorithm used by mboxly.app work?

AES-GCM (Galois/Counter Mode) is a modern cryptographic standard combining encryption (AES) with authentication (GCM). It not only hides content but also detects any tampering attempts. If someone tries to modify the encrypted message, decryption fails with an error.

Is mboxly.app better than password generators with sharing features?

Password managers have varying encryption quality and don't always offer burn-after-reading or short expiration times. mboxly.app is an independent tool you can use to share any data (not just passwords), without installing apps or creating accounts.

Does mboxly.app store logs with my data?

We store only minimal technical logs necessary to prevent attacks (e.g., IP, request time). However, we do not log the contents of your messages or decryption keys, because we cannot see them. Technical logs are regularly purged.

What happens if I lose the message link?

Due to Zero-Knowledge architecture, we have no way to recover your message or key. If the link is lost, the content will remain encrypted on the server until expiration time, after which it will be permanently deleted.

Are files sent through mboxly.app also encrypted?

Yes. Every attachment is encrypted in your browser before sending with the same key as the text message. The recipient downloads the encrypted file, which is decoded locally on their device.

Is mboxly.app GDPR compliant?

Yes. The mboxly.app project implements 'Privacy by Design' and 'Privacy by Default' principles. We minimize data collection, and thanks to end-to-end encryption, we are not the administrator of your message content because we have no access to it.

Why mbox

Send sensitive data without leaving traces

Encrypt data directly in your browser and share it using secure links that expire automatically.

Send secure message Try one time message

Security

Zero-knowledge

Only you and the recipient can read the message. We never have access.

Technology

Client-side encryption

Data is encrypted before it leaves your device.

Privacy

No tracking

No analytics, no profiling, no data collection beyond what is required.