Password protection
Adds password-based access control — the URL alone cannot decrypt.
Safety & security
Protection levels
Pick the right level for what you share
Standard link
Zero-knowledge by default
The decryption key lives only in your link, never on the server. Anyone with the URL can read; anyone without it cannot.
Best for
- · Code snippets and logs
- · Quick notes shared in chat
- · Public configs or examples
In a data breach, stored data cannot be decrypted without the key in the URL.
Password protected
Link-theft protection
The password stays in your browser. The key is wrapped with a password-derived key so the URL alone is not enough to decrypt.
Best for
- · API keys and credentials
- · Recovery codes or seed phrases
- · Private docs or sensitive notes
Even if the link leaks, pastes are not readable without the password.
Report abuse
How we handle harmful content
textdrop.sh is built for sharing text, code, notes, and temporary secrets. It is not a place to host abuse, malware, phishing material, or content that harms people.
Not allowed
- Malware, ransomware, or phishing content
- Credential dumps or stolen secrets
- CSAM or content that exploits minors
- Harassment, doxxing, threats, or illegal content
Actions we may take
- Disable access to reported pastes
- Remove content that violates our guidelines
- Rate limit or block abusive traffic
- Preserve and share logs when legally required
See something that violates our guidelines?
Open the paste and use the Report button in the paste toolbar. Reports can also be sent to abuse@textdrop.sh.
Your controls
Your controls
Burn after read
Deletes the paste after the first successful open.
Automatic expiry
Removes old pastes automatically after the TTL you choose.
No account required
No profiles, signups, or account passwords to manage.
Security FAQ
Are standard pastes zero-knowledge?+
Yes. The decryption key is embedded in the URL fragment (the part after #), which browsers never send to the server. textdrop.sh stores only encrypted ciphertext and cannot read your paste.
What happens if stored data leaks?+
For new pastes, nothing readable — the server never holds the decryption key. All new stored content is AES-256-GCM ciphertext that cannot be decrypted without the key in the URL. Older pastes from the previous model may be readable if their data key is stored server-side.
What does password protection change?+
It protects against someone who has your link but not the password. The key is wrapped client-side with a PBKDF2-derived password key before the URL is generated, so the URL alone is not enough to decrypt.
How does burn after read work?+
Burn-after-read pastes are deleted as part of the first successful access, so the paste cannot be fetched once and then remain available for another reader.
What precautions does textdrop.sh take?+
The service uses Web Crypto AES-256-GCM, URL-fragment key delivery (never sent to server), PBKDF2 key wrapping for password pastes, CSP nonces, security headers, rate limits, random IDs, and automatic expiry.
Which mode should I use for sensitive content?+
Standard pastes are already zero-knowledge. Add password protection when you want to guard against link theft, and enable burn after read with a short expiry for one-time sharing.
Responsible disclosure
Found a security issue?
Please do not disclose it publicly. Send reproduction steps, impact, and any suggested mitigation to our security inbox.