A Calmer Way to Share API Keys, Passwords, and Other Secrets
Stop pasting credentials into Slack. A short guide to using a real-time, password-protected, auto-expiring channel for one-off secret handoffs.
At some point on every team there is a moment that goes like this: someone DMs you in Slack with a 64-character access token and the sentence "Please don't paste this anywhere." You delete the message. They keep theirs. Slack keeps both. Three months later the org rotates credentials anyway, because nobody remembers who saw the original.
Sharing secrets between humans is one of those everyday engineering tasks that's deceptively easy to do badly. The defaults are wrong. Email, Slack, KakaoTalk, Notion comments: all of them keep history forever, in places that aren't designed for secrets. This guide is about a calmer pattern: a live, password-protected, auto-expiring channel for one-off handoffs.
What "safe enough" looks like
For one-time secret handoffs between two coworkers — an API key, a deploy password, a recovery code — the practical threat model is small and specific:
- The secret should NOT be readable in a chat log six months later.
- The secret should NOT be sitting in someone's mailbox if their laptop is stolen.
- The recipient should not have to install anything weird to receive it.
- If the link leaks before the recipient receives it, the secret should be unusable to whoever finds it.
A real-time relay with a short expiry and a one-time password covers all four. Notably, it does NOT cover the "the recipient's device is malware-infected" case, and there's no protocol that does. Pick your battles.
The 30-second pattern
- Open File Tunnel and switch to the Text tab.
- Paste the secret into the textarea. Anything from an API key to a multi-line .env snippet. Up to 16 KB.
- Set expiry to 10 minutes. The whole point is that the channel closes itself before anyone can pivot off it.
- Toggle Password protection (Pro Pass required). Pick a phrase that's not in your shared chat history — "Friday coffee" is fine if you didn't talk about Friday coffee earlier.
- Click Open the tunnel. Share the short code in your team chat. Share the passphrase over a different channel — text message, phone, in-person.
- The recipient opens the link, enters the passphrase, sees the secret rendered inline, copies it, and you're done.
Why a different channel for the passphrase matters
If the URL and the password both live in the same chat thread, you've gained nothing — anyone with access to that thread has both pieces. The trick is sending them through channels that don't share an audit trail. Common pairings:
- URL in Slack DM, passphrase via SMS.
- URL in email, passphrase spoken on the phone call you're already on.
- URL on screen during a Zoom, passphrase typed on a sticky note held up to the camera (silly, but works).
Why the short expiry matters more than the password
If you remember nothing else: set a short TTL. The password helps in the "someone steals the link" case, but a 10-minute window helps in the "someone forgets to revoke access" case, which is more common. Most leaks aren't targeted attacks — they're old credentials still working three jobs later.
What about server logs?
File Tunnel relays the bytes through server memory; nothing about the text content lands on disk. The metadata the relay does see (filename, size, IP for rate limiting) is auto-deleted when the session expires. The relay can't hand over your secret to anyone afterwards because it doesn't have it.
For threat models that exclude trusting the relay operator at all — for example, sharing a private signing key with a third-party contractor whose interests partially diverge from yours — encrypt the secret yourself before sending. Tools like age, gpg, or even a password-protected 7-Zip archive let you wrap the secret in a layer that the relay provably cannot peek into. Then ship the encrypted blob through the same Text tunnel and share the encryption key separately.
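One way to do the gpg wrapping described above, as an added example that is not File Tunnel's own code. It assumes GnuPG 2.2.7 or later; the function names `wrap_secret` and `unwrap_secret` and the reading of the 16 KB Text limit as 16384 bytes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: wrap a secret with gpg before it goes through the relay.
# The passphrase is fed on stdin so it never appears in process arguments.

MAX_BYTES=16384   # assumption: the page's "16 KB" limit read as 16 * 1024 bytes

# wrap_secret PLAINTEXT_FILE OUT_FILE PASSPHRASE
# Writes an ASCII-armored, AES-256 encrypted blob that can be pasted as text.
wrap_secret() {
    gpghome=$(mktemp -d) || return 1       # throwaway gpg home, no keyring reuse
    printf '%s' "$3" | gpg --homedir "$gpghome" --batch --yes --quiet \
        --pinentry-mode loopback --passphrase-fd 0 --no-symkey-cache \
        --symmetric --cipher-algo AES256 --armor --output "$2" "$1"
    rc=$?
    rm -rf "$gpghome"
    [ "$rc" -eq 0 ] || return "$rc"
    # Refuse blobs over the text limit; armor adds roughly a third in size.
    size=$(wc -c < "$2")
    if [ "$size" -gt "$MAX_BYTES" ]; then
        rm -f "$2"
        echo "armored blob is $size bytes, over $MAX_BYTES" >&2
        return 2
    fi
}

# unwrap_secret BLOB_FILE PASSPHRASE
# Prints the plaintext on stdout; returns non-zero on a wrong passphrase.
unwrap_secret() {
    gpghome=$(mktemp -d) || return 1
    printf '%s' "$2" | gpg --homedir "$gpghome" --batch --quiet \
        --pinentry-mode loopback --passphrase-fd 0 --no-symkey-cache \
        --decrypt "$1" 2>/dev/null
    rc=$?
    rm -rf "$gpghome"
    return "$rc"
}
```

The sender pastes the contents of the armored output file into the Text tab; the recipient saves the received text to a file and runs `unwrap_secret` on it with the passphrase that arrived over the other channel.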
Honest tradeoffs
Compared to dedicated secret-sharing tools (e.g. 1Password Send, Bitwarden Send, internal SecretHub):
- File Tunnel: zero setup, no account, live channel, included for free in everyday workflow.
- Dedicated tools: better audit logs, recipient identity verification, integration with your password manager.
For ad-hoc one-offs to a single coworker, File Tunnel is the path of least friction. For automated secret distribution across a team or a vendor relationship, use a dedicated tool. They're complementary, not competing.
One last thing
After the secret is delivered, rotate it anyway when the engagement ends. Channel-based safety helps with the moment of transit, but the only real defense against long-tail credential leaks is a key that doesn't work anymore.