Stop Pasting Credentials in Slack

Name: Stop Pasting Credentials in Slack
Availability: InStock
Author: ankurbhugra

by ankurbhugra·Feb 21, 2026·3 points·0 comments

Visit Project View on HN

AI Analysis

●●SolidSolve My ProblemSlick

AES-256-GCM with key in URL fragment—clever crypto choice, but Teleport and 1Password Vaults already exist.

Strengths

•Encryption key never touches server (URL fragment design prevents transmission)
•Atomic race-condition prevention on view limits using database-level enforcement
•No signup required; email OTP + passcode options balance UX and security

Weaknesses

•Solves temporary credential sharing; password managers (1Password, Teleport) already handle this
•No guarantee recipient doesn't screenshot or leak after decryption—inherent to the problem

Post Description

I built VaultLink to solve a recurring problem: how do you securely share an API key or password with someone when you don’t use the same password manager (or don’t use one at all)?

VaultLink encrypts secrets client-side using the Web Crypto API (AES-256-GCM). The encryption key is delivered via a URL fragment (#key=...), which is never sent to the server. The server stores only ciphertext, IV, and salt. Decryption happens entirely in the browser.

Access requires email OTP, and view limits are enforced atomically at the database level to prevent race conditions.

It’s not trying to replace password managers or prevent a recipient from copying a secret. The goal is to reduce accidental exposure and long-lived credential leaks in chat.