
How It Works

Technology and Security

Bixby encrypts your messages in the browser before they leave your device. The server never sees your message—only encrypted data.

Zero-Knowledge

Your message is encrypted in your browser before being sent. The server only receives encrypted data and therefore cannot read your message. AES-GCM-256 encryption via the Web Crypto API: encryption happens client-side, and plaintext never leaves your device.

crypto.js (JavaScript)

```javascript
// Encode bytes as base64url so the blob and the key survive JSON and the URL fragment
function toBase64Url(bytes) {
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

async function encryptMessage(plaintext) {
  // Generate 256-bit key
  const key = await crypto.subtle.generateKey(
    { name: 'AES-GCM', length: 256 },
    true,
    ['encrypt', 'decrypt']
  );
  // Random IV + encrypt (plaintext never leaves device)
  const iv = crypto.getRandomValues(new Uint8Array(12));
  const ciphertext = new Uint8Array(await crypto.subtle.encrypt(
    { name: 'AES-GCM', iv },
    key,
    new TextEncoder().encode(plaintext)
  ));
  // Prepend the IV to the ciphertext so the recipient can decrypt, and export
  // the key as raw bytes so it can be placed in the URL fragment as text
  const blob = new Uint8Array(iv.length + ciphertext.length);
  blob.set(iv);
  blob.set(ciphertext, iv.length);
  const rawKey = new Uint8Array(await crypto.subtle.exportKey('raw', key));
  return { encrypted: toBase64Url(blob), key: toBase64Url(rawKey) };
}
```

Key in URL

The decryption key is in the URL (after the #). It is not sent to the server, which means the server cannot read your message. 256-bit AES-GCM key in the URL fragment; fragments are not sent in HTTP requests (RFC 3986).

app.js (JavaScript)

```javascript
// Encrypt locally, send only encrypted blob to server
const { encrypted, key } = await encryptMessage(message);
const { id } = await fetch('/api/store', {
  method: 'POST',
  body: JSON.stringify({ encrypted })
}).then(r => r.json());
// Key in URL fragment - never sent to server (RFC 3986)
const link = `https://bixby.nl/read#${id}__${key}`;
```

One-Time Access

After reading, the message is immediately deleted, so each link works only once. Atomic delete: file_get_contents() and unlink() in one operation, which prevents race conditions.

api/read.php (PHP)

```php
<?php
// Only lowercase hex survives, so the id cannot escape /messages/
$id = preg_replace('/[^a-f0-9]/', '', $_POST['id'] ?? '');
$path = "/messages/{$id}.json";
// rename() is atomic: of two concurrent readers only one claims the file
$claimed = "{$path}." . bin2hex(random_bytes(8));
if ($id === '' || !@rename($path, $claimed)) {
    http_response_code(404);
    exit(json_encode(['error' => 'not found']));
}
$data = json_decode(file_get_contents($claimed), true);
// Delete immediately after reading (burn-on-read)
unlink($claimed);
echo json_encode(['encrypted' => $data['encrypted']]);
```

Technology

Encryption

Native browser encryption. No external libraries needed. AES-GCM-256, Web Crypto API. IV: 96-bit random. Authenticated encryption.

Backend

Simple PHP API. No database needed. PHP 8.3. File-based storage. TTL: 24 hours. Atomic delete operations.

Server

Fast, secure web server. Nginx 1.24 + PHP-FPM 8.3. SSL/TLS via Let's Encrypt. Security headers: CSP, HSTS.

Storage

Temporary files, automatically cleaned up after 24 hours. Encrypted blobs in /messages/. Cron cleanup. Direct access blocked (403).

Security

  • Encryption happens in your browser before data leaves your device
    AES-GCM-256, Web Crypto API. Plaintext never leaves device.
  • The server never sees your message
    Zero-knowledge: only encrypted blobs, no plaintext possible.
  • The key stays in the recipient's possession
    Key in URL fragment, not sent in HTTP requests.
  • The message is deleted immediately after reading
    Burn-on-read: atomic delete, no repeated access.
  • Automatic cleanup after 24 hours
    TTL: unread messages expire automatically.
  • No tracking or logging
    No tracking cookies, analytics, or content logging.

Transparency

All client-side code is inspectable. No minified JavaScript, no obfuscation. View the key files via the link below.

View source code

Privacy

No tracking, analytics or logging. No tracking cookies. No third-party scripts.

Hosted in the Netherlands 🇳🇱

Bixby is hosted on servers in the Netherlands. Your data stays within the EU and falls under Dutch privacy laws. Dutch datacenter, EU data residency, GDPR compliant.
