One-Time Share Links
One-time share links let you securely share a single credential with anyone -- even people who do not have a SyVault account. The link is end-to-end encrypted, time-limited, view-limited, and optionally device-locked.
How It Works
When you create a one-time share link, the following happens:
- Share Key Generation -- A random 256-bit Share Key is generated in your browser.
- Re-Encryption -- The record's plaintext fields are re-encrypted with the Share Key using AES-256-GCM. This creates an independent ciphertext that has no cryptographic relationship to your vault keys.
- Server Storage -- The re-encrypted payload is uploaded to the server along with the share metadata (expiry, view limit, device-lock setting).
- Link Construction -- SyVault generates a URL in the form:
  https://vault.syvault.com/share/abc123#ShareKeyInBase64Url
  The Share Key is placed in the URL fragment (after the #). URL fragments are never sent to the server by browsers -- the key stays entirely client-side.
- Recipient Access -- When the recipient opens the link, their browser extracts the Share Key from the fragment, fetches the encrypted payload from the server, decrypts it locally, and displays the credential.
Because the Share Key is in the URL fragment, SyVault's server never sees the decryption key. Even if the server were compromised, the attacker would only obtain ciphertext.
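The flow above, written out with the WebCrypto API as an added example (not SyVault's own code). The in-memory `server` Map, the function names, the JSON field encoding and the 12-byte IV stored beside the ciphertext are assumptions; the page does not specify them.

```javascript
// Added example. `server`, the function names, JSON encoding and IV handling are assumptions.
const server = new Map(); // stand-in for server storage: holds id -> { iv, ct }, never the key

const b64url = {
  enc: (b) => btoa(String.fromCharCode(...b)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, ''),
  dec: (s) => Uint8Array.from(atob(s.replace(/-/g, '+').replace(/_/g, '/')), (c) => c.charCodeAt(0)),
};

// Browsers expose WebCrypto as globalThis.crypto; older Node versions need the import.
async function webCrypto() {
  return globalThis.crypto?.subtle ? globalThis.crypto : (await import('node:crypto')).webcrypto;
}

// Sender: generate the Share Key, re-encrypt the fields, upload ciphertext, build the link.
async function createShare(id, fields) {
  const wc = await webCrypto();
  const rawKey = wc.getRandomValues(new Uint8Array(32)); // random 256-bit Share Key
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh 96-bit GCM nonce per share
  const key = await wc.subtle.importKey('raw', rawKey, 'AES-GCM', false, ['encrypt']);
  const pt = new TextEncoder().encode(JSON.stringify(fields));
  const ct = new Uint8Array(await wc.subtle.encrypt({ name: 'AES-GCM', iv }, key, pt));
  server.set(id, { iv, ct });
  return `https://vault.syvault.com/share/${id}#${b64url.enc(rawKey)}`;
}

// What an HTTP client puts in the request line: path and query, never the fragment.
function requestTarget(link) {
  const u = new URL(link);
  return u.pathname + u.search;
}

// Recipient: read the key from the fragment, fetch the payload, decrypt locally.
async function openShare(link) {
  const wc = await webCrypto();
  const u = new URL(link);
  const rawKey = b64url.dec(u.hash.slice(1));
  if (rawKey.length !== 32) throw new Error('Share Key must be 256 bits');
  const payload = server.get(u.pathname.split('/').pop());
  if (!payload) throw new Error('Share expired');
  const key = await wc.subtle.importKey('raw', rawKey, 'AES-GCM', false, ['decrypt']);
  // GCM authenticates: a wrong key or modified ciphertext rejects instead of returning garbage.
  const pt = await wc.subtle.decrypt({ name: 'AES-GCM', iv: payload.iv }, key, payload.ct);
  return JSON.parse(new TextDecoder().decode(pt));
}

// Constructed sample record, round-tripped through the link.
createShare('abc123', { username: 'deploy', password: 'constructed-sample' }).then(async (link) => {
  console.log('request target:', requestTarget(link), '| decrypted:', await openShare(link));
});
```

The fragment keeps the key away from the server only: anything that records the full URL, such as chat history or the channel the link is sent over, holds the key together with the locator.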
Creating a One-Time Share
- Open any record in the web vault, desktop app, or mobile app.
- Click the Share icon (or select Share > One-Time Link from the record menu).
- Configure the share parameters:
| Parameter | Options | Default |
|---|---|---|
| Expires after | 1 hour, 6 hours, 1 day, 7 days, 30 days | 1 day |
| Maximum views | 1, 3, 5, 10 | 1 |
| Device lock | On / Off | Off |
- Click Create Link. The link is copied to your clipboard.
- Send the link to the recipient via any channel (email, Slack, SMS, etc.).
Security Features
Time Expiry
The share link becomes invalid after the specified duration, regardless of whether it has been viewed. The server deletes the encrypted payload upon expiry.
View Limit
Each time the recipient opens the link and successfully decrypts the content, the server decrements the view counter. When the counter reaches zero, the payload is deleted and subsequent requests return a "Share expired" message.
Device Lock
When device lock is enabled, the first device that opens the link is bound to the share via a browser fingerprint (derived from User-Agent, screen resolution, timezone, and a random token stored in sessionStorage). Subsequent access attempts from a different device are rejected. This prevents a forwarded link from being opened on another device.
5-Minute Viewing Window
Once a recipient opens the link and decrypts the content, the credential is displayed for a maximum of 5 minutes. After 5 minutes, the page automatically clears the plaintext and shows an expiration notice. This limits the exposure window if the recipient leaves the page open.
Managing Active Shares
View and revoke active share links under Settings > Sharing > Active One-Time Links. Each entry shows the record name, creation date, expiry, remaining views, and a Revoke button that immediately deletes the server-side payload.
Once a link has been viewed and the recipient has seen the credential, revoking the link prevents further views but cannot un-reveal the information already displayed. Share only with trusted recipients.
Limitations
- One-time share links share a snapshot of the record at creation time. If you update the record after creating the link, the link still shows the original values.
- Binary attachments (file attachments on records) are not included in one-time shares. Only structured fields are shared.
- One-time share links do not require the recipient to have a SyVault account.