securetext.io lets you send a text message to someone with end-to-end encryption — no accounts, no storage, no history. A relay server hosted by Zyno Consulting connects the two browsers, but it only ever sees encrypted ciphertext and HMAC signatures. It never has access to the shared secret, the plaintext, or the encryption keys.
How it works: The share link contains a random shared secret in the URL fragment, which browsers never send to the server. The receiver's browser generates an RSA key pair and sends the public key — along with an HMAC-SHA-256 proof — through the relay. The sender verifies the HMAC using the shared secret before trusting the key.
The sender then encrypts the message with a random AES-GCM key, wraps that key with the receiver's RSA public key, and signs the entire payload with the shared secret. Only the resulting ciphertext and signatures pass through the relay. The receiver verifies the signature, decrypts the AES key with their private RSA key, and recovers the message.
The connection is cryptographically verified via the shared secret, but three magic numbers derived from the public key are also displayed so both sides can visually confirm the connection if desired.
Need to send files or binary streams? Check out sp2p.io.
securetext.io is open source. View the code on GitHub.