FyVault

Secret Sharing

Share a secret via a one-time link that self-destructs after it's viewed or when the TTL expires.

How it works

When you create a shared secret, FyVault generates a unique URL at fyvault.com/share/:token. The recipient opens the link once, views the secret, and the link is permanently invalidated. No FyVault account required to view.

CLI

# Share a secret with a 24-hour TTL
fyvault share create \
  --secret DATABASE_URL \
  --environment production \
  --ttl 24h

# Output: https://fyvault.com/share/shr_abc123...

# Share an arbitrary value (not stored in FyVault)
fyvault share create --value "my-api-key-123" --ttl 1h

# List active shares
fyvault share list

# Revoke a share before it's viewed
fyvault share revoke shr_abc123

Node.js

import { FyVault } from "@fyvault/sdk";

const fv = new FyVault({ accessToken: "fv_live_...", orgId: "org_acme" });

const share = await fv.sharing.create({
  secretName: "DATABASE_URL",
  environment: "production",
  ttlSeconds: 86400, // 24 hours
});

console.log(share.url); // https://fyvault.com/share/shr_...

// Revoke early
await fv.sharing.revoke(share.id);

Python

from fyvault import FyVault

fv = FyVault(access_token="fv_live_...", org_id="org_acme")

share = fv.sharing.create(
    secret_name="DATABASE_URL",
    environment="production",
    ttl_seconds=86400,
)
print(share.url)

fv.sharing.revoke(share.id)

Security properties

One-time view

The link is invalidated immediately after the first view.

TTL expiry

Unviewed shares expire and are deleted after the TTL.

End-to-end encryption

The secret is encrypted; the decryption key is in the URL fragment (never sent to the server).

Audit logged

Share creation, view, and revocation are all recorded in the audit trail.

See also: Encryption Modes, Security Architecture