One-Time Text Message

Send a text message that can only be read once. It disappears forever after opening.

Why secure one-time text message matters

A one-time text is the small string that has to land in someone's eyes and then evaporate. The verification code your aunt reads aloud while a fraud-line agent waits on hold. The brief 'spare key is taped under the planter, not the mat' you fire from a taxi to a friend feeding the cat. A confirmation number a relative repeats to a pharmacy. Three to thirty characters, seconds of relevance.

The native channel for messages this size is SMS, and that is where the headline failure mode lives. iOS and Pixel devices ship with notification previews enabled by default, so the body of an incoming text renders inside the lock-screen banner before face or fingerprint unlocks the phone. A six-digit code is legible at arm's length on a desk, a car dock, a paired watch face, or the kitchen smart display.

PasteOnce keeps the payload off that surface. You paste the digits, send a link through whichever messenger the recipient uses, and the bystander sees only a pasteonce.link URL with no readable contents. They tap, the ciphertext is destroyed during the same request, and the value sits on screen for the few seconds it has to. Re-reading is impossible — the point of a string that loses meaning the moment it is used.

What goes wrong when one-time text message is shared insecurely

Notification previews on by default. iOS Show Previews defaults to Always; Android's per-channel Sensitive content toggle ships on for most messengers. The full text of an incoming code renders on the locked screen, readable to anyone in glance range without any unlock action.
Watch and dashboard mirroring. Apple Watch, Wear OS, CarPlay, Android Auto, and Echo Show paired devices automatically mirror new SMS bodies. A spouse's wrist or a car speaker reading a confirmation number aloud has already broadcast it to whoever sits in the room.
Quote-reply turning ephemeral permanent. iMessage and WhatsApp let any participant tap-and-hold a short message and pin it as a quote-reply on a later thread. A four-digit code embedded that way persists indefinitely, indexed by Spotlight or Google Search on the device.
Wrong-recipient autocomplete. Recipient pickers fat-finger under time pressure, especially when contacts share initials or a group chat sits one tap above the intended thread. A misrouted plaintext code is already exposed; a misrouted link is harmless until opened.

One-Time Text Message

Client-side encrypted. We can't see your data.

Press Ctrl/⌘ + Enter to send0 characters

Expires in:

End-to-End Encrypted

Your data is encrypted in your browser before it leaves your device.

Self-Destructing

Messages are automatically deleted after being read once.

Zero Knowledge

We never see your data. Only encrypted blobs pass through our servers.

One-Time View

Links work exactly once. Refresh the page and it's gone forever.

How does one-time text message work on PasteOnce?

Client-Side Encryption

Your sensitive data is encrypted in your browser using AES-256-GCM. The encryption key is generated randomly and never sent to our servers.

Secure Storage

Only the encrypted blob is stored in our database, with an automatic expiration time. We literally cannot read your data.

One-Time Read

When your recipient opens the link, the encrypted data is fetched and immediately deleted from our servers using an atomic Redis GETDEL. The key in the URL hash decrypts the message in their browser.

Best practices for one-time text message

Coach the recipient on preview settings once

Walk them through Settings then Notifications then Show Previews then When Unlocked on iOS, or Notifications then Lock screen then Hide sensitive content on Android. A five-minute fix covers every short message after.

Choose the one-hour expiration

Verification codes from banks and 2FA providers already expire in 30 to 600 seconds at the source. Pick the shortest TTL so the encrypted blob dies before the underlying code itself would.

Strip identifying nouns from the payload

Send '8842' or 'south gate, blue door' rather than the bank-branded SMS or full property address. A glanced-at payload with no nouns names neither institution nor location, so an accidental reader cannot match value to target.

Read aloud when the call is open

If you are on a voice line and the round-trip will not fit in the verification window, speak the digits. A second link doubles lock-screen exposure on their device for no gain in privacy or speed.

Related Secure Sharing Tools

Send Password Securely Share Password Securely Share WiFi Password Create Secret Message Link Self-Destructing Note Share 2FA Backup Codes Share Login Credentials Send Confidential Message

Real situations this is built for

Relaying a fraud-hotline code mid-call

Your father is on the phone with his bank's fraud line and they have SMSed him a six-digit code he cannot read through the kitchen-window glare. He calls you over speakerphone, you PasteOnce the digits to your sister at his house, and she reads them to the rep before the call ends.

Late instruction during a house visit

A friend is on the way to feed your cat and the spare key got moved. You paste 'taped under the rosemary planter, not the mat' into PasteOnce and fire the link over iMessage; they read it on your porch, not in a thread your roommate scrolls.

Pharmacy confirmation read-back

Your partner is on hold with the pharmacy and needs a confirmation string from an email open on your laptop. A link gets it onto their phone without leaving the value in iMessage history that syncs to the iPad the kids use on flights.

Frequently Asked Questions

How do I stop my iPhone from showing text codes on the lock screen?

Open Settings then Notifications then Show Previews and pick When Unlocked or Never. The first holds the body until Face ID confirms you; the second hides it even when unlocked. Android offers the same control under Notifications on lock screen.

Can I relay an SMS verification code I already received?

You can, but the code already lit up your own device and any paired watch, car, or tablet on the way in. The biggest privacy win is when the value originates with you — a PIN, a confirmation read off a desktop — and the surface you protect is the recipient's lock screen.

Is this faster than calling and reading the digits?

For a single four-digit number on a quiet line, a call wins. The link wins when digits run longer than seven characters, when accents make 'five' and 'nine' confusable, or when both parties want no call-log entry afterwards.

Will the link itself appear on the recipient's lock screen?

The URL preview appears in whichever messenger you used, like any other link. It contains only an opaque note ID and a fragment with the decryption key — no readable content. A bystander sees a pasteonce.link domain, not the digits inside.

Why secure one-time text message matters

What goes wrong when one-time text message is shared insecurely

Notification previews on by default. iOS Show Previews defaults to Always; Android's per-channel Sensitive content toggle ships on for most messengers. The full text of an incoming code renders on the locked screen, readable to anyone in glance range without any unlock action.

Watch and dashboard mirroring. Apple Watch, Wear OS, CarPlay, Android Auto, and Echo Show paired devices automatically mirror new SMS bodies. A spouse's wrist or a car speaker reading a confirmation number aloud has already broadcast it to whoever sits in the room.

Quote-reply turning ephemeral permanent. iMessage and WhatsApp let any participant tap-and-hold a short message and pin it as a quote-reply on a later thread. A four-digit code embedded that way persists indefinitely, indexed by Spotlight or Google Search on the device.

Wrong-recipient autocomplete. Recipient pickers fat-finger under time pressure, especially when contacts share initials or a group chat sits one tap above the intended thread. A misrouted plaintext code is already exposed; a misrouted link is harmless until opened.

How does one-time text message work on PasteOnce?

Client-Side Encryption

Your sensitive data is encrypted in your browser using AES-256-GCM. The encryption key is generated randomly and never sent to our servers.

Secure Storage

Only the encrypted blob is stored in our database, with an automatic expiration time. We literally cannot read your data.

One-Time Read

When your recipient opens the link, the encrypted data is fetched and immediately deleted from our servers using an atomic Redis GETDEL. The key in the URL hash decrypts the message in their browser.

Best practices for one-time text message

Coach the recipient on preview settings once

Choose the one-hour expiration

Verification codes from banks and 2FA providers already expire in 30 to 600 seconds at the source. Pick the shortest TTL so the encrypted blob dies before the underlying code itself would.

Strip identifying nouns from the payload

Read aloud when the call is open

If you are on a voice line and the round-trip will not fit in the verification window, speak the digits. A second link doubles lock-screen exposure on their device for no gain in privacy or speed.

Real situations this is built for

Relaying a fraud-hotline code mid-call

Late instruction during a house visit

Pharmacy confirmation read-back

Frequently Asked Questions

How do I stop my iPhone from showing text codes on the lock screen?

Can I relay an SMS verification code I already received?

Is this faster than calling and reading the digits?

Will the link itself appear on the recipient's lock screen?