@1time/cli
v0.5.0
Published
Command-line client for end-to-end encrypted one-time secret sharing on 1time.io
Maintainers
Readme
1time CLI
1time is a command-line client for 1time.io, an end-to-end encrypted one-time secret sharing service.
Use it to share passwords, API keys, tokens, private notes, and other sensitive text as self-destructing links from your terminal. It can also share encrypted files with one-time download links.
Why Use 1time CLI
- End-to-end encrypted: the secret is encrypted locally before it is sent to the server.
- One-time links: once the recipient opens the link, the stored payload is deleted.
- Simple terminal workflow: pipe a secret in, get a secure link out.
- Good for developer secrets: API keys, access tokens, SSH snippets, passwords, and incident-response notes.
Quick Start
Install from npm:
npm install -g @1time/cliCreate a one-time link from stdin:
printf 'my-api-key' | 1time sendRead a one-time link:
1time read 'https://1time.io/v/#...'Create a one-time file link:
1time send-file ./backup-codes.txtDownload a one-time file:
1time read-file 'https://1time.io/f/#...'How It Works
- You send a secret from your terminal.
- The CLI encrypts it locally using the same protocol as the web app.
- The backend stores only ciphertext plus an authentication token.
- The recipient opens the one-time link and decrypts the payload with the key material stored in the URL fragment.
The server does not receive the plaintext secret.
Install
From npm:
npm install -g @1time/cliFrom this repository:
cd cli
npm install -g .Requires Node.js 20+.
Commands
1time send
Create an encrypted one-time link.
Input precedence:
- piped
stdin 1TIME_SECRET- positional secret argument
Examples:
printf 'postgres://user:pass@host/db' | 1time send1TIME_SECRET='sk_live_123' 1time send1time send 'temporary-password-123'Use a custom host:
printf 'hello' | 1time send --host 1time.io
printf 'hello' | 1time send --host https://1time.io
printf 'hello' | 1time send --host http://127.0.0.1:8080Set a custom expiry:
printf 'hello' | 1time send --expires-in 23h
printf 'hello' | 1time send --expires-in 2d
printf 'hello' | 1time send --expires-in 2d23h1time read <link>
Fetch and decrypt a one-time link.
Examples:
1time read 'https://1time.io/v/#...'1time read --host http://127.0.0.1:8080 'http://127.0.0.1:8080/v/#...'1time send-file <path>
Create an encrypted one-time file link.
Examples:
1time send-file ./secret.pdf1TIME_PASSPHRASE='extra-passphrase' 1time send-file ./backup-codes.txt1time send-file --host http://127.0.0.1:8080 --passphrase 'extra-passphrase' ./report.zip1time send-file --expires-in 2d23h ./report.zip1time read-file <link>
Fetch, decrypt, and save a one-time file link.
By default, the file is written to the current directory using the original filename.
Examples:
1time read-file 'https://1time.io/f/#...'1TIME_PASSPHRASE='extra-passphrase' 1time read-file 'https://1time.io/f/#...'1time read-file --out ./downloads/secret.pdf 'https://1time.io/f/#...'Command Reference
--host <host-or-origin>--expires-in <duration>forsendandsend-file; supportshandd, for example23h,2d, or2d23h; default is1d; maximum is30d--passphrase <passphrase>forsend-fileandread-file--out <path>forread-file-h,--help
Host Rules
- default host is
1time.io - bare hosts like
1time.ioare normalized tohttps://1time.io https://...is acceptedhttp://...is rejected except for loopback hosts such as127.0.0.1
Security Notes
- Prefer
stdinforsend. 1time send 'secret'is supported for convenience, but it is insecure because command-line arguments can leak through shell history and process listings.1time read <link>also places the full secret link in command history and process listings. In this protocol, the URL fragment contains the decryption material.send-fileandread-filesupport optional passphrases via--passphraseor1TIME_PASSPHRASE.--expires-inis validated locally before the CLI sends the secret or file.
Current Limitations
readcurrently accepts the link as a command argument only
Local Development
Run directly from the repository root:
node cli/index.mjs --help
printf 'hello' | node cli/index.mjs send
node cli/index.mjs read 'https://1time.io/v/#...'Run tests:
cd cli
npm testRelease
Publish from cli/ so npm uses this README for the package page:
cd cli
npm login
npm pack --dry-run
npm publish --access publicThe package syncs the shared protocol before npm test, npm pack, and npm publish, so the published CLI includes the current encryption logic.
