
How it works

Secret sharing is designed so that ConductorOne never has access to your secrets. Encryption happens in your browser, before anything leaves your device. Here’s how a secret moves from creation to delivery:
  1. Create — choose who can access the secret, add your content, and decide how long it should stay available and how many times it can be viewed.
  2. Encrypt — your browser encrypts the content before upload. ConductorOne stores only the encrypted result and never sees your plaintext.
  3. Share — copy the generated link and send it to recipients through whatever channel you choose: email, Slack, a ticket, or anything else.
  4. Access — recipients click the link and authenticate (SSO for internal users, a one-time email magic link for external contacts), then view or download the content.

Create a secret

  1. In ConductorOne, navigate to Secrets in the left sidebar, then click Share a secret.
  2. Choose your audience.
     • Team members: Share with ConductorOne users in your organization. Recipients authenticate via SSO.
     • External recipients: Share with anyone via email address. Recipients verify their identity with a one-time magic link.
  3. Add recipients.
     • Internal: Search and select up to 128 users from your organization
     • External: Enter up to 64 email addresses (comma- or newline-separated)
  4. Choose a content format.
     • File: Any file up to 1 GB — documents, certificates, credential files, SSH keys.
     • Text: Passwords, API keys, tokens, or any sensitive plaintext (up to 64 KB).
     • JSON: Service account credentials or config objects, with syntax validation.
     • YAML: Kubernetes secrets, Helm values, or CI/CD configs.
     • Env: Environment variables in KEY=Value format — supports paste from .env files.
  5. Optional. To help recipients understand the secret’s purpose, add an explanatory label that will be visible to recipients.
  6. Set access limits.
     • Expiration: 1 hour to 30 days. Encrypted content is permanently deleted on expiry.
     • View limit: Unlimited, or 1–1,000 views. When the limit is reached, the content is permanently and irreversibly deleted.
  7. Click Share secret. Copy the generated share URL and send it to recipients via email, Slack, Teams, or another preferred channel.
ConductorOne does not notify recipients. The share URL is the only way to access the secret, and you must distribute it yourself.

View a secret

  1. Click the share URL.
  2. Authenticate with your organization’s SSO if you’re not already signed in.
  3. Click Reveal content or Download file.

Manage secrets

You can view and manage secrets you’ve created from the Secrets page. Administrators can manage all secrets across the tenant on the Shared secrets page.

As the secret creator

All users with the Basic user role can create secrets, view their own secrets, and revoke their own secrets.
  1. Navigate to Secrets in the left sidebar.
  2. View all secrets you’ve created with their status, view count, and expiration. Use the filters to switch between Active secrets and All secrets (which includes expired, burned, and revoked secrets).
  3. Click any secret to see its details, share URL, and activity.
Need to block access to a secret? Click Revoke to immediately and permanently delete the encrypted content of a secret and block further access.

As an administrator

Requires the Super admin role. Super admins can view metadata (not content) for all secrets in the tenant and revoke any secret.
  1. Navigate to Settings > Shared secrets.
  2. On the Secrets tab, you can view, search, and filter all secrets created across your tenant.
  3. Use the Audit Log tab to view all secret-related activity. Filter by actor email or IP address. Click View on any secret to view the JSON metadata for the secret.
  4. Need to block access to a secret? Click Revoke to immediately and permanently delete the encrypted content of a secret and block further access.

Secret-sharing security

Content is encrypted in your browser before it’s uploaded. ConductorOne stores only encrypted blobs and never sees your plaintext. When a recipient accesses a secret, an isolated vault service decrypts and delivers the content to that specific recipient. Plaintext is never stored, logged, or persisted.
  • Browser-side encryption: Content is encrypted before upload; plaintext never touches ConductorOne servers or logs.
  • Isolated decryption: A dedicated vault service handles decryption, with access controlled by AWS KMS with hardware security modules.
  • View limits and expiration: Content is permanently deleted after the view limit is reached or the expiration time passes.
  • Magic link protection: Magic link tokens are single-use and expire after 15 minutes.
  • Audit logging: All create, view, revoke, and access-denied events are logged.

Frequently asked questions about secret sharing

Absolutely not. ConductorOne stores only encrypted blobs. Decryption occurs in an isolated vault service and plaintext is never stored or logged.
Encrypted content is permanently deleted. Metadata (creator, creation date, recipients) is retained for audit purposes with a status of “Expired” or “Burned.”
No. If you need a secret to be available for longer, create a new one with the desired expiration and share the new link with recipients.
Encrypted content is permanently deleted and all future access attempts return a “Revoked” status.
Creators can see the current view count. Administrators can access detailed audit logs with per-viewer, per-event timestamps and client IP addresses.
Internal recipients: up to 128 users. External recipients: up to 64 email addresses. These limits apply per secret.
Files: up to 1 GB. Text content (Text, JSON, YAML, Key-value): up to 64 KB.
Via a single-use magic link sent to their email address. Magic links expire after 15 minutes.

Secret sharing events in system logs

All secret-sharing activity is recorded in the ConductorOne system log. Events use the paper_secret_ prefix. For details on accessing, exporting, and querying log data, see System logs.

Event types

Event | Activity name | Description
Secret created | paper_secret_created | New secret created.
Opened (internal) | paper_secret_opened_internal | Internal user viewed content.
Opened (external) | paper_secret_opened | External user viewed content.
Revoked | paper_secret_revoked | Creator revoked a secret.
Revoked (admin) | paper_secret_revoked_admin | Admin revoked a secret.
Magic link created | paper_secret_magic_link_created | Magic link sent to external recipient.
Access denied | paper_secret_access_denied | Unauthorized access attempt.
File downloaded | paper_secret_file_downloaded | File secret downloaded.

Event payload

Each event includes:
  • Secret ID and share code (format: XXXX-XXXX-XXXX)
  • Sharing mode: internal or external
  • Secret type: text or file
  • Actor: user or email address
  • Client IP and timestamp

Filter examples

Use these filters in Settings > System Log.

All secret sharing activity:
activity_name starts with "paper_secret_"

Views only:
activity_name in ("paper_secret_opened", "paper_secret_opened_internal")

Access denied:
activity_name = "paper_secret_access_denied"

Activity by a specific user:
activity_name starts with "paper_secret_" AND actor.user.email = "user@example.com"

External activity only:
activity_name in ("paper_secret_opened", "paper_secret_magic_link_created")
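As an added example (not ConductorOne's own code), the five filters above applied in Python to a constructed set of exported system-log events, plus two triage summaries a reviewer would want: access-denied attempts per client IP and views per share code. Only activity_name and actor.user.email are field paths taken from this page; the other keys (share_code, sharing_mode, client_ip, timestamp) are assumed names for the payload fields listed under Event payload.

```python
from collections import Counter

PREFIX = "paper_secret_"

def event(name, email, code, mode, ip, ts):
    # Build one constructed event. Only activity_name and actor.user.email are
    # documented field paths; the remaining key names are assumptions.
    return {"activity_name": name, "actor": {"user": {"email": email}},
            "share_code": code, "sharing_mode": mode, "client_ip": ip, "timestamp": ts}

# Constructed sample log, not real ConductorOne data. Share codes use the XXXX-XXXX-XXXX format.
EVENTS = [
    event("paper_secret_created", "alice@example.com", "AB12-CD34-EF56", "external", "203.0.113.10", "2024-01-01T10:00:00Z"),
    event("paper_secret_magic_link_created", "bob@partner.example", "AB12-CD34-EF56", "external", "198.51.100.7", "2024-01-01T10:05:00Z"),
    event("paper_secret_opened", "bob@partner.example", "AB12-CD34-EF56", "external", "198.51.100.7", "2024-01-01T10:06:00Z"),
    event("paper_secret_opened_internal", "carol@example.com", "GH78-IJ90-KL12", "internal", "203.0.113.22", "2024-01-01T11:00:00Z"),
    event("paper_secret_access_denied", "mallory@other.example", "AB12-CD34-EF56", "external", "192.0.2.99", "2024-01-01T12:00:00Z"),
    event("paper_secret_access_denied", "mallory@other.example", "GH78-IJ90-KL12", "external", "192.0.2.99", "2024-01-01T12:01:00Z"),
    event("user_login", "alice@example.com", "", "", "203.0.113.10", "2024-01-01T12:30:00Z"),  # unrelated event, must be filtered out
]

def all_secret_activity(events):
    # activity_name starts with "paper_secret_"
    return [e for e in events if e["activity_name"].startswith(PREFIX)]

def views_only(events):
    # activity_name in ("paper_secret_opened", "paper_secret_opened_internal")
    return [e for e in events if e["activity_name"] in ("paper_secret_opened", "paper_secret_opened_internal")]

def access_denied(events):
    # activity_name = "paper_secret_access_denied"
    return [e for e in events if e["activity_name"] == "paper_secret_access_denied"]

def by_user(events, email):
    # activity_name starts with "paper_secret_" AND actor.user.email = <email>
    return [e for e in all_secret_activity(events) if e["actor"]["user"]["email"] == email]

def external_only(events):
    # activity_name in ("paper_secret_opened", "paper_secret_magic_link_created")
    return [e for e in events if e["activity_name"] in ("paper_secret_opened", "paper_secret_magic_link_created")]

def denied_by_ip(events):
    # Triage helper: how many access-denied events came from each client IP.
    return Counter(e["client_ip"] for e in access_denied(events))

def views_per_secret(events):
    # Views per share code, to compare against the view limit set on the secret.
    return Counter(e["share_code"] for e in views_only(events))
```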