Onetimesecret MCP

A privacy - first secret sharing application based on the Model Context Protocol, supporting client - side encryption and self - destruct after reading functions, and providing server - side storage through Cloudflare Workers.

Security Developer tools #Secret Sharing #Self - Destruct After Reading #Client - Side Encryption #MCP Integration .TypeScript

rating : 2 points

downloads : 3.6K

update time : 2026-03-12

Open Site

What is OneTime Secret?

OneTime Secret is a secure and privacy - first secret sharing tool. It allows you to create encrypted messages (such as passwords, sensitive information, temporary access codes, etc.) and generate a shareable link. After the recipient opens the link and enters the password, they can view the secret content, and then the secret will automatically self - destruct or have its viewing times limited according to the settings. The server will never see your plain - text secret or password, and all encryption and decryption are done on the client side.

How to use OneTime Secret?

You can use it in two ways: 1) Use it directly as an MCP application in Claude Desktop, creating and sharing secrets through conversations; 2) Non - Claude users can access the independent web interface through the generated link to view secrets. The basic process is: create a secret → set a password and expiration date → share the link → the recipient views the secret → the secret automatically self - destructs.

Use cases

Suitable for sharing temporary passwords, sensitive configuration information, one - time access tokens, private notes, confidential messages, etc. It is especially suitable for situations where you need to ensure that information is not stored for a long time or viewed multiple times.

Main Features

Zero - Knowledge Encryption

All secrets are encrypted on your device using AES - 256 - GCM. The server only stores the encrypted data and will never see your plain - text secret or password.

Automatic Self - Destruction

Secrets can be set to self - destruct after a single view or automatically expire after a certain period (up to 7 days), ensuring that information is not permanently retained.

MCP Integration

Seamlessly integrated into Claude Desktop, allowing you to create and manage secrets directly through conversations without leaving the chat interface.

Independent Interface

Provides a simple web interface for users without Claude. They can view secrets by simply opening the link and entering the password.

Cloudflare Backend

Uses the Cloudflare Workers global edge network for storage, ensuring fast access and high availability. Data is automatically expired and cleaned up.

Flexible Sharing Methods

Supports multiple sharing methods: sharing the link and password separately, single - link sharing, etc., to meet different security requirements.

Advantages

Extremely high privacy protection: The server cannot access your plain - text data

Easy to use: No need to register an account, directly create and share

Automatic cleaning: Secrets are automatically deleted after expiration, leaving no traces

Multiple usage methods: Supports MCP integration and independent web access

Globally available: Based on the Cloudflare edge network, with fast access

Open - source and transparent: The code is open - source, and the security mechanism can be verified

Limitations

Single or limited views: Not suitable for scenarios that require multiple accesses

Time limit: The maximum storage time is 7 days, not suitable for long - term storage

File size limit: Maximum support for 1MB of encrypted data

Dependent on password memory: You need to remember or securely transfer the password

Network dependency: Requires an Internet connection to create and view secrets

How to Use

Installation and Configuration

First, you need to install the MCP server and configure it in Claude Desktop. If you are only viewing secrets shared by others, you can skip this step.

Create a Secret

Request to create a secret directly in Claude, providing the message to be encrypted and the password. You can also set the expiration date and viewing times limit.

Share the Link

Claude will generate a shareable link. Send this link to the recipient. For higher security, send the password through other channels (such as SMS, encrypted messages).

View the Secret (Recipient)

The recipient opens the link, enters the password on the web page, and can view the secret content. After viewing, the secret may be destroyed according to the settings.

Usage Examples

Share Temporary Login Credentials

You need to temporarily give a colleague access to a system but don't want to send the plain - text password through an insecure channel.

Send Sensitive Configuration Information

The development team needs to share API keys or database connection strings without leaving traces in version control or chat records.

Pass Private Messages

You need to send a message containing personal information, ensuring that only the specific recipient can view it and that no record is left on the server.

Frequently Asked Questions

If I forget the password, can I retrieve the secret?

How long can a secret be stored at most?

Can I share files?

How to ensure the security of the shareable link?

Can I use it without Claude Desktop?

If the server is attacked, will my secret be leaked?

Related Resources

GitHub Repository

Complete source code, issue tracking, and contribution guidelines

Deployment Guide

Detailed self - deployment and configuration instructions

Model Context Protocol Official Website

Learn about the MCP protocol and technical details

Cloudflare Workers Documentation

Documentation for the serverless platform used in the backend

🚀 Amp CLI Bridge - File-Based Communication System

The Amp CLI Bridge is a file-based message queue system. It allows Claude Code to utilize Amp CLI capabilities without using Claude Code credits. This system enables sending research requests, code analysis tasks, and other prompts to Amp CLI from Claude Code, with results returned asynchronously through a file-based queue.

🚀 Quick Start

1. Start the Watcher

In a separate terminal, run:

./scripts/amp/start-amp-watcher.sh

This initiates the background watcher process that monitors prompts/pending/ for new files.

2. Use from Claude Code

In your Claude Code session:

You: "Use @agent-amp-bridge to research TypeScript 5.0 features"

The agent will:

Create a prompt file in prompts/pending/
Wait for the watcher to process it
Read the response from responses/ready/
Present the results to you

3. Stop the Watcher

When finished:

./scripts/amp/stop-amp-watcher.sh

✨ Features

Zero Claude Code Credits: All Amp API calls are made from a separate authenticated session.
Async Processing: Claude Code doesn't block while waiting for responses.
Fault Tolerant: The file-based queue can survive crashes and restarts.
Audit Trail: All prompts and responses are saved for debugging and review.
Reusable: Prompts can be replayed, and past responses can be reviewed.

📦 Installation

Setup (One-Time)

If this directory doesn't exist or is incomplete, create it:

# From project root
mkdir -p .claude/amp/prompts/pending
mkdir -p .claude/amp/responses/{ready,consumed}

Note: This directory is gitignored (user-specific working space). The structure is created locally as needed.

💻 Usage Examples

Using the Amp CLI Bridge in Claude Code:

You: "Use @agent-amp-bridge to research TypeScript 5.0 features"

📚 Documentation

Overview

The Amp CLI Bridge enables you to send various prompts to Amp CLI from Claude Code, and the results are returned asynchronously via a file-based queue.

Architecture

Claude Code (@agent-amp-bridge)
    ↓
    writes prompt to → prompts/pending/{uuid}.json
                              ↓
                    amp-watcher.js (separate process)
                              ↓
                    executes → amp -x "prompt"
                              ↓
                    writes → responses/ready/{uuid}.json
                              ↓
    Claude Code reads ← response

Directory Structure

.claude/amp/
├── prompts/
│   ├── pending/        # Queue for new prompts (watched by amp-watcher.js)
│   └── processed/      # Archive of completed prompts
├── responses/
│   ├── ready/          # Responses from Amp (read by Claude Code)
│   └── consumed/       # Archive of consumed responses
├── amp-watcher.js      # Node.js file watcher that processes prompts
├── config.json         # Configuration file
├── amp-watcher.log     # Watcher logs
└── README.md           # This file

Configuration

Edit .claude/amp/config.json:

{
  "pollInterval": 1000,      // Check for new prompts every 1s
  "timeout": 300000,          // 5 minute timeout per prompt
  "debug": false,             // Enable debug logging
  "ampCommand": "amp"         // Amp CLI command path
}

Message Format

Prompt File

Location: prompts/pending/{uuid}.json

{
  "id": "550e8400-e29b-41d4-a716-446655440000",
  "timestamp": "2025-11-04T20:00:00.000Z",
  "prompt": "Your research question or task here",
  "context": {
    "project": "mcp-memory-service",
    "cwd": "/path/to/project",
    "tags": ["research", "typescript"]
  },
  "options": {
    "timeout": 300000,
    "format": "markdown"
  }
}

Response File

Location: responses/ready/{uuid}.json

{
  "id": "550e8400-e29b-41d4-a716-446655440000",
  "timestamp": "2025-11-04T20:05:00.000Z",
  "success": true,
  "output": "Amp CLI response content here...",
  "error": null,
  "duration": 300000,
  "originalPrompt": { /* echo of prompt for reference */ }
}

Helper Scripts

Located in scripts/amp/:

start-amp-watcher.sh - Start the watcher in the background
stop-amp-watcher.sh - Stop the watcher gracefully
test-amp-bridge.sh - Integration test (creates a test prompt, waits for a response)

Use Cases

Web Research: "Research latest React 18 features and concurrent rendering"
Code Analysis: "Analyze the storage backend architecture in src/storage/"
Documentation: "Generate comprehensive API docs for MCP tools"
Code Generation: "Create TypeScript type definitions for the API"
Best Practices: "Find OAuth 2.1 security recommendations and implementation patterns"

Limitations

Latency: File polling adds approximately 1s of overhead per request.
Amp Credits: The system still consumes Amp API credits (free tier limits apply).
Manual Start: The watcher must be started manually in a separate terminal.
Best for Research: It is optimized for async research tasks, not real-time interaction.

🔧 Technical Details

Watcher Implementation

The amp-watcher.js script:

Polls prompts/pending/ every 1 second (configurable).
For each .json file found:
- Reads the prompt.
- Executes amp -x "{prompt}".
- Captures stdout/stderr.
- Writes the response to responses/ready/.
- Moves the prompt to prompts/processed/.
Handles errors gracefully (writes error responses).
Supports graceful shutdown (SIGTERM/SIGINT).

Agent Implementation

The @agent-amp-bridge Claude Code agent:

Generates a UUID for request tracking.
Writes the prompt JSON to prompts/pending/.
Polls responses/ready/ for a matching UUID.
Reads and parses the response when available.
Moves the response to responses/consumed/.
Presents the formatted output to the user.

File Cleanup

Archives are kept for debugging:

prompts/processed/ - Completed prompts
responses/consumed/ - Consumed responses

Manual cleanup (optional):

# Remove archives older than 7 days
find .claude/amp/prompts/processed -name "*.json" -mtime +7 -delete
find .claude/amp/responses/consumed -name "*.json" -mtime +7 -delete

For Developers

Extending the System

Custom timeout per request:

{
  "prompt": "Complex analysis task",
  "options": {
    "timeout": 600000  // 10 minutes
  }
}

Debug mode:

node .claude/amp/amp-watcher.js --debug

Custom poll interval:

node .claude/amp/amp-watcher.js --interval 500  // 500ms

Testing Changes

Make changes to amp-watcher.js or the agent.
Restart the watcher: ./scripts/amp/stop-amp-watcher.sh && ./scripts/amp/start-amp-watcher.sh
Run the integration test: ./scripts/amp/test-amp-bridge.sh