API Documentation - SecureNote.link

Overview

Welcome to the SecureNote.link API documentation. This API allows you to create, retrieve, and manage secure, one-time notes with optional password protection and expiration. All endpoints are HTTPS only and require Content-Type: application/json for requests with a body. If using the API, you must encrypt your note first. See the examples below for encryption patterns.

🌐 Base URL: https://securenote.link 🛡️ Version: v1

Authentication & Rate Limiting

No authentication required for standard endpoints.
General API: 100 requests / 15 min
Password verification: 10 requests / 15 min
All requests must use HTTPS

Description

Create a new encrypted secret with optional password protection and expiration.

Request Body

Request Body	`{ "encryptedData": "string (required)", "iv": "string (required)", "password": "string (optional)", "expiresIn": "number (optional, hours: 1, 24, 72, 168)" }`
Response	`{ "id": "string", "passwordProtected": true, "expiresIn": 24 }`
Rate Limit	100 requests per 15 minutes

{
  "encryptedData": "string (required)",
  "iv": "string (required)",
  "password": "string (optional)",
  "expiresIn": "number (optional, hours: 1, 24, 72, 168)"
}

Response

{
  "id": "string",
  "passwordProtected": true,
  "expiresIn": 24
}

Rate Limit 100 requests per 15 minutes

Code Examples

// JavaScript fetch example
fetch('/api/v1/secrets', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    encryptedData: '...',
    iv: '...',
    password: 'optional',
    expiresIn: 24
  })
})

# Curl example
curl -X POST https://your-domain.com/api/v1/secrets \
  -H "Content-Type: application/json" \
  -d '{"encryptedData":"...","iv":"..."}'

Description

Retrieve a secret (marks it as accessed). Secret is deleted after retrieval if no password.

Parameters	ID (32-character hex string)
Response	`{ "content": { "encryptedData": "string", "iv": "string" }, "passwordProtected": false }`
Notes	Secret is deleted after retrieval if no password

Code Examples

// JavaScript fetch example
fetch('/api/v1/secrets/your-secret-id')
  .then(res => res.json())
  .then(data => console.log(data));

# Curl example
curl https://your-domain.com/api/v1/secrets/your-secret-id

Description

Verify the password for a secret without revealing it.

Request Body	`{ "password": "string (required)" }`
Response	`{ "valid": true }`
Rate Limit	10 requests per 15 minutes

Code Examples

// JavaScript fetch example
fetch('/api/v1/secrets/your-secret-id/verify', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({ password: 'yourpassword' })
}).then(res => res.json()).then(data => console.log(data));

# Curl example
curl -X POST https://your-domain.com/api/v1/secrets/your-secret-id/verify \
  -H "Content-Type: application/json" \
  -d '{"password":"yourpassword"}'

Description

Check the API service health status.

Response	{"status":"ok"}

Code Examples

// JavaScript fetch example
fetch('/api/v1/health')
  .then(res => res.json())
  .then(data => console.log(data));

# Curl example
curl https://your-domain.com/api/v1/health

Overview

These examples show AES-GCM encrypt/decrypt patterns used by the SecureNote client and server. They are intentionally simple and focused on interoperability: generate a 256-bit key, use a 96-bit (12 byte) IV, and store/send the ciphertext, IV, and key using base64 when needed. AES-GCM also produces an authentication tag (usually appended to or transmitted with the ciphertext).

// Browser Web Crypto - AES-GCM
async function encrypt(plaintext) {
  const enc = new TextEncoder();
  const key = await crypto.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt','decrypt']);
  const iv = crypto.getRandomValues(new Uint8Array(12)); // 96-bit
  const ct = await crypto.subtle.encrypt({ name: 'AES-GCM', iv }, key, enc.encode(plaintext));

  const exportedKey = await crypto.subtle.exportKey('raw', key);
  return {
    ciphertext: btoa(String.fromCharCode(...new Uint8Array(ct))),
    iv: btoa(String.fromCharCode(...iv)),
    key: btoa(String.fromCharCode(...new Uint8Array(exportedKey)))
  };
}

async function decrypt(ciphertextB64, ivB64, keyB64) {
  const dec = new TextDecoder();
  const ct = Uint8Array.from(atob(ciphertextB64), c => c.charCodeAt(0));
  const iv = Uint8Array.from(atob(ivB64), c => c.charCodeAt(0));
  const rawKey = Uint8Array.from(atob(keyB64), c => c.charCodeAt(0));
  const key = await crypto.subtle.importKey('raw', rawKey, 'AES-GCM', true, ['decrypt']);
  const plain = await crypto.subtle.decrypt({ name: 'AES-GCM', iv }, key, ct);
  return dec.decode(plain);
}

// Node.js (built-in crypto) - AES-256-GCM
const crypto = require('crypto');

function encrypt(plaintext) {
  const key = crypto.randomBytes(32); // 256-bit
  const iv = crypto.randomBytes(12);  // 96-bit
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();
  return {
    ciphertext: Buffer.concat([ct, tag]).toString('base64'),
    iv: iv.toString('base64'),
    key: key.toString('base64')
  };
}

function decrypt(ciphertextB64, ivB64, keyB64) {
  const data = Buffer.from(ciphertextB64, 'base64');
  const key = Buffer.from(keyB64, 'base64');
  const iv = Buffer.from(ivB64, 'base64');
  const tag = data.slice(data.length - 16);
  const ct = data.slice(0, data.length - 16);
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAuthTag(tag);
  const plain = Buffer.concat([decipher.update(ct), decipher.final()]);
  return plain.toString('utf8');
}

// Node.js WebCrypto (experimental) - AES-GCM via crypto.webcrypto.subtle
const { webcrypto } = require('crypto');

async function encrypt(plaintext) {
  const enc = new TextEncoder();
  const key = await webcrypto.subtle.generateKey({ name: 'AES-GCM', length: 256 }, true, ['encrypt','decrypt']);
  const iv = webcrypto.getRandomValues(new Uint8Array(12));
  const ct = await webcrypto.subtle.encrypt({ name: 'AES-GCM', iv }, key, enc.encode(plaintext));
  const raw = await webcrypto.subtle.exportKey('raw', key);
  return { ciphertext: Buffer.from(ct).toString('base64'), iv: Buffer.from(iv).toString('base64'), key: Buffer.from(raw).toString('base64') };
}

# Python (cryptography + requests) - AESGCM + API calls
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
import os, base64
import requests

BASE_URL = "https://securenote.link" 

def encrypt(plaintext: str):
  key = AESGCM.generate_key(bit_length=256)
  aesgcm = AESGCM(key)
  iv = os.urandom(12)
  ct = aesgcm.encrypt(iv, plaintext.encode('utf-8'), None)
  return {
    'ciphertext': base64.b64encode(ct).decode('utf-8'),
    'iv': base64.b64encode(iv).decode('utf-8'),
    'key': base64.b64encode(key).decode('utf-8')
  }

def decrypt(ciphertext_b64: str, iv_b64: str, key_b64: str):
  ct = base64.b64decode(ciphertext_b64)
  iv = base64.b64decode(iv_b64)
  key = base64.b64decode(key_b64)
  aesgcm = AESGCM(key)
  return aesgcm.decrypt(iv, ct, None).decode('utf-8')


def create_secret_api(plaintext, password=None, expires_in=24):
  # Encrypt locally
  enc = encrypt(plaintext)

  payload = {
    'encryptedData': enc['ciphertext'],
    'iv': enc['iv'],
    'password': password or None,
    'expiresIn': expires_in
  }

  resp = requests.post(f"{BASE_URL}/api/v1/secrets", json=payload)
  resp.raise_for_status()
  data = resp.json()

  # Build shareable URL: id in query, key in fragment
  secret_id = data.get('id')
  share_url = f"{BASE_URL}?id={secret_id}#{enc['key']}"
  return { 'url': share_url, 'id': secret_id, 'key': enc['key'], 'meta': data }


def retrieve_and_decrypt(secret_id, key_b64):
  # GET the secret from API (this will mark it accessed if no password)
  resp = requests.get(f"{BASE_URL}/api/v1/secrets/{secret_id}")
  resp.raise_for_status()
  data = resp.json()

  if data.get('passwordProtected'):
    raise ValueError('Secret is password protected — call verify endpoint with the password')

  content = data.get('content')
  if not content:
    raise ValueError('No content returned')

  plaintext = decrypt(content['encryptedData'], content['iv'], key_b64)
  return plaintext


def verify_password_and_get(secret_id, password, key_b64):
  # For password-protected secrets, POST to verify endpoint to receive the encrypted content
  resp = requests.post(f"{BASE_URL}/api/v1/secrets/{secret_id}/verify", json={'password': password})
  resp.raise_for_status()
  data = resp.json()
  if not data.get('content'):
    raise ValueError('Password incorrect or no content returned')
  return decrypt(data['content']['encryptedData'], data['content']['iv'], key_b64)


if __name__ == '__main__':
  # Example usage: create a secret and then retrieve it using the returned id/key
  neat = create_secret_api('This is a very secret note', password=None, expires_in=24)
  print('Share URL:', neat['url'])

  # Simulate someone opening the URL: parse id and key from the URL
  # (In a browser the key is in window.location.hash)
  secret_id = neat['id']
  key_b64 = neat['key']

  # Retrieve and decrypt
  try:
    plaintext = retrieve_and_decrypt(secret_id, key_b64)
    print('Decrypted:', plaintext)
  except ValueError as e:
    print('Error retrieving secret:', e)

// .NET (C#) - AesGcm (netcore / net5+)
using System;
using System.Security.Cryptography;
using System.Text;

static (string ciphertextB64, string ivB64, string keyB64) Encrypt(string plaintext) {
    byte[] key = new byte[32];
    RandomNumberGenerator.Fill(key);
    byte[] iv = new byte[12];
    RandomNumberGenerator.Fill(iv);
    byte[] plaintextBytes = Encoding.UTF8.GetBytes(plaintext);
    byte[] ciphertext = new byte[plaintextBytes.Length];
    byte[] tag = new byte[16];

    using (var aesgcm = new AesGcm(key)) {
        aesgcm.Encrypt(iv, plaintextBytes, ciphertext, tag, null);
    }

    // store ciphertext + tag or send separately
    var combined = new byte[ciphertext.Length + tag.Length];
    Buffer.BlockCopy(ciphertext, 0, combined, 0, ciphertext.Length);
    Buffer.BlockCopy(tag, 0, combined, ciphertext.Length, tag.Length);
    return (Convert.ToBase64String(combined), Convert.ToBase64String(iv), Convert.ToBase64String(key));
}

static string Decrypt(string ciphertextB64, string ivB64, string keyB64) {
    var combined = Convert.FromBase64String(ciphertextB64);
    var iv = Convert.FromBase64String(ivB64);
    var key = Convert.FromBase64String(keyB64);
    var tag = new byte[16];
    var ciphertext = new byte[combined.Length - tag.Length];
    Buffer.BlockCopy(combined, combined.Length - tag.Length, tag, 0, tag.Length);
    Buffer.BlockCopy(combined, 0, ciphertext, 0, ciphertext.Length);

    var plaintext = new byte[ciphertext.Length];
    using (var aesgcm = new AesGcm(key)) {
        aesgcm.Decrypt(iv, ciphertext, tag, plaintext, null);
    }
    return Encoding.UTF8.GetString(plaintext);
}

// Java - AES/GCM/NoPadding
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.security.SecureRandom;

KeyGenerator kg = KeyGenerator.getInstance("AES");
kg.init(256);
SecretKey key = kg.generateKey();
byte[] iv = new byte[12]; new SecureRandom().nextBytes(iv);
Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
GCMParameterSpec spec = new GCMParameterSpec(128, iv);
cipher.init(Cipher.ENCRYPT_MODE, key, spec);
byte[] ct = cipher.doFinal("secret message".getBytes(java.nio.charset.StandardCharsets.UTF_8));
// store ct and iv; decode with the same key and GCMParameterSpec

// Go - crypto/aes + cipher.NewGCM
package main

import (
  "crypto/aes"
  "crypto/cipher"
  "crypto/rand"
  "encoding/base64"
  "io"
)

func encrypt(plaintext string) (ciphertextB64, ivB64, keyB64 string, err error) {
  key := make([]byte, 32)
  if _, err = io.ReadFull(rand.Reader, key); err != nil { return }
  block, err := aes.NewCipher(key)
  if err != nil { return }
  gcm, err := cipher.NewGCM(block)
  if err != nil { return }
  iv := make([]byte, gcm.NonceSize())
  if _, err = io.ReadFull(rand.Reader, iv); err != nil { return }
  ct := gcm.Seal(nil, iv, []byte(plaintext), nil)
  ciphertextB64 = base64.StdEncoding.EncodeToString(ct)
  ivB64 = base64.StdEncoding.EncodeToString(iv)
  keyB64 = base64.StdEncoding.EncodeToString(key)
  return
}

# Ruby - OpenSSL AES-256-GCM
require 'openssl'
require 'base64'

def encrypt(plaintext)
  cipher = OpenSSL::Cipher.new('aes-256-gcm')
  cipher.encrypt
  key = cipher.random_key
  iv = cipher.random_iv
  cipher.auth_data = ''
  ct = cipher.update(plaintext) + cipher.final
  tag = cipher.auth_tag
  return { ciphertext: Base64.strict_encode64(ct + tag), iv: Base64.strict_encode64(iv), key: Base64.strict_encode64(key) }
end

// PHP - openssl (AES-256-GCM)
$key = random_bytes(32);
$iv = random_bytes(12);
$plaintext = 'secret message';
$tag = '';
$ciphertext = openssl_encrypt($plaintext, 'aes-256-gcm', $key, OPENSSL_RAW_DATA, $iv, $tag);
// send base64_encode($ciphertext . $tag), base64_encode($iv), base64_encode($key)

// C++ (libsodium) - Secretbox is not AES-GCM, but example for authenticated encryption
#include <sodium.h>
// libsodium's crypto_aead_xchacha20poly1305_ietf_* can be used for AEAD in place of AES-GCM

Note: examples show how to encrypt/decrypt locally and how to represent binary fields (ciphertext, iv, key) as base64 strings for transmission/storage. In production, never transmit the raw key; the key should remain in the client URL fragment (like SecureNote) or a secure KMS. Use HTTPS and enforce proper key handling policies.

Error Codes

400: Bad Request - Invalid parameters
401: Unauthorized - Authentication failed
403: Forbidden - Access denied
404: Not Found - Secret not found
410: Gone - Secret expired
429: Too Many Requests - Rate limit exceeded
500: Internal Server Error - Server error

Security Features

Encrypted data stored securely.
One-time access for secrets without passwords.
Optional password protection with verification.
Automatic expiration of secrets.
HTTPS enforced for all API calls.