# onetap

onetap is a one-time sharing product for sensitive information. You paste text or attach an image, create a link, and the recipient can open it only once. After that first read, the content is destroyed. It is also available as an HTTP API and as an MCP server, so AI agents and developer tools can create and consume one-time links programmatically.

## Product Promise

- Share private content without long-lived chat history
- Reduce accidental re-sharing and screenshot loops
- Keep the experience fast: create link, send, done
- No account required for the public web app
- Account + API key required for the API / MCP surface
- First-class MCP support so AI tools can mint and read links

## Who It Is For

- People sharing temporary credentials
- Teams handing off short-lived notes
- Founders/operators sending private links quickly
- Anyone who wants less digital residue
- AI agents and developer tools that need to share secrets one-time

## Core User Experience

1. Write text and/or upload an image
2. (If needed) the image is compressed automatically before sending
3. Generate a unique link
4. Recipient opens the link once
5. Content is immediately deleted and cannot be opened again

## Account & API Surface

- Sign up with email + password (Google SSO is coming)
- Sign in / forgot-password flow with one-hour reset tokens
- Each account exposes a single active API key (`ot_live_…`)
  - The plaintext is shown exactly once on creation
  - Stored as a bcrypt hash; only prefix + last four are kept readable
  - Revoking or regenerating retires the previous key immediately
- Dashboard surfaces:
  - The current key (masked), with copy / regenerate / revoke
  - MCP setup snippets for Claude Desktop, Cursor, and raw clients
  - Activity stats (last 24h, last 7 days, all-time, 14-day sparkline)

## MCP Server

- Streamable HTTP MCP endpoint at `/api/mcp`
- Auth: `Authorization: Bearer ot_live_…`
- Tools exposed to clients:
  - `onetap.create_link({ content, image? })` → `{ url, expiresAt }`
  - `onetap.reveal_link({ url })` → `{ content }` (one-shot, atomic)
- Every call is recorded against the calling API key for the activity panel
- Designed to be configured by pasting a JSON snippet from the dashboard into the host client's MCP config (Claude Desktop, Cursor, etc.)

## Product Rules

- One-time read only
- Automatic expiration after 7 days if unopened
- Image support with a size cap (up to 5MB after processing)
- Attempting to reopen a consumed link shows an expired state
- API / MCP calls are subject to the same retention guarantees as the web app

## Privacy Positioning

onetap is designed to minimize data lifetime:

- content is stored ephemerally
- one-time retrieval is atomic
- consumed content is not retrievable
- accounts hold metadata only (email, API key hash, usage counters)
- raw API key plaintext is never persisted
- no account wall for the public web app

This product is for practical privacy and reduced persistence, not for bypassing legal/compliance obligations.
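
An added example, not onetap's own code: one way to make the reveal step atomic, so that concurrent opens of the same link return the content exactly once and the 7-day expiry is enforced. `OneTimeStore`, `race_reveal` and the in-memory dict are hypothetical stand-ins for the real storage layer.

```python
import secrets
import threading
import time

TTL_SECONDS = 7 * 24 * 3600  # page: unopened links expire after 7 days


class OneTimeStore:
    """Hypothetical in-memory store; a real deployment needs the same
    single-step consume from its database or cache."""

    def __init__(self, clock=time.time):
        self._items = {}          # token -> (content, expires_at)
        self._lock = threading.Lock()
        self._clock = clock

    def create(self, content: str) -> str:
        token = secrets.token_urlsafe(32)   # unguessable link id
        with self._lock:
            self._items[token] = (content, self._clock() + TTL_SECONDS)
        return token

    def reveal(self, token: str):
        # Remove-and-return in one critical section: there is no window
        # between "read" and "delete" that a second request can enter.
        with self._lock:
            entry = self._items.pop(token, None)
        if entry is None:
            return None                     # consumed, expired or unknown
        content, expires_at = entry
        if self._clock() >= expires_at:
            return None                     # expired; already removed above
        return content


def race_reveal(store, token, workers=16):
    """Open the same link from many threads at once; return all results."""
    results = []
    barrier = threading.Barrier(workers)

    def attempt():
        barrier.wait()                      # release all threads together
        results.append(store.reveal(token))

    threads = [threading.Thread(target=attempt) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return results
```

A read followed by a separate delete would let two simultaneous requests both see the content; the single pop under the lock is what closes that window.
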

## Trust & Safety Notes

- Input is validated before storage
- Passwords hashed with bcrypt
- Sessions issued as signed JWT cookies (HttpOnly, Secure, SameSite=Lax)
- API keys hashed at rest and matched on lookup
- Login and password-reset return generic responses to prevent enumeration
- Admin operations are protected behind secret path + token
- Sensitive actions use timing-safe comparisons

## Brand Tone

- Minimal
- Calm
- Utility-first
- Privacy by default

## Current Surface

- Main composer (text + image) — no account needed
- One-time reveal page
- Auth pages: sign up, sign in, forgot password
- Authenticated dashboard with API key management, MCP config, activity
- HTTP API and MCP server gated by `Authorization: Bearer ot_live_…`
- Protected admin flush tool
- Public product/context file (`llms.txt`)

## Suggested Near-Term Product Roadmap

- Google SSO sign-in
- Reset-password email delivery (token plumbing already exists)
- Multiple named API keys per account
- Optional passphrase per link
- Per-link custom expiry windows
- Burn-after-time-view countdown
- Link revocation before first open
- Lightweight activity receipts (without retaining content)
- Per-key usage quotas and rate limits
- Webhooks on link consumption

## Short Description

onetap helps you share something private once — from a browser or from an AI agent — and leave no reusable copy behind.