[ 'iv' => [12, 83, 144, 221], 'data' => [167, 44, 222, 1], ], 'expiresIn' => 86400, 'burnAfterRead' => false, 'hasPassword' => false, ]; $ch = curl_init('{{BASE_URL}}/api/pastes'); curl_setopt_array($ch, [ CURLOPT_POST => true, CURLOPT_RETURNTRANSFER => true, CURLOPT_HTTPHEADER => ['Content-Type: application/json'], CURLOPT_POSTFIELDS => json_encode($payload), ]); $response = curl_exec($ch); curl_close($ch); echo $response; PHP2; $phpExample = str_replace('{{BASE_URL}}', $baseUrl, $phpTemplate); ?> Secure Pastebin API Docs

Secure Pastebin API

Zero-Knowledge API for encrypted notes, subjects, and Markdown payloads

POST /api/pastes POST /api/pastes/{id} GET /api/pastes/{id} GET /api/pastes/{id}/meta GET /api/options GET /api/health
ℹ️
Important
Subject, Markdown text, and any password-derived key handling must stay on the client side. The API should receive only encrypted bytes and metadata like expiration and burn-after-read flags.

Base URL

Supported capabilities

create custom id retrieve metadata custom expiration burn after read password flag byte arrays base64url payloads

Endpoint overview

Method Endpoint What it does
POST /api/pastes Create a new encrypted paste. The server generates a short id unless you pass one in the body.
POST /api/pastes/{id} Create a new encrypted paste with a custom short id in the URL path.
GET /api/pastes/{id} Fetch the encrypted payload plus metadata. Burn-after-read pastes are deleted after the first successful read.
GET /api/pastes/{id}/meta Read metadata only without consuming the encrypted payload.
GET /api/options Return limits, presets, supported formats, and the endpoint map.
GET /api/health Simple health check for uptime monitoring.

Legacy routes /api/create and /api/get/{id} still work for backward compatibility.

Create request body

Create field notes

  • encryptedData.iv and encryptedData.data can be sent as byte arrays.
  • You can also send iv/data at the top level instead of nesting under encryptedData.
  • You can send ivBase64/dataBase64 or encryptedData.ivBase64/encryptedData.dataBase64 instead of byte arrays.
  • customExpiresAt is a Unix timestamp in seconds and overrides expiresIn.
  • hasPassword is a client hint only. Never send the password itself to the API.
  • Subject and Markdown stay inside the encrypted payload so the API remains zero-knowledge.

Create example

Create with custom path ID

Create response

Read response

Options response

Behavior notes

  • url is the clean short-link base without the key fragment.
  • retrieveUrl is the API endpoint for programmatic reads.
  • metaUrl gives metadata without consuming the ciphertext.
  • Reading a burn-after-read paste from /api/pastes/{id} removes it after the first successful response.
  • Byte arrays and base64url are both returned on reads for easier client integration.

JavaScript example

PHP example

Typical integration flow

  1. Generate the AES key in the browser or in your app.
  2. Optionally derive the key from a password locally.
  3. Encrypt a JSON payload that contains subject and Markdown content.
  4. Send the encrypted bytes plus expiration settings to /api/pastes or /api/pastes/{id}.
  5. Share result.url#keyFragment with the recipient.
  6. The recipient calls /api/pastes/{id}, then decrypts locally.

Quick links

Main app This docs page /api/options /api/health