Qopy is a military-grade secure text sharing service that allows you to share text content temporarily without requiring registration. Your content is encrypted client-side with AES-256-GCM and automatically deleted after a specified time period, ensuring ultimate privacy and security.

Key features:

• 🔐 Client-side encryption - Content encrypted in your browser before transmission
• 🛡️ Zero-knowledge architecture - We literally cannot read your content
• ⚡ Quick Share mode - 4-character codes for ultra-fast sharing
• 🔒 Enhanced security mode - 10-character codes with URL secrets
• 📱 Mobile-optimized - QR codes and responsive design
• 🚫 No registration - Instant sharing, completely anonymous

Military-grade secure! We implement the most advanced security measures available:

• 🔐 Client-side encryption - Content encrypted in your browser with AES-256-GCM before transmission
• 🛡️ Zero-knowledge architecture - We literally cannot read your content, even if we wanted to
• 🔑 Hybrid security system - URL secrets + passwords for defense in depth
• 🔄 PBKDF2 key derivation - 100,000 iterations for password-protected content
• 🔒 Deterministic IV derivation - IV derived from combined secrets, not transmitted
• ⏰ Auto-expiration - Content automatically deletes after your chosen time
• 🔐 Password protection - Optional additional security layer
• 🔥 One-time access - Content can self-destruct after first read
• 🛡️ Multi-layered rate limiting - Protection against abuse and spam
• 🚫 No IP tracking - True privacy-first approach
• 📦 Binary storage - Encrypted content stored as BYTEA for efficiency

Simple and powerful:

1. 📝 Paste your text - Enter up to 100,000 characters
2. ⚡ Choose mode - Quick Share (4-digit, 5min) or Enhanced Security (10-digit, flexible expiry)
3. ⏰ Set expiration - From 5 minutes to 24 hours
4. 🔐 Add protection - Optional password and one-time access
5. 🔗 Get your link - Share the generated URL with QR code
6. 📱 Mobile sharing - QR codes generated client-side for privacy
7. 🔒 Auto-retrieval - Direct links automatically load content
8. ⌨️ Keyboard shortcuts - Ctrl/Cmd + 1/2 for tab switching

Two sharing modes:

• ⚡ Quick Share - 4-character codes, 5-minute expiry, simplified sharing
• 🔒 Enhanced Security - 10-character codes, URL secrets, flexible expiry

We implement a multi-layered rate limiting strategy to prevent abuse while ensuring fair usage for all users:

• 🚦 Burst protection - Prevents rapid-fire attacks and sudden traffic spikes
• 🛡️ General API protection - Overall usage limits to maintain service stability
• 📝 Share API protection - Specific limits for content creation to prevent spam
• 📖 Retrieval API protection - Balanced limits for content access
• 🔍 IP-based enforcement - Rate limits are enforced based on your IP address
• ⏰ Temporary processing - IP addresses are only processed in memory for rate limiting
• 🚫 No permanent storage - IP addresses are not stored permanently or used for tracking
• 🛡️ Browser extension blocking - Chrome extensions and other potentially malicious origins are blocked

Rate limit responses: When limits are exceeded, the service returns a 429 "Too Many Requests" status with information about limits and reset times.

Exempt endpoints: Health checks (/health, /api/health, /ping) and admin endpoints are exempt from rate limiting.

Privacy is our top priority:

• 🔐 Client-side encryption - Your content is encrypted in your browser before we ever see it
• 🛡️ Zero-knowledge - We literally cannot read your content, even if we wanted to
• 🔒 Binary database storage - Only encrypted data is stored as BYTEA, never plain text
• 🚫 No user accounts - Completely anonymous usage
• 📝 No content logging - We never analyze or mine your text data
• ⏰ Automatic deletion - Encrypted content disappears after expiration
• 🌍 GDPR compliant - Follows European privacy standards
• 🚫 Temporary IP processing - IP addresses are only processed for rate limiting, not stored permanently
• 🔒 Client-side QR generation - QR codes generated locally, no external API calls

Your content is encrypted end-to-end - even if someone hacked our servers, they couldn't read your data!

Yes, we have reasonable limits to ensure fair usage:

• 📄 Content size - Maximum 100,000 characters per clip
• ⏰ Expiration time - Between 5 minutes and 24 hours
• 🚦 Rate limiting - Multi-layered strategy with burst protection, API limits, and content-specific restrictions
• 🔍 Temporary IP processing - IP addresses are only processed in memory for rate limiting, not stored permanently
• 🔐 Password length - Maximum 128 characters
• 🆔 Clip ID - 10 characters (Enhanced Security) or 4 characters (Quick Share)

These limits help us maintain service quality and prevent abuse while ensuring fair usage for all users.

Qopy uses military-grade client-side encryption with advanced hybrid security:

• 🔐 AES-256-GCM - Military-grade encryption algorithm
• 🌐 Client-side processing - Encryption happens in your browser, not on our servers
• 🔑 Hybrid security system:
  • URL secrets - 16-character random secret in URL fragment (e.g., #x7y9z2...)
  • User passwords - Your chosen password for additional protection
  • Combined secrets - Both secrets combined for maximum security
• 🛡️ Zero-knowledge - We never see your plain text content
• 🔄 PBKDF2 key derivation - 100,000 iterations for password-protected content
• ⚡ Automatic - No setup required, encryption happens seamlessly
• 🚫 No password transmission - Passwords never leave your browser
• 🔒 Deterministic IV - For password-protected clips, IV is derived from combined secret (not transmitted)
• 📦 Binary storage - Direct byte concatenation, stored as BYTEA for efficiency
• 🛡️ Defense in depth - Even weak passwords are protected by URL secret
• ⚡ Quick Share mode - Simplified encryption for non-sensitive content

How it works:

1. You type your content in the browser
2. Qopy generates a random 16-character URL secret
3. Your password + URL secret are combined for encryption
4. Content is encrypted with AES-256-GCM using the combined secret
5. For password-protected clips, IV is derived deterministically from combined secret
6. For non-password clips, a random IV is generated
7. Encrypted data is stored using optimized byte concatenation (40% less overhead)
8. Share URL includes the URL secret as fragment (e.g., /clip/abc123#x7y9z2...)
9. Only encrypted data is stored in our database
10. When someone retrieves the content, they need both URL secret + password
11. We never see the plain text at any point
12. Passwords and URL secrets are used only for encryption, never sent to our servers

🔒 Enhanced Security Benefits:

• Brute force protection - Even simple passwords are protected by the URL secret
• URL-based access control - Only those with the complete URL can access the content
• Defense in depth - Two-factor security: something you know (password) + something you have (URL)
• Automatic generation - URL secrets are generated automatically, no user action required

⚠️ Important: Client-side encryption is only available through the web interface. API calls send content as plaintext to the server.

Yes! Qopy provides a complete REST API for programmatic access:

📝 Creating Clips (POST /api/share)

curl -X POST https://qopy.app/api/share \
  -H "Content-Type: application/json" \
  -d '{
    "content": "Your text content here",
    "expiration": "1hr",
    "oneTime": false,
    "hasPassword": false
  }'

📖 Retrieving Clips (GET /api/clip/:clipId)

curl https://qopy.app/api/clip/X8K2M9

ℹ️ Getting Clip Info (GET /api/clip/:clipId/info)

curl https://qopy.app/api/clip/X8K2M9/info

🔧 API Parameters:

• content - Text content (1-100,000 characters)
• expiration - "5min", "15min", "30min", "1hr", "6hr", "24hr"
• oneTime - Boolean, deletes clip after first access
• hasPassword - Boolean, indicates if content is password-protected
• quickShare - Boolean, enables Quick Share mode (4-digit ID, 5min expiry)

📋 Response Format:

{
  "success": true,
  "clipId": "X8K2M9",
  "url": "https://qopy.app/clip/X8K2M9",
  "expiresAt": 1703123456789,
  "oneTime": false
}

⚠️ Important Security Note:

Client-side encryption is only available through the web interface. When using the API directly (e.g., with curl), content is sent as plaintext to the server and then encrypted server-side.

• ✅ Web interface - True client-side encryption (content encrypted in browser)
• ❌ Direct API calls - Server-side encryption only (content sent as plaintext)

For maximum security, always use the web interface at qopy.app for client-side encryption.

🔒 Other API Notes:

• 🔒 Rate limiting - API endpoints are subject to the same rate limiting as the web interface
• 🛡️ Validation - All inputs are validated and sanitized
• 📱 No authentication - No API keys required, but rate limits apply per IP
• ⚡ JSON only - All requests and responses use JSON format

Perfect for: Automation scripts, integrations, mobile apps, and programmatic content sharing!

Qopy outperforms Pastebin in simplicity, privacy, and modern features:

Why choose Qopy?

• 🎯 Simplicity first - Share text in 3 clicks, no registration needed
• 🔐 Military-grade encryption - Client-side AES-256-GCM encryption for ultimate privacy
• 🛡️ Zero-knowledge architecture - We literally cannot read your content
• ⚡ Quick Share mode - 4-character codes for ultra-fast sharing
• 🔒 Enhanced security - 10-character codes with URL secrets for sensitive content
• 📱 Mobile-optimized - QR codes and responsive design for easy sharing
• 🚫 Zero distractions - No ads, no tracking, no bloat
• ⚡ Lightning fast - Instant sharing with auto-retrieval and keyboard shortcuts