Qopy is an enterprise-grade secure text and file sharing service that allows you to share both text content and files temporarily without requiring registration. Your content is encrypted client-side with AES-256-GCM and automatically deleted after a specified time period, ensuring ultimate privacy and security.

Key features:

• Unified platform - Share both text and files securely
• Client-side encryption - Content encrypted in your browser before transmission
• Zero-knowledge architecture - We literally cannot read your content
• Multi-part file uploads - Large files uploaded in secure chunks
• Quick Share mode - 4-character codes for ultra-fast sharing
• Enhanced security mode - 10-character codes with URL secrets
• Mobile-optimized - QR codes and responsive design
• No registration - Instant sharing, completely anonymous

Security implementation:

• Client-side encryption - Content encrypted in your browser with AES-256-GCM before transmission
• Zero-knowledge architecture - Server cannot access plain text content under any circumstances
• Hybrid security system - URL secrets combined with user passwords for defense in depth
• PBKDF2 key derivation - 100,000 iterations for password-protected content
• Deterministic IV derivation - IV derived from combined secrets for password-protected clips
• Auto-expiration - Content automatically deletes after specified time period
• Access code protection - Optional additional security layer
• One-time access - Content deleted after first access if configured
• Multi-layered rate limiting - Protection against abuse and spam
• No IP tracking - IP addresses processed only for rate limiting, not stored
• Binary storage - Encrypted content stored as BYTEA for efficiency

Simple and powerful:

1. Paste your text or select your file - Enter up to 100,000 characters or upload files up to 100MB
2. Choose mode - Quick Share (4-digit, 5min) or Enhanced Security (10-digit, flexible expiry)
3. Set expiration - From 5 minutes to 24 hours
4. Add protection - Optional access code and one-time access
5. Get your link - Share the generated URL with QR code
6. Mobile sharing - QR codes generated client-side for privacy
7. Auto-retrieval - Direct links automatically load content
8. Keyboard shortcuts - Ctrl/Cmd + 1/2 for tab switching

Two sharing modes:

• Quick Share - 4-character codes, 5-minute expiry, simplified sharing
• Enhanced Security - 10-character codes, URL secrets, flexible expiry

We implement a multi-layered rate limiting strategy to prevent abuse while ensuring fair usage for all users:

• Burst protection - Prevents rapid-fire attacks and sudden traffic spikes
• General API protection - Overall usage limits to maintain service stability
• Share API protection - Specific limits for content creation to prevent spam
• Retrieval API protection - Balanced limits for content access
• IP-based enforcement - Rate limits are enforced based on your IP address
• Temporary processing - IP addresses are only processed in memory for rate limiting
• No permanent storage - IP addresses are not stored permanently or used for tracking
• Browser extension blocking - Chrome extensions and other potentially malicious origins are blocked

Rate limit responses: When limits are exceeded, the service returns a 429 "Too Many Requests" status with information about limits and reset times.

Exempt endpoints: Health checks (/health, /api/health, /ping) and admin endpoints are exempt from rate limiting.

Privacy is our top priority:

• Client-side encryption - Content is encrypted in your browser before transmission
• Zero-knowledge - Server cannot access plain text content under any circumstances
• Binary database storage - Only encrypted data is stored as BYTEA, never plain text
• No user accounts - Anonymous usage without registration
• No content logging - Content is not analyzed or processed beyond encryption
• Automatic deletion - Encrypted content deleted after expiration
• GDPR compliant - Follows European privacy standards
• Temporary IP processing - IP addresses processed only for rate limiting, not stored permanently
• Client-side QR generation - QR codes generated locally, no external API calls

Content is encrypted end-to-end. Server compromise would not expose plain text data.

Yes, we have reasonable limits to ensure fair usage:

• Text content size - Maximum 100,000 characters per clip
• File size - Maximum 100MB per file
• Expiration time - Between 5 minutes and 24 hours
• Rate limiting - Multi-layered strategy with burst protection, API limits, and content-specific restrictions
• Temporary IP processing - IP addresses are only processed in memory for rate limiting, not stored permanently
• Access code length - Maximum 128 characters
• Clip ID - 10 characters (Enhanced Security) or 4 characters (Quick Share)

These limits help us maintain service quality and prevent abuse while ensuring fair usage for all users.

Encryption implementation details:

• AES-256-GCM - Advanced encryption algorithm
• Client-side processing - Encryption performed in browser, not on servers
• Hybrid security system:
  • URL secrets - 16-character random secret in URL fragment (e.g., #x7y9z2...)
  • User access codes - User-defined access code for additional protection
  • Combined secrets - Both secrets combined for enhanced security
• Zero-knowledge - Server cannot access plain text content
• PBKDF2 key derivation - 100,000 iterations for access code-protected content
• Automatic - No setup required, encryption happens seamlessly
• No access code transmission - Access codes remain client-side only
• Deterministic IV - For access code-protected clips, IV is derived from combined secret
• Binary storage - Direct byte concatenation, stored as BYTEA for efficiency
• Defense in depth - Access codes protected by URL secret
• Quick Share mode - Simplified encryption for non-sensitive content

How it works:

1. You type your content in the browser
2. Qopy generates a random 16-character URL secret
3. Your access code + URL secret are combined for encryption
4. Content is encrypted with AES-256-GCM using the combined secret
5. For access code-protected clips, IV is derived deterministically from combined secret
6. For non-protected clips, a random IV is generated
7. Encrypted data is stored using optimized byte concatenation (40% less overhead)
8. Share URL includes the URL secret as fragment (e.g., /clip/abc123#x7y9z2...)
9. Only encrypted data is stored in our database
10. When someone retrieves the content, they need both URL secret + access code
11. We never see the plain text at any point
12. Access codes and URL secrets are used only for encryption, never sent to our servers

Enhanced Security Benefits:

• Brute force protection - Access codes protected by URL secret
• URL-based access control - Complete URL required for content access
• Defense in depth - Two-factor security: access code plus URL
• Automatic generation - URL secrets generated automatically

Important: Client-side encryption available only through web interface. API calls transmit content as plaintext.

Yes! Qopy provides a complete REST API for programmatic access:

Creating Clips (POST /api/share)

curl -X POST https://qopy.app/api/share \
  -H "Content-Type: application/json" \
  -d '{
    "content": "Your text content here",
    "expiration": "1hr",
    "oneTime": false,
    "hasPassword": false
  }'

Retrieving Clips (GET /api/clip/:clipId)

curl https://qopy.app/api/clip/X8K2M9

Getting Clip Info (GET /api/clip/:clipId/info)

curl https://qopy.app/api/clip/X8K2M9/info

API Parameters:

• content - Text content (1-100,000 characters)
• expiration - "5min", "15min", "30min", "1hr", "6hr", "24hr"
• oneTime - Boolean, deletes clip after first access
• hasPassword - Boolean, indicates if content is access code-protected
• quickShare - Boolean, enables Quick Share mode (4-digit ID, 5min expiry)

Response Format:

{
  "success": true,
  "clipId": "X8K2M9",
  "url": "https://qopy.app/clip/X8K2M9",
  "expiresAt": 1703123456789,
  "oneTime": false
}

Important Security Note:

Client-side encryption is only available through the web interface. When using the API directly (e.g., with curl), content is sent as plaintext to the server and then encrypted server-side.

• Web interface - True client-side encryption (content encrypted in browser)
• Direct API calls - Server-side encryption only (content sent as plaintext)

For maximum security, always use the web interface at qopy.app for client-side encryption.

Other API Notes:

• Rate limiting - API endpoints are subject to the same rate limiting as the web interface
• Validation - All inputs are validated and sanitized
• No authentication - No API keys required, but rate limits apply per IP
• JSON only - All requests and responses use JSON format

Perfect for: Automation scripts, integrations, mobile apps, and programmatic content sharing!

Technical comparison between Qopy and Pastebin:

Technical advantages:

• Simplified workflow - Share text without registration
• Enterprise-grade encryption - Client-side AES-256-GCM encryption
• Zero-knowledge architecture - Server cannot access plain text content
• Quick Share mode - 4-character codes for simplified sharing
• Enhanced security - 10-character codes with URL secrets for sensitive content
• Mobile-optimized - QR codes and responsive design
• Ad-free interface - No advertisements or tracking
• Performance-optimized - Instant sharing with auto-retrieval and keyboard shortcuts