Qopy is an enterprise-grade secure text and file sharing service that allows you to share both text content and files temporarily without requiring registration. Your content is encrypted client-side with AES-256-GCM and automatically deleted after a specified time period, ensuring ultimate privacy and security.

Key features:

• Unified platform - Share both text and files securely
• Client-side encryption - Content encrypted in your browser before transmission
• Zero-knowledge architecture - We literally cannot read your content
• Multi-part file uploads - Large files uploaded in secure chunks
• Quick Share mode - 6-character codes with zero-knowledge encryption for instant sharing with peers
• Enhanced security mode - 10-character codes with URL secrets
• Mobile-optimized - QR codes and responsive design
• No registration - Instant sharing, completely anonymous

Security implementation:

• Client-side encryption - Content encrypted in your browser with AES-256-GCM before transmission
• Zero-knowledge architecture - Server cannot access plain text content under any circumstances
• Hybrid security system - URL secrets combined with user passwords for defense in depth
• PBKDF2 key derivation - 600,000 iterations (OWASP 2025 compliant) with per-clip random salts
• Random IV generation - Cryptographically random 96-bit IV per encryption operation
• Auto-expiration - Content automatically deletes after specified time period
• Access code protection - Optional additional security layer
• One-time access - Content deleted after first access if configured
• Multi-layered rate limiting - Protection against abuse and spam
• No IP tracking - IP addresses processed only for rate limiting, not stored
• Binary storage - Encrypted content stored as BYTEA for efficiency

Simple and powerful:

1. Paste your text or select your file - Enter up to 100,000 characters or upload files up to 100MB
2. Choose mode - Quick Share (6-digit, 5min) or Enhanced Security (10-digit, flexible expiry)
3. Set expiration - From 5 minutes to 24 hours
4. Add protection - Optional access code and one-time access
5. Get your link - Share the generated URL with QR code
6. Mobile sharing - QR codes generated client-side for privacy
7. Auto-retrieval - Direct links automatically load content
8. Keyboard shortcuts - Ctrl/Cmd + 1/2 for tab switching

Two sharing modes:

• Quick Share - 6-character codes, 5-minute expiry, zero-knowledge encryption — ideal for quick sharing with peers
• Enhanced Security - 10-character codes, longer URL secrets, flexible expiry — for sensitive content requiring maximum protection

We implement a multi-layered rate limiting strategy to prevent abuse while ensuring fair usage for all users:

• Burst protection - Prevents rapid-fire attacks and sudden traffic spikes
• General API protection - Overall usage limits to maintain service stability
• Share API protection - Specific limits for content creation to prevent spam
• Retrieval API protection - Balanced limits for content access
• IP-based enforcement - Rate limits are enforced based on your IP address
• Temporary processing - IP addresses are only processed in memory for rate limiting
• No permanent storage - IP addresses are not stored permanently or used for tracking
• Browser extension blocking - Chrome extensions and other potentially malicious origins are blocked

Rate limit responses: When limits are exceeded, the service returns a 429 "Too Many Requests" status with information about limits and reset times.

Exempt endpoints: Health checks (/health, /api/health, /ping) and admin endpoints are exempt from rate limiting.

What the server NEVER sees

• Plaintext content - Encrypted client-side before upload; server only stores ciphertext
• Real filenames - Replaced with a random hash (e.g. a7f3b2c9) on the client before upload
• Real MIME types - Encrypted inside the file payload; server only sees application/octet-stream or text/plain
• Plaintext access codes - Only a PBKDF2-SHA-512 hash (600,000 iterations) is sent to the server for access validation. The server cannot reverse this hash to recover your code.
• URL secrets - Kept in the URL fragment (#), which is never transmitted to the server
• Decryption keys - Generated and used only in your browser
• IP addresses - Processed in-memory for rate limiting only, never stored in the database

What the server DOES store

All stored data auto-deletes when your chosen expiration time is reached.

Data	Actual value stored	Purpose
Encrypted content	Binary blob (BYTEA)	Core functionality
Filename	Random hash	File reference
Content type	text or file	Routing logic
MIME type	application/octet-stream or text/plain	Response headers
File size	Padded size (not original)	Chunk assembly
Expiration time	Unix timestamp	Auto-deletion
Access code hash	Bcrypt hash	Authentication
Feature flags	one_time, quick_share, has_password	Feature logic
Aggregate statistics	Total clips, total accesses (no per-user data)	Admin dashboard (permanent)

No user accounts, no cookies, no tracking. GDPR compliant. Content is encrypted end-to-end — a server compromise would not expose plaintext data.

Yes, we have reasonable limits to ensure fair usage:

• Text content size - Maximum 100,000 characters per clip
• File size - Maximum 100MB per file
• Expiration time - Between 5 minutes and 24 hours
• Rate limiting - Multi-layered strategy with burst protection, API limits, and content-specific restrictions
• Temporary IP processing - IP addresses are only processed in memory for rate limiting, not stored permanently
• Access code length - Maximum 128 characters
• Clip ID - 10 characters (Enhanced Security) or 6 characters (Quick Share)

These limits help us maintain service quality and prevent abuse while ensuring fair usage for all users.

Encryption implementation details:

• AES-256-GCM - Advanced encryption algorithm
• Client-side processing - Encryption performed in browser, not on servers
• Hybrid security system:
  • URL secrets - High-entropy (256-bit) random secret in URL fragment (never sent to server)
  • User access codes - User-defined access code for additional protection
  • Combined secrets - Both secrets combined for enhanced security
• Zero-knowledge - Server cannot access plain text content
• PBKDF2 key derivation - 600,000 iterations with per-clip random 256-bit salts
• Automatic - No setup required, encryption happens seamlessly
• No plaintext access code transmission - Only a PBKDF2-SHA-512 hash of your access code is sent to the server; the plaintext code never leaves your browser
• Random IV - Cryptographically random 96-bit IV generated per encryption operation
• Binary storage - Direct byte concatenation, stored as BYTEA for efficiency
• Defense in depth - Access codes protected by URL secret
• Quick Share mode - Same zero-knowledge encryption as Enhanced Security, with shorter 6-character codes and URL secrets for instant peer-to-peer sharing

How it works:

1. You type your content or select a file in the browser
2. Qopy generates a high-entropy URL secret (256-bit for Enhanced Security, 31-bit for Quick Share)
3. Your access code + URL secret are combined for encryption
4. A random 256-bit salt and 96-bit IV are generated per clip
5. Content is encrypted with AES-256-GCM using a PBKDF2-derived key (600,000 iterations)
6. Encrypted data is stored using optimized byte concatenation (40% less overhead)
7. Share URL includes the URL secret as fragment (e.g., /clip/abc123#x7y9z2...)
8. Only encrypted data is stored in our database
9. When someone retrieves the content, they need both URL secret + access code
10. We never see the plain text at any point
11. URL secrets are never sent to our servers (kept in URL fragment). Plaintext access codes never leave the browser — only a PBKDF2-SHA-512 hash is transmitted for access validation.

Enhanced Security Benefits:

• Brute force protection - Access codes protected by URL secret
• URL-based access control - Complete URL required for content access
• Defense in depth - Two-factor security: access code plus URL
• Automatic generation - URL secrets generated automatically

Important: Client-side encryption available only through web interface. API calls transmit content as plaintext.

Yes! Qopy provides a complete REST API for programmatic access using a 3-step upload flow:

Step 1: Initiate Upload (POST /api/upload/initiate)

curl -X POST https://qopy.app/api/upload/initiate  -H "Content-Type: application/json"  -d '{
    "filename": "message.txt",
    "filesize": 26,
    "totalChunks": 1,
    "expiration": "1hr",
    "oneTime": false,
    "hasPassword": false
  }'

Step 2: Upload Chunk (POST /api/upload/chunk/:uploadId/:chunkNumber)

Send the file as plaintext (no client-side encryption when using the API). Use the uploadId from step 1.

curl -X POST https://qopy.app/api/upload/chunk/YOUR_UPLOAD_ID/0  -F "chunk=@message.txt"

Step 3: Complete Upload (POST /api/upload/complete/:uploadId)

curl -X POST https://qopy.app/api/upload/complete/YOUR_UPLOAD_ID  -H "Content-Type: application/json"  -d '{}'

Retrieving Clips

Use GET /api/clip/:clipId to get JSON (including redirectTo for the file URL). File download requires POST (GET /api/file/:clipId returns 410).

# Get clip metadata
curl https://qopy.app/api/clip/X8K2M9/info

# Get clip (returns JSON with redirectTo for file content)
curl https://qopy.app/api/clip/X8K2M9

# Download file content (must use POST; optional body: {"accessCode": "<128-char-hex-hash>"} if protected — hash only, never plaintext)
curl -X POST https://qopy.app/api/file/X8K2M9  -H "Content-Type: application/json"  -d '{}'

Upload Parameters:

• filename - Name of the file being uploaded
• filesize - Size of the file in bytes
• totalChunks - Number of chunks (1 for small files)
• expiration - "5min", "15min", "30min", "1hr", "6hr", "24hr"
• oneTime - Boolean, deletes clip after first access
• hasPassword - Boolean, indicates if content is access code-protected
• quickShare - Boolean, enables Quick Share mode (6-digit ID, 5min expiry)

Response Format (from /api/upload/complete):

{
  "success": true,
  "clipId": "X8K2M9R4TL",
  "url": "https://qopy.app/clip/X8K2M9R4TL",
  "expiresAt": 1703123456789,
  "oneTime": false
}

Important Security Note:

Client-side encryption is only available through the web interface. When using the API directly (e.g., with curl), content is sent as plaintext to the server.

• Web interface - True client-side encryption (content encrypted in browser)
• Direct API calls - No client-side encryption (content sent as plaintext)

For maximum security, always use the web interface at qopy.app for client-side encryption.

Other API Notes:

• Rate limiting - API endpoints are subject to the same rate limiting as the web interface
• Validation - All inputs are validated and sanitized
• No authentication - No API keys required, but rate limits apply per IP
• Multipart uploads - Chunk uploads use multipart/form-data; initiate and complete use JSON

Perfect for: Automation scripts, integrations, mobile apps, and programmatic content sharing!

Test the API with the included script

From the Qopy repo you can run a full store-and-retrieve test against qopy.app or your own server:

./scripts/test-api-curl.sh https://qopy.app

The script uses curl for all HTTP calls: it uploads plaintext "Hello from Qopy API test", then retrieves it and verifies the content matches. Requires curl and node (for JSON parsing).

Qopy was born out of a simple, everyday frustration: there was no truly secure, free, and easy way to transfer text and files between different devices and platforms.

As a hobby developer, I constantly found myself needing to share things between my Android phone and a Mac, copy a snippet from Windows to an iPhone, or quickly send a link or password to a friend during a call. Every existing solution either required accounts, lacked encryption, was riddled with ads, or simply didn't work well across all platforms.

Common use cases that inspired Qopy:

• Transferring text, links, or code snippets between Android and iPhone
• Sharing files between Mac and Windows without cloud accounts
• Quickly sending a WiFi password or address to a friend during a call
• Sharing sensitive information like login credentials with family
• Moving content between your phone and computer at work
• Sending code snippets or config files to colleagues

I wanted a solution that is 100% secure with real encryption, built on a zero-knowledge architecture where even the server cannot read your content, with fully open-source code so anyone can verify the security claims. On top of that, it had to work on any device with a browser, require no accounts or installations, and be completely free to use. Since nothing like that existed, I built it myself.

Qopy is and always will be a passion project — built by a developer who needed it, for everyone who needs it too.

Technical comparison between Qopy and Pastebin:

Technical advantages:

• Simplified workflow - Share text without registration
• Enterprise-grade encryption - Client-side AES-256-GCM encryption
• Zero-knowledge architecture - Server cannot access plain text content
• Quick Share mode - 6-character codes with zero-knowledge encryption for instant sharing
• Enhanced security - 10-character codes with URL secrets for sensitive content
• Mobile-optimized - QR codes and responsive design
• Ad-free interface - No advertisements or tracking
• Performance-optimized - Instant sharing with auto-retrieval and keyboard shortcuts