Scratched my own itch. Needed to share passwords without them sitting in chat logs forever. Client-side AES-256-GCM, PBKDF2 key derivation. Server just holds encrypted blobs until expiry.

Questions welcome.

There's nothing self-destructing about your server dropping data, after a decision on (unencrypted) meta data (timeout, number of views).

Yeah fair.. self-destructing is overselling it. Server drops the blob after timeout/view count.

Server sees expiry, view count, salt, iv. Content is encrypted, metadata isn't. Can't avoid this with server-managed TTL - alternative is client-only expiry but then you're trusting the recipient's browser.

Main point is credentials don't live forever in chat history. Smaller window, not magic.