YankzWorld
Developer tooling · 2025 · LEARN Québec · Secure Secret

Slack-native ephemeral secret sharing with Fernet encryption and full audit log

A one-command Slack integration for sharing credentials, tokens, and API keys — AES-128 Fernet encryption, user-selectable TTLs (15 min / 1 hr / 4 hr / 24 hr), SHA-256 token hashing so the access token is never stored in plaintext, one-time read destruction, an interactive modal for recipient selection, rate-limiting, database row-level locking to prevent race conditions, and a five-event audit log with sensitive-field redaction.

The problem

Credentials shared over Slack DMs or email persist indefinitely, are visible in channel history, and leave no audit trail. The team needed a way to hand off secrets that automatically expire and leave no trace after delivery.

Approach

  • FastAPI backend with Fernet symmetric encryption (AES-128 + HMAC); access tokens are SHA-256-hashed before storage — the plaintext token exists only in the one-time link delivered by DM
  • Interactive Slack modal triggered by `/sendsecret` — recipient user-select dropdown, secret input, optional note, and TTL selector (15 min, 1 hr, 4 hr, 24 hr); HMAC-SHA256 signature verification with timestamp replay prevention on every Slack request
  • Secret delivery via Slack DM to the selected recipient with a single-use HTTPS reveal link; the reveal page requires explicit confirmation before decryption and displays the plaintext exactly once
  • One-time destruction — `viewed_at` and `destroyed_at` set atomically under a database row lock on first reveal; encrypted content nullified immediately, preventing any subsequent reads
  • Background cleanup job runs every 10 minutes, marks expired secrets as destroyed, and writes an `expired_destroyed` audit event; expiry also enforced on access before the reveal flow begins
  • Five-event audit log (created, DM failed, viewed, decrypt failed, expired destroyed) with IP address, User-Agent, Slack sender/recipient IDs, and sanitised metadata — sensitive key names (`secret`, `token`, `password`) are automatically redacted
  • Per-IP rate limiting (60 req / 60 sec) applied globally; MySQL 8 for persistent storage with Alembic migrations; Docker Compose deployment behind HTTPS on the shared network
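
The hashed-token, burn-on-first-read flow from the list above, as an added sketch that is not the project's own code. It assumes stdlib SQLite in place of MySQL 8, uses a conditional UPDATE as the atomic claim where the project uses a row lock, and treats the Fernet ciphertext as an opaque blob; the table and function names are hypothetical.

```python
import hashlib
import secrets
import sqlite3
import time

def open_store():
    # In-memory SQLite stands in for MySQL 8 (assumption for this sketch).
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE secrets (
        token_hash TEXT PRIMARY KEY, ciphertext BLOB,
        expires_at REAL NOT NULL, viewed_at REAL, destroyed_at REAL)""")
    return db

def token_hash(token):
    return hashlib.sha256(token.encode()).hexdigest()

def create_secret(db, ciphertext, ttl_seconds, now=None):
    """Store the blob under the token's hash; the plaintext token is only returned."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    db.execute(
        "INSERT INTO secrets (token_hash, ciphertext, expires_at) VALUES (?, ?, ?)",
        (token_hash(token), ciphertext, now + ttl_seconds))
    db.commit()
    return token  # goes into the one-time link, never into the database

def reveal(db, token, now=None):
    """Return the ciphertext at most once; None if unknown, expired or burned."""
    now = time.time() if now is None else now
    h = token_hash(token)
    row = db.execute(
        "SELECT ciphertext, expires_at FROM secrets "
        "WHERE token_hash = ? AND destroyed_at IS NULL", (h,)).fetchone()
    if row is None:
        return None
    ciphertext, expires_at = row
    viewed = None if now >= expires_at else now  # expired rows burn unviewed
    # Atomic claim: only one caller can flip destroyed_at from NULL, so a
    # concurrent second reader gets rowcount 0 and nothing is returned to it.
    cur = db.execute(
        "UPDATE secrets SET viewed_at = ?, destroyed_at = ?, ciphertext = NULL "
        "WHERE token_hash = ? AND destroyed_at IS NULL", (viewed, now, h))
    db.commit()
    if cur.rowcount != 1 or viewed is None:
        return None
    return ciphertext
```

A database dump from this store yields only SHA-256 digests of tokens and, after the first reveal or expiry, no ciphertext at all.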

Outcome

  • Credentials never persist in Slack history — the one-time link burns on read or expiry, and the encrypted content is nullified immediately after
  • Adopted by the LEARN Québec team as standard practice for credential handoff — zero workflow change beyond typing a slash command
  • Full audit trail of every secret lifecycle event without storing sensitive values, giving security teams visibility without exposure
