Security

open-secret's whole reason to exist is its security posture, so it's worth understanding in detail. These pages describe the threat model (what the server can and cannot see), the cryptography (verified against the code, not the marketing), and how authentication and sessions work.

Threat model

The trust boundary, what a server compromise does and doesn't yield, and the limits.

Cryptography

Hybrid post-quantum primitives, per-device envelopes, key-committing AEAD, and the unlock vault.

Authentication & sessions

Passkey-style challenge/response, session tokens, and device revocation.

Reporting a vulnerability

Security reports go through the repository's SECURITY.md, not a public issue. If you've found something, follow the disclosure process there.