Stop sharing secrets
over Slack.

Your team shares production credentials, API keys, and certificates over Slack and email every day. Those messages are often retained indefinitely. CIPH4 replaces them with encrypted, self-destructing links that leave a compliance-ready audit trail.

Start Free Read the API Docs

// The Problem

Every secret you share is a liability.

Slack / Teams

Messages are often retained indefinitely depending on workspace settings, searchable by admins, accessible after account compromise.

Email

Persists in sent folders, recipient inboxes, backups, and e-discovery. Subpoena-able. Forwarded without your knowledge.

Encrypted ZIP

The password gets shared in the same email. Recipients re-share the file. No audit trail, no expiry, no revocation.

.env in Slack DMs

Your entire production environment config sitting in a DM that any compromised device can access. No rotation, no tracking.

CIPH4 replaces all of the above

// Use Cases

Built for how DevOps actually works.

Real workflows, real code. Every example uses the CIPH4 REST API with standard tools.

ONBOARDING

Credential Onboarding

New hire needs DB password, API keys, and VPN certs on day one. Send each via a self-destructing link. They open it once, set up their environment, and the link dies. Nothing persists.

onboarding.sh

# Python SDK
import ciph4
client = ciph4.Client("your-api-key")
link = client.share_text("postgres://prod:s3cret@db:5432/app", expires="1h", max_views=1)
print(link)

# PowerShell Module
Import-Module Ciph4
Set-Ciph4ApiKey "your-api-key"
Send-Ciph4Text "postgres://prod:s3cret@db:5432/app" -Expires 1h -MaxViews 1

ROTATION

Secret Rotation

Rotating production credentials? Share the new values via CIPH4, then revoke the old links. The audit trail shows exactly who received the new credentials and when.

rotation.sh

# Python SDK — rotate + revoke old
import ciph4
client = ciph4.Client("your-api-key")

# Share new credentials
link = client.share_text("new-rotated-api-key-value", expires="1h", max_views=1)
print(f"New creds: {link}")

# Revoke old link
client.revoke("old-drop-id")

# PowerShell Module
Import-Module Ciph4
Set-Ciph4ApiKey "your-api-key"
Send-Ciph4Text "new-rotated-api-key-value" -Expires 1h -MaxViews 1
Revoke-Ciph4Drop "old-drop-id"

CI/CD

CI/CD Artifact Sharing

Your pipeline produces a signed release binary. Share it with QA or a client via an encrypted, expiring link — not a public S3 bucket or an email attachment.

ci/cd.sh

# Python SDK — share build artifact in CI/CD
import ciph4
client = ciph4.Client(os.environ["CIPH4_API_KEY"])
link = client.share_file("build/release.tar.gz", expires="7d", max_views=5)
print(f"Artifact link: {link}")

# GitHub Actions step:
# - run: pip install ciph4 && python share_artifact.py
#   env:
#     CIPH4_API_KEY: ${{ secrets.CIPH4_API_KEY }}

INCIDENT

Incident Response

Production is down. You need to share database dumps, error logs, and config files with an external vendor — fast. CIPH4 file requests let them upload directly to you, encrypted with AES-256-GCM and wrapped with your org's key.

incident.sh

# Python SDK — create a secure upload link for a vendor
import ciph4
client = ciph4.Client("your-api-key")

# The vendor receives a link where they can upload files
# encrypted with AES-256-GCM and wrapped with your org's key — only you can decrypt
# File requests are managed via the CIPH4 dashboard or API

HANDOFF

Cross-Team Secret Handoff

Platform team provisions a new service account. Security team needs the credentials. Instead of Slack, share via CIPH4 — passphrase-protected, auto-expiring, with a full audit trail for compliance.

handoff.sh

# Python SDK
import ciph4
client = ciph4.Client("your-api-key")
link = client.share_text("svc-account-key: Ak9xQ2mN7pL", expires="24h", max_views=1)
print(link)

# PowerShell Module
Import-Module Ciph4
Set-Ciph4ApiKey "your-api-key"
Send-Ciph4Text "svc-account-key: Ak9xQ2mN7pL" -Expires 24h -MaxViews 1

VENDOR

Vendor & Contractor Access

Give a contractor temporary access to staging credentials. The link expires when their engagement ends. Access restrictions prevent printing and downloading, with watermarks to deter screen capture.

vendor.sh

# Python SDK — share with DRM protection (Enterprise)
import ciph4
client = ciph4.Client("your-api-key")
link = client.share_text(
    "staging-db-password: Xk9mQ2pL",
    expires="7d", max_views=3,
    drm_enabled=True, drm_watermark=True,
    drm_no_print=True, drm_no_download=True,
)
print(link)
# Access restrictions: watermark, no-print, no-download
# Link revocable at any time: client.revoke("drop-id")

// How It Works

Zero-knowledge. Zero trust.

Encrypt

AES-256-GCM encryption happens in the sender's browser. The key never leaves the client.

Send the link over any channel. The URL fragment contains the key — the server never sees it.

Access

Recipient opens the link. The browser decrypts in-memory. Optionally gated by passphrase + DRM.

Destroy

After viewing, the ciphertext is deleted. The link returns 'burned'. Audit log records every access.

// Policy Enforcement

Guardrails the security team owns.

Your SRE isn't your CISO. CIPH4 splits admin roles so a security engineer can lock down org policies without touching billing or SSO config.

MFA Enforcement

Flip a toggle and every member must enroll TOTP before their next sign-in. Configurable grace window. Audit-logged.

Recipient Domain Allowlist

Block members from sending drops to recipients outside approved domains. Enforced at send time — no off-network exfiltration.

Maximum Drop Expiry Cap

Hard cap on the longest expiry window a member can choose. Stops the "I'll share this for 30 days" accident.

IP Block / Allow Rules

Block known-bad IPs at both login and drop-view. Allow rules grant exemption from threat detection for trusted ranges.

File Request Retention

Choose how long uploaded files live: fixed period, delete-on-download, or keep-until-manual. 7-day hard ceiling.

Policy Health Summary

Live N-of-5 dashboard at the top of the Security & Policies tab. At-a-glance coverage view for auditors.

// Integrations

Fits your existing stack.

REST API + Bearer auth. Works with anything that can make an HTTP request.

GitHub Actions

Share artifacts, rotate secrets in CI

GitLab CI

Secure variable sharing across pipelines

Terraform

Ephemeral secrets in infrastructure-as-code

Ansible

Vault-less secret delivery for playbooks

Slack Bot

/ciph4 share — right from your channel

PagerDuty

Auto-share runbooks during incidents

Working GitHub Actions example — share every release artifact via a self-destructing link. Drop this in .github/workflows/share-release.yml:

.github/workflows/share-release.yml

name: Share Release Artifact
on:
  release:
    types: [published]

jobs:
  share:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Download release asset
        env:
          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: gh release download ${{ github.event.release.tag_name }} --pattern '*.tar.gz'

      - name: Install CIPH4 SDK
        run: pip install ciph4

      - name: Create secure share link
        env:
          CIPH4_API_KEY: ${{ secrets.CIPH4_API_KEY }}
        run: |
          python <<'EOF'
          import os, glob, ciph4
          client = ciph4.Client(api_key=os.environ["CIPH4_API_KEY"])
          artifact = glob.glob("*.tar.gz")[0]
          drop = client.share_file(
              artifact,
              expires_in="7d",
              max_views=10,
              max_downloads=10,
          )
          print(f"::notice title=Share link::{drop.url}")
          print(f"LINK={drop.url}" , file=open(os.environ["GITHUB_OUTPUT"], "a"))
          EOF

Set CIPH4_API_KEY as a repository secret. Create one under Settings → API Keys in your CIPH4 account.

// Compliance

Your auditor will love this.

Every secret share is logged with a tamper-evident hash chain. Generate compliance reports in one click.

SOC 2

Hash-chained audit trail for trust services criteria

HIPAA

Encrypted PHI transfer with access controls

GDPR

Right to erasure — links self-destruct by design

ISO 27001

Cryptographic controls + incident logging

NIST 800-53

Access enforcement + audit generation

FedRAMP

AES-256-GCM encryption + account management controls

verify-audit-chain.py

import ciph4
client = ciph4.Client("your-api-key")

result = client.verify_audit_chain()
# { "intact": true, "chainedRows": 1847, "verifiedRows": 1847 }

# PowerShell: Import-Module Ciph4; Test-Ciph4AuditChain
# Every access event is SHA-256 chained — tamper = broken chain.

ciph4-security-posture

# CIPH4 Security Posture

Encryption         ✓ AES-256-GCM (client-side, zero-knowledge)
Key Management     ✓ BYOK (org keypair): AWS KMS, Azure, GCP
Transport          ✓ TLS 1.3, HSTS preloaded
CSP                ✓ Nonce-based 'strict-dynamic', per-request
Access Control     ✓ DRM: watermark, no-print, no-download, revocable
Authentication     ✓ SSO (SAML/OIDC), SCIM 2.0, MFA (TOTP + backup codes),
                     API keys (bcrypt-hashed)
Policy Enforcement ✓ Org-level: MFA, passphrase required, domain allowlist,
                     max drop expiry cap, file-request retention, IP rules
RBAC               ✓ 4 roles with separation of duties — SECURITY_MANAGER
                     can manage policies without billing/SSO access
Audit Trail        ✓ Hash-chained SHA-256, tamper-evident, admin-configurable
                     retention, every admin action recorded with before/after
Threat Detection   ✓ IP scanning, geo-anomaly, link forwarding, brute-force,
                     rapid access, time anomaly + IP block/allow rules
                     enforced at both login and drop-view
Proof of Deletion  ✓ Ed25519-signed receipts (Enterprise), JWKS-published,
                     anchored to the audit chain hash
Server Knowledge   ✓ Zero — ciphertext only, keys never leave the client

Ready to secure your DevOps workflow?

Start free. No credit card. Your first encrypted link takes 10 seconds.

Start Free See Automation Examples

Teams plan: $29/seat/month — Enterprise: $49/seat/month

Stop sharing secretsover Slack.