# Secret sharing

> Share sensitive credentials, files, and notes securely with internal team members or external contacts.

## How it works

Secret sharing is designed so that C1 never has access to your secrets. Encryption happens in your browser, before anything leaves your device. Here's how a secret moves from creation to delivery:

1. **Create** — choose who can access the secret, add your content, and decide how long it should stay available and how many times it can be viewed.
2. **Encrypt** — your browser encrypts the content before upload. C1 stores only the encrypted result and never sees your plaintext.
3. **Share** — copy the generated link and send it to recipients through whatever channel you choose: email, Slack, a ticket, or anything else.
4. **Access** — recipients click the link and authenticate (SSO for internal users, a one-time email magic link for external contacts), then view or download the content.

## Create a secret

<Steps>
  <Step>
    In C1, navigate to **Secrets** in the left sidebar, then click **Share a secret**.
  </Step>

  <Step>
    **Choose your audience.**

    | Audience                | Description                                                                                       |
    | :---------------------- | :------------------------------------------------------------------------------------------------ |
    | **Team members**        | Share with C1 users in your organization. Recipients authenticate via SSO.                        |
    | **External recipients** | Share with anyone via email address. Recipients verify their identity with a one-time magic link. |
  </Step>

  <Step>
    **Add recipients.**

    * **Internal**: Search and select up to 128 users from your organization
    * **External**: Enter up to 64 email addresses (comma- or newline-separated)
  </Step>

  <Step>
    **Choose a content format.**

    | Format   | Description                                                                   |
    | :------- | :---------------------------------------------------------------------------- |
    | **File** | Any file up to 1 GB — documents, certificates, credential files, SSH keys.    |
    | **Text** | Passwords, API keys, tokens, or any sensitive plaintext (up to 64 KB).        |
    | **JSON** | Service account credentials or config objects, with syntax validation.        |
    | **YAML** | Kubernetes secrets, Helm values, or CI/CD configs.                            |
    | **Env**  | Environment variables in KEY=Value format — supports paste from `.env` files. |
  </Step>

  <Step>
    **Optional.** To help recipients understand the secret's purpose, add an explanatory label that will be visible to recipients.
  </Step>

  <Step>
    **Set access limits.**

    * **Expiration**: 1 hour to 30 days. Encrypted content is permanently deleted on expiry.
    * **View limit**: Unlimited, or 1–1,000 views. When the limit is reached, the content is permanently and irreversibly deleted.
  </Step>

  <Step>
    Click **Share secret**.

    Copy the generated **share code** and **share URL** and send them to recipients via email, Slack, Teams, or another preferred channel.

    <Tip>
      **C1 does not notify recipients.** The share URL is the only way to access the secret, and you must distribute it yourself.
    </Tip>
  </Step>
</Steps>

## View a secret

<Tabs>
  <Tab title="Internal recipients">
    <Steps>
      <Step>
        Click the share URL.
      </Step>

      <Step>
        Authenticate with your organization's SSO if you're not already signed in.
      </Step>

      <Step>
        Click **Reveal content** or **Download file**.
      </Step>
    </Steps>
  </Tab>

  <Tab title="External recipients">
    <Steps>
      <Step>
        Click the share URL.
      </Step>

      <Step>
        Enter your email address and click **Send magic link**.
      </Step>

      <Step>
        Click the magic link in your inbox. The link expires in 15 minutes and can only be used once.
      </Step>

      <Step>
        Click **Reveal content** or **Download file**.
      </Step>
    </Steps>

    <Warning>
      **Copy or download the secret immediately.** Depending on the view limit, you may not be able to access it again.
    </Warning>
  </Tab>
</Tabs>

## Manage secrets

You can view and manage secrets you've created from the **Secrets** page. Administrators can manage all secrets across the tenant on the **Shared secrets** page.

### As the secret creator

<Note>
  All users with the **Basic user** role can create secrets, view their own secrets, and revoke their own secrets.
</Note>

<Steps>
  <Step>
    Navigate to **Secrets** in the left sidebar.
  </Step>

  <Step>
    View all secrets you've created with their status, view count, and expiration.

    Use the filters to switch between **Active** secrets and **All** secrets (which includes expired, burned, and revoked secrets).
  </Step>

  <Step>
    Click any secret to see its details, share URL, and activity.
  </Step>
</Steps>

<Tip>
  **Need to block access to a secret?** Click **Revoke** to immediately and permanently delete the encrypted content of a secret and block further access.
</Tip>

### As an administrator

<Note>
  Requires the **Super admin** role. Super admins can view metadata (not content) for all secrets in the tenant and revoke any secret.
</Note>

<Steps>
  <Step>
    Navigate to **Settings** > **Shared secrets**.
  </Step>

  <Step>
    On the **Secrets** tab, you can view, search, and filter all secrets created across your tenant.
  </Step>

  <Step>
    Use the **Audit Log** tab to view all secret-related activity. Filter by actor email or IP address.

    Click **View** on any secret to view the JSON metadata for the secret.
  </Step>

  <Step>
    **Need to block access to a secret?** Click **Revoke** to immediately and permanently delete the encrypted content of a secret and block further access.
  </Step>
</Steps>

## Secret-sharing security

Content is encrypted in your browser before it's uploaded. C1 stores only encrypted blobs and never sees your plaintext. When a recipient accesses a secret, an isolated vault service decrypts and delivers the content to that specific recipient. Plaintext is never stored, logged, or persisted.

| Control                        | Detail                                                                                                          |
| :----------------------------- | :-------------------------------------------------------------------------------------------------------------- |
| **Browser-side encryption**    | Content is encrypted before upload; plaintext never touches C1 servers or logs.                                 |
| **Isolated decryption**        | A dedicated vault service handles decryption, with access controlled by AWS KMS with hardware security modules. |
| **View limits and expiration** | Content is permanently deleted after the view limit is reached or the expiration time passes.                   |
| **Magic link protection**      | Magic link tokens are single-use and expire after 15 minutes.                                                   |
| **Audit logging**              | All create, view, revoke, and access-denied events are logged.                                                  |

## Frequently asked questions about secret sharing

<AccordionGroup>
  <Accordion title="Can C1 employees see my secrets?">
    Absolutely not. C1 stores only encrypted blobs. Decryption occurs in an isolated vault service and plaintext is never stored or logged.
  </Accordion>

  <Accordion title="What happens when a secret expires or is burned?">
    Encrypted content is permanently deleted. Metadata (creator, creation date, recipients) is retained for audit purposes with a status of "Expired" or "Burned."
  </Accordion>

  <Accordion title="Can I extend a secret's expiration?">
    No. If you need a secret to be available for longer, create a new one with the desired expiration and share the new link with recipients.
  </Accordion>

  <Accordion title="What happens if I revoke a secret?">
    Encrypted content is permanently deleted and all future access attempts return a "Revoked" status.
  </Accordion>

  <Accordion title="Can I see who viewed my secret?">
    Creators can see the current view count. Administrators can access detailed audit logs with per-viewer, per-event timestamps and client IP addresses.
  </Accordion>

  <Accordion title="How many recipients can I add?">
    Internal recipients: up to 128 users. External recipients: up to 64 email addresses. These limits apply per secret.
  </Accordion>

  <Accordion title="Is there a file size limit?">
    Files: up to 1 GB. Text content (Text, JSON, YAML, Key-value): up to 64 KB.
  </Accordion>

  <Accordion title="How do external recipients verify their identity?">
    Via a single-use magic link sent to their email address. Magic links expire after 15 minutes.
  </Accordion>
</AccordionGroup>

## Secret sharing events in system logs

All secret-sharing activity is recorded in the C1 system log. Events use the `paper_secret_` prefix. For details on accessing, exporting, and querying log data, see [System logs](/product/admin/system-log).

### Event types

| Event              | Activity name                     | Description                            |
| :----------------- | :-------------------------------- | :------------------------------------- |
| Secret created     | `paper_secret_created`            | New secret created.                    |
| Opened (internal)  | `paper_secret_opened_internal`    | Internal user viewed content.          |
| Opened (external)  | `paper_secret_opened`             | External user viewed content.          |
| Revoked            | `paper_secret_revoked`            | Creator revoked a secret.              |
| Revoked (admin)    | `paper_secret_revoked_admin`      | Admin revoked a secret.                |
| Magic link created | `paper_secret_magic_link_created` | Magic link sent to external recipient. |
| Access denied      | `paper_secret_access_denied`      | Unauthorized access attempt.           |
| File downloaded    | `paper_secret_file_downloaded`    | File secret downloaded.                |

### Event payload

Each event includes:

* Secret ID and share code (format: `XXXX-XXXX-XXXX`)
* Sharing mode: internal or external
* Secret type: text or file
* Actor: user or email address
* Client IP and timestamp

### Filter examples

Use these filters in **Settings** > **System Log**.

**All secret sharing activity:**

```
activity_name starts with "paper_secret_"
```

**Views only:**

```
activity_name in ("paper_secret_opened", "paper_secret_opened_internal")
```

**Access denied:**

```
activity_name = "paper_secret_access_denied"
```

**Activity by a specific user:**

```
activity_name starts with "paper_secret_" AND actor.user.email = "user@example.com"
```

**External activity only:**

```
activity_name in ("paper_secret_opened", "paper_secret_magic_link_created")
```
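
A triage pass over exported events, as an added example that is not C1's own code: it finds bursts of `paper_secret_access_denied` per share code and client IP, then lists the probed secrets that have no revoke event yet. Only the activity names come from the event table above; the field names `share_code`, `client_ip` and `timestamp`, the thresholds, and all sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Activity names come from the event table above. The other field names
# (share_code, client_ip, timestamp) are assumptions about the export
# schema, and every event below is constructed sample data.
DENIED = "paper_secret_access_denied"
REVOKED = {"paper_secret_revoked", "paper_secret_revoked_admin"}

def ev(name, code, ip, ts):
    return {"activity_name": name, "share_code": code, "client_ip": ip,
            "timestamp": datetime.fromisoformat(ts)}

EVENTS = [
    ev("paper_secret_created", "AAAA-BBBB-CCCC", "198.51.100.7", "2025-01-10T09:00:00"),
    ev(DENIED, "AAAA-BBBB-CCCC", "203.0.113.50", "2025-01-10T09:30:00"),
    ev(DENIED, "AAAA-BBBB-CCCC", "203.0.113.50", "2025-01-10T09:32:00"),
    ev(DENIED, "AAAA-BBBB-CCCC", "203.0.113.50", "2025-01-10T09:34:00"),
    ev("paper_secret_opened", "AAAA-BBBB-CCCC", "198.51.100.20", "2025-01-10T10:00:00"),
    ev(DENIED, "DDDD-EEEE-FFFF", "203.0.113.50", "2025-01-10T11:00:00"),
    ev(DENIED, "DDDD-EEEE-FFFF", "203.0.113.50", "2025-01-10T11:01:00"),
    ev(DENIED, "DDDD-EEEE-FFFF", "203.0.113.50", "2025-01-10T11:02:00"),
    ev("paper_secret_revoked", "DDDD-EEEE-FFFF", "198.51.100.7", "2025-01-10T11:15:00"),
    ev(DENIED, "GGGG-HHHH-JJJJ", "192.0.2.9", "2025-01-10T12:00:00"),
    ev(DENIED, "GGGG-HHHH-JJJJ", "192.0.2.9", "2025-01-10T13:00:00"),
]

def denied_bursts(events, threshold=3, window=timedelta(minutes=10)):
    """Map (share_code, client_ip) to its largest in-window denied count."""
    times = defaultdict(list)
    for e in events:
        if e["activity_name"] == DENIED:
            times[(e["share_code"], e["client_ip"])].append(e["timestamp"])
    hits = {}
    for key, stamps in times.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits[key] = max(hits.get(key, 0), end - start + 1)
    return hits

def revoke_candidates(events, **kwargs):
    """Share codes with a denied burst and no revoke event (revocation is permanent)."""
    revoked = {e["share_code"] for e in events if e["activity_name"] in REVOKED}
    probed = {code for code, _ip in denied_bursts(events, **kwargs)}
    return sorted(probed - revoked)
```

On the sample data, `revoke_candidates(EVENTS)` returns only `AAAA-BBBB-CCCC`: the second secret was probed but already revoked, and the third never crosses the burst threshold.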
