pickuma

Originally published at pickuma.com

textdrop.sh Review: Encrypted, No-Account Code and Markdown Sharing for Developers

Sharing a snippet of code or a block of config with someone who is not in your repository should not require creating an account, installing an extension, or explaining to a colleague why there is an ad for a VPN sitting next to the credentials you just pasted. textdrop.sh is a web-based tool that strips the workflow down: you paste text, you get a link, and by default the server cannot read what you shared. That is the pitch. Whether it actually holds up depends on a few specifics worth examining.

What textdrop.sh actually does

The core mechanic is client-side encryption. When you create a paste, textdrop.sh runs AES-256-GCM encryption in your browser before anything is transmitted. The decryption key lives in the URL fragment — the portion after the # character. Browsers do not include the fragment in HTTP requests, which means the server receives and stores only ciphertext. The key never touches the server.

This is not a novel architecture — PrivateBin has used the same model for years, and it is open-source and self-hostable — but textdrop.sh packages it in a cleaner hosted interface and runs it on Vercel/Next.js infrastructure.

The practical consequence is that textdrop.sh cannot hand your paste content to a third party in a breach, a subpoena, or a support ticket. The architectural guarantee is real. The caveats are real too: the full URL, including the fragment, is the secret. If you share it over Slack and Slack indexes that message, the protection is only as strong as your Slack configuration. If you paste the URL into a browser that syncs history to a cloud account, the key is in that cloud account. The system protects against the server, not against every other surface.

Paste sizes go up to 5 MB. Expiry options are 1 hour, 1 day, 7 days, 14 days, and 30 days. There is no "keep forever" option. After expiry the paste is permanently deleted, with no recovery path, so this is the wrong tool for anything you want to reference more than a month from now.

Burn-after-read is available as a separate toggle. Enable it and the paste deletes itself after the first open — useful for one-shot credential handoffs, though you should factor in the risk that the recipient opens it on a flaky connection and it disappears before they can copy the content.

Syntax highlighting, Markdown, and the limits of the editor

textdrop.sh supports GitHub-flavored Markdown, including headers, tables, and fenced code blocks. It also does per-paste syntax highlighting for over 20 languages, with TypeScript, Python, Rust, Go, SQL, and Bash listed explicitly in the documentation. If you choose a specific language, the paste renders with highlighting; if you stay in plain text mode, the raw content is shown as-is.

The editor itself is minimal. There is no split-preview mode while you type, no auto-close for brackets, no keybindings for common Markdown shortcuts. If you are pasting something you wrote elsewhere — copying from VS Code, from a terminal, from a README — this is fine. If you need to compose anything longer than a few lines inside textdrop.sh itself, the experience will feel sparse.

Optional password protection adds PBKDF2 key-wrapping on top of the base encryption. When you set a password, the URL alone is not enough to decrypt — the recipient also needs the password. This is useful if you are sharing via a channel you do not fully control, or if you want the recipient to confirm they are who they say they are by knowing the agreed password.

The full URL — including the fragment after # — is the decryption key. Wherever that URL travels, the content is accessible. Browser history, Slack message history, email threads, shared clipboard managers, and screenshot tools with cloud sync are all potential exposure surfaces. The server-side zero-knowledge guarantee does not cover these paths.

The API and the missing CLI

textdrop.sh exposes two documented API endpoints: POST /api/paste creates a paste and GET /api/paste/:id retrieves metadata. This is enough to script paste creation from a shell function or a CI step if you are willing to write the wrapper yourself. There is no official CLI. No npm install -g textdrop command, no Homebrew formula, no bash one-liner in the documentation.

If CLI access is important to you — and for many developers it is, especially when you want to pipe command output directly to a shareable link — this is the gap you will have to fill manually. For comparison, tools like paste.sh (a separate project, not affiliated) ship with a documented curl-based workflow that lets you pipe output directly. Some community-maintained CLI tools exist for PrivateBin instances. textdrop.sh has neither.

The REST API exists and is functional, but the encryption step complicates scripted use: you would need to replicate the AES-256-GCM client-side encryption in your script to match what the browser does. If you skip that, you could POST plaintext to the endpoint, but you would lose the zero-knowledge guarantee. The docs do not walk you through this tradeoff clearly, which means you either accept the limitation or dig into the source code — and the source does not appear to be published under an open-source license, so the digging has limits.
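
To make the scripted-use tradeoff concrete, here is an added Node.js example (not textdrop.sh's code) of the fragment-key model and the optional PBKDF2 key-wrapping described above: the script encrypts locally, and only the ciphertext body would be uploaded. The JSON field names, the fragment layout, the iteration count and the paste.example URL are assumptions made for illustration; the service's real wire format is not documented on this page.

```javascript
// Added example; the JSON field names and fragment layout are hypothetical,
// not textdrop.sh's real wire format.
const { createCipheriv, createDecipheriv, pbkdf2Sync, randomBytes } = require('node:crypto');

const PBKDF2_ITERATIONS = 600000; // assumed; the page does not give the service's value

// AES-256-GCM with a fresh 96-bit nonce; the 16-byte tag is appended to the ciphertext.
function seal(key, plaintext) {
  const iv = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final(), cipher.getAuthTag()]);
  return { iv: iv.toString('base64url'), ct: ct.toString('base64url') };
}

// Inverse of seal(); throws if the key is wrong or the ciphertext was modified.
function unseal(key, box) {
  const raw = Buffer.from(box.ct, 'base64url');
  const decipher = createDecipheriv('aes-256-gcm', key, Buffer.from(box.iv, 'base64url'));
  decipher.setAuthTag(raw.subarray(raw.length - 16));
  return Buffer.concat([decipher.update(raw.subarray(0, raw.length - 16)), decipher.final()]);
}

function deriveKek(password, saltB64) {
  return pbkdf2Sync(password, Buffer.from(saltB64, 'base64url'), PBKDF2_ITERATIONS, 32, 'sha256');
}

// Returns the body a script would upload and the fragment that never leaves the client.
function createPaste(text, password) {
  const contentKey = randomBytes(32);
  const body = { v: 1, paste: seal(contentKey, Buffer.from(text, 'utf8')) };
  if (!password) return { body, fragment: contentKey.toString('base64url') };
  // Password mode: the fragment holds only the content key wrapped under a
  // PBKDF2-derived key, so the URL alone no longer decrypts.
  body.salt = randomBytes(16).toString('base64url');
  const wrapped = seal(deriveKek(password, body.salt), contentKey);
  return { body, fragment: `${wrapped.iv}.${wrapped.ct}` };
}

function readPaste(body, fragment, password) {
  if (!body.salt) return unseal(Buffer.from(fragment, 'base64url'), body.paste).toString('utf8');
  const [iv, ct] = fragment.split('.');
  const contentKey = unseal(deriveKek(password, body.salt), { iv, ct });
  return unseal(contentKey, body.paste).toString('utf8');
}

// Constructed sample input.
const demo = createPaste('DB_HOST=db.internal.example', null);
console.log('upload:', JSON.stringify(demo.body));
console.log('share :', `https://paste.example/p/<id>#${demo.fragment}`);
```

Because GCM is authenticated, a wrong password or a modified ciphertext fails with an exception instead of returning garbage, which is the behaviour a wrapper script should surface to the user.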

How it compares to the obvious alternatives

The frictionless code-sharing category has a handful of tools that see regular developer use.

GitHub Gist is the default for anything that benefits from version history, forking, or embedding. It requires a GitHub account and has no expiry or burn-after-read. The content is stored server-side with no client-side encryption, and GitHub can and does read it. For sharing across team boundaries where the receiver already has GitHub, it remains the most capable option.

PrivateBin uses the same zero-knowledge architecture as textdrop.sh, is fully open-source, and can be self-hosted. A number of public instances exist. The interface is older and less polished, but the feature parity is close and the self-hosted path gives you control over retention and instance configuration that a hosted service cannot offer.

Pastes.io is a modern hosted alternative with a documented API, burn-after-read, and syntax highlighting, operating at a $1/month paid tier for increased paste size. It does not use client-side encryption by default, so the server can read your content.

Hastebin is the purist option: nearly no features, just text in and a link out, with a documented keyboard shortcut and fast load times. No encryption, no expiry configuration, no Markdown rendering.

textdrop.sh sits between Hastebin and PrivateBin in terms of polish. It is more usable than a raw PrivateBin instance and ships with a cleaner editing surface than most alternatives. The gap is the CLI story and the source availability. If you are comfortable with a hosted black-box and want zero-knowledge encryption without deploying anything yourself, it is a reasonable choice. If you want to audit the encryption code or need a first-class terminal workflow, look at self-hosted PrivateBin.

What to evaluate when you choose any tool in this category

The pastebin-style category has a wide quality range. Before committing to any tool for team use, check five things:

  1. Where does encryption happen? Client-side (browser) encryption with a fragment-anchored key is the strongest hosted option. Server-side encryption is not the same thing — the server holds the key and can decrypt.
  2. What are the expiry options? "No expiry" sounds convenient until you share a log that contains a customer ID and forget it exists. Mandatory short expiry is a reasonable policy for anything sensitive.
  3. Is there a CLI or documented API? If you cannot pipe kubectl describe pod my-pod | <tool> and get a shareable link in three seconds, the tool will not survive contact with your actual workflow.
  4. What is the content limit? 5 MB covers most snippets and logs. It does not cover full database dumps or large JSON exports. Know the ceiling before you hit it.
  5. Who runs the service and what is the sustainability model? Free hosted tools with no revenue model have historically disappeared without notice. PrivateBin instances you run yourself do not.

textdrop.sh is a well-built tool for a narrow use case: sharing text or code quickly, with a meaningful privacy guarantee, when you are working from a browser. It does not pretend to be more than that. The absence of a CLI and of open-source code are real limitations, but they are knowable ones — and for occasional use where the browser workflow is fine, they may not matter.

