[h4·bin]

// about

The pastebin that can't read your pastes.

h4Bin is a zero-knowledge, zero-server pastebin. Your paste is compressed and encrypted inside your browser, and the encrypted result becomes the link itself. There is no database to breach, no account to compromise, and no operator to subpoena — because nothing is ever uploaded.

How it works

01 / seal

Encrypted in your tab

Your text is deflate-compressed and sealed with AES-256-GCM using the browser's native WebCrypto and a freshly generated 256-bit key. Optionally, a password is mixed into the key derivation (PBKDF2, 600,000 rounds).

02 / mint

The link is the paste

The ciphertext and key are encoded into the part of the URL after # — the fragment. Browsers never send fragments in HTTP requests, so the paste physically cannot reach any server, including ours.

03 / share

Decrypted only by holders

Anyone who opens the link decrypts it locally in their own browser. No link, no paste. No password (when set), no paste — even with the link in hand.

Why you can trust it

How it compares

Encryption Where pastes live Can the operator read them?
Pastebin.com none their database yes — and so can scrapers
GitHub Gist ("secret") none GitHub's database yes
PrivateBin AES-256-GCM, client-side a server (ciphertext) no — but you must trust an instance
NoPaste compression only the link no server — but anyone with the link reads it in plain
h4Bin AES-256-GCM + optional password the link (ciphertext) no — there is nothing to read, anywhere

Questions people ask

Can you recover a paste if I lose the link?

No. The link is the only copy of both the data and the key. This is not a policy — it is physics. Losing the link means the paste is gone.

Can you delete a paste for me?

There is nothing to delete — no copy exists outside the links people hold. To "delete" a paste, delete the link everywhere it was shared. For time-boxed sharing, set an expiry before minting (see how expiry works).

Is there a size limit?

The practical limit is how long a URL your sharing channel tolerates. The editor shows a live estimate: under ~2,500 characters fits everywhere, and the meter warns you as links get harder to share. Compression usually shrinks code by 3–4×.

What does a password add?

Without one, anyone holding the link can decrypt. With one, the password is mixed into the key derivation — a link interceptor faces 600,000 PBKDF2 iterations per guess, offline, with no server to help them.

Can I self-host it?

Yes — it is a static site. Fork the repository, deploy to any static host, done. Links are portable across instances because the format is versioned and documented.

— built and maintained by h4rithd · MIT licensed