One file. Two truths.
Deniable encryption in one API call.
Free. No card. Password optional. 500 API calls/month.
Your API key is still your API credential. We store a hash, never the key itself. A dashboard password only unlocks account controls.
What you get
Encrypt + decoy
One ciphertext, multiple plausible plaintexts. No one can prove which is real.
Vault storage
Store encrypted secrets in the cloud. Retrieve with your password. Deny with another.
Decoy alerts
Register decoy fingerprints and get paged when one is opened.
SDKs in 4 languages
TypeScript, Python, Go, Rust. One import, one function call, done.
What it looks like in practice
# Encrypt a secret
curl deny.sh/api/encrypt \
-H "x-api-key: dk_your_key" \
-d '{"plaintext":"real secret","password":"mypass"}'
{"ciphertext":"a3f8c1..."}
# Layer a decoy on top
curl deny.sh/api/add-decoy \
-d '{"ciphertext":"a3f8c1...","decoy":"nothing here","password":"fakepass"}'
{"ciphertext":"a3f8c1..."} # same blob, two truths
No tracking
No analytics
Independent audit on the roadmap
Apache 2.0
You're in
Here's your API key. You won't see it again.
⚠ Save this somewhere safe. Right now.
What would you like to do?
Developer quickstart ▾
Try it now
Your first encrypt
curl -X POST https://deny.sh/api/encrypt \
-H "Content-Type: application/json" \
-H "x-api-key: dk_your_key" \
-d '{"plaintext":"hello world","password":"test123"}'
Or install an SDK
npm install deny-sh
// encrypt.js
import { DenySh } from 'deny-sh';
const client = new DenySh('dk_your_key');
const { ciphertext } = await client.encrypt('my secret', 'password');
await client.addDecoy(ciphertext, 'decoy text', 'other-password');
pip install deny-sh
# encrypt.py
from deny_sh import DenySh
client = DenySh('dk_your_key')
result = client.encrypt('my secret', 'password')
client.add_decoy(result.ciphertext, 'decoy text', 'other-password')
go get github.com/deny-sh-crypto/deny-go/v2
// main.go
client := denysh.New("dk_your_key")
ct, _ := client.Encrypt("my secret", "password")
client.AddDecoy(ct, "decoy text", "other-password")
# Cargo.toml
[dependencies]
deny-sh = "0.1"
// main.rs
let client = DenySh::new("dk_your_key");
let ct = client.encrypt("my secret", "password")?;
client.add_decoy(&ct, "decoy text", "other-password")?;