Verifying Authentic Onetime Secret Services
Following our domain architecture update, this guide provides concrete methods to verify authentic Onetime Secret services and identify impostor sites.
Website Address Verification
The most reliable way to verify authentic Onetime Secret services:
- Regional Subdomains: All legitimate Onetime Secret services use regional prefixes in their web addresses (e.g., eu.onetimesecret.com, us.onetimesecret.com, nz.onetimesecret.com). On genuine sites, all regional variations will function properly.
- Simple Verification Test: If you're on us.onetimesecret.com, try changing to eu.onetimesecret.com in your browser's address bar. It should load our service with European regional settings.
- Main Website Address: The core website address is always onetimesecret.com - no variations, hyphens, or character substitutions.
Avoid lookalikes such as one-timesecret.com, 1timesecret.org, onetimesecret-secure.com, and any domains with subtle character substitutions like onetímesecret.com (using the accented letter "í" instead of the regular "i").
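The address rules above can be checked in a script. This is an added example, not code from Onetime Secret: it classifies a URL as the official domain, a regional subdomain, or a lookalike of the kinds listed above. The `REGIONS` set holds only the three prefixes this page names (an assumption, since the page gives them as examples), and the verdict names and the 0.8 similarity threshold are choices made for the illustration.

```python
import difflib
from urllib.parse import urlsplit

OFFICIAL = "onetimesecret.com"
BRAND = "onetimesecret"
# Assumption: only the regional prefixes this page names; it lists them as examples.
REGIONS = {"eu", "us", "nz"}
SIMILARITY = 0.8  # illustrative threshold, not a published value


def hostname(url: str) -> str:
    """Return the lowercased host of a URL or bare hostname."""
    if "://" not in url:
        url = "//" + url  # let urlsplit treat a bare host as a netloc
    return (urlsplit(url).hostname or "").rstrip(".")


def classify(url: str) -> str:
    host = hostname(url)
    if host == OFFICIAL:
        return "official"
    if host.endswith("." + OFFICIAL):
        prefix = host[: -len(OFFICIAL) - 1]
        return "official-regional" if prefix in REGIONS else "official-subdomain"
    # The official addresses are plain ASCII, so a host with accented or other
    # non-ASCII letters, raw or punycode-encoded (xn--), cannot be genuine.
    if not host.isascii() or "xn--" in host:
        return "not-official-idn"
    for label in host.split("."):
        folded = label.replace("-", "")  # one-timesecret -> onetimesecret
        close = difflib.SequenceMatcher(None, folded, BRAND).ratio() >= SIMILARITY
        if BRAND in folded or close:
            return "lookalike"
    return "unrelated"


if __name__ == "__main__":
    # Lookalikes quoted on this page, plus genuine addresses for contrast.
    for sample in ("https://eu.onetimesecret.com/", "onetimesecret.com",
                   "one-timesecret.com", "1timesecret.org",
                   "onetimesecret-secure.com", "onetímesecret.com"):
        print(f"{sample:32} {classify(sample)}")
```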
Technical Verification
For technical users, verify these elements:
- Domain Registration: Official domains registered since 2011 (verify via WHOIS)
- HTTPS Enforcement: All legitimate services enforce HTTPS with HSTS (see HSTS Preload List)
- DNS Records: Verify A record via DNSChecker.
  - ✅ Should be all green check marks indicating valid records.
  - ❌ Red X marks or missing records suggest a fraudulent site.
Official Web Presence
To establish trust in the domain you're on, check the following popular sites to compare the spelling of "onetimesecret.com".
- GitHub Repository: github.com/onetimesecret/onetimesecret
- BlueSky: @onetimesecret.com
- Docker Hub: hub.docker.com/r/onetimesecret/onetimesecret
- Internet Archive: View our 10+ year history
- Hacker News Discussion (2011): Original announcement and discussion
Visual Clues (Secondary Verification)
While visual elements can be easily mimicked, these secondary checks may help supplement domain verification:
- Functional Navigation: All links to documentation, blog, and status pages should be operational and lead to legitimate domains within the onetimesecret.com ecosystem.
- Attention to Detail: Check for inconsistencies in UI elements, typographical errors, or broken functionality that might indicate a hastily created impostor.
Note: Visual verification alone is insufficient. Always verify the domain pattern first.
Reporting Impostors
Found a suspicious site? Report it:
- Email: security@onetimesecret.com
- Subject: "Impostor Site Report: domain"
- Include: URL, screenshots, how you discovered it
Our team works with hosting providers and security organizations to swiftly remove fraudulent services.