One Pass

Securely share passwords and sensitive information with one-time links

How it works:
Your secret is encrypted in your browser before being stored. Only the person with the complete link can decrypt it. The link becomes invalid after first use or the chosen expiry time.
View a Secret
If you received a secret link, simply paste the complete URL in your browser's address bar. The secret will load automatically.
Manual Entry:
To manually retrieve a secret, you need both:
  • Secret ID: The number after ?s= in the URL
  • Encryption Key: The part after # in the URL

Example URL: https://.../?s=7#abc123...
  • Secret ID: 7
  • Key: abc123...

How to Use One Pass

Sharing a Secret (Sender)

  1. Go to the Create Secret tab.
  2. Optionally enter a description (e.g., "Production DB password").
  3. Paste your secret or password into the text area.
  4. Select a link expiry time (1 hour to 7 days). Default is 24 hours.
  5. Click Generate One-Time Link.
  6. Copy the generated link and send it to the recipient via any channel.

Note: The encryption key is embedded in the URL fragment (#). It is never sent to the server.

Viewing a Secret (Recipient)

  1. Click the link you received — the secret loads and decrypts automatically.
  2. The secret is displayed once and the link is immediately invalidated.
  3. Copy the secret and store it securely (e.g., in a password manager).

Important: If the link has already been opened or has expired, you will see an error message.

Chrome Extension

The One Pass It Chrome extension lets you create secrets directly from selected text on any web page.

Installation

  1. Download one-pass-it-extension.zip.
  2. Extract the ZIP to a local folder.
  3. Open Chrome and navigate to chrome://extensions.
  4. Enable Developer mode (toggle in the top-right corner).
  5. Click Load unpacked and select the extracted folder.
  6. The extension icon appears in your toolbar. Done!

Usage

  1. Select any sensitive text on a web page.
  2. Right-click and choose One Pass It from the context menu.
  3. One Pass opens with the text pre-filled in the secret field.
  4. Choose an expiry time and click Generate One-Time Link.

Security Notes

  • The selected text is passed via a URL fragment (#prefill=...) — it is never sent to any server.
  • The extension does not store or persist any data locally.
  • Encryption happens entirely in the browser using the Web Crypto API.
  • The extension requires only the contextMenus permission.

CLI (Node.js)

A Node.js CLI that creates one-time secret links using native crypto. Authenticate via the --cookie flag, a cached session, or an interactive browser prompt.

Download

Download one-pass-cli.js

Save to your project folder and run with Node.js 18+.

Prerequisites

Requires Node.js 18+. No external packages needed.

How It Works

  1. The CLI checks for a cookie via the --cookie flag, the ONEPASS_COOKIE env var, or the local cache (~/.onepass-cli/cookie).
  2. If no valid cookie is found, the CLI opens your browser and prompts you to paste the cookie from DevTools (F12 → Application → Cookies → CF_Authorization).
  3. The secret is encrypted locally using AES-256-GCM via the Web Crypto API (same as the browser).
  4. The encrypted payload is sent to the /api/create endpoint, and the one-time link is printed to stdout.
Cookie caching: Once obtained, the cookie is cached in ~/.onepass-cli/cookie (file permissions 0600) and reused until it expires.
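
The link scheme described on this page (Secret ID in ?s=, key after #, AES-256-GCM via the Web Crypto API), as an added example that is not One Pass's own code. The payload layout (IV followed by ciphertext), the base64url encoding and the host onepass.example are assumptions, since the page does not specify them; no server is contacted.

```javascript
// Added example, not One Pass code. Assumed: payload = IV || ciphertext,
// base64url encoding, host onepass.example. Page states only AES-256-GCM.
const getCrypto = async () =>
  globalThis.crypto ?? (await import('node:crypto')).webcrypto;
const b64u = (bytes) => Buffer.from(bytes).toString('base64url');
const unb64u = (text) => new Uint8Array(Buffer.from(text, 'base64url'));

// Sender: encrypt locally; return the blob a server would store and the link.
async function createLink(secret, baseUrl, secretId) {
  const wc = await getCrypto();
  const key = await wc.subtle.generateKey(
    { name: 'AES-GCM', length: 256 }, true, ['encrypt']);
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh 96-bit IV per secret
  const ct = await wc.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, new TextEncoder().encode(secret));
  const rawKey = new Uint8Array(await wc.subtle.exportKey('raw', key));
  const stored = b64u(Buffer.concat([iv, new Uint8Array(ct)]));
  return { stored, link: `${baseUrl}/?s=${secretId}#${b64u(rawKey)}` };
}

// The part of the link an HTTP request carries: path and query, no fragment.
function requestTarget(link) {
  const u = new URL(link);
  return u.pathname + u.search;
}

// Recipient: split the link into Secret ID and key, then decrypt.
// A missing fragment or a wrong key fails (GCM authenticates the ciphertext).
async function openLink(link, stored) {
  const wc = await getCrypto();
  const u = new URL(link);
  const secretId = u.searchParams.get('s');
  const keyText = u.hash.slice(1);
  if (!secretId || !keyText) throw new Error('incomplete link: need ?s= and #key');
  const key = await wc.subtle.importKey(
    'raw', unb64u(keyText), 'AES-GCM', false, ['decrypt']);
  const blob = unb64u(stored);
  const pt = await wc.subtle.decrypt(
    { name: 'AES-GCM', iv: blob.subarray(0, 12) }, key, blob.subarray(12));
  return { secretId, secret: new TextDecoder().decode(pt) };
}

// Constructed sample input: round-trip one secret and show what the server sees.
createLink('MyP@ssw0rd', 'https://onepass.example', 7).then(async (r) => {
  console.log(requestTarget(r.link), await openLink(r.link, r.stored));
});
```

Anyone who obtains the complete link before the recipient opens it holds the key, so the channel used to send the link still matters.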

Usage

Basic usage (email auto-detected from SSO):
  node cli/one-pass-cli.js --secret "MyP@ssw0rd"

With description and custom expiry:
  node cli/one-pass-cli.js --secret "pwd" --description "DB password" --expiry 48

Pipe from stdin:
  echo "SuperSecret" | node cli/one-pass-cli.js

Provide cookie directly:
  node cli/one-pass-cli.js --cookie "eyJ..." --secret "pwd"

Force SSO re-login:
  node cli/one-pass-cli.js --login

Custom base URL (local dev):
  node cli/one-pass-cli.js --secret "token" --url "http://localhost:8788" --email "user@roche.com"

Parameters

Flag           Short  Description                                  Default
--secret       -s     Secret text (or pipe via stdin)
--email        -m     Your Roche email (auto-detected from SSO)
--description  -d     Optional label for recipient
--expiry       -e     Link expiry (1–168 hours)                    24
--url          -u     One Pass base URL                            Production URL
--cookie       -c     CF_Authorization cookie value
--login        -l     Force SSO re-login (refresh cached cookie)
--help         -h     Show help text

Email is auto-detected from your SSO session. Use --email to override. Must end with @roche.com, @businesspartner.roche.com, @gene.com, or @external.gene.com.

Getting the Cookie

  1. Open onepass.roche.com in Chrome and log in via SSO.
  2. Press F12 → Application tab → Cookies → select the One Pass origin.
  3. Find CF_Authorization → double-click the Value → Ctrl+C to copy.
  4. Pass it with --cookie "value" or set the ONEPASS_COOKIE environment variable.