⚡ Sentria — One-time Secret Sharing on AWS

Inspiration

We’ve all pasted a password or API key into Slack or email and felt that “yikes” moment—because from that second on, the secret lives in backups, logs, screenshots, and hacker keyword searches forever. Sentria eliminates that risk by turning sensitive text or files into self-destructing links.


What It Does

  • 🔐 One-time links – Each secret or file can be opened only a limited number of times
  • Auto-expiry – Pick a lifetime (minutes → days); links erase themselves when the timer hits zero
  • 🔑 Optional passphrase – Add a password without creating accounts or sessions
  • 📊 Live stats – Dashboard shows Total · Active · Accessed · Deleted secrets in real time

No login, no leftovers—just temporary, encrypted sharing that evaporates on cue.


How I Built It

| Step | AWS Service / Tool | What It Does |
|---|---|---|
| API Front Door | Amazon API Gateway (HTTP) | Handles CORS, routes POST /secrets & GET /secrets/{id} |
| Business Logic | AWS Lambda | Functions: createSecret, getSecret, metricsListener |
| Data Store | Amazon DynamoDB | Secrets table (TTL auto-deletes) · SecretMetrics counter table |
| File Storage | Amazon S3 | Presigned PUT / GET URLs, 30-day lifecycle cleanup |
| Real-Time Metrics | DynamoDB Streams → Lambda | Fires on REMOVE events to update counters when TTL deletes an item |
| Observability | Amazon CloudWatch Logs & Metrics | Automatic logging & basic dashboards, zero extra config |
| Static Hosting | Netlify | Serves the React front-end and deep links via a single _redirects rule |

I built the entire stack solo in under a week: React for the UX, AWS serverless for everything backend, and Netlify for instant deploy previews.


Challenges & Lessons

| Challenge | Solution |
|---|---|
| Secure file sharing with no user accounts | Presigned S3 URLs + optional passphrase |
| Counters even after records disappear | Atomic counters in SecretMetrics + stream listener |
| Double CORS (API & S3) | Wildcard in dev, locked origin in prod |

🛠️ Built With

| Category | Tech Stack |
|---|---|
| Front-end | React · Vite · Tailwind CSS · Lucide Icons |
| Hosting / CDN | Netlify |
| API & Compute | AWS Lambda · Amazon API Gateway |
| Database | Amazon DynamoDB (TTL & Streams) |
| Storage | Amazon S3 (presigned URLs + lifecycle) |
| Observability | Amazon CloudWatch |
| Security | bcryptjs for passphrase hashing |

Paste. Share. Forget.

Sentria lets secrets vanish on your schedule—powered entirely by AWS serverless.

Serverless Architecture

 ┌────────────── Client ──────────────┐
 │  React + Tailwind (static Netlify) │
 └───────────────┬────────────────────┘
                 │ 1. POST /secrets
                 ▼
 ┌────── Amazon API Gateway ──────┐
 │  CORS + Routing (HTTP API)     │
 └────────┬───────────┬───────────┘
          │           │
          │2a. create │2b. get
          ▼           ▼
  ┌─────── Lambda ────────┐   ┌────── Lambda ───────┐
  │  createSecret()       │   │   getSecret()       │
  └───────┬───────┬───────┘   └────────┬────────────┘
          │3a. put│3b. log            4a. read
          ▼       ▼                    ▼
   ┌─ DynamoDB ──┐ 5. PUT presign ┌─ DynamoDB ─┐
   │ Secrets tbl │───────────────▶│ Secrets tbl │
   │  (TTL)      │                │            │
   └─────────────┘                └────┬───────┘
                                       │4b. presign GET
                 ┌─────────────────────▼─────────────────┐
                 │        Amazon S3 (files bucket)       │
                 └───────────────────────────────────────┘
                                       ▲
                                       │6. REMOVE (TTL)
                                   ┌───┴──────────┐
                                   │ DynamoDB     │
                                   │   Stream     │
                                   └───┬──────────┘
                                       │7. event
                                   ┌───▼───────────────┐
                                   │ Lambda            │
                                   │ metricsListener() │
                                   └───┬───────────────┘
                                       │8. update
                                   ┌───▼──────────┐
                                   │ DynamoDB     │
                                   │ SecretMetrics│
                                   └──────────────┘

All Lambda functions stream logs and metrics to **Amazon CloudWatch** automatically.

Data Flow

  1. Client (Netlify-hosted React app) sends POST /secrets → API Gateway.
  2. API Gateway invokes createSecret Lambda which
    • stores the secret record in DynamoDB (TTL enabled)
    • presigns an S3 PUT URL for optional file upload
    • increments counters in SecretMetrics
  3. Browser uploads the file directly to S3 using the presigned URL.
  4. Link receiver hits GET /secrets/{id} → API Gateway → getSecret Lambda which
    • validates password, decrements remaining-views counter in DynamoDB
    • presigns an S3 GET URL for download
  5. When remainingViews reaches 0, or TTL expires, the record is deleted.
  6. The DynamoDB Stream emits a REMOVE event; trigger Lambda updates global counters (Deleted ↓, Active ↓) and removes the S3 file.
  7. All Lambdas emit logs to CloudWatch Logs; metrics can be graphed in CloudWatch Metrics.
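
The view-consuming write from step 4, as an added example (not Sentria's own code): the decrement and the "views left, not expired" check go into one conditional update, so two simultaneous requests cannot both read a single-view secret, and a record that TTL has not yet removed is still refused. The `id` key, the `expiresAt` and `ciphertext` attributes, and the in-memory table standing in for DynamoDB are assumptions; the passphrase check is omitted.

```javascript
// Added example: every name except remainingViews and the Secrets table is an assumption.
// UpdateItem input (document-client style values) that consumes exactly one view.
function buildConsumeViewInput(id, nowEpochSec) {
  return {
    TableName: "Secrets",
    Key: { id },
    // Decrement inside the write itself, never read-then-write.
    UpdateExpression: "SET remainingViews = remainingViews - :one",
    // TTL deletion is asynchronous, so expiry is enforced here as well.
    ConditionExpression: "remainingViews > :zero AND expiresAt > :now",
    ExpressionAttributeValues: { ":one": 1, ":zero": 0, ":now": nowEpochSec },
    ReturnValues: "ALL_NEW",
  };
}

// Constructed in-memory stand-in for the table. It applies the same condition
// DynamoDB evaluates server-side, so the example runs offline.
class FakeSecretsTable {
  constructor(items) { this.items = new Map(items.map((i) => [i.id, { ...i }])); }
  update(input) {
    const item = this.items.get(input.Key.id);
    const v = input.ExpressionAttributeValues;
    if (!item || !(item.remainingViews > v[":zero"] && item.expiresAt > v[":now"])) {
      const err = new Error("The conditional request failed");
      err.name = "ConditionalCheckFailedException";
      throw err;
    }
    item.remainingViews -= v[":one"];
    return { Attributes: { ...item } };
  }
}

// Only the caller whose write satisfied the condition receives the secret.
function getSecretOnce(table, id, nowEpochSec) {
  try {
    const { Attributes } = table.update(buildConsumeViewInput(id, nowEpochSec));
    return { status: 200, secret: Attributes.ciphertext, remainingViews: Attributes.remainingViews };
  } catch (err) {
    // Missing, expired and used-up links all look the same to the caller.
    if (err.name === "ConditionalCheckFailedException") return { status: 404 };
    throw err;
  }
}

// Constructed sample: one single-view secret requested twice.
const demoTable = new FakeSecretsTable([
  { id: "abc", ciphertext: "<encrypted blob>", remainingViews: 1, expiresAt: 2000 },
]);
console.log(getSecretOnce(demoTable, "abc", 1500).status, getSecretOnce(demoTable, "abc", 1500).status);
```
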
