
About MagicBin

A zero-knowledge encrypted pastebin. Built so that sharing sensitive text, keys, and code doesn't require trusting a stranger's server.

📋 What is MagicBin?

MagicBin is a pastebin with one core property: we are technically incapable of reading what you paste. Not because of a policy — because of math. Your content is encrypted in your browser before it ever touches our server, using AES-256-GCM, the same cipher used by governments and financial institutions worldwide.

The decryption key is embedded in the URL fragment — the part after the # symbol. Browsers never include the fragment in HTTP requests. Your key never travels to us. It lives only in the URL you share.

🔐 How Zero-Knowledge Works
1. You write in the editor
   Content stays entirely in your browser. Nothing has left your device yet.
2. A random 256-bit key is generated locally
   Created by the Web Crypto API — a cryptographically secure RNG built into every modern browser. We have no involvement in this step.
3. Content is encrypted in your browser
   AES-256-GCM encryption runs client-side. The plaintext never leaves your device.
4. Only the ciphertext is sent to our server
   We receive an encrypted blob. Without the key, it is computationally indistinguishable from random noise.
5. The key goes into the URL fragment only
   Embedded as #key~… — browsers never include fragments in HTTP requests. Even your own network logs won't capture it.
6. The recipient's browser decrypts locally
   Their browser extracts the key from the fragment and decrypts the content locally. No round-trip to the server for decryption.

What this means in practice: Even if someone subpoenas our servers, breaches our database, or intercepts our traffic — they get encrypted blobs they cannot read. We cannot hand over plaintext we have never possessed.
Features
🔥 Burn After Read: Self-destructs after a single view. Server-side deletion confirmed.
Expiry Controls: 30 minutes, 1 hour, 24 hours, 5 days, or 7 days.
👁 View Limits: Cap reads before automatic deletion.
🔑 Split Sharing: Share URL and key through separate channels for opsec.
🎨 Syntax Highlighting: Auto-detects 25+ languages. Night Owl & Light Owl themes.
📱 Mobile Friendly: Fully responsive on any screen size.

🇨🇦 Hosted in Canada

MagicBin is hosted on Canadian soil. Your encrypted data physically resides under Canadian jurisdiction, governed by Canadian federal law. However, all traffic passes through a US-based DNS and proxy provider before reaching our servers — meaning that provider observes IP addresses and request metadata at the network layer, subject to US law. Your paste contents remain encrypted end-to-end and unreadable to any third party, including the proxy.

PIPEDA — Canada's Federal Privacy Law
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's federal private-sector privacy law, in force since 2001. It sets out 10 Fair Information Principles governing how organisations collect, use, and disclose personal information in commercial activity.
📌 Purpose limitation: Data may only be used for the purpose it was collected. We store encrypted paste data to serve it back on request — nothing else.
🗑️ Retention limits: PIPEDA requires information not be retained longer than necessary. Every paste carries an expiry, after which it is permanently deleted.
🔒 Security safeguards: We hold only ciphertext. Because content is encrypted before reaching us, there is no plaintext to protect, leak, or have seized.
🚫 Law enforcement requests: We have no mechanism to retrieve or decrypt content. Any law enforcement request would go to our Canadian hosting provider for network-level access logs.
🌐 No cross-border data transfers: Encrypted paste data stays in Canada. We use no third-party analytics that transfer personal data internationally.

Canadian federal law (PIPEDA) governs data practices for MagicBin and supersedes provincial legislation. Questions can be directed to the Office of the Privacy Commissioner of Canada.

🧹 Data & Privacy

Our data footprint is minimal by architecture, not just by policy.

✓ What we store

| Data | Why |
| --- | --- |
| Encrypted ciphertext | The paste content — unreadable without your key |
| Initialisation vector (IV) | Required for AES-GCM decryption, not secret |
| Language hint | So the viewer knows which syntax highlighter to use |
| Expiry & view count | Enforces your chosen paste lifetime and view limits |
| Burn flag | Marks a paste for deletion after first read |

✗ What we never store

| Data | Why not |
| --- | --- |
| Decryption key | Lives only in your URL fragment — never sent to us |
| Plaintext content | Encrypted before leaving your browser |
| IP address | Not logged by this application — collected at the network layer by infrastructure providers |
| Browser fingerprint | Not collected |
| Account or identity | No accounts, no sign-up required |
| Cookies or analytics | Zero third-party scripts or trackers |

⚖️ Disclaimer

MagicBin is provided "as-is" without warranty of any kind, express or implied. While we have made every reasonable effort to implement strong encryption, secure infrastructure, and privacy-respecting architecture, no software system can guarantee absolute security or zero downtime.

We are not liable for any loss of data, inability to access a paste, or any damages arising from the use or inability to use this service. Pastes are ephemeral by design — always keep a copy of sensitive content in a secure location of your own if permanent retention is needed.

This service is intended for lawful purposes only. Do not use MagicBin to share content that is illegal, harmful, or violates the rights of others.