A practical threat model for temporary secret handoffs.
This public threat model explains what Shhhs is designed to protect, what remains out of scope, and where metadata, support, billing, API, CLI, MCP, and Private Rooms boundaries apply.
01
Assets protected
Shhhs protects supported secret content, file payloads, request submissions, private-room messages, account tokens, API keys, passkeys, recovery codes, billing references, and operational metadata according to separate boundaries.
Secret payloads
Account access material
Operational metadata
02
Primary threats
The model focuses on link previews, accidental chat/email retention, recipient overexposure, API misuse, webhook leakage, admin/support metadata leakage, billing abuse, token theft, and automation logs.
Preview safety
Metadata-only operations
Scoped automation
03
Security controls
Controls include client-side encryption for supported payloads, URL-fragment key placement where applicable, TTL and view limits, burn/delete states, passkeys for paid accounts, scoped API keys, noindex private routes, Cloudflare security controls, and metadata-only audit events.
Client-side encryption for supported payloads
Private routes noindex
Scoped API keys
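The following is an added example, not Shhhs code: it shows why URL-fragment key placement matters for preview safety by comparing what a server or link-preview fetcher receives with what the recipient's page can read. The host, the `/s/<id>` path, the `k=` parameter name and the sample key are all assumptions made for illustration.

```javascript
// Added illustration; the link layout and all names here are hypothetical,
// not Shhhs's real format.

// Constructed sample key (base64url-style string), not a real secret.
const SAMPLE_KEY = "Zm9vYmFyYmF6cXV4Zm9vYmFyYmF6cXV4Zm9vYmFyYmE";

// Build a share link that carries the decryption key after '#'.
function buildLink(base, id, key) {
  const u = new URL(`/s/${encodeURIComponent(id)}`, base);
  u.hash = `k=${key}`;
  return u.toString();
}

// The request target an HTTP client sends. The fragment is never part of
// it, so servers, proxies and preview fetchers do not receive the key.
function requestTarget(link) {
  const u = new URL(link);
  return u.pathname + u.search;
}

// What script on the recipient's page can read (location.hash in a browser).
function keyFromFragment(link) {
  const hash = new URL(link).hash.slice(1);
  return new URLSearchParams(hash).get("k");
}

// Lint for link builders: flag key-like tokens placed where they would be
// sent to the server and end up in access logs or Referer headers.
function auditLink(link) {
  const u = new URL(link);
  const keyLike = /[A-Za-z0-9_-]{32,}/;
  const findings = [];
  if (keyLike.test(u.pathname)) findings.push("key-like token in path");
  if (keyLike.test(u.search)) findings.push("key-like token in query");
  return { serverVisible: u.origin + u.pathname + u.search, findings };
}

const good = buildLink("https://handoff.example", "abc123", SAMPLE_KEY);
const bad = "https://handoff.example/s/abc123?k=" + SAMPLE_KEY;
console.log(requestTarget(good), auditLink(good).findings);
console.log(requestTarget(bad), auditLink(bad).findings);
```

Fragment placement keeps the key out of request lines and Referer headers, but any script running in the page can still read it, which is consistent with the compromised-endpoint and malicious-extension non-goals listed under 04.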
04
Explicit non-goals
Shhhs does not protect against compromised endpoints, malware, malicious browser extensions, screenshots, clipboard history, weak passphrases, recipient copying, social engineering, or sending every factor through the same compromised channel.
Compromised device out of scope
Recipient copy out of scope
Separate channels still matter
05
Review boundary
Changes to encryption, lifecycle, authorization, billing, API keys, admin access, webhooks, or private-route handling require tests and a security review note before release.
Regression tests
Security review note
No custom cryptography
FAQ
Does Shhhs process secrets with AI?
No. There is no AI processing on secret content.
Can Shhhs recover a secret?
No. Secret recovery would weaken the privacy model.
What can support recover?
Support can help cancel billing after billing validation, but cannot restore account access or secret content.