github.com/jhaals/yopass @14.3.0 sqlite

855 symbols 3,201 edges 135 files 249 documented · 29%
README

Yopass - Share Secrets Securely

Yopass lets you share secrets, passwords, and files securely with end-to-end encryption. Secrets are encrypted in the browser using OpenPGP before being sent to the server — the decryption key never leaves your machine. Each secret gets a one-time URL that expires automatically.

No accounts, no tracking, no plaintext storage. Stop sharing secrets in Slack, email, and ticket systems.

Try the demo | It's recommended to self-host Yopass for sensitive use.

Features

  • End-to-end encryption using OpenPGP
  • One-time secret viewing
  • No accounts or user management
  • Configurable expiration (hours, days, or weeks)
  • Optional custom password protection
  • File upload with streaming encryption
  • Multi-language support
  • OpenID Connect (OIDC) authentication with email domain restrictions
  • Theming and branding (custom themes, logo, app name)
  • Compliance audit logging (SOC 2, ISO 27001, GDPR)
  • Read receipts — know when a secret was opened
  • Webhooks for secret lifecycle events (created, viewed, expired)

Getting Started

See the docs for detailed guides on configuration, theming, OIDC authentication, audit logging, and more.

Docker Compose

This is the quickest way to get Yopass running with TLS and automatic certificate renewal via Let's Encrypt.

  1. Point your domain to the host where you want to run Yopass
  2. Edit deploy/with-nginx-proxy-and-letsencrypt/docker-compose.yml and replace the placeholder values for VIRTUAL_HOST, LETSENCRYPT_HOST, and LETSENCRYPT_EMAIL
  3. Start the containers:
docker-compose up -d

Yopass will be available at the domain you configured.

Already have a reverse proxy handling TLS? Use the simpler setup:

cd deploy/docker-compose/insecure
docker-compose up -d

Then point your reverse proxy to 127.0.0.1:80.

Docker

With TLS encryption:

docker run --name memcached_yopass -d memcached
docker run -p 443:1337 -v /local/certs/:/certs \
    --link memcached_yopass:memcached -d jhaals/yopass --memcached=memcached:11211 --tls-key=/certs/tls.key --tls-cert=/certs/tls.crt

Yopass will be available on port 443 on all host interfaces. To restrict to localhost, use -p 127.0.0.1:443:1337.

Without TLS (requires a reverse proxy for transport encryption):

docker run --name memcached_yopass -d memcached
docker run -p 127.0.0.1:80:1337 --link memcached_yopass:memcached -d jhaals/yopass --memcached=memcached:11211

Then point your TLS-terminating reverse proxy to 127.0.0.1:80.
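
An added example, not part of the Yopass README or repository: a POSIX shell check that classifies a Yopass container's exposure from its `docker ps` port string and its server arguments, following the rule above that the non-TLS listener should only be published on 127.0.0.1. The function name `check_exposure`, its verdict strings, and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Yopass repository).
# check_exposure PORTS ARGS
#   prints: ok-tls | ok-loopback | plaintext-exposed | not-published
#   PORTS: value of `docker ps --format '{{.Ports}}'` for the container
#   ARGS:  the yopass-server arguments the container was started with
check_exposure() {
    ports=$1
    args=$2

    # Built-in TLS needs both flags from the "With TLS" command above.
    # (Flags supplied through environment variables are not visible here.)
    tls=no
    case $args in
        *--tls-key*--tls-cert*|*--tls-cert*--tls-key*) tls=yes ;;
    esac

    verdict=not-published
    old_ifs=$IFS
    IFS=','
    set -f                                   # no globbing on "[::]" while splitting
    for mapping in $ports; do
        mapping=${mapping# }                 # drop the space after each comma
        case $mapping in
            *'->1337/tcp') ;;                # 1337 is the Yopass listener
            *) continue ;;
        esac
        host=${mapping%%->*}                 # e.g. "0.0.0.0:80"
        addr=${host%:*}                      # e.g. "0.0.0.0", "::", "[::]"
        if [ "$tls" = yes ]; then
            verdict=ok-tls
        else
            case $addr in
                127.*|::1|'[::1]')
                    if [ "$verdict" != plaintext-exposed ]; then verdict=ok-loopback; fi ;;
                *) verdict=plaintext-exposed ;;
            esac
        fi
    done
    set +f
    IFS=$old_ifs
    printf '%s\n' "$verdict"
}

# Constructed samples mirroring the `docker run` variants above.
check_exposure '0.0.0.0:443->1337/tcp, :::443->1337/tcp' \
    '--memcached=memcached:11211 --tls-key=/certs/tls.key --tls-cert=/certs/tls.crt'
check_exposure '127.0.0.1:80->1337/tcp' '--memcached=memcached:11211'
check_exposure '0.0.0.0:80->1337/tcp, :::80->1337/tcp' '--memcached=memcached:11211'
```

A `plaintext-exposed` verdict means the container serves HTTP on a non-loopback address, so traffic to it bypasses the TLS-terminating reverse proxy.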

Kubernetes

kubectl apply -f deploy/yopass-k8.yaml
kubectl port-forward service/yopass 1337:1337

This is a minimal setup to get started. Configure TLS before using in production.

Server Configuration

Yopass uses Memcached (default) or Redis as its storage backend. All flags can also be set via environment variable (uppercase, dashes → underscores).

# Memcached (default)
yopass-server --memcached localhost:11211

# Redis
yopass-server --database redis --redis redis://localhost:6379/0

For the full flag reference see yopass.se/docs/server-options. Topic-specific guides:

Guide               Description
TLS / HTTPS         Built-in TLS, Nginx, Caddy, Traefik, Let's Encrypt
File Storage        Disk and S3/MinIO backends, size limits
Read-Only Mode      Split-instance deployments
OpenID Connect      OIDC authentication (license required)
Theming & Branding  Custom themes, logo, app name (license required)
Metrics             Prometheus, alerting rules, Grafana
Audit Logging       NDJSON compliance logging (license required)
Read Receipts       Know when a secret was opened (license required)
Webhooks            Signed lifecycle event notifications (license required)

Translations

Yopass supports multiple languages via react-i18next. See the current translations. Contributions for new languages are welcome — see this example PR.

History

Yopass was first released in 2014 and has been maintained with the help of many contributors. It is used by organizations including Spotify, Doddle, and Gumtree Australia.

If you use Yopass and want to support the project, you can give thanks via email, consider donating, or give consent to list your company here.

Extension points: exported contracts (how you extend this code)

Database (Interface)
Database interface [13 implementers]
pkg/server/database.go
ReceiptDisplay (Interface)
(no doc)
website/src/features/receipts/ReceiptList.tsx
StoredRequest (Interface)
(no doc)
website/tests/secret-request.spec.ts
Secret (Interface)
(no doc)
microsite/src/components/EncryptionTerminal.tsx
FileStore (Interface)
FileStore interface for storing large encrypted file blobs. Metadata (expiration, filename, one_time) is stored separate [3 …
pkg/server/filestore.go
ResultProps (Interface)
(no doc)
website/src/features/display-secret/Result.tsx
MockSecretResponse (Interface)
(no doc)
website/tests/helpers/mock-api.ts
Props (Interface)
(no doc)
microsite/src/components/CheckoutModal.tsx

Core symbols: most depended-on inside this repo

jsonError
called by 79
pkg/server/server.go
HTTPHandler
called by 66
pkg/server/server.go
failure
called by 64
pkg/server/audit.go
Error
called by 57
pkg/yopass/client.go
Get
called by 56
pkg/server/database.go
mockConfigEndpoint
called by 44
website/tests/helpers/mock-api.ts
redactSecretID
called by 25
pkg/server/audit.go
getLastRequest
called by 23
website/tests/helpers/mock-api.ts

Shape

Function 513
Method 253
Struct 50
Interface 31
Class 4
TypeAlias 3
FuncType 1

Languages

Go 78%
TypeScript 22%

Modules by API surface

pkg/server/server_test.go: 80 symbols
pkg/server/oidc_test.go: 75 symbols
pkg/server/audit.go: 32 symbols
pkg/server/webhook.go: 28 symbols
pkg/server/server.go: 28 symbols
pkg/server/server_stream_test.go: 24 symbols
pkg/server/require_auth_test.go: 23 symbols
pkg/server/request_test.go: 23 symbols
pkg/server/filestore_s3_test.go: 22 symbols
deploy/cdk/main.go: 21 symbols
cmd/yopass/main_test.go: 21 symbols
pkg/server/oidc.go: 20 symbols

Dependencies: from manifests, versioned

github.com/Masterminds/semver/v3 v3.5.0 · 1×
github.com/ProtonMail/go-crypto v1.4.1 · 1×
github.com/akrylysov/algnhsa v1.1.0 · 1×
github.com/aws/aws-cdk-go/awscdk/v2 v2.257.0 · 1×
github.com/aws/aws-sdk-go v1.55.8 · 1×
github.com/aws/aws-sdk-go-v2 v1.42.0 · 1×
github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.13 · 1×
github.com/aws/aws-sdk-go-v2/config v1.32.25 · 1×
github.com/aws/aws-sdk-go-v2/credentials v1.19.24 · 1×
github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.29 · 1×
github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.29 · 1×

For agents

$ claude mcp add yopass \
  -- python -m otcore.mcp_server <graph>
