share.refueler.io
System Status
Loading…
Loading…
Scheduled maintenance
Incidents
Fetching status…
Cryptographic integrity layer
Zero-knowledge guarantee
✓ Architectural
AES-256 keys are generated browser-side and placed in the URL fragment only.
The fragment is never transmitted to our Worker per RFC 3986.
We receive and store ciphertext. Reading your files is not technically possible for us.
Anonymous auth
✓ Cashu NUT-00
Upload credentials are blind-signed. The server issues a token without
learning its serial number. Transfers cannot be linked to identity at the
ledger layer. Double-spend prevention via Supabase spent-token table (NUT-07).
Chunk integrity
✓ BLAKE3 (browser)
Each 50 MB chunk is BLAKE3-hashed client-side via a compiled WASM module
loaded from a local bundle. Hash roots enable byte-exact resume on
interrupted transfers without restarting from chunk 0.
Passphrase gating
✓ NUT-11 Mode 1
Share links can require a passphrase. The SHA-256 hash of the passphrase is
stored in the transfer manifest. The Worker issues a time-scoped download
token only on hash match. The passphrase never travels the wire in plaintext.
Server-side chunk verification
⚠ Known gap
The Worker verifies chunk receipt but does not re-verify the client-declared
BLAKE3 hash server-side. A compromised client could declare a hash mismatch
undetected. Fix: compile BLAKE3 to a static WASM binary in the Worker.
No integrity or audit claims are made until this is resolved.
Storage ephemerality
✓ R2 lifecycle
Hard expiry enforced by Cloudflare R2 lifecycle rules: all objects deleted
after 92 days maximum. Incomplete multipart uploads aborted after 1 day.
No manual deletion required. No exceptions.