github jhaals/yopass 14.2.0


This release introduces several new features that have been in the back of my mind for a long time. Many of these will aid companies in onboarding, support and working with secrets in ticket management systems. I have also made these available in the demo instance for testing.

Secret Requests

You can now ask someone to send you a secret instead of the other way around. Create a request link, share it over any channel, and whatever the recipient types is encrypted in their browser with a public key that only you hold — the server never sees the plaintext. The request list tracks every request you've created with live status, and collected secrets are deleted from the server the moment you retrieve them. Full key management (rotation, export/import, revoke) is available from the UI. → Secret Requests docs

Requires a license key. Opt-out available via --disable-secret-requests.


Read Receipts

Know exactly when a secret you shared was opened. Tick Read receiptou get a token that lets you — and only you — poll whether and when the recipient decrypted it. The Receipts page in the nav bar tracks alive status across browser sessions. The receipt stores only state and timestamps; the decryption key never touches the server and is never persisted by the receipt machinery. → Read Receipts docs

Requires a license key. Opt-out available via --disable-read-receipts.


Webhooks

Get notified in real time when secrets are created, viewed, or expire — without polling logs. Point --webhook-url at any HTTP endpoint and Yopass will POST a JSON payload for each lifecycle event (secret.created, secret.viewed, secret.expired, and the equivalent request.* events for secret requests). Deliveries are signed with HMAC-SHA256 when --webhook-secret is set, retried up to three in the yopass_webhook_deliveries_total Prometheus metric. → Webhooks docs

Requires a license key.
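
A receiver-side check for the signed deliveries described above, as an added example that is not Yopass code or part of these release notes. It assumes the signature value arrives hex-encoded and that the payload names its event in a JSON field called "event"; both are assumptions, so take the actual header and format from the Webhooks docs.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"strings"
)

// Event names listed in the release notes; request.* covers secret requests.
var secretEvents = map[string]bool{"secret.created": true, "secret.viewed": true, "secret.expired": true}

// Sign returns hex(HMAC-SHA256(secret, body)). Hex encoding is an assumption.
func Sign(secret, body []byte) string {
	m := hmac.New(sha256.New, secret)
	m.Write(body)
	return hex.EncodeToString(m.Sum(nil))
}

// VerifyDelivery authenticates the raw body before parsing it. The JSON field
// "event" is a hypothetical name, not taken from the Yopass docs.
func VerifyDelivery(secret, body []byte, sigHex string) (string, error) {
	got, err := hex.DecodeString(strings.TrimSpace(sigHex))
	if err != nil || len(got) != sha256.Size {
		return "", fmt.Errorf("malformed signature")
	}
	want, _ := hex.DecodeString(Sign(secret, body))
	if !hmac.Equal(got, want) { // constant-time comparison
		return "", fmt.Errorf("signature mismatch")
	}
	var p struct {
		Event string `json:"event"`
	}
	if err := json.Unmarshal(body, &p); err != nil {
		return "", fmt.Errorf("bad payload: %w", err)
	}
	if !secretEvents[p.Event] && !strings.HasPrefix(p.Event, "request.") {
		return "", fmt.Errorf("unexpected event %q", p.Event)
	}
	return p.Event, nil
}

func main() {
	secret := []byte("constructed-test-secret") // constructed sample values
	body := []byte(`{"event":"secret.viewed"}`)
	fmt.Println(VerifyDelivery(secret, body, Sign(secret, body)))
}
```

Compute the HMAC over the exact bytes received, before any JSON decoding or re-serialization, and reject the delivery when the check fails.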


Forced Expiration

Administrators can now lock all secrets to a single expiration duration with `--force-expiration 1h|1d|1w`. The server rejects any create request with a different value, and the UI replaces the expiration selector with theice, no workarounds. → Server Options docs

  • build(deps-dev): bump prettier from 3.8.3 to 3.8.4 in /website by @dependabot[bot] in #3570
  • build(deps-dev): bump @types/node from 25.9.2 to 25.9.3 in /website by @dependabot[bot] in #3573
  • build(deps): bump react-use from 17.6.0 to 17.6.1 in /website by @dependabot[bot] in #3572
  • build(deps): bump github.com/aws/aws-sdk-go-v2/config from 1.32.24 to 1.32.25 by @dependabot[bot] in #3574
  • feat: Add Secret requests functionality by @jhaals in #3571
  • Backend cleanup and simplifications by @jhaals in #3575
  • feat: add --force-expiration server flag to enforce secret expiration time by @Copilot in #3557
  • Cleanup website, lint languages by @jhaals in #3576
  • build(deps): bump eslint-plugin-react-hooks, typescript, react, and @… by @jhaals in #3577
  • feat: Add webhooks and read receipts by @jhaals in #3578

Full Changelog: 14.1.1...14.2.0
