Authentication overview
Authentication for dead-drop establishes and verifies the identity of users and programmatic clients accessing the DeadDrop platform. This process is fundamental to the platform's core function of secure one-time secret sharing, ensuring that secrets are only accessible by authorized parties. The DeadDrop platform offers distinct authentication flows tailored for human users interacting with the web interface and for automated systems utilizing the API. All authentication mechanisms are designed to uphold the confidentiality and integrity of secrets managed within the system, aligning with security best practices for secrets management platforms.
For human users, dead-drop leverages traditional email and password combinations, augmented with multi-factor authentication (MFA) to provide an additional layer of security. Programmatic access, essential for integrating dead-drop into existing workflows and applications, relies on API keys. These keys serve as a token of authentication, granting specific permissions to the calling application. The use of separate authentication methods for users and APIs allows for granular control over access privileges and facilitates auditing of interactions with the secret sharing service. This separation helps in adhering to the principle of least privilege, where entities are granted only the necessary access to perform their designated tasks, as outlined in security guidelines for web application authentication.
Supported authentication methods
dead-drop supports different authentication methods to accommodate both interactive user access and automated API interactions. Each method is designed with security and usability in mind, appropriate for its specific use case.
| Method | When to Use | Security Level |
|---|---|---|
| Email and Password with MFA | Human users accessing the dead-drop web interface for managing secrets, inviting team members, and configuring settings. | High (with MFA enabled). Provides protection against credential stuffing and brute-force attacks. |
| API Key | Programmatic access for creating, retrieving, or managing secrets from applications, scripts, or continuous integration/continuous deployment (CI/CD) pipelines. | Moderate to High (depends on key management). Requires secure storage and rotation of keys. |
Email and Password with MFA
This method is the standard for user accounts accessing the dead-drop web application. Upon initial registration, users create an account with an email and password. dead-drop strongly recommends and supports the activation of multi-factor authentication (MFA) for all user accounts. MFA significantly enhances security by requiring a second verification factor, such as a code from an authenticator app (e.g., Google Authenticator, Authy) or a hardware security key, in addition to the password. This prevents unauthorized access even if the primary password is compromised. Users can manage their MFA settings within their account profile; see the dead-drop user guide for security settings.
API Key Authentication
For automated systems and integrations, dead-drop provides API key authentication. An API key is a unique token generated within the dead-drop platform that applications include in their requests to authenticate themselves. These keys typically grant specific permissions, which can be configured to adhere to the principle of least privilege. API keys should be treated as sensitive credentials and protected accordingly. They are suitable for server-to-server communication or when integrating dead-drop into custom applications where user interaction is not required. Developers can learn more about API key management and usage in the dead-drop API authentication reference.
Getting your credentials
Accessing dead-drop, whether via the web interface or API, requires appropriate credentials. The process for obtaining these credentials is straightforward and managed through the DeadDrop platform.
For User Accounts (Email/Password with MFA)
- Account Registration: New users can register for a dead-drop account directly on the dead-drop sign-up page. This typically involves providing an email address and creating a strong password.
- Password Management: Passwords can be reset via the 'Forgot Password' link on the login page. Users are encouraged to use strong, unique passwords for their dead-drop accounts.
- MFA Setup: After logging in, users should navigate to their account security settings to enable and configure multi-factor authentication. This usually involves scanning a QR code with an authenticator app or registering a security key. Detailed instructions are available in the dead-drop MFA setup guide.
For API Keys
- Accessing the API Dashboard: To generate API keys, log into your dead-drop account and navigate to the 'API Keys' section, typically found in your account or team settings.
- Generating a New Key: From the API Keys dashboard, you can generate a new API key. When generating a key, you may be prompted to assign it a descriptive name for easier identification and to define its scope or permissions. This helps in managing different keys for various applications and ensuring that each key only has the necessary access.
- Storing the Key Securely: Once generated, the API key will be displayed. This is often the only time you will see the full key, so it is crucial to copy and store it immediately in a secure location, such as an environment variable or a secrets manager. If a key is lost, it cannot be recovered and must be regenerated.
- Key Expiration and Rotation: While dead-drop API keys generally do not expire automatically, it is a recommended security practice to rotate them periodically. You can delete existing keys and generate new ones from the API Keys dashboard.
Authenticated request example
When making programmatic requests to the dead-drop API, you must include your API key in the request header. The following example demonstrates how to create a new ephemeral secret using a curl command, authenticating with an API key.
Replace YOUR_API_KEY with your actual dead-drop API key and YOUR_SECRET_MESSAGE with the data you wish to share.
```bash
curl -X POST \
  https://api.deaddrop.io/v1/secrets \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d '{
    "payload": "YOUR_SECRET_MESSAGE",
    "expiresInSeconds": 3600,
    "maxReads": 1
  }'
```
In this example:
- `-X POST` specifies the HTTP method to create a new secret.
- `https://api.deaddrop.io/v1/secrets` is the endpoint for creating secrets.
- `-H "Content-Type: application/json"` indicates that the request body is in JSON format.
- `-H "Authorization: Bearer YOUR_API_KEY"` is the crucial authentication header, where `YOUR_API_KEY` is your generated API key. The `Bearer` scheme is a common method for sending access tokens, as detailed in IETF RFC 6750 (OAuth 2.0 Bearer Token Usage).
- `-d '{...}'` contains the JSON payload for the secret, specifying the content, expiration time, and maximum number of reads.
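The same request built in Python, as an added example that is not part of the dead-drop documentation or client code: it reads the key from an environment variable instead of hardcoding it, validates the three JSON fields used above, builds the request as an object that can be inspected before sending, and redacts the key in any error message. `DEADDROP_API_KEY`, `load_api_key`, `build_create_secret_request` and `create_secret` are names assumed here; the endpoint URL is the one from the curl example.

```python
import json
import os
import urllib.error
import urllib.request

# Assumed names (not from the dead-drop docs): the environment variable that
# holds the key, and the endpoint taken from the curl example above.
API_KEY_ENV = "DEADDROP_API_KEY"
SECRETS_URL = "https://api.deaddrop.io/v1/secrets"


def load_api_key(env=os.environ):
    """Read the API key from the environment; never keep it in source code."""
    key = env.get(API_KEY_ENV, "").strip()
    if not key:
        raise RuntimeError(f"{API_KEY_ENV} is not set; refusing to run without a credential")
    return key


def redact(key):
    """Keep only a short suffix so logs and error messages never leak the key."""
    return "****" + key[-4:] if len(key) > 4 else "****"


def build_create_secret_request(payload, expires_in_seconds=3600, max_reads=1, env=os.environ):
    """Build the POST /v1/secrets request shown in the curl example, with input checks."""
    if not isinstance(payload, str) or not payload:
        raise ValueError("payload must be a non-empty string")
    if expires_in_seconds <= 0 or max_reads <= 0:
        raise ValueError("expiresInSeconds and maxReads must be positive")
    body = json.dumps({
        "payload": payload,
        "expiresInSeconds": expires_in_seconds,
        "maxReads": max_reads,
    }).encode("utf-8")
    headers = {
        "Content-Type": "application/json",
        "Authorization": f"Bearer {load_api_key(env)}",  # Bearer scheme, RFC 6750
    }
    return urllib.request.Request(SECRETS_URL, data=body, headers=headers, method="POST")


def create_secret(payload, env=os.environ, **kwargs):
    """Send the request; on failure surface the HTTP status and a redacted key only."""
    req = build_create_secret_request(payload, env=env, **kwargs)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        raise RuntimeError(f"create secret failed (key {redact(load_api_key(env))}): HTTP {exc.code}") from exc
```

Run it as `DEADDROP_API_KEY=... python3 script.py` after adding a call to `create_secret("message")`; with the variable unset it stops before any request is made.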
Security best practices
Adhering to security best practices is essential when authenticating with dead-drop to protect sensitive information. These practices apply to both user accounts and API key management.
For User Accounts
- Enable Multi-Factor Authentication (MFA): Always enable MFA for your dead-drop user account. This provides a critical layer of defense against unauthorized access, even if your password is compromised.
- Use Strong, Unique Passwords: Create complex passwords that are unique to your dead-drop account. Avoid reusing passwords across different services. Consider using a password manager to generate and store strong passwords securely.
- Regular Password Changes: While not strictly necessary with MFA, periodic password changes can add an extra layer of security, especially if you suspect your credentials may have been exposed elsewhere.
- Be Wary of Phishing Attempts: Always verify the legitimacy of emails or communications requesting your dead-drop credentials. Only enter your login information on the official dead-drop login page.
For API Keys
- Secure Storage: Never hardcode API keys directly into your application's source code. Instead, store them in environment variables, dedicated configuration files that are not committed to version control, or a secure secrets management solution (e.g., HashiCorp Vault).
- Principle of Least Privilege: When generating API keys, configure them with the minimum necessary permissions required for the task. Avoid granting broad access if only specific operations (e.g., creating secrets) are needed.
- Regular Rotation: Implement a policy for regular API key rotation. Periodically generate new keys and revoke old ones. This minimizes the window of opportunity for an attacker if a key is compromised.
- Monitor API Key Usage: Pay attention to access logs and audit trails provided by dead-drop (if available) to detect any unusual activity associated with your API keys.
- Delete Unused Keys: Immediately revoke any API keys that are no longer in use or associated with decommissioned applications/services.
- IP Whitelisting (if available): If dead-drop offers IP whitelisting for API keys, configure it to restrict API access only from trusted IP addresses or ranges. This adds another layer of network-level security.
By implementing these security measures, users and organizations can significantly enhance the protection of their secrets and maintain the integrity of their data within the dead-drop platform.