Password Pusher vs OneTimeSecret
Two purpose-built secret sharing tools, head to head. Both are standalone, both are open source — but they've made very different product decisions. Here's how they compare.
The Short Version
Both Password Pusher and OneTimeSecret are dedicated, open-source secret sharing tools — not features bolted onto a password manager. The core difference: Password Pusher supports files, teams, white-label branding, and self-hosted enterprise deployments. OneTimeSecret is text-only by design, with no team plans, but offers 5 geographic regions and a custom domain on the free tier. Choose based on whether you need a full-featured sharing platform or a deliberately simple text-sharing tool.
Feature-by-Feature Comparison
The closest competitive matchup in the one-time secret sharing space. Both are standalone, both are open source — the differences are in scope and philosophy.
| Feature | Password Pusher | OneTimeSecret |
|---|---|---|
| Basics | | |
| Standalone product | Yes | Yes |
| Free tier | Yes: No account required for basic use | Yes: Account optional. Includes 1 custom domain. |
| Account required to send | No: Anonymous push, zero signup | No: Anonymous (100KB max, 7-day expiry) |
| Open source | Yes: Apache-2.0, 14+ years | Yes: MIT, Ruby + Redis |
| Project maturity | 14+ years: 100M+ secrets shared, 74M+ Docker pulls | 12+ years: 2,781 GitHub stars, active development |
| Content Types | | |
| Text / passwords | All tiers | All tiers: Anonymous: 100KB. Free account: 1MB. |
| File sharing | Paid tiers: Premium ($19/mo) and above | Not available: Text-only by design decision |
| URL sharing | Yes | No |
| Secure inbound requests | Yes: One-time upload links | In development: "Incoming Secrets" backend shipping in v0.25.0 |
| QR codes | Yes | No |
| Security | | |
| Encryption at rest | AES-256-GCM | Yes: Server-side encryption |
| End-to-end encryption | Server-side | Server-side: Secret transmitted to server over HTTPS |
| Passphrase protection | All tiers | All tiers: Passphrase integrated into encryption key |
| View limits | Custom: Set any number of allowed views | One-time only: Single view, then destroyed |
| Bot protection (1-click step) | Yes: Prevents Slack/Teams bots from consuming views | No |
| Two-factor auth (2FA) | All tiers | Full auth mode: MFA + WebAuthn in Full mode (self-hosted) |
| Expiry & Lifecycle | | |
| Maximum lifespan | Up to 90 days: 3× longer than OneTimeSecret | 30 days max: Identity Plus only. Free: 14 days. Anonymous: 7 days. |
| Minimum lifespan | 15 minutes | Minutes: Exact minimum not documented |
| Auto-delete on expiry | Yes | Yes |
| Burn before reading | Yes | Yes: Account holders can delete before recipient views |
| Audit logging | All tiers: Full lifecycle tracking per push & request | No: No audit trail for secret access |
| Branding & Customization | | |
| Custom domain | Pro+: $29/mo hosted or any Self-Hosted tier | All tiers: 1 domain free. Unlimited on Identity Plus. |
| Custom logo | Premium+ | Identity Plus only: €35/mo |
| Custom text on delivery pages | Premium+ | No |
| Full white-label | Pro+: Complete end-to-end branding | Not available: OTS branding remains on delivery pages |
| Homepage access control | Yes: Allow anonymous use, require sign-in, or disable logins entirely | Identity Plus: Control who can create secrets at your domain |
| Teams & Enterprise | | |
| Team management | Pro+: Roles, policies, shared dashboards | Not available: Team infrastructure in development, not yet live |
| Team policies | Pro+: Force defaults, hide features, enforce 2FA | Not available |
| SSO / SAML | Google (Premium+), Microsoft (Pro+), Custom OAuth2 (Self-Hosted Enterprise) | In development: SSO config added in v0.25.0, not yet publicly available |
| Auto-dispatch email | Premium+: Instantly emails the link to recipients | Account holders: Email links to recipients |
| Deployment | | |
| Self-hosted option | Yes: OSS + Self-Hosted Pro (SSO, policies, air-gap, 10+ storage backends) | Yes: OSS only. Docker + Redis. No Pro self-hosted tier. |
| Dedicated data regions | EU + US: eu.pwpush.com & us.pwpush.com | 5 regions: EU, UK, US, Canada, New Zealand |
| REST API | All tiers | All tiers: API v2 (current), v1 (legacy) |
| CLI | Yes | Community only: No official CLI tool |
| Languages | 32 languages | 12+ languages |
| Compliance | | |
| SOC 2 Type II | Via self-hosted: Deploy on your certified infrastructure | No: "Supports SOC 2 workflows" — not certified |
| ISO 27001 | Via self-hosted: Deploy on your certified infrastructure | No |
| HIPAA | Via self-hosted: Deploy on your certified infrastructure | No: "Supports HIPAA workflows" — not certified |
| GDPR | Yes: EU hosting, auto-deletion by design | Yes: EU hosting, GDPR-aware privacy policy |
Key Differentiators
Six differences that matter most when choosing between these two tools.
Files, URLs, and QR Codes vs. Text Only
Password Pusher supports file sharing (paid tiers), URL sharing, and QR codes. OneTimeSecret is deliberately text-only — they've made a philosophical decision to avoid file metadata risks. If you share files, API keys, or certificates as files (not pasted text), OTS can't help.
Teams vs. Solo Accounts
Password Pusher Pro includes team management — roles, shared dashboards, team policies, 2FA enforcement, custom defaults. OneTimeSecret has no team features (they're building the infrastructure but it's not live). If you have a team sharing credentials together, only Password Pusher supports that today.
Full White-Label vs. Logo Only
Password Pusher offers complete end-to-end white-labeling: custom domain, custom logo, custom text on delivery pages. Recipients see your brand entirely. OTS offers custom domain (free!) and logo (€35/mo), but OTS branding still appears on delivery pages. For true white-label, Password Pusher is the only option.
OTS Wins: 5 Geographic Regions
OneTimeSecret offers 5 data regions — EU, UK, US, Canada, and New Zealand — with full share-nothing isolation between them. Password Pusher offers EU and US regions. If you need data to stay in Canada, the UK, or New Zealand specifically, OTS has the edge on geographic flexibility.
Self-Hosted Pro vs. OSS Only
Both are open source and self-hostable. The difference: Password Pusher offers a Self-Hosted Pro product with enterprise features (SSO, team management, policies, air-gap, 10+ storage backends). OTS self-hosting is the open source edition only — no managed Pro tier, no SSO (yet), no enterprise support SLA.
Audit Logging vs. No Audit Trail
Password Pusher includes audit logging on all tiers — track when a push was created, viewed, by whom, from what IP, and when it expired. OneTimeSecret has no audit trail for secret access. For compliance-driven organizations that need to prove a secret was delivered and when, this is a critical gap.
Pricing Comparison
Both tools offer free tiers. The paid tier structures are quite different.
Hosted (pwpush.com)
Hosted (onetimesecret.com)
When to Choose Which
Honest guidance — both are good products with different strengths.
Choose Password Pusher if…
- You need to share files, not just text. OTS is text-only by design. If you share API key files, certificates, config files, or documents, Password Pusher is the only option.
- You have a team. Password Pusher Pro includes roles, shared dashboards, team policies, and 2FA enforcement. OTS has no team features.
- You need true white-label. Password Pusher Pro delivers complete end-to-end branding — recipients never see "Password Pusher." OTS branding remains on delivery pages even with a custom domain and logo.
- You need audit logging. Full lifecycle tracking on every push and request, free on all tiers. OTS has no audit trail.
- You need self-hosted with enterprise features. SSO (Okta, Auth0, Google, Microsoft), team management, policies, air-gap support, 10+ cloud storage backends. OTS self-hosting is the open source edition only.
- You need secrets that last longer than 30 days. Password Pusher supports up to 90 days. OTS caps at 30 days on its most expensive tier.
- You need custom view limits. Allow a secret to be viewed 3 or 5 times. OTS is strictly one-time-view.
- You need inbound requests. Create one-time upload links for clients or vendors to send you files securely.
Choose OneTimeSecret if…
- You only share text and want maximum simplicity. OTS is deliberately focused on text-only secrets. Fewer features means a simpler, more focused experience.
- You need a free custom domain. OTS includes one custom domain on the free tier — Password Pusher requires Pro ($29/mo) for custom domains on the hosted service.
- You need data residency beyond EU/US. OTS offers 5 regions (EU, UK, US, Canada, New Zealand) with full isolation. Password Pusher offers EU and US.
- You want a lighter self-hosted footprint. OTS runs on Ruby + Redis with a simple Docker setup. Password Pusher requires more infrastructure for its fuller feature set.
- You prefer OTS's approach to homepage access control. Both tools offer access controls, but the implementation differs. Evaluate which model fits your deployment.
⚠️ Where We're Honest About Our Gaps
OneTimeSecret genuinely has the edge in a few areas:
- Free custom domain. OTS gives you one custom domain at no cost. We require Pro ($29/mo hosted) or any Self-Hosted tier. If custom domain is all you need and your budget is zero, OTS wins.
- 5 geographic regions vs. 2. EU, UK, US, Canada, New Zealand — each fully isolated. We offer EU and US. If you need data in Canada, UK, or NZ specifically, OTS has more options.
- Simpler product for simple needs. If you truly only share text secrets and want the fewest moving parts, OTS's deliberate simplicity is an advantage, not a limitation.
Frequently Asked Questions
Common questions when evaluating OneTimeSecret alternatives.
Can OneTimeSecret share files?
No. OneTimeSecret is text-only by an explicit design decision — they cite file metadata risks as the reason. If you need to share files, certificates, API key files, or documents as attachments, Password Pusher supports file sharing on paid tiers (Premium $19/mo and above).
Does OneTimeSecret have team features?
Not yet. OTS has been building team/organization infrastructure (visible in their v0.24.0 and v0.25.0 releases), but no team plan is publicly available as of May 2026. Password Pusher Pro ($29/mo) includes team management with roles, shared dashboards, policies, and 2FA enforcement.
Is Password Pusher more expensive than OneTimeSecret?
It depends on what you need. OTS Basic is free with a custom domain — genuinely hard to beat. But OTS Identity Plus (€35/mo) only adds branding and 30-day expiry — no files, no teams, no audit logs. Password Pusher Premium ($19/mo) includes files, branding, auto-dispatch, and audit logs. For the feature set, Password Pusher offers more value per dollar.
Does OneTimeSecret have audit logging?
No. OneTimeSecret does not provide an audit trail showing when a secret was viewed, by whom, or from what IP. Password Pusher includes full lifecycle audit logging on all tiers — free included — tracking creation, views, expiry, and deletion.
Can I set a secret to be viewed more than once on OneTimeSecret?
No. OneTimeSecret enforces strict one-time viewing — a secret is destroyed after a single view. Password Pusher lets you set custom view limits (e.g., allow 3 or 5 views before expiry), which is useful when multiple team members need to access the same credential.
Which tool has better self-hosting?
Both are open source and self-hostable. OTS uses Ruby + Redis with a lighter footprint. Password Pusher offers a Self-Hosted Pro product with enterprise features (SSO, team management, policies, air-gap support, 10+ cloud storage backends) starting at $59/month. If you need enterprise features on-prem, Password Pusher has no equivalent from OTS.
Does OneTimeSecret have SOC 2 certification?
No. OTS's website states it "supports SOC 2 workflows," but this is not a certification claim — no SOC 2 Type II audit report is published. Password Pusher also does not hold SOC 2 for its hosted service, but offers a self-hosted path where you deploy on your own SOC 2-certified infrastructure.
Can Password Pusher be self-hosted?
Yes. Password Pusher offers both a free open-source edition (Apache-2.0) and a Self-Hosted Pro product with SSO, teams, policies, and air-gap support. Self-Hosted Pro starts at $59/month for 5 users. The self-hosted option also enables compliance inheritance — deploy on your SOC 2 / HIPAA / ISO 27001-certified infrastructure.
OneTimeSecret is a trademark of Delano Mandelbaum. This page is not affiliated with or endorsed by OneTimeSecret.