Files burn after one read. Use the relay, or run your own.
A free account tracks your sends, keeps them longer, and lets you send more per month. Or drop one file anonymously in 30 seconds.
Create free account → Or skip account — send anonymously →Self-hosters on Raspberry Pi. OT teams deploying sector-isolated relays. Blockchain nodes needing ciphertext passthrough. Developers integrating encrypted transfer into their own products.
Read the docs →Your file is encrypted in the browser before it leaves your device. The relay never sees plaintext.
The ciphertext moves through the relay and is hashed into the CT Merkle log. ParaShare verified transfers are padded to a fixed 5 MB block; anonymous links travel at their actual encrypted size, up to 5 MB.
The recipient decrypts locally. On download, the relay erases the blob from RAM. Burn-on-read.
The Merkle root is updated. Transfer is proven without storing what was transferred.
Browser-generated key in URL fragment — never sent to relay. Prove-by-design that we cannot decrypt what we relay.
Post-quantum hybrid key exchange. FIPS 203. ML-DSA-65 signed receipts (FIPS 204). All math client-side.
The relay loads 3 KEMs and 18 signatures from FIPS 203, 204, 205, and 206. Clients pick, the relay validates against the live registry, unsupported algorithms get HTTP 415. The official SDKs (sdk-py 3.0.0, sdk-js 3.0.0) produce wire format v1 today; the WebApp tools and extensions are migrating in stages — see crypto-agility § 06 for per-client status.
Full cryptography spec →Paramant has no login form. No username. No password to phish, steal, or breach. Authentication is a cryptographic key and an optional TOTP code — nothing else.
Generated once on account creation. Shown once. Store it in your password manager or secret vault. Rotate instantly if compromised.
RFC 6238, SHA-256, 30-second codes. Works with Aegis, Authy, 1Password. Each code is single-use — replay attacks have no window.
Credential stuffing, dictionary attacks, and phishing require a password to target. With no password those attack vectors don't exist.
Source-available under BUSL-1.1. Free for up to 5 users. Works on a Raspberry Pi. If the managed service ever closes, every self-hosted relay keeps running indefinitely.
curl -fsSL https://paramant.app/install.sh | bash
or
docker compose up -d
Drop a file, share link, burns after one read. No account, no trace.
send a file →ML-KEM-768 hybrid with ML-DSA-65 signed receipts. Proof of who sent what.
try ParaShare →AirDrop alternative across iOS, Android, Windows, Linux. QR or 6-digit code.
use ParaDrop →Create an account on our relay. 30 seconds to your first send. EU-hosted.
create account →BUSL-1.1 source. Docker compose. Free up to 5 users. Raspberry Pi supported.
deploy guide →Dedicated relay with SLA. Compliance docs, single-tenant. NIS2, IEC 62443, NEN 7510.
see enterprise plan →