Why your note URL isn't a secret (and what actually is)

The link to your note is guessable. The password is what keeps it private. Here’s how to think about it.

Inkrypt · Security Insights

Your note lives at a URL like www.inkrypt.online/my-secret-note. Anyone who has that URL can request the page. What they get is the encrypted blob—ciphertext, salt, IV. Without the password, they can’t decrypt. So the URL is not a secret; it’s more like a public identifier. The secret is the password.

Implications

Don’t rely on “no one will guess my URL.” If the note is sensitive, use a long, random-looking slug and a strong password. Don’t paste the URL in public places if you care about not advertising that the note exists. And never send the URL and password in the same message over an untrusted channel.

What actually protects you

Encryption with a key derived from your password is what protects you. So: use a strong password, make it unique per note when it matters, and treat the URL as “who can try to open this” and the password as “who can actually read it.”
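The split between "who can try" and "who can read" can be seen in a small Node.js sketch. This is an added example, not Inkrypt's code: the article does not name its algorithms, so scrypt and AES-256-GCM, the base64 field encoding, and the function names sealNote, openNote and resistsGuesses are all assumptions.

```javascript
// Added example. Assumed scheme: scrypt key derivation + AES-256-GCM.
const crypto = require("node:crypto");

// Derive a 256-bit key from the password and the per-note salt.
function deriveKey(password, salt) {
  return crypto.scryptSync(password, salt, 32);
}

// Encrypt before upload. The returned object is all the server stores,
// and all that anyone requesting the note URL receives.
function sealNote(password, plaintext) {
  const salt = crypto.randomBytes(16);
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", deriveKey(password, salt), iv);
  const body = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  // Append the 16-byte GCM tag so the blob has the three fields the article lists.
  const ciphertext = Buffer.concat([body, cipher.getAuthTag()]);
  const b64 = (buf) => buf.toString("base64");
  return { salt: b64(salt), iv: b64(iv), ciphertext: b64(ciphertext) };
}

// Returns the plaintext, or null when the password is wrong or the blob was altered.
function openNote(password, blob) {
  const raw = Buffer.from(blob.ciphertext, "base64");
  if (raw.length < 16) return null; // too short to hold a tag
  const body = raw.subarray(0, raw.length - 16);
  const tag = raw.subarray(raw.length - 16);
  const key = deriveKey(password, Buffer.from(blob.salt, "base64"));
  try {
    const decipher = crypto.createDecipheriv("aes-256-gcm", key, Buffer.from(blob.iv, "base64"));
    decipher.setAuthTag(tag);
    return Buffer.concat([decipher.update(body), decipher.final()]).toString("utf8");
  } catch {
    return null; // authentication failed: wrong key or modified data
  }
}

// Password check for the note owner: true if none of the listed guesses opens
// the blob. Every URL holder can run the same loop, so a weak password fails here.
function resistsGuesses(blob, guesses) {
  return guesses.every((guess) => openNote(guess, blob) === null);
}

// Constructed sample: the blob is public, the password is not.
const demoBlob = sealNote("correct horse battery staple", "constructed sample note");
console.log(demoBlob, openNote("wrong guess", demoBlob));
```

The printed blob is what a URL holder sees; the trailing null is what they get back from a wrong password.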