Password Pusher vs OneTimeSecret

Two purpose-built secret sharing tools, head to head. Both are standalone, both are open source — but they've made very different product decisions. Here's how they compare.

Last updated May 2026 · Prices verified against live pricing pages

The Short Version

Both Password Pusher and OneTimeSecret are dedicated, open-source secret sharing tools — not features bolted onto a password manager. The core difference: Password Pusher supports files, production-ready team collaboration with policy enforcement, white-label branding, and self-hosted enterprise deployments with SSO. OneTimeSecret is text-only by design and has been building team/organization infrastructure in its open-source codebase, but no team plan is available to SaaS customers as of May 2026. OTS does offer 5 geographic regions and a free custom domain. Choose based on whether you need a full-featured sharing platform or a deliberately simple text-sharing tool.

Feature-by-Feature Comparison

The closest competitive matchup in the one-time secret sharing space. Both are standalone, both are open source — the differences are in scope and philosophy.

| Feature | Password Pusher | OneTimeSecret |
|---|---|---|
| Basics | | |
| Standalone product | Yes | Yes |
| Free tier | Yes. No account required for basic use | Yes. Account optional. Includes 1 custom domain. |
| Account required to send | No. Anonymous push, zero signup | No. Anonymous (100KB max, 7-day expiry) |
| Open source | Yes. Apache-2.0, 14+ years | Yes. MIT, Ruby + Redis |
| Project maturity | 14+ years. 100M+ secrets shared, 74M+ Docker pulls | 14+ years. 2,781 GitHub stars, active development |
| Content Types | | |
| Text / passwords | All tiers | All tiers. Anonymous: 100KB. Free account: 1MB. |
| File sharing | Paid tiers. Premium ($19/mo) and above | Not available. Text-only by design decision |
| URL sharing | Yes | No |
| Secure inbound requests | Yes. One-time upload links | In development. "Incoming Secrets" backend shipping in v0.25.0 |
| QR codes | Yes | No |
| Security | | |
| Encryption at rest | AES-256-GCM | Yes. Server-side encryption |
| End-to-end encryption | Server-side | Server-side. Secret transmitted to server over HTTPS |
| Passphrase protection | All tiers | All tiers. Passphrase integrated into encryption key |
| View limits | Custom. Set any number of allowed views | One-time only. Single view, then destroyed |
| Bot protection (1-click step) | Yes. Prevents Slack/Teams bots from consuming views | No |
| Two-factor auth (2FA) | All tiers | Full auth mode. MFA + WebAuthn in Full mode (self-hosted) |
| Expiry & Lifecycle | | |
| Maximum lifespan | Up to 90 days. 3× longer than OneTimeSecret | 30 days max. Identity Plus only. Free: 14 days. Anonymous: 7 days. |
| Minimum lifespan | 15 minutes | Minutes. Exact minimum not documented |
| Auto-delete on expiry | Yes | Yes |
| Burn before reading | Yes | Yes. Account holders can delete before recipient views |
| Audit logging | All tiers. Full lifecycle tracking per push & request | No. No audit trail for secret access |
| Branding & Customization | | |
| Custom domain | Pro+. $29/mo hosted or any Self-Hosted tier | All tiers. 1 domain free. Unlimited on Identity Plus. |
| Custom logo | Premium+ | Identity Plus only. €35/mo |
| Custom text on delivery pages | Premium+ | No |
| Full white-label | Pro+. Complete end-to-end branding | Not available. OTS branding remains on delivery pages |
| Homepage access control | Yes. Allow anonymous use, require sign-in, or disable logins entirely | Identity Plus. Control who can create secrets at your domain |
| Teams & Enterprise | | |
| Team management | Pro+. Production-ready. Invite members, assign roles, shared dashboard. | Not available to customers. Org/team code in v0.24–v0.25, but no SaaS team plan exists |
| Team roles & permissions | Pro+. Admin and member roles with granular workspace permissions | Not available to customers. RBAC in OSS code (owner/member only), not exposed on SaaS |
| Shared team dashboard | Pro+. All team members see pushes, requests, and audit activity | Not available |
| Team policy enforcement | Pro+. Force expiry defaults, hide features, enforce security settings | Not available |
| Mandatory 2FA for team | Pro+. Workspace admins can require 2FA for all members | Not available |
| Sign in with Google / Microsoft | Yes. Social login on all hosted tiers (convenience sign-in) | Not available. No social login on hosted SaaS |
| Enterprise SSO (OIDC) | Self-Hosted Pro. Okta, Auth0, Entra, NetScaler, Custom OAuth2. Enforceable. | In development. Per-org SSO config in v0.25.0 code, not available to SaaS customers |
| Auto-dispatch email | Premium+. Instantly emails the link to recipients | Account holders. Email links to recipients |
| Deployment | | |
| Self-hosted option | Yes. OSS + Self-Hosted Pro (SSO, policies, air-gap, 10+ storage backends) | Yes. OSS only. Docker + Redis. No Pro self-hosted tier. |
| Dedicated data regions | EU + US. eu.pwpush.com & us.pwpush.com | 5 regions. EU, UK, US, Canada, New Zealand |
| REST API | All tiers | All tiers. API v2 (current), v1 (legacy) |
| CLI | Yes | Community only. No official CLI tool |
| Languages | 32 languages | 12+ languages |
| Compliance | | |
| SOC 2 Type II | Via self-hosted. Deploy on your certified infrastructure | No. "Supports SOC 2 workflows" — not certified |
| ISO 27001 | Via self-hosted. Deploy on your certified infrastructure | No |
| HIPAA | Via self-hosted. Deploy on your certified infrastructure | No. "Supports HIPAA workflows" — not certified |
| GDPR | Yes. EU hosting, auto-deletion by design | Yes. EU hosting, GDPR-aware privacy policy |

Key Differentiators

The differences that matter most when choosing between these two tools.

Files, URLs, and QR Codes vs. Text Only

Password Pusher supports file sharing (paid tiers), URL sharing, and QR codes. OneTimeSecret is deliberately text-only — they've made a philosophical decision to avoid file metadata risks. If you share files, API keys, or certificates as files (not pasted text), OTS can't help.

Production-Ready Teams vs. No Team Plan

Password Pusher Pro ($29/mo) includes team workspaces with role-based access, shared dashboards, enforceable security policies, and mandatory 2FA — shipping in production today. OneTimeSecret has been building organization and team infrastructure in its open-source codebase (v0.24.0 and v0.25.0), but as of May 2026, no team plan exists on their SaaS pricing page. If your organization needs collaborative secret sharing with admin controls, Password Pusher is the only option available to buy today.

Full White-Label vs. Logo Only

Password Pusher offers complete end-to-end white-labeling: custom domain, custom logo, custom text on delivery pages. Recipients see your brand entirely. OTS offers custom domain (free!) and logo (€35/mo), but OTS branding still appears on delivery pages. For true white-label, Password Pusher is the only option.

OTS Wins: 5 Geographic Regions

OneTimeSecret offers 5 data regions — EU, UK, US, Canada, and New Zealand — with full share-nothing isolation between them. Password Pusher offers EU and US regions. If you need data to stay in Canada, the UK, or New Zealand specifically, OTS has the edge on geographic flexibility.

Self-Hosted Pro vs. OSS Only

Both are open source and self-hostable. The difference: Password Pusher offers a Self-Hosted Pro product with enterprise features (SSO, team management, policies, air-gap, 10+ storage backends). OTS self-hosting is the open source edition only — no managed Pro tier, no SSO (yet), no enterprise support SLA.

Audit Logging vs. No Audit Trail

Password Pusher includes audit logging on all tiers — track when a push was created, viewed, by whom, from what IP, and when it expired. OneTimeSecret has no audit trail for secret access. For compliance-driven organizations that need to prove a secret was delivered and when, this is a critical gap.

Team Collaboration Compared

If your organization shares secrets as a team — IT departments, MSPs, DevOps groups — this is the section that matters most.

Password Pusher Pro

Available today — $29/mo
  • Team workspaces — invite members by email, manage from a shared dashboard
  • Role-based access — admin and member roles with granular permissions
  • Policy enforcement — force expiry defaults, restrict features, set team-wide security baselines
  • Mandatory 2FA — workspace admins can require two-factor authentication for every team member
  • Team audit trail — every push, view, and expiry logged per member — visible to admins
  • White-label for clients — share secrets under your own brand, domain, and logo

OneTimeSecret

In development — no team plan on SaaS

OTS has been actively building team and organization infrastructure in their open-source codebase:

  • v0.24.0 (Mar 2026): Replaced old Teams model with Organizations + RBAC (owner/member roles)
  • v0.25.0 (Apr 2026): Per-organization SSO configuration, invitation system groundwork

However, as of May 2026, none of this is available to SaaS customers. The OTS pricing page lists only Basic (free) and Identity Plus (€35/mo) — neither includes teams, organizations, or SSO. These features exist in the self-hosted open-source code only.

🏢 Self-Hosted Enterprise: A Structural Advantage

Beyond hosted teams, Password Pusher offers something OTS cannot match at any price: a Self-Hosted Pro product with enterprise-grade features for organizations that need to keep secrets on their own infrastructure.

Enterprise SSO

Connect your own Okta, Auth0, Entra, NetScaler, or any OAuth2/OIDC provider. Enforce SSO-only login. Self-Hosted Pro Advanced ($79/mo) and Enterprise ($119/mo).

Kubernetes & Air-Gap

Official Helm charts, Argo CD support, multi-replica with HPA. Deploy in air-gapped environments with no external network access required.

Compliance Inheritance

Deploy on your SOC 2, HIPAA, or ISO 27001-certified infrastructure. The application inherits your existing compliance posture.

10+ Storage Backends

S3, Azure Blob, GCS, MinIO, and more. Use your existing cloud storage. OTS self-hosted uses Redis only.

OTS self-hosting is the open-source edition only — Docker + Redis, no enterprise features, no managed tier, no support SLA. Password Pusher Self-Hosted Pro starts at $59/month.

Pricing Comparison

Both tools offer free tiers. The paid tier structures are quite different.

Password Pusher

Hosted (pwpush.com)

  • Free, $0: No account required. Text, URLs, QR codes. Audit logs.
  • Premium, $19/mo: Files, branding (logo + text), auto-dispatch, requests.
  • Pro, $29/mo: Teams (5 seats), custom domain, white-label, policies, 2FA enforcement.
  • Self-Hosted Pro, from $59/mo: Full control. Air-gap. SSO. 10+ storage backends.

OneTimeSecret

Hosted (onetimesecret.com)

  • Basic (Free), €0: 1 custom domain, API, email links, 14-day expiry.
  • Identity Plus, €35/mo: Unlimited domains, logo branding, 30-day expiry, homepage control.
  • Self-Hosted (OSS), free: MIT license. Docker + Redis. No enterprise features.

Pricing context: For basic branding (logo), OTS Identity Plus costs €35/mo. Password Pusher Premium costs $19/mo and includes files, auto-dispatch, and audit logs that OTS doesn't offer at any price. For teams and white-label, Password Pusher Pro at $29/mo is the only option — OTS has no team plan. OTS's free custom domain is a genuine advantage if custom domain is your only need.

When to Choose Which

Honest guidance — both are good products with different strengths.

Choose Password Pusher if…

  • You need to share files, not just text. OTS is text-only by design. If you share API key files, certificates, config files, or documents, Password Pusher is the only option.
  • You have a team. Password Pusher Pro includes team workspaces, role-based access, shared dashboards, enforceable policies, and mandatory 2FA. OTS has been building team infrastructure in their codebase but has no team plan available to SaaS customers as of May 2026.
  • You need true white-label. Password Pusher Pro delivers complete end-to-end branding — recipients never see "Password Pusher." OTS branding remains on delivery pages even with a custom domain and logo.
  • You need audit logging. Full lifecycle tracking on every push and request, free on all tiers. OTS has no audit trail.
  • You need self-hosted with enterprise features. SSO (Okta, Auth0, Google, Microsoft), team management, policies, air-gap support, 10+ cloud storage backends. OTS self-hosting is the open source edition only.
  • You need secrets that last longer than 30 days. Password Pusher supports up to 90 days. OTS caps at 30 days on its most expensive tier.
  • You need custom view limits. Allow a secret to be viewed 3 or 5 times. OTS is strictly one-time-view.
  • You need inbound requests. Create one-time upload links for clients or vendors to send you files securely.

Choose OneTimeSecret if…

  • You only share text and want maximum simplicity. OTS is deliberately focused on text-only secrets. Fewer features means a simpler, more focused experience.
  • You need a free custom domain. OTS includes one custom domain on the free tier — Password Pusher requires Pro ($29/mo) for custom domains on the hosted service.
  • You need data residency beyond EU/US. OTS offers 5 regions (EU, UK, US, Canada, New Zealand) with full isolation. Password Pusher offers EU and US.
  • You want a lighter self-hosted footprint. OTS runs on Ruby + Redis with a simple Docker setup. Password Pusher requires more infrastructure for its fuller feature set.
  • You prefer OTS's approach to homepage access control. Both tools offer access controls, but the implementation differs. Evaluate which model fits your deployment.

⚠️ Where We're Honest About Our Gaps

OneTimeSecret genuinely has the edge in a few areas:

  • Free custom domain. OTS gives you one custom domain at no cost. We require Pro ($29/mo hosted) or any Self-Hosted tier. If custom domain is all you need and your budget is zero, OTS wins.
  • 5 geographic regions vs. 2. EU, UK, US, Canada, New Zealand — each fully isolated. We offer EU and US. If you need data in Canada, UK, or NZ specifically, OTS has more options.
  • Simpler product for simple needs. If you truly only share text secrets and want the fewest moving parts, OTS's deliberate simplicity is an advantage, not a limitation.

Frequently Asked Questions

Common questions when evaluating OneTimeSecret alternatives.

Can OneTimeSecret share files?

No. OneTimeSecret is text-only by an explicit design decision — they cite file metadata risks as the reason. If you need to share files, certificates, API key files, or documents as attachments, Password Pusher supports file sharing on paid tiers (Premium $19/mo and above).

Does OneTimeSecret have team features?

Not for SaaS customers. OTS has been actively building team and organization infrastructure in their open-source codebase — v0.24.0 (March 2026) introduced Organizations with RBAC, and v0.25.0 (April 2026) added per-organization SSO configuration and invitation groundwork. However, the OTS SaaS pricing page still lists only Basic (free) and Identity Plus (€35/mo) — neither includes teams, roles, or SSO. These features exist in the self-hosted open-source code only. Password Pusher Pro ($29/mo) includes production-ready team management with role-based access, shared dashboards, enforceable policies, and mandatory 2FA today.

Which tool supports SSO?

Password Pusher has two levels of sign-in support. The hosted service (pwpush.com) offers Google and Microsoft social login on all tiers — this is convenience sign-in, not IT-admin-configured enterprise SSO. For real enterprise SSO — connecting your own Okta, Auth0, Entra, NetScaler, or custom OAuth2/OIDC provider with enforceable login policies — you need Self-Hosted Pro (Advanced at $79/mo or Enterprise at $119/mo). OneTimeSecret has added per-organization SSO configuration in their v0.25.0 open-source release, but this is not available to SaaS customers — OTS's hosted pricing page shows no SSO option on any tier.

Is Password Pusher more expensive than OneTimeSecret?

It depends on what you need. OTS Basic is free with a custom domain — genuinely hard to beat. But OTS Identity Plus (€35/mo) only adds branding and 30-day expiry — no files, no teams, no audit logs. Password Pusher Premium ($19/mo) includes files, branding, auto-dispatch, and audit logs. For the feature set, Password Pusher offers more value per dollar.

Does OneTimeSecret have audit logging?

No. OneTimeSecret does not provide an audit trail showing when a secret was viewed, by whom, or from what IP. Password Pusher includes full lifecycle audit logging on all tiers — free included — tracking creation, views, expiry, and deletion.

Can I set a secret to be viewed more than once on OneTimeSecret?

No. OneTimeSecret enforces strict one-time viewing — a secret is destroyed after a single view. Password Pusher lets you set custom view limits (e.g., allow 3 or 5 views before expiry), which is useful when multiple team members need to access the same credential.

Which tool has better self-hosting?

Both are open source and self-hostable. OTS uses Ruby + Redis with a lighter footprint. Password Pusher offers a Self-Hosted Pro product with enterprise features (SSO, team management, policies, air-gap support, official Helm charts for Kubernetes, Argo CD support, and 10+ cloud storage backends) starting at $59/month. If you need enterprise features on-prem, OTS has no equivalent to Password Pusher Self-Hosted Pro.

Does OneTimeSecret have SOC 2 certification?

No. OTS's website states it "supports SOC 2 workflows," but this is not a certification claim — no SOC 2 Type II audit report is published. Password Pusher also does not hold SOC 2 for its hosted service, but offers a self-hosted path where you deploy on your own SOC 2-certified infrastructure.

Can Password Pusher be self-hosted?

Yes. Password Pusher offers both a free open-source edition (Apache-2.0) and a Self-Hosted Pro product with SSO, teams, policies, and air-gap support. Self-Hosted Pro starts at $59/month for 5 users. The self-hosted option also enables compliance inheritance — deploy on your SOC 2 / HIPAA / ISO 27001-certified infrastructure.

OneTimeSecret is a trademark of Delano Mandelbaum. This page is not affiliated with or endorsed by OneTimeSecret.