Live at pste.dev · Quick start · CLI · API · Self-hosting · Security
pste is a paste / code-sharing tool for developers and adjacent technical folks — SREs, sysadmins, security, data. Anonymous by default, end-to-end encrypted on demand, and deliberately not a social pastebin: no trending feed, no public discovery, no accounts required. A tool, not a destination.
| Anonymous-first | No account needed to create or view a paste. |
| End-to-end encrypted | Toggle private and the body is encrypted in your browser with AES-GCM — either a random key carried in the URL fragment (#k=…), or a passphrase-derived key (PBKDF2-HMAC-SHA256) that's in neither the link nor the server. |
| Real expiry | 1h / 1d / 1w / 30d, capped at 30 days. On expiry the row, the blob, and the backup are deleted. No soft-delete. |
| Burn-after-read | The first viewer destroys the paste; link-preview bots are bypassed so they can't pre-burn it. |
| Smart viewer | Server-rendered syntax highlighting (Shiki), JSON/YAML/TOML tree views, unified-diff rendering, Markdown, line-range permalinks (#L42-L60). |
| Secret scanning | Paste content is scanned for credentials (Gitleaks-style rules); warns with one-click redaction, never blocks. |
| Zero-install API | curl pste.dev -d @file just works. Full REST API with idempotency keys and an oEmbed endpoint. |
pste CLI |
A small, dependency-free Go binary for Linux, macOS, and Windows. |
| Optional accounts | GitHub / Google OAuth and passkeys, for a personal paste dashboard. A convenience layer, never a requirement. |
| Transparent | A public /transparency page with aggregate moderation counts, and a /security page on what the server can and can't see. |
# Zero install — pipe anything to pste.dev:
curl pste.dev -d @notes.txt
echo "hello" | curl pste.dev --data-binary @-
# Fetch it back:
curl pste.dev/<id>/rawInstall — once a release is published:
# Linux / macOS
curl -fsSL https://pste.dev/install.sh | sh
# Windows (PowerShell)
irm https://pste.dev/install.ps1 | iexOr build from source — see Development.
pste notes.txt # create a paste, print the URL
cat error.log | pste --burn # burn-after-read from a pipe
pste --private secrets.env # end-to-end encrypted
pste --private --password secrets.env # passphrase-derived E2E
pste # no file, no pipe → reads the clipboard
pste get <id|url> # fetch a paste to stdout
pste rm <id|url> # delete a paste with its delete token
pste auth login # store a personal access token
pste completion zsh # shell completion script (bash|zsh|fish)| Flag | Meaning |
|---|---|
--url |
pste server (default: $PSTE_URL or pste.dev) |
--expire |
1h · 1d · 1w · 30d · never (default 30d) |
--lang |
language slug for highlighting |
--burn |
burn-after-read |
--private |
end-to-end encrypted |
--password |
with --private: derive the key from a passphrase ($PSTE_PASSPHRASE or a prompt) |
| Method | Endpoint | Notes |
|---|---|---|
POST |
/api/v1/paste |
Create. Headers: X-Expiry, X-Language, X-Burn-After-Read, X-E2E, X-Idempotency-Key. |
GET |
/api/v1/paste/:id |
Metadata (JSON). |
DELETE |
/api/v1/paste/:id |
Requires X-Delete-Token. |
GET |
/:id/raw |
Raw text/plain body (non-E2E only). |
GET |
/api/v1/oembed?url=… |
oEmbed link document. |
Anonymous requests are rate-limited per IP; a signed-in session raises the ceiling. There is no paid tier.
pste is source-available and runs as a portable monolith — SvelteKit on Bun, SQLite for metadata, the local filesystem for blob storage. There is no cloud dependency. ops/ contains a Caddyfile, a systemd unit, an env.example, and a deploy script; see those files to run your own instance.
Self-hosting for any non-competing purpose is permitted under the license — see License.
Requires Bun. The Go CLI additionally needs Go 1.24+.
bun install
bun run dev # dev server at http://localhost:5173
bun run check # svelte-check / type-check
bun test # unit + integration tests
bun run lint # prettier + eslint
bun run build # production build (adapter-node)
cd cli && go test ./... # CLI testsCI runs check, test, and lint for the app plus vet, test, and a cross-compile sweep for the CLI on every push and PR.
src/lib/server/ server modules (paste store, auth, abuse, crypto-adjacent)
src/lib/ shared code — e2e.ts (browser crypto), secrets.ts, detectLang.ts
src/routes/ SvelteKit routes: pages, /api/v1/*, /auth/*, /admin/*
cli/ the `pste` Go CLI (stdlib only)
ops/ Caddyfile, systemd unit, deploy script
.github/ CI and release workflows
How the encryption works, what the server can and cannot see, and how to verify it: pste.dev/security.
Found a vulnerability? Email security@pste.dev. Please don't open a public issue for anything exploitable until it's fixed.
FSL-1.1-Apache-2.0 — the Functional Source License. Read, audit, modify, and self-host it for any non-competing purpose; you may not use it to build a competing product. Each release converts to Apache-2.0 two years after it ships.