sendfast
Sign inGet started
Docs

Build with SendFast.

Encrypted file transfer for humans and agents. Same zero-knowledge architecture across the REST API, the TypeScript SDK, and the MCP server.

01 / QUICKSTART

Send your first file

Drop a file at /upload to try the flow end-to-end. The encryption key is generated in your browser and lives in the URL fragment — the server never sees it.

Open the uploader
02 / REST API

Upload, deliver, expire

Three endpoints cover the full flow: request a presigned URL, PUT the encrypted blob, and share the resulting transfer link. Authentication is by API key on Pro plans.

Jump to endpoints
03 / TYPESCRIPT SDK

Wrap it in three lines

Our SDK handles encryption, chunking, and presigned uploads for you. Designed for Node and the browser. Use it in your backend, your frontend, or an agent tool.

SDK docs
04 / MCP SERVER

Give your agent file transfer

An MCP server exposes upload, transfer status, and delete tools. Drop it into Claude Desktop, Cursor, or any MCP-compatible client and your agent can hand files to humans.

MCP setup
Endpoints

REST reference.

All requests are JSON unless noted. Encrypt files in the browser before calling /api/upload; the server only stores ciphertext and metadata.

POST/api/upload

Register a transfer and receive presigned upload URLs

BODY
{
  "files": [{ "name": "report.pdf", "size": 14200000, "type": "application/pdf", "iv": "<base64-iv>" }],
  "expiry": "24h",
  "password": "optional",
  "emails": "[email protected]",
  "title": "Q4 financials"
}
RETURNS
{ "transferId": "8a3f...", "presignedUrls": [{ "index": 0, "url": "https://..." }] }
PUT<presigned-url>

Upload the encrypted blob directly to storage

BODY
<encrypted bytes — Content-Type: application/octet-stream>
RETURNS
200 OK
GET/api/download/:transferId

Fetch the metadata + per-file download URLs

BODY
?password=… (only if the transfer is password-protected)
RETURNS
{ "id": "8a3f...", "files": [{ "id": "...", "name": "report.pdf", "url": "https://...", "iv": "..." }], "expiresAt": "...", "downloadCount": 2 }
DELETE/api/transfers/:id

Delete a transfer and its ciphertext (auth required)

BODY
RETURNS
204 No Content
Encryption

Zero-knowledge by construction.

SendFast uses AES-256-GCM. The key is generated by crypto.subtle.generateKey in the user's browser, never sent to our servers, and embedded in the URL fragment (https://sendfast.raicode.tech/t/abc#K2x…vQ9). Browsers do not transmit the fragment in requests.

The recipient's browser reads the fragment, fetches the ciphertext via a presigned URL, and decrypts locally. We see filenames, sizes, MIME types, and IVs — never plaintext.

Read the full architecture in Security and our public commitments in Privacy policy.