My Profile
Sign Out
Tickets
Knowledge Base
Login
Articles in this section
Category / Section
  2. Integrations

Share Secrets Module

Updated:

Share sensitive information securely through self-destructing links with FlowMattic’s Share Secrets module. This guide walks you through creating workflows that generate secure, time-limited links for sharing passwords, API keys, and confidential data.

Overview

Share Secrets allows you to:

  • Create encrypted, self-destructing links for sensitive information
  • Set time-based or view-based expiration
  • Add password protection for extra security
  • Customize the reveal page with your branding
  • Receive notifications when secrets are accessed

FlowMattic - Share Secret.gif

Prerequisites

Before you begin, ensure you have:

  • FlowMattic 5.5.0 or later installed
  • An active FlowMattic license
  • A workflow trigger configured (webhook, form submission, etc.)

Step 1: Create a New Workflow

  1. Navigate to FlowMattic → Workflows in your WordPress admin
  2. Click Add New Workflow
  3. Give your workflow a descriptive name (e.g., “Secure Password Sharing”)

Step 2: Configure Your Trigger

Choose a trigger based on your use case:

Option A: Webhook Trigger

Use this when you want to trigger secret creation from external applications.

  1. Select Webhook as your trigger
  2. Copy the webhook URL for use in your external application
  3. The webhook can receive the secret content as a POST parameter

Option B: Form Submission Trigger

Use this when you want users to submit secrets through a form.

  1. Select your form plugin trigger (WPForms, Gravity Forms, etc.)
  2. Map the form field containing the secret content

Step 3: Add the Share Secrets Action

  1. Click the + button to add a new action
  2. Search for Share Secrets in the integration list
  3. Select Create Secret Link action

Choose share secrets module.png

Step 4: Configure Secret Content

Secret Content

Enter the sensitive information you want to share. You can:

  • Type static content directly
  • Use dynamic data from previous steps (click the database icon)
  • Combine text with dynamic fields

Example:

Your temporary password is: {{trigger.password}}
Please change it after first login.

Page Title

Set a title that appears on the reveal page. Keep it generic to avoid revealing the content type.

Good examples:

  • “Secure Message”
  • “Confidential Information”
  • “Private Note”

Avoid:

  • “Your Password”
  • “API Keys”

Step 5: Set Expiration Options

Choose how and when the secret should expire:

Expiration Type

Time-Based Expiration

The secret expires after a set duration, regardless of views.

Duration Use Case
5 minutes One-time passwords, verification codes
1 hour Meeting credentials, temporary access
24 hours Daily passwords, shift handover info
7 days Project credentials, onboarding info

View-Based Expiration

The secret expires after a set number of views.

Views Use Case
1 view Burn after reading - maximum security
3 views Small team sharing
5 views Department-wide distribution

Expiration Value

Enter the numeric value corresponding to your expiration type:

  • For time-based: number of minutes, hours, or days
  • For view-based: number of allowed views

Step 6: Add Password Protection (Optional)

For additional security, enable password protection:

  1. Enter a password in the Password field
  2. The recipient will need to enter this password to view the secret
  3. Share the password through a different channel (phone, SMS, etc.)

Best practices:

  • Use a simple but not obvious password
  • Never include the password in the same message as the link
  • Consider using a verbal password for sensitive secrets

Step 7: Configure Branding (Optional)

Customize the reveal page to match your brand:

Branding Logo URL

Enter the full URL to your logo image:

https://yoursite.com/wp-content/uploads/logo.png

Recommended specifications:

  • Format: PNG or SVG
  • Max width: 200px
  • Transparent background preferred

Branding Text

Add custom text below the logo:

Secure message from Acme Corporation

Button Style

Choose a color scheme for the reveal button:

  • Primary - Blue/Indigo (default)
  • Secondary - Gray
  • Success - Green
  • Danger - Red

Step 8: Set Up Access Notifications (Optional)

Get notified when someone accesses your secret:

Notification Email

Enter the email address to receive notifications:

security@yourcompany.com

Notification Details

When enabled, you’ll receive an email containing:

  • Date and time of access
  • IP address of the viewer
  • Browser and device information
  • Remaining views (for view-based secrets)
  • Viewed by ( if user is logged in )

Step 9: Customize Button Text (Optional)

Reveal Button Text

Default: “Reveal Secret”

Customize to match your use case:

  • “Show Password”
  • “View Credentials”
  • “Unlock Message”

Copy Button Text

Default: “Copy to Clipboard”

Customize as needed:

  • “Copy Password”
  • “Copy to Clipboard”

Step 10: Advanced Options

Custom Messages

Expired Message Title

Shown when the secret has expired:

Link Expired

Expired Message

Detailed message for expired secrets:

This secure link has expired and the content is no longer available.

Redirect URL

Redirect users to a specific page after the secret expires:

https://yoursite.com/request-new-password

Custom CSS

Add custom styles to the reveal page:

.fm-secret-container {
    font-family: 'Your Custom Font', sans-serif;
}
.fm-reveal-btn {
    border-radius: 20px;
}

Step 11: Test Your Workflow

  1. Click Save to save your workflow
  2. Toggle the workflow status to Active
  3. Trigger the workflow (submit form, call webhook, etc.)
  4. Check the workflow execution log for the generated link
  5. Open the link in an incognito window to test the user experience

Step 12: Use the Generated Link

The Share Secrets action returns a secret_url that you can use in subsequent actions:

Send via Email

Add an email action after Share Secrets:

Subject: Your Secure Access Link

Hi {{trigger.name}},

Click the link below to view your secure credentials:
{{share_secrets.secret_url}}

This link will expire in 24 hours.

Best regards,
Your Team

Send via SMS

Use an SMS integration (Twilio, etc.):

Your secure link: {{share_secrets.secret_url}}
Password hint: First pet's name

Store in Database

Save the link to your database for tracking:

  • Secret URL
  • Recipient email
  • Creation timestamp
  • Expiration time

Common Use Cases

1. New Employee Onboarding

Trigger: HR form submission
Content: Initial login credentials
Expiration: 24 hours or 1 view
Notification: IT admin email

2. Client Credential Sharing

Trigger: Project management webhook
Content: API keys, FTP credentials
Expiration: 7 days or 3 views
Branding: Company logo and colors

3. Password Reset

Trigger: Support ticket creation
Content: Temporary password
Expiration: 1 hour or 1 view
Password: Verbal confirmation required

4. Secure Document Access

Trigger: Manual or scheduled
Content: Access codes, PINs
Expiration: Based on sensitivity
Notification: Always enabled

Security Best Practices

  1. Use the shortest practical expiration time - Reduce the window of vulnerability

  2. Enable password protection for highly sensitive data - Add a second authentication factor

  3. Never include passwords in the same channel as links - Use separate communication methods

  4. Enable notifications for audit trails - Track who accessed what and when

  5. Use view-based expiration for maximum security - “Burn after reading” ensures one-time access

  6. Customize expired message with next steps - Guide users on how to request new credentials

  7. Regularly review notification emails - Monitor for unauthorized access attempts

Troubleshooting

Secret link not working

  • Check if the secret has expired (time or views)
  • Verify the URL wasn’t truncated in the email
  • Ensure no extra characters were added to the link

Password not accepted

  • Passwords are case-sensitive
  • Check for leading/trailing spaces
  • Verify the correct password was shared

Notification emails not received

  • Check spam/junk folders
  • Verify the email address is correct
  • Ensure your WordPress can send emails

Branding not showing

  • Verify the logo URL is publicly accessible
  • Check if the image URL uses HTTPS
  • Ensure the image format is supported (PNG, JPG, SVG)

Global Settings

Configure default settings for all Share Secrets links in FlowMattic � Settings � Share Secrets Settings:

Error Page Button Text

Customize the button text on expired/error pages:

  • Default: “Go to Homepage”
  • Example: “Contact Support”

Error Page Button URL

Set a custom destination for the error page button:

  • Default: Site homepage
  • Example: https://yoursite.com/support

Output Data

The Share Secrets action returns the following data for use in subsequent steps:

Field Description Example
secret_url The full URL to access the secret https://yoursite.com/secret/abc123def456
secret_id Unique identifier for the secret abc123def456
expires_at Timestamp when the secret expires 2025-12-10 15:30:00
max_views Maximum allowed views (if view-based) 3

Need Help?
Attachments
Was this article useful?
Like
Dislike
Help us improve this page
Please provide feedback or comments
Access denied
Access denied