Text Share

How the URL Actually Carries Your Text

There's no server storage here, because everything rides inside the URL's fragment — the part after #. Per RFC 3986 §3.5, browsers are required to strip the fragment before sending an HTTP request, so the toolery.xyz server logs see only /tools/text-share — never your payload. Decoding happens entirely in the recipient's browser.

To make arbitrary text fit in a URL, we run it through LZ-String, a browser-specific implementation of the LZ77 dictionary algorithm published by Lempel and Ziv in 1977. Its compressToEncodedURIComponent() method compresses and emits URL-safe base64 in one pass. In practice we see roughly 55–70% size reduction on natural language, JSON, and source code because of their high token repetition. The library itself is 3.5 KB gzipped, so it's cheaper to ship than most compression alternatives.

Encryption, when you enable a password, uses the browser's native Web Crypto API — AES-256-GCM with a key derived via PBKDF2-HMAC-SHA256 at 100,000 iterations and a random 16-byte salt. GCM is an AEAD mode, so a wrong password fails verification immediately instead of returning garbage. The key is marked extractable: false so JavaScript (including browser extensions) can't read it back out.

Practical limits to know: Firefox handles URLs up to about 65,000 characters, Chrome roughly double that. After compression that's ~100 KB of plain text, which covers almost every real use case. The one honest caveat — fragments still appear in browser history, clipboard managers, and screenshots. For genuinely sensitive content, always set a password and rotate the underlying secret after the recipient has read it.