Create and read self-destructing pastes programmatically. No API key or signup required — endpoints are public and rate-limited per IP.
Creates a new paste and returns its id.
| Field | Type | Required | Notes |
|---|---|---|---|
| content | string | yes | The paste body. Max 100KB. |
| duration | string | no | One of 1h 6h 1d 3d 7d 30d 90d. Defaults to 3d. |
| deleteAfterOpen | boolean | no | Burn the paste after its first read. Defaults to true. |
| password | string | no | If set, the paste requires this password to reveal. |
Request:
curl -X POST https://shalommail.com/api/tmp \
-H "Content-Type: application/json" \
-d '{
"content": "the secret payload",
"duration": "1d",
"deleteAfterOpen": true,
"password": "optional-passphrase"
}'
Response 200:
{ "id": "9f1c2a7b8e4d0a31" }
The paste is viewable at https://shalommail.com/tmp/<id>, or fetched directly via the read endpoints below.
Fetches metadata. This call never burns/deletes the paste, so it's safe to poll or check existence.
Response shape depends on how the paste was created:
| Condition | Response |
|---|---|
| Password protected | { "needsPassword": true, "deleteAfterOpen": bool } |
| No password, burns on read | { "deleteAfterOpen": true } |
| No password, persists | { "content", "expiresAt", "createdAt", "deleteAfterOpen": false } |
Response 404 if the paste doesn't exist or has expired.
Reveals the content. Required for password-protected pastes and for any paste with deleteAfterOpen — this is the call that actually burns it.
Request body (only needed if password protected):
{ "password": "optional-passphrase" }
Response 200:
{
"content": "the secret payload",
"expiresAt": "2026-07-20T12:00:00.000Z",
"createdAt": "2026-07-17T12:00:00.000Z",
"burned": true
}
Errors: 403 missing/incorrect password · 404 not found or expired · 429 too many password attempts for this paste (5 per 5 minutes per IP).
| Scope | Limit |
|---|---|
| All /api/* requests | 60 requests / minute / IP |
| POST /api/tmp (paste creation) | 20 creates / hour / IP |
| POST /api/tmp/:id password attempts | 5 attempts / 5 minutes / IP+paste |
Creation responses include standard rate-limit headers so scripts can back off correctly:
X-RateLimit-Limit: 20
X-RateLimit-Remaining: 14
X-RateLimit-Reset: 1752345600 (unix seconds)
When the creation limit is exceeded, you'll get:
HTTP/1.1 429 Too Many Requests
Retry-After: 1800
{ "error": "Too many pastes created, try again later" }