Here is every hop a secret takes on its way into the vault, and everything that isn't kept along the way. If anything here is unclear, please contact Umain.
The form on the upload page runs entirely in your browser. It does not use localStorage, sessionStorage, or cookies. When you click save, the values are posted once to the Umain server over HTTPS.
A small server process receives the request, hands it straight to 1Password's SDK, and returns the vault URL. It does not write the secret to a database, a file, a cache, or a log line.
The SDK encrypts the item in transit and at rest. 1Password stores it in the configured vault using their secret-key architecture — the data is end-to-end encrypted, and 1Password's own operators cannot read it.
The saved item appears in Umain's shared 1Password vault a moment later. Only Umain team members who are already in that vault can open it. The copyable link resolves to the same access-checked page — passing it to someone outside the vault won't grant them access.
TLS from your browser to the server, and TLS again from the server to 1Password. No plaintext hop.
This tool authenticates to 1Password with a service-account token that is scoped to a single vault. It cannot see or touch any other vault. The token lives only on the server — it never reaches your browser, and it can be rotated at any time from the 1Password admin console.
Who can read a saved item is governed entirely by Umain's 1Password vault membership. This tool doesn't create or change permissions — it drops new items into the existing team vault, nothing else.