ZPST

Frequently Asked Questions

Everything you might want to know about how ZPST works. If your question isn't answered here, reach out via the contact page.

Basics

What is ZPST?

ZPST is a paste site — a place to share text and code quickly. Paste anything, get a short link, share it. No account required for the basics.

What can I paste?

Any plain text or code — source files, config snippets, log output, notes, scripts, error messages. ZPST supports syntax highlighting for 37 languages. You can also attach a single image (JPG, PNG, GIF, or WEBP) to any paste.

How big can a paste be?

The default maximum paste size is 4096 KB of text content. This is configurable by the site administrator. If you hit the limit, you'll see a clear error message. Image attachments have a separate limit (currently 5 MB).

Do I need an account?

No. You can create and share pastes as a guest. Registered accounts unlock editing, version history, private pastes, folders, the API, and more — but the core paste-and-share workflow needs nothing.

How do I share a paste?

After creating a paste you're taken to its page — copy the URL from your browser's address bar, or use the copy button. Every paste also has a QR code you can display or download if you need to share it offline or on a screen.

Can I delete a paste I created as a guest?

Yes. When you create a paste without an account, a one-time delete token is shown on the paste page and stored in your browser session. Save that token — it's the only way to delete the paste later. Registered users can delete any of their pastes from their dashboard or the paste page itself at any time.

What happens to expired pastes?

When a paste's expiry time is reached it is automatically deleted — including any attached image from storage. Expired pastes return a 410 Gone response to anyone who tries to access them. The deletion runs on a scheduled background job (cron) that runs every minute.

Can I fork someone else's paste?

Yes — any public or unlisted paste has a Fork button. Forking creates a copy under your own account (or as a guest paste) that you can edit freely. The fork is linked back to the original.

Privacy & Visibility

What are the visibility options?

There are three:

  • Public — anyone can find and view the paste. It may be indexed by search engines.
  • Unlisted — accessible to anyone with the direct link, but it won't appear in public listings or be submitted to search engines.
  • Private — only visible to you when logged in. Requires an account. Not accessible by link to anyone else.

Can I add a password to a paste?

Yes. Any paste — public, unlisted, or private — can have a password set at creation time. Visitors are shown a lock screen and must enter the correct password before the content is revealed. The password is hashed with bcrypt and never stored in plain text. Unlocked pastes are remembered for the duration of your browser session so you don't have to re-enter it on every visit.

What is burn after read?

Burn after read is a mode where the paste is permanently destroyed the moment it is first viewed. When someone visits a burn paste they see a warning screen with the share link and a confirmation button — clicking it reveals the content and immediately deletes the paste from the database. There is no way to recover it afterwards. This is designed for one-time secrets, temporary credentials, or anything you want to share exactly once.

Are pastes encrypted?

Yes. All paste content is encrypted at rest in the database using AES-256-GCM with a random IV per paste. Even a direct database dump reveals nothing without the server-side encryption key. Transmission is protected by TLS (HTTPS).
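
The following Node.js example is added here for illustration and is not ZPST's code; it shows AES-256-GCM with a random IV per paste and how decryption fails on a wrong key or a modified record. The iv || tag || ciphertext layout and the use of the slug as associated data are assumptions, and the key and sample text are constructed.

```javascript
const { randomBytes, createCipheriv, createDecipheriv } = require('crypto');

const IV_LEN = 12;  // 96-bit IV, the size GCM is designed around
const TAG_LEN = 16; // 128-bit authentication tag

// Assumed record layout: iv || tag || ciphertext. The slug is bound as
// associated data (also an assumption) so a row cannot be moved to another paste.
function encryptPaste(key, slug, plaintext) {
  const iv = randomBytes(IV_LEN); // fresh random IV for every paste
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(slug, 'utf8'));
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]);
}

function decryptPaste(key, slug, stored) {
  const iv = stored.subarray(0, IV_LEN);
  const tag = stored.subarray(IV_LEN, IV_LEN + TAG_LEN);
  const body = stored.subarray(IV_LEN + TAG_LEN);
  const decipher = createDecipheriv('aes-256-gcm', key, iv);
  decipher.setAAD(Buffer.from(slug, 'utf8'));
  decipher.setAuthTag(tag);
  // final() throws when the tag does not verify: wrong key, wrong slug, or tampering.
  return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
}

// True when decryption of the stored record is refused.
function isRejected(key, slug, stored) {
  try { decryptPaste(key, slug, stored); return false; } catch { return true; }
}

function demo() {
  const key = randomBytes(32);        // constructed key; a real one is kept outside the database
  const text = 'db_password=example'; // constructed sample content
  const a = encryptPaste(key, 'aB3xKq', text);
  const b = encryptPaste(key, 'aB3xKq', text);
  const tampered = Buffer.from(a);
  tampered[tampered.length - 1] ^= 0x01; // flip one ciphertext bit
  return {
    roundTrip: decryptPaste(key, 'aB3xKq', a) === text,
    distinctCiphertexts: !a.equals(b), // same text, different IV, different bytes
    wrongKeyRejected: isRejected(randomBytes(32), 'aB3xKq', a),
    wrongSlugRejected: isRejected(key, 'zZ9yYw', a),
    tamperRejected: isRejected(key, 'aB3xKq', tampered),
  };
}

console.log(demo());
```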

Does ZPST appear in search results?

Public pastes can be indexed by search engines. Unlisted and private pastes send a noindex directive in their HTTP headers and are excluded from the sitemap. If you don't want a paste indexed, set it to Unlisted or Private.

Who can see an unlisted paste?

Anyone who has the direct link. Unlisted pastes are not listed publicly anywhere on the site, do not appear in search results, and are not in the sitemap — but the URL is not a secret. If you share the link, the recipient can share it further. For truly confidential content, use Private (requires an account) or add a password.

Accounts

Is registration free?

Yes, completely free. No payment, no email verification, no invite required — just a username, email address, and password.

What do I get with an account?

Registered users get: a paste dashboard, editing with version history and diff view, private paste visibility, folders to organise pastes, the ability to pin important pastes, comments on public pastes, a JSON API key, access to the CLI client, data export, and full account deletion. See the Features page for the full breakdown.

How do I change my password or email?

Go to Settings. Both require you to enter your current password to confirm the change.

Can I export my data?

Yes. Settings → Export Data downloads a JSON file containing all your pastes and account information.

Features

How does syntax highlighting work?

Syntax highlighting is applied client-side using highlight.js. You select the language when creating a paste from the dropdown (37 languages available). The CLI client and API also accept a language parameter. If you choose Plain Text, no highlighting is applied.

Can I change the syntax theme?

Yes. The theme picker in the top navigation lets you switch between 15 themes (12 dark, 3 light) with a live hover preview. Your choice is saved to your session — no account needed.

How does version history work?

Every time you save an edit to one of your pastes, the previous version is stored automatically — up to 25 versions per paste. You can browse the history from the edit page, restore any version, delete individual versions you don't want, or open a split diff between any saved version and the current state.

What is the diff view?

The diff view (/diff/<slug>?v=<version_id>) shows a side-by-side comparison of a historical version and the current paste. Additions are highlighted green, deletions red. You can toggle to a unified view. It's only accessible to the paste owner and admins.

How do folders work?

Registered users can create named folders and assign pastes to them from the dashboard or the paste creation/edit form. Folders are flat (no nesting) and appear as a sidebar in your dashboard. Selecting a folder filters the list to only pastes inside it. An Unfiled view shows pastes not assigned to any folder.

What does pinning a paste do?

Pinned pastes are sorted to the top of your dashboard above all other pastes, with a visual divider separating them. There's no limit on how many pastes you can pin. Useful for pastes you refer to often.

Can I load a file directly into the editor?

Yes. The file load button on the new paste form lets you open any text or code file from your device — up to 4 MB. The file's extension is used to auto-detect and set the language. The file content is loaded into the editor; nothing is uploaded until you submit the paste.

How does the Firefox extension work?

The Firefox extension adds a toolbar button that lets you create pastes without leaving the current tab. You can capture selected text, the full page source, the visible page text, or just the current URL. It supports draft persistence (your draft survives closing the popup), guest and authenticated pasting, and configurable defaults. Install it, point it at your ZPST URL in the extension settings, and add your API key for authenticated pastes.

Security

How is my password stored?

Passwords are hashed using bcrypt before being stored. The plain-text password is never written to disk or logged anywhere. Paste passwords (the optional lock on a paste) are also bcrypt-hashed.

What protects against CSRF attacks?

Every form and state-changing action on the site uses CSRF tokens — a unique per-session secret that is verified server-side on every POST request. An attacker cannot trick your browser into performing actions on your account.

How do sessions work?

Sessions are 12 hours long and use HttpOnly, Secure, and SameSite=Lax cookies. The session ID is regenerated on login to prevent session fixation attacks.

I found a security vulnerability — what should I do?

Please disclose it responsibly by emailing contact@zpst.net before making it public. Include a description of the issue and steps to reproduce. We take security seriously and will respond promptly.

Rate Limits

Does ZPST have rate limits?

Yes. Rate limits are applied per IP address to protect the service from abuse and ensure fair access for everyone. Current defaults:

Action                 Limit          Window
Paste creation         5 requests     60 seconds
API read (get / raw)   300 requests   30 seconds
Comment posting        2 requests     30 seconds
Registration           5 requests     3600 seconds

What happens when I hit a rate limit?

You'll receive an HTTP 429 Too Many Requests response. The response includes a Retry-After header telling you how many seconds to wait before trying again. On the web, a human-readable error page is shown. Via the API, the response is JSON: {"ok": false, "error": "Rate limit exceeded. Retry after Xs."}
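
As an added example (not ZPST's code), here is a per-IP limiter in Node.js that uses the default limits listed above and produces the 429 response, Retry-After header and JSON body described here. The fixed-window algorithm, the action names and the sample IP addresses are assumptions made for the example.

```javascript
// Defaults from the rate limit table; the action names are hypothetical.
const LIMITS = {
  paste_create: { max: 5,   windowSec: 60 },
  api_read:     { max: 300, windowSec: 30 },
  comment:      { max: 2,   windowSec: 30 },
  register:     { max: 5,   windowSec: 3600 },
};

class RateLimiter {
  constructor(trustedIps = []) {
    this.trusted = new Set(trustedIps); // whitelisted IPs bypass all limits
    this.windows = new Map();           // "ip|action" -> { start, count }
  }

  // nowSec is passed in so the behaviour can be checked without sleeping.
  check(ip, action, nowSec) {
    if (this.trusted.has(ip)) return { status: 200 };
    const limit = LIMITS[action];
    if (!limit) throw new Error(`unknown action: ${action}`);
    const key = `${ip}|${action}`;
    let w = this.windows.get(key);
    if (!w || nowSec - w.start >= limit.windowSec) {
      w = { start: nowSec, count: 0 }; // window expired: start a new one
      this.windows.set(key, w);
    }
    if (w.count >= limit.max) {
      const retryAfter = Math.ceil(w.start + limit.windowSec - nowSec);
      return {
        status: 429,
        headers: { 'Retry-After': String(retryAfter) },
        body: { ok: false, error: `Rate limit exceeded. Retry after ${retryAfter}s.` },
      };
    }
    w.count += 1;
    return { status: 200 };
  }
}

// Constructed scenario: six paste creations from one IP, one second apart.
function demoPasteBurst() {
  const limiter = new RateLimiter(['198.51.100.7']);
  const results = [];
  for (let i = 0; i < 6; i++) {
    results.push(limiter.check('203.0.113.5', 'paste_create', 100 + i));
  }
  return { limiter, results };
}

console.log(demoPasteBurst().results.map((r) => r.status));
```

A client that receives the 429 should wait the number of seconds in Retry-After before retrying rather than retrying immediately.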

I'm hitting rate limits legitimately — what can I do?

If you run an automation, CI pipeline, integration, or server that has a genuine need to exceed the default limits, you can apply for a trusted IP whitelist. Whitelisted IPs bypass all rate limits and IP bans. To request this, email contact@zpst.net with your IP address(es), a brief description of your use case, and your ZPST username if you have one. We review requests individually and typically respond within a few days.

Are rate limits the same for authenticated users?

Rate limits apply per IP regardless of whether you're logged in or using an API key. The trusted IP whitelist (see above) is the mechanism for high-volume legitimate use — it's not tied to an account, it's tied to a network address, so it covers all traffic from that IP.

Can my IP be banned?

Yes. IPs that repeatedly violate the terms of service — for example through automated abuse, scraping without permission, or distributing malware — can be banned by administrators. Banned IPs receive a 403 Forbidden response on all requests. If you believe your IP has been banned in error, contact us at contact@zpst.net.

API & CLI

Does ZPST have an API?

Yes — a JSON REST API. Endpoints for creating, reading, deleting, and listing pastes. Full documentation is at api-docs.php.

How do I get an API key?

Register for an account, then go to Settings. Your API key is shown there — it's generated automatically when your account is created. You can regenerate it at any time; the old key is immediately invalidated.

Can I use the API without an account?

Guest API calls (no key) are supported for creating and reading public and unlisted pastes, as long as guest pastes are enabled on the instance. Private pastes and the list endpoint require authentication.

How do I authenticate API requests?

Pass your API key in one of three ways: the X-API-Key header (preferred), the Authorization: Bearer <key> header, or the api_key field in a JSON request body. Avoid passing the key in the URL query string — it will appear in server logs.

Is the API rate limited?

Yes. The create endpoint shares the paste creation rate limit. Read endpoints (get and raw) are limited to 300 requests per 30 seconds per IP. Check the Retry-After header on any 429 response. High-volume use cases can apply for a trusted IP whitelist — see the Rate Limits section above.

What is the CLI client?

The zpst CLI client is a Bash script that wraps the API. It lets you create pastes directly from your terminal: zpst create file.py, pipe output in (command | zpst create --lang bash), or retrieve paste content by slug. Download it from download-client.php or with curl https://zpst.net/zpst -o zpst && chmod +x zpst.

Does the API support burn after read pastes?

Yes — set "burn": true in your create request. Note that burn pastes accessed via the API are destroyed immediately on the first get or raw call, with no confirmation step. There is no interstitial when accessing burn pastes through the API.

Content Policy

What content is not allowed?

The full rules are in the Terms of Service, but the short version: no illegal content, no malware or exploit code intended for harm, no private personal data posted without consent, no harassment, and no spam. Pastes that exist solely to distribute phishing links or malicious payloads will be removed and the IP banned.

How do I report a paste?

Use the Report button on the paste page. You'll be asked to select a reason (spam, illegal content, malware, harassment, copyright, or other) and optionally add details. Reports go directly to the admin panel. For urgent matters, email contact@zpst.net with the paste URL.

Can I post security research or proof-of-concept code?

Legitimate security research, CTF writeups, and educational PoC code are generally fine as long as the intent is clearly research or education and the content isn't an operational attack tool. If you're unsure, err on the side of using private or unlisted visibility and email us at contact@zpst.net if you have questions.

Can I export or delete my data?

Yes. Registered users can export all their pastes and account data at any time from the Settings page, and can permanently delete their account and all associated data with no hoops to jump through. See the Privacy Policy for full details on what is collected and how it is handled.

Tor Hidden Service

Is ZPST available on Tor?

Yes. ZPST runs a Tor hidden service accessible via a .onion address using the Tor Browser. The link is in the footer of every page. The hidden service runs the same codebase as the clearnet site — all features work identically.

Why do I need an account to paste on the onion address?

Due to abuse, guest pasting is disabled on the Tor hidden service. Anonymity combined with open guest pasting was being exploited to post spam and harmful content at scale. Requiring an account provides just enough accountability to deter automated abuse while keeping the service free and open. Registration is free, requires no payment, and is available on both the clearnet and onion address.

Can I register an account on the onion address?

Yes. The registration page is fully accessible on the onion address. You can create an account without ever visiting the clearnet site.

Why can't I make a public paste on the onion address?

Public pastes on the onion address were being used to host and distribute content that circumvented the clearnet moderation. To prevent this, pastes created via the hidden service must be unlisted or private — they are not listed publicly and will not appear in search engines or the sitemap. Unlisted pastes are still shareable via direct link.

Are onion pastes treated differently from clearnet pastes?

The content is handled identically — the same AES-256-GCM encryption at rest, same expiry rules, same burn-after-read support. The only difference is that public visibility is not available — all pastes must be unlisted or private.

Does the onion address keep separate sessions from the clearnet site?

Yes. Browsers do not share cookies between zpst.net and the .onion address, so you will need to log in separately on each. This is intentional — it means your onion activity is kept completely separate from your clearnet activity, even if you use the same account credentials.

Technical

What is the URL structure?

Pastes are at /p/<slug> (e.g. /p/aB3xKq). Raw text is at /raw/<slug>. The diff view is at /diff/<slug>?v=<version_id>. Slugs are 6 random alphanumeric characters.

How are paste slugs generated?

Slugs are 6 characters drawn from [a-zA-Z0-9] (62 characters) using a cryptographically secure random source. That's over 56 billion possible slugs. Uniqueness is checked against the database on generation — collisions are automatically retried.
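
The generation scheme described above, written out as an added Node.js example (not ZPST's code): uniform character selection from a cryptographically secure source, a uniqueness check, and a bounded retry on collision. The `exists` callback stands in for the database lookup and the retry cap is an assumption.

```javascript
const { randomInt } = require('crypto');

const ALPHABET = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
const SLUG_LEN = 6;
const SLUG_SPACE = ALPHABET.length ** SLUG_LEN; // 62^6 = 56,800,235,584

// randomInt(62) is uniform over 0..61, so no character is favoured the way
// `randomByte % 62` would favour the first few of the alphabet.
function randomSlug(pick = randomInt) {
  let slug = '';
  for (let i = 0; i < SLUG_LEN; i++) slug += ALPHABET[pick(ALPHABET.length)];
  return slug;
}

// `exists` is a hypothetical stand-in for the database uniqueness lookup.
// In a real store a UNIQUE constraint on the slug column keeps the
// check-then-insert step safe against two requests racing for the same slug.
function newUniqueSlug(exists, pick = randomInt, maxAttempts = 10) {
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    const slug = randomSlug(pick);
    if (!exists(slug)) return { slug, attempts: attempt };
  }
  throw new Error('could not allocate a unique slug');
}

// Chance that one freshly drawn slug is already taken when `stored` pastes exist.
function collisionChance(stored) {
  return stored / SLUG_SPACE;
}

// Constructed scenario: a scripted picker forces the first draw to collide.
function demoCollisionRetry() {
  const scripted = [0, 0, 0, 0, 0, 0, 1, 1, 1, 1, 1, 1];
  let i = 0;
  const taken = new Set(['aaaaaa']);
  return newUniqueSlug((s) => taken.has(s), () => scripted[i++]);
}

console.log(randomSlug(), demoCollisionRetry(), collisionChance(1e6));
```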

How does unique view counting work?

View counts on pastes reflect unique IPs, not raw hits. Each IP is recorded once per paste in a dedicated table; repeat visits from the same IP don't increment the counter. View records older than 30 days are pruned automatically by the background cron job, after which a returning IP would be counted again.

Where are image attachments stored?

Images are uploaded to S3-compatible object storage and served via CDN. The original image is stored under a randomly generated key — the filename you uploaded is not preserved. When a paste with an attached image is deleted (manually, by expiry, or by burn-after-read), the image is deleted from storage at the same time.

Is there a sitemap?

Yes. Public pastes are included in /sitemap.xml. The sitemap is generated on demand and automatically splits into an index + chunk files for large instances. Unlisted, private, and password-protected pastes are excluded.

What browsers and platforms are supported?

Any modern browser. The Firefox extension requires Firefox 140 or later and is compatible with Firefox for Android. The CLI client requires Bash and curl — it runs on Linux, macOS, and WSL on Windows.

How do I delete my account?

You can delete your account from the Settings page. For full details on what gets removed and step-by-step instructions, see the account deletion information page.

Still have a question? Get in touch.

ZPST © 2026