/ docs
about login
OVERVIEW

Introduction

Urethane is a privacy and security toolkit running as a web service. It gives you six tools — a malware and metadata file scanner, a link safety checker, a personal data breach monitor, a disposable email system, a network intelligence module, and a zero-knowledge encrypted paste service — all under one account.

You don't need an account to use most features, but usage is tracked per session for guests. Signing up links your usage to your account and gives you higher limits. Upgrading to Pro removes most limits entirely.

No files are stored after scanning. No email addresses are shared. No telemetry beyond what's needed to enforce rate limits.

OVERVIEW

Plans & Limits

Urethane runs on three tiers. Limits reset on the 1st of each calendar month (UTC), except for temp mail send counts which reset daily.

FEATURE GUEST FREE PRO — $5.99/mo
File scans 10 / month 10 / month Unlimited
Link checks 10 / month 10 / month Unlimited
Breach checks 1 / month 1 / month Unlimited
Temp mail addresses 1 (1 hour expiry) 1 (3 day expiry) 5 (30 day expiry)
Temp mail — send Not available 3 / day 50 / day
Custom email prefix No No Yes
Cross-device sync No Yes Yes
Network intel lookups 3 / month 3 / month Unlimited
Network intel (Pro features) Open ports · Street address · Threat score · DNS check
Max file size 650 MB 650 MB 650 MB
Secure paste creations 5 / day 20 / month Unlimited
Secure paste max size 4 KB 10 KB 500 KB
Secure paste max expiry 24 hours 7 days 30 days
Secure paste — password protection No No Yes
Remote Browser 1 session · 30 min · auto-wipe
NOTE
Pro subscriptions are billed monthly through Stripe. You can cancel at any time from your account plan page — no cancellation fee. Access continues until the end of the billing period. Full refund available within 7 days of payment.
OVERVIEW

Account Setup

Registration

Go to /register.html. Enter your email and choose a username. We send a 6-digit OTP to your email — enter it to verify. Once verified, set your password. You're in.

Passwords must be at least 8 characters. There's no enforced complexity rule, but use something you don't reuse elsewhere.

Login

Go to /login.html. Enter your email and password. Sessions last 30 days. You can view and revoke active sessions from /account.html.

After 10 consecutive failed login attempts, your account is locked for 15 minutes.

Changing your password

Go to /account.html → Change Password. You'll need to enter your current password first.

Deleting your account

Go to /account.html → Delete Account. This is irreversible. All your data is removed immediately. If you have an active Pro subscription, cancel it via the account plan page first — deleting your account does not automatically cancel billing with Stripe.

FEATURE

File Scanner

The file scanner does two things: it submits your file to VirusTotal for malware analysis, and it extracts and strips metadata from documents and images.

How to use it

  1. Go to /scan.html
  2. Drop a file onto the upload zone or click to browse
  3. Click SCAN FILE
  4. Wait for results — typically 10–30 seconds depending on file size and VirusTotal queue
  5. Download the cleaned file (metadata stripped) if applicable

What gets checked

Malware detection: Your file is hashed and the hash is checked against VirusTotal's database of 70+ antivirus engines. If the file is new, it may be submitted for a fresh scan, which takes longer.

Metadata extraction: Supported for PDF, DOCX, XLSX, PPTX, images (JPEG, PNG, TIFF, HEIC), MP3, MP4, and most common document formats. The tool strips fields like GPS coordinates, author name, software version, company name, and revision history.

Supported file types

Any file up to 650 MB. Metadata extraction works on documents and images. Non-supported formats are still scanned for malware but returned without metadata stripping.

What the results mean

RESULTMEANING
CLEANNo engines flagged this file. Safe to open.
DETECTEDOne or more engines flagged it. Don't open it. Check the engine list for false positive assessment.
UNRATEDFile is new to VirusTotal — scan is still running or the file was never submitted before. Re-check in a few minutes.
IMPORTANT
A "clean" result is not a guarantee. New malware may not yet be in any engine's signature database. Don't open files from untrusted sources even if they pass.
FEATURE

Breach Monitor

The breach monitor checks whether your email address has appeared in known data breach dumps. Data is sourced from BreachDirectory, which aggregates billions of leaked credential records from publicly disclosed breaches.

How to use it

  1. Go to /monitor.html
  2. Enter your email address
  3. Click CHECK
  4. Results show the number of leaked credential records found

What the count means

The number shown is how many times your email appeared across all indexed breach databases. A count of 1 means one breach. A count of 2,500 usually means a large breach like LinkedIn or Adobe exposed your credentials across multiple indexed sources.

If breaches are found, change your password on any service where you used the same credentials, and enable two-factor authentication.

What this does not check

  • Breaches that happened today or recently — databases take time to index
  • Private breaches that were never publicly disclosed
  • Phone numbers, physical addresses, or social security numbers
PRIVACY
Your email is sent to BreachDirectory's API over HTTPS and is not stored on our servers or logged beyond what's needed to enforce rate limits.
FEATURE

Temp Mail

Temp Mail generates a real, functioning disposable email address. You can use it to receive emails from any sender, and optionally send emails from it. Addresses are automatically deleted when they expire.

How to use it

  1. Go to /tempmail.html
  2. Click GENERATE ADDRESS
  3. Your address appears at the top. Copy it and use it wherever you need a throwaway inbox.
  4. Incoming emails appear in the inbox automatically — it polls every 5 seconds.
  5. To send an email, click [ COMPOSE ]

Address lifecycle

PLANADDRESSESEXPIRYSEND LIMIT
Guest11 hourNot available
Free13 days3 / day
Pro530 days50 / day

Custom prefix (Pro)

Pro users can choose the first part of their address. For example, entering work-signups generates something like work-signups-a4f2@deltajohnsons.com. The suffix is always randomized to prevent conflicts. Only letters, numbers, and hyphens are allowed in the prefix.

Cross-device sync

If you're logged in, your temp mail addresses follow your account. Log in on any device and your inbox is there. Guests use browser localStorage — clearing your browser data loses the address.

Sending emails

Outgoing emails are sent via Urethane's mail relay (noreply@urethane.site) on your behalf, with your temp address shown as the display sender. Replies go to your temp address inbox. Note that some mail providers may filter these as spam due to the relay — this is a limitation of shared sending infrastructure and not a bug.

FEATURE

Network Intelligence

The network intelligence module gives you a full picture of your IP exposure and network health — or lets you look up any IP address for threat intelligence.

Two modes

My Exposure — analyzes your own public IP. Detects WebRTC leaks (your real IP leaking through browser even with a VPN), shows your ISP and geolocation, and on Pro, reveals your precise location, open ports, and DNS integrity status.

IP Lookup — look up any IP address for threat intelligence: geolocation, ISP, VPN/proxy detection, abuse score, and on Pro, open ports and known vulnerabilities.

Free vs Pro

FEATUREFREEPRO
IP geolocation (city/country)
ISP / ASN
VPN / proxy / Tor detection
Abuse threat score
WebRTC leak detection
Street-level address (GPS)
Open ports & services (Shodan)
Known CVEs / vulnerabilities
DNS integrity check
Monthly lookups3Unlimited

WebRTC leak

WebRTC is a browser feature used for video calls. It can expose your real IP address even when you're using a VPN. The "My Exposure" tab checks for this automatically when you run a scan. If a leak is detected, it means your browser is revealing your true IP to any website — consider disabling WebRTC in your browser settings or using a browser extension to block it.

DNS integrity (Pro)

Checks whether your DNS responses match what authoritative servers return for major domains. A mismatch may indicate DNS hijacking, captive portal interference, or a compromised resolver. Results show per-domain: resolved address vs. expected address.

PRIVACY
Your IP address is processed in real time to perform the lookup. It is not stored on our servers beyond the session. IP lookups use AbuseIPDB and Shodan's pre-scanned data — we do not actively port-scan any address.
FEATURE

Secure Paste

Secure Paste lets you share text — passwords, API keys, notes, credentials — with true zero-knowledge encryption. The content is encrypted in your browser with AES-256-GCM before it ever leaves your device. The decryption key is stored only in the URL fragment (#), which browsers never send to servers. We store only ciphertext we cannot read.

How to use it

  1. Go to /paste.html
  2. Type or paste your content into the editor
  3. Optionally configure expiry time, maximum read count, and (Pro) a passphrase
  4. Click ENCRYPT & CREATE
  5. Copy the share link or scan the QR code. Also save the delete token if you may want to destroy it later.
  6. Send the link to your recipient. They open it and see the content after a one-click confirmation.

Destruction settings

SETTINGBEHAVIOR
Expiry timePaste is destroyed after this duration regardless of views. Choices: 1h, 6h, 24h, 7d, 30d (30d is Pro only).
Max readsPaste is destroyed after being viewed this many times. Set to 1 for true burn-after-reading.
Manual deleteUse the delete token link to destroy a paste at any time, even before expiry or max reads.

All three conditions are combined — the paste is destroyed by whichever fires first.

Plans & limits

LIMITGUESTFREEPRO
Pastes per day / month5 / day20 / monthUnlimited
Max paste size4 KB10 KB500 KB
Max expiry24 hours7 days30 days
Password protectionNoNoYes (PBKDF2 + AES key wrap)

Password protection (Pro)

When you set a passphrase, the encryption key itself is wrapped using a key derived from your password via PBKDF2 (100,000 iterations, SHA-256). The wrapped key and its derivation parameters are stored in the URL fragment — not on our server. Recipients must enter the correct password to unwrap the key and decrypt. We never receive or store the password.

Manage a paste

When you create a paste you receive a delete token. Visit /paste.html?id=<id>&dtok=<token> to view stats (creation time, view count, expiry) and manually destroy the paste. The delete token is one-time-derivable — save it when created.

ZERO-KNOWLEDGE ARCHITECTURE
The URL fragment (#...) is never sent to our server by browsers. The server only stores AES-256-GCM ciphertext. Even with full database access, Urethane cannot read paste content. Paste data is also wiped from the database as soon as a paste is destroyed.
IMPORTANT
The share link IS the key. Anyone with the full URL can decrypt the paste. Share it over a secure channel (Signal, iMessage, etc.) and not via email or chat where it may be logged.
FEATURES

Remote Browser PRO

Remote Browser runs a real Chromium instance on Urethane's servers and streams it to your device. You see a live browser window you can fully control — keyboard, mouse, touch — without the target site ever seeing your IP address or device fingerprint.

How it works

When you click Launch Browser, a fresh isolated Chromium process starts on the server inside a temporary directory. A JPEG video stream is sent to your browser over a secure WebSocket. Your inputs are forwarded back. When you close the page or your session ends, the process is killed and the entire temporary directory is wiped — no cookies, no history, no cache.

Session limits

  • 1 concurrent session per Pro account
  • 30-minute maximum per session
  • Auto-wipe on disconnect (page close, timeout, or network drop)
  • All browser data destroyed on exit — no persistence between sessions

Controls

  • URL bar — type any URL and press Enter to navigate
  • ← → — back and forward
  • — reload current page
  • — fullscreen the browser stream
  • ⌨ (mobile) — open soft keyboard
  • ■ END — terminate session and wipe data

Security properties

  • Each session is fully isolated — no shared state between users
  • Downloads are disabled — files cannot be exfiltrated to the server
  • New tab/popup requests are blocked
  • Private IP navigation is blocked (SSRF protection)
  • Session stream is authenticated — only your account can view your session
NOTE
The remote browser is provided for privacy browsing and research. Do not use it to access sites that violate our Acceptable Use Policy. Sessions are subject to the same conduct rules as all other Urethane services.
REFERENCE

Error Reference

This table covers every error message or code you might encounter while using Urethane, what it means, and how to fix it.

HTTP Status Codes

CODEMEANINGWHAT TO DO
400 Bad request — malformed input Check what you submitted. Usually a missing field or invalid email format.
401 Not authenticated Your session expired or you're not logged in. Go to login.
403 Forbidden — feature not available on your plan This action requires a higher plan. Check what's available on your current tier.
413 File too large Maximum file size is 650 MB. Split or compress your file.
429 Rate limit reached You've hit the limit for this feature this month (or today for sends). Wait for reset or upgrade.
500 Internal server error Something broke on our end. Wait a few minutes and retry. If it persists, contact us.
502 Upstream service unavailable An external API (VirusTotal, BreachDirectory, mail.tm) is temporarily down. Retry in a few minutes.
503 Service not configured A required API key is missing server-side. This is an admin issue — contact support.

File Scanner Errors

ERROR MESSAGECAUSEFIX
"File too large" File exceeds 650 MB Compress or split the file before uploading.
"VirusTotal analysis failed" VirusTotal API is down or quota exceeded Wait a few minutes and retry. VirusTotal has free-tier rate limits.
"Metadata extraction failed" Unsupported format or corrupted file The file may be corrupt. Malware scan still ran — only metadata stripping failed.
"Monthly scan limit reached" You've used all 10 scans this month (Free) Wait for the 1st of next month, or upgrade to Pro for unlimited scans.

Link Checker Errors

ERROR MESSAGECAUSEFIX
"Invalid URL" URL is malformed or missing protocol Make sure the URL starts with http:// or https://.
"Check failed" VirusTotal API timeout or connectivity issue Retry. If persistent, the URL may be unreachable or VirusTotal is down.
"Monthly link check limit reached" 10 checks used this month (Free) Wait for the 1st of next month, or upgrade to Pro.

Breach Monitor Errors

ERROR MESSAGECAUSEFIX
"Please enter a valid email address" The entered string is not a valid email Check formatting — no spaces, must have @ and domain.
"Service unavailable" BreachDirectory API is down or key is expired Retry later. If persistent, contact us.
"Limit reached" 1 check used this month (Free) Wait for the 1st of next month, or upgrade to Pro.

Temp Mail Errors

ERROR MESSAGECAUSEFIX
"Mail service unavailable" mail.tm API is temporarily down Retry in a few minutes. This is an upstream provider issue.
"Account creation failed" The randomly generated address already exists (rare) Click Generate again. A new address will be attempted.
"Active address limit reached" You already have the maximum number of active addresses Delete an existing address first, or upgrade to Pro for up to 5.
"Sign in to send emails" Guests cannot send mail Create a free account. Sending requires authentication.
"Daily send limit reached" 3 sends used today (Free) or 50 (Pro) Wait until midnight UTC for the count to reset, or upgrade.
"Custom prefix is a Pro-only feature" Prefix field was submitted without a Pro account Upgrade to Pro, or leave the prefix blank to get a random address.
"Invalid or expired key" Address has expired or was deleted Generate a new address.

Authentication Errors

ERROR MESSAGECAUSEFIX
"Invalid credentials" Wrong email or password Check your input. Email is case-insensitive, password is case-sensitive.
"Account locked" 10+ failed login attempts Wait 15 minutes. The lockout resets automatically.
"OTP expired" Verification code was not entered within the time window Request a new code and enter it within 10 minutes.
"Email already registered" An account with this email already exists Log in instead, or use a different email to register.
REFERENCE

Known Limitations

  • Temp mail deliverability: Some services block disposable email domains. If a signup form rejects your temp address, that site specifically blocks known temp mail providers — this is not a bug.
  • Outgoing email spam: Emails sent from temp mail may land in spam on the recipient's end. This is due to the shared sending domain reputation and is a known limitation of relay-based sending.
  • VirusTotal queue: On first submission, a file may wait in VirusTotal's analysis queue. Results may take up to 2 minutes for large or novel files.
  • Breach data freshness: BreachDirectory indexes known public breaches. A breach that happened last week may not yet be indexed. The database covers billions of records but is not real-time.
  • File size: The maximum upload is 650 MB. Very large files may time out on slow connections — consider uploading on a faster network.
  • Browser support: Urethane requires a modern browser. Internet Explorer is not supported. Safari on iOS may have issues with certain file upload behaviors.
  • Temp mail guest addresses: Guest addresses survive only in your browser's localStorage. Clearing your browser data, using incognito mode, or switching browsers will lose the address and its messages.
REFERENCE

FAQ

Do you store my files?

No. Files are held in memory during scanning and deleted immediately after. We do not log file contents, file names, or scan results on our servers. The only record is your usage count for rate limiting.

Do you store my email address when I check for breaches?

No. The email is passed directly to BreachDirectory's API and not written to our database. It appears in server access logs for a few hours (standard web server behavior) and is then overwritten.

Can I get a refund?

If you were charged and didn't mean to be, contact us within 7 days for a full refund. We don't offer partial refunds for unused portions of a billing period.

Why did my temp mail address expire early?

If you deleted it, it's gone. If you didn't, check that the address hadn't hit its plan expiry window (1 hour for guests, 3 days for Free, 30 days for Pro). If it disappeared before it should have, contact us.

Why is my scan showing "unrated"?

The file is either new to VirusTotal or was not previously submitted. VirusTotal is running a live scan. Wait 1–2 minutes and re-check. If it stays unrated, the file may be too unusual for any engine to classify.

I cancelled my Pro subscription but still see Pro on my account.

Pro access continues until the end of your current billing period. Cancellation stops the next charge — it doesn't cut off access immediately. This is standard behavior and intentional.