How to Use Bidirectional Sharing, TTL Expiration, and Team Permissions in UnveilPass

← Back to Blog

Sharing credentials securely is one of the most requested features in any password manager. But sharing is not one-size-fits-all. Sometimes you need to share a password temporarily. Sometimes both parties need to update it. Sometimes an entire team needs access with different permission levels. UnveilPass provides all of these options with end-to-end encryption.

One-Way vs. Two-Way Sharing

UnveilPass supports two sharing modes, each designed for different use cases:

One-Way Sharing

In one-way mode, only the owner (the person who shares the credential) can update it. The recipient receives a read-only copy. If the owner changes the password, the update is automatically synced to the recipient. But the recipient cannot modify the shared entry.

Owner updates password → Change syncs to recipient
Recipient cannot modify → Read-only access

Best for: Sharing streaming service passwords with family members, giving a client access to their hosting dashboard, distributing Wi-Fi passwords to guests.

Two-Way Sharing

In two-way mode, both the owner and the recipient can update the credential. Changes from either side are synced to the other. This is true bidirectional collaboration on a shared credential.

Owner updates password → Change syncs to recipient
Recipient updates password → Change syncs to owner

Best for: Co-managed accounts (joint bank accounts, shared business accounts), IT teams where multiple admins manage the same credentials, couples sharing household accounts.

When to choose which: Use one-way when you want to maintain control over the credential. Use two-way when both parties need the ability to rotate or update the password.

Share TTL: Time-Limited Access

Not every shared credential should last forever. TTL (Time-to-Live) lets you set an expiration date on shared access. When the TTL expires, the recipient loses access automatically — no manual cleanup required.

Available TTL options range from as short as 5 minutes to as long as 30 days, plus an unlimited option for permanent sharing:

5 minutes — Quick one-time access. "Here's the Wi-Fi password, it'll expire in 5 minutes."
1 hour — Temporary troubleshooting access for a support technician.
24 hours — A contractor needs access for the day.
7 days — A freelancer working on a week-long project.
30 days — A temporary team member or intern.
Unlimited — Permanent sharing for family or long-term team members.

Security best practice: Always use the shortest TTL that meets your needs. Temporary access that expires automatically is safer than permanent access that you might forget to revoke.

Creating and Managing Teams

For organizations that need to share credentials across multiple people, UnveilPass offers Teams. A team is a group of users who share access to a collection of credentials with role-based permissions.

Setting Up a Team

Step 1: Navigate to the Teams section and create a new team with a descriptive name (e.g., "Engineering," "Marketing," "Family").
Step 2: Invite members by their email address. Each invited member receives a notification.
Step 3: When a member accepts the invitation, the team's encryption key is securely shared using X25519 ECDH key exchange — end-to-end encrypted.
Step 4: Add credentials to the team vault. Each entry can have individual permission settings.

Team Roles

Owner — Full control. Can add/remove members, change roles, add/edit/delete entries, and delete the team.
Admin — Can add/remove members, add/edit/delete entries, but cannot delete the team or change the owner.
Member — Can view entries they have access to. Can edit entries marked as read-write. Cannot manage team membership.

Per-Entry Read/Write Permissions

Within a team, each vault entry has its own permission level:

Read-only — Members can view the credential but cannot modify it. The password is visible (for login purposes) but the entry cannot be edited or deleted by non-admins.
Read-write — Members can both view and edit the credential. Useful for shared accounts where multiple people may need to rotate the password.

This granularity means you can share your company's social media credentials as read-only with the marketing team while giving the IT team read-write access to infrastructure passwords.

Real-World Scenarios

IT Team Managing Shared Infrastructure

Create a team called "Infrastructure." Add server credentials, cloud provider logins, and database passwords. Set admins and senior engineers to read-write. Set junior engineers to read-only. When someone leaves the team, remove their access and rotate the affected passwords.

Family Sharing Household Accounts

Create a team called "Family." Add streaming services, utility accounts, and the home Wi-Fi password. Set all family members as members with read-only access. The parent (owner) controls password changes.

Freelancer Temporary Access

Share your CMS login with a freelance designer using one-way sharing and a 7-day TTL. The freelancer gets access for the duration of the project. After 7 days, access revokes automatically. No need to remember to remove them manually.

All sharing in UnveilPass is end-to-end encrypted. The shared credential is encrypted using X25519 ECDH key exchange between the sender and recipient. The server never sees the plaintext password, even during sharing.

Create Your First Team in UnveilPass

End-to-end encrypted sharing with one-way/two-way sync, TTL expiration, and per-entry permissions. Collaborate securely.

Get Started Free

The Bottom Line

Sharing credentials does not have to mean sacrificing security. With bidirectional sync, time-limited access, and granular team permissions, you can collaborate on shared accounts while maintaining full control over who has access, for how long, and with what permissions. Every operation is end-to-end encrypted, so the server never sees your plaintext credentials — even when sharing.