alias-key is a tool that generates email aliases for any purpose. Its main strength comes from being able to secure each alias with the signature alias-key — Unique per service, always reproducible from the same inputs, and unpredictable to anyone who doesn't have your secret key.

Usability — one-click copyable aliases on the fly for any purpose.
Privacy — give every service a different address, so you know exactly which one leaked if you start receiving spam.
Security — treat your aliases like passwords; without your key an attacker cannot enumerate or predict your addresses.
Traceability — validate any address against all your profiles to verify it's an alias you created and identify which service it belongs to.

Aliases are assembled from an ordered pipeline of blocks, each contributing a segment separated by its configured separator character.

The alias-key block is the cryptographic core. It computes HMAC-SHA256(secret key, hmac-input), encodes the result (decimal, hex, base32 or base36) and slices it to the configured length. The hmac-input is built from the values of selected blocks — so the alias-key value changes whenever the included input changes, allowing you to make each alias-key unique.

The alias-name block holds the main alias identifier. With encryption enabled, the name is encrypted using a symmetric keystream cipher (XOR [hex, base32] or additive/shift [alpha]). That way, the plaintext name is never visible in the alias but can be recovered during the verification. The keystream is derived from HMAC-SHA256(secret key, alias-key-value). The alpha encryption preserves length and only encrypts alphanumerical characters, others are just passed through.

Random blocks (random-word, random-chars) uses crypto.getRandomValues to generate random values. The random words are sourced from the EFF large wordlist for passphrases.

Verification works by parsing the pasted alias against all profile block structures, trying all separator-consistent splits, and re-running the HMAC computation to confirm which split is correct. When the result is ambiguous (e.g. no separator between blocks) and the automatic solver fails, the ambiguity solver lets you drag boundary handles or run an extended automated solve.

1. Go to Auth and set a secret HMAC key. Back it up somewhere safe — losing it means losing the ability to verify or reproduce your aliases.
2. Add your email domains in the Domain block (e.g. mydomain.com).
3. Enter a name in the alias-name block for whatever the alias will be used for (e.g. github, amazon). The URL parser in the alias-name block can extract a name from a pasted URL.
4. Optionally enable alias-name encryption via the lock icon — the name becomes an opaque ciphertext in the alias, recoverable only with your key.
5. Adjust the block pipeline — add, remove, edit and reorder blocks to control the alias structure. Use the three dotted button between the draggable blocks and the domain block to add new blocks.
6. Configure the hmac-input to control what feeds the cryptographic function.
7. The alias is generated live at the top. Regenerate random blocks or copy the alias to the clipboard using the neighboring buttons.
8. Use profiles to maintain separate configurations, e.g. one per identity or use case. Use export/import to transfer the full profile configuration to other devices.
9. To identify an alias later, paste it into the Verify field. If needed, the ambiguity solver lets you manually or automatically resolve the correct interpretation.
10. Every copied alias is added to the alias log. Clear it or download the full log as a .tsv file as you please.

If you find alias-key useful and are considering a Proton account for your email aliases, consider using the referral link below as a token of appreciation.
Sign up for Proton with referral