COOKIEJARCHROME EXTENSIONRED • WHITE • BLACK

Secure Cookie Sync that keeps you in control.

Pick domains. Encrypt locally. Sync via your private GitHub Gist. No servers. No trackers. Cross-device convenience with end-to-end encryption.

How it works

CookieJar uses your GitHub Gist as an encrypted vault. Cookies never leave your device unencrypted.

01
Choose domains

Tell CookieJar exactly which sites to sync. No more, no less.

02
Encrypt locally

Data is encrypted on-device using AES-256-GCM with a key derived from your passphrase (PBKDF2/Argon2).

03
Push / Pull via Gist

Encrypted blobs are stored in your private GitHub Gist with your PAT (gist scope). Pull & decrypt on any device.

Features

Cross-browser sync (Chrome now; others soon)
End-to-end encryption with AES-256-GCM
Domain-level selection (fine-grained control)
Zero backend — your private GitHub Gist only
Your PAT + your passphrase = your control
Auto sync on change + periodic sync (default 15 min)

Security model

  • Encryption: AES-256-GCM (authenticated encryption).
  • Key derivation: PBKDF2/Argon2 from your passphrase with salt.
  • IV/nonce: unique per sync blob.
  • Storage: only encrypted data is saved to your private Gist.
  • Passphrase: never leaves your device, never stored.
  • PAT: gist scope only; you can revoke it anytime in GitHub.
  • Trust model: GitHub sees ciphertext only.
  • Device limits: some sites bind sessions to device/IP; those may not transfer.
  • Loss of passphrase: data can’t be recovered — reset and re-sync.
  • Telemetry: none by default; no trackers.

Quick setup

  1. Create a GitHub Personal Access Token with gist scope.
  2. Choose a strong passphrase — used to derive your encryption key.
  3. Open CookieJar → paste PAT, set passphrase, select domains.
  4. Sync — Push from device A, Pull on device B. Done.

Tip: keep the same passphrase on every device you sync with.

FAQ

Where are my cookies stored?

As encrypted blobs inside your private GitHub Gist. No plaintext cookies are stored by CookieJar.

Can GitHub read my cookies?

No. Cookies are encrypted locally before upload. Without your passphrase, the data is useless.

What permissions does the extension need?

Minimal permissions to read/write cookies for the domains you select, store settings locally, and schedule periodic syncs.

Does this work for every site?

Most sites work. Some services bind sessions to device/IP or add integrity checks; those might require re-login.

What if I lose my passphrase?

It cannot be recovered. Revoke your PAT, clear the Gist, set a new passphrase, and re-sync from a logged-in device.