The encryption key is passed after the hash (#) in the URL. Therefore the keys are never sent to the server over the HTTP request (more info about this can be found here: https://nofile.io/security/).