FEATURE · Communications

Receipts that can't be forwarded as a leak. forwarded as a leak

Every fee receipt, marksheet, admit card and payment-link invoice that Inkwelly sends a parent in India is wrapped in a private 30-day download link. The PDF never sits at a public URL. When the link expires, copies stop opening — no leaked document floats around for months.

Transport management dashboard for schools

The cost of a public PDF link

It is the second week of April in a CBSE school in Lucknow. The accountant has just emailed a fee receipt to a parent — a single PDF, hosted on a public URL the office staff copy-pasted into the parent's WhatsApp. The parent, helpful as ever, forwards the same message to her younger brother, who is a chartered accountant helping her with the ITR claim under Section 80C. By Friday, that same WhatsApp message has travelled into a parents' group chat with 187 members, then into a forwarded broadcast list that the brother's friend uses to share "income-tax tips for families".

The receipt PDF — with the parent's name, the child's class, the school's bank reference, the exact amount, and an internal invoice number — is now floating freely in three group chats the school has no idea about. Nothing the parent did was malicious; the link was just a normal link. A public URL behaves like a poster on a noticeboard: once you put it there, anybody who walks past can read it. For school finance documents, that is the wrong default.

Inkwelly's Communications module takes the opposite approach. Every receipt, marksheet, admit card or payment-link invoice we hand a parent is delivered as a private download link that works for 30 days for that parent — and then quietly stops opening. The first forward in the WhatsApp chain still works fine for the right person; the third forward six months later opens on a 'link expired' screen. The PDF is never at a public URL anyone can guess.

Inkwelly secure document link on a parent WhatsApp message showing a fee receipt PDF attachment with a 30-day expiry
A fee receipt delivered as a private WhatsApp attachment with a 30-day expiry — guessing the URL gets you nowhere.

How the secure link is built — without the parent ever noticing

The parent's experience is unchanged. The fee receipt arrives on WhatsApp as a normal PDF attachment in the school's regular message; the marksheet email arrives with a clean 'Download marksheet' button; the admit card SMS carries a short link they can tap. Behind the scenes, every one of those links is freshly minted in the second the message is rendered, signed with the school's account secret, and serves the file only when the signature still matches and the 30-day window is still open.

The PDF itself is never copied to a public bucket, never stored on a Cloudinary folder, never given a forever URL. When a parent clicks, Inkwelly verifies the link is still valid, looks up the current state of the underlying receipt or marksheet, regenerates the PDF on the spot, and streams it back. That has two clean side effects. First, the bytes never live on disk between sends — there is nothing to leak from storage. Second, the document always reflects the latest state of the record: if the school later voided the receipt or corrected a grade, the next click shows the corrected version, not the old one.

This pattern is the same one Stripe and Razorpay use for their hosted invoices — anyone with the link can view, but the link itself is unguessable and time-bound. For an Indian school sending finance documents during the March admission rush or the May Form 16 deadline, that's the right balance: parents get the receipt the moment they ask for it, the school is not handing out a permanent file that could quietly surface in a tax audit two years later.

What's covered by the secure-link wrapper

  • Fee receipts — every payment that creates a receipt row, whether UPI, cheque, cash, NEFT or via the payment gateway
  • Payment-link invoices shared from the Send-to-Parent dialog — Razorpay UPI and standard links alike
  • Marksheets and report cards once the result is marked Published by the exam coordinator
  • Admit cards generated for term exams, board pre-boards and entrance tests
  • Invoice-detail summaries (paid invoices acting as receipt copies for ITR)
  • Reminder PDFs attached to outstanding fee reminders
  • Annual fee statements emailed at the end of the financial year for Section 80C use
  • Transfer Certificates (TC) and Bonafide certificates downloaded by parents from the parent app
  • Custom document attachments uploaded once and sent through the broadcast composer
  • Re-sent copies — every resend mints a fresh link with its own 30-day window

What the parent sees — and doesn't see

Transport management dashboard for schools
WhatsApp message preview — the receipt appears as an inline PDF chip, not a raw URL.
Transport management dashboard for schools
The parent taps the chip and the receipt opens straight inside WhatsApp's PDF viewer — no separate app.
Transport management dashboard for schools
Email version of the same receipt with a clean Download button. The hover-URL is a long, unguessable string.
Transport management dashboard for schools
What a stranger sees: the same link copy-pasted by someone else opens a polite 'link expired' page, not the file.

A 30-day window — long enough for ITR season

The default expiry is 30 days for every document Inkwelly mints. That is not a number we picked at random. It is the longest practical window for the two situations parents most often forward a fee receipt for — sending the PDF to a CA for Section 80C verification, or attaching it to a corporate tuition-reimbursement claim before the company's HR closes the cycle. Beyond 30 days, that workflow is over; the file should stop opening. If a parent loses their copy three months later, they simply ask the office to re-send, which mints a fresh link with a new 30-day clock. The office is never out of receipts; the network is never holding live ones forever. The link itself is unguessable — a long random-looking string — so even pasting it on a public webpage today would not let a stranger open the file.

Inkwelly secure download link expiry banner explaining the 30-day window for fee receipts and marksheets
Inkwelly admin Resend button on a fee receipt — single click mints a fresh secure link and sends the message again

Resend is one tap — and it always works

The office never has to chase down where the original file lives. From the receipt detail page, payment-link invoice, marksheet view or admit card, an admin can hit Resend and a fresh secure link is generated on the spot — new 30-day clock, new signature, same underlying record. If a parent calls in May saying her WhatsApp got cleared and she needs the April receipt for income-tax filing, the accountant just opens the receipt and re-sends — the file is regenerated from the live row, so any correction made in the meantime flows through automatically. There is no 'old PDF' lying around to keep in sync, and there is no manual searching through a Drive folder. Every resend is logged in the audit ledger with the staff member's name, the channel and the timestamp.

Works inside WhatsApp's document attachment chip

For WhatsApp specifically, Inkwelly uses Meta's official document attachment so the receipt looks like any other PDF a parent receives in WhatsApp — a small chip with the school's filename, a tap-to-open preview, share, save-to-files. There is no clunky redirect, no separate browser tab, no 'open this link' nudge. Meta's servers do fetch the file once when the message is sent, so the PDF is baked into the message chip — but the link they used can no longer be reused by anyone else, and the file is identical to what the parent already sees. The whole illusion is that this is just an attachment; the security is invisible. For SMS and email, the same secure link appears as a friendly 'Download receipt' button or a short tap link.

WhatsApp document chip showing a fee receipt PDF served from Inkwelly with the school's name and a tap-to-preview thumbnail
Inkwelly expired link page shown to parents explaining the receipt expired and how to request a fresh copy from the school

When the link expires — a friendly dead-end, not a leak

If someone tries to open the receipt after 30 days, they don't see a broken page or a download error that hints at the URL pattern. They see a polite 'this link has expired' message in the school's brand, with a one-line nudge to ask the school office for a fresh copy. Same response if the URL is tampered with by even a single character — Inkwelly checks the signature byte-for-byte before deciding whether to render anything. There is no probing, no guessing, no leak of the underlying receipt number through error messages. Search engines that occasionally crawl forwarded links see the same dead-end page and never index the content. The dead-end is the feature.

Pehle accountant ko bolna padta tha ki receipt 6 mahine wala bhej do — usse drive search karke purana PDF dhoondhna padta tha. Ab parent Resend bole, 10 second me fresh link chala jata hai, aur purana link automatic band ho jata hai. ITR season me sabse zyada relief hai.
Suman Tiwari · Accountant · Bazar Atariya School, Bahraich, UP

Where it really pays off — five everyday school scenarios

  1. The forwarded ITR receipt. A parent forwards her March fee receipt to her CA on 28 May. The link still works — she's within the 30-day window. Her CA gets the PDF, files the Section 80C deduction, and the link quietly expires on 17 June. Forwarded again in October by mistake? Polite dead-end. The school's records stay clean.

  2. The shared marksheet that shouldn't be shared. A relative asks the parent to forward the Class 10 marksheet so they can show it to a tuition centre. The parent forwards on day 12. The marksheet opens. The tuition centre saves a screenshot. Two months later the same WhatsApp message reaches a third party — the link is dead. The screenshot the tuition centre kept is not Inkwelly's problem, but the schoolwide leak risk is contained.

  3. The admit-card panic. Pre-board exams in February. A parent has misplaced the admit card the night before the exam. The class teacher opens the student's record at 9 p.m., hits Resend admit card, and a fresh 30-day link lands on the parent's phone in seconds. No office assistant has to dig into Drive for the original PDF.

  4. The 'wrong parent' send. An office assistant accidentally sends the wrong receipt to the wrong parent. Both parents call. The school re-sends the correct receipts to each one — fresh links, correct records. The wrongly-sent link does not need to be revoked manually; it just expires with its own 30-day clock and is far less harmful than a permanent public URL would have been.

  5. The corporate reimbursement. A school in Pune has many parents working at IT companies that reimburse a portion of school fees. Parents forward Inkwelly fee receipts to their HR teams every quarter. The 30-day window covers a full reimbursement cycle; after that, parents request a fresh resend from the school office. Both sides — the parent and the HR — get what they need without the school posting permanent receipt URLs on the internet.

Common operations admin staff use every day

  • Open a receipt and click Resend to mint a fresh 30-day link
  • Open an invoice with Send to Parent and pick WhatsApp + Email + SMS — every channel gets its own secure link in the same payload
  • Switch the recipient from Parent to Student in the same send dialog when the student is the primary contact
  • Add a free-text note to the parent in the same send dialog — the note flows into the template alongside the link
  • View the message ledger to see exactly when the parent's secure link was clicked, by which device
  • Re-issue marksheet links when the school re-publishes results after a correction
  • Generate annual fee statements at year-end with secure 30-day links for ITR season
  • Resend admit cards to the entire class with one click before exam day
  • Download a copy of the same receipt internally without the secure-link wrapper (admin-side, audit-logged)
  • See the exact channel-by-channel delivery state of every link — sent, delivered, opened, failed

See secure document delivery in your school's data

A 20-minute walkthrough on a real Indian school dataset. We show you a sent receipt, a forwarded receipt, an expired receipt, and the audit log — end to end.

Read about the Communications modulePricing for Indian schools

Limits, safety and the small print

The 30-day window is a hard cap — Inkwelly does not currently support longer-lived links for finance documents, and we will not bend that for individual schools. If a school strongly needs a longer window for a specific document class (for example a Bonafide certificate that an embassy needs to verify over 60 days), the right pattern is to re-send rather than extend; every resend gives a fresh 30-day clock and a fresh audit row. Custom expiry windows are on the roadmap for non-financial document classes only.

The security model is the same as Razorpay or Stripe hosted receipts — anyone with the live link can open the file. The link itself is unguessable, but Inkwelly cannot detect that a parent has shared a still-valid link with someone else. What we can detect is tampering — any change to even a single character of the URL fails verification, and the file is not served. We also cannot revoke an individual link mid-window through the admin UI today; if a school needs a specific link killed before its natural expiry, the support workflow is to rotate the school's link secret, which expires every link the school has minted. That is a deliberately heavy hammer for a rare scenario, and we are designing a lighter per-link revoke for finance teams that need it.

Finally, the secure link covers the document delivery, not the message contents. The WhatsApp template body, SMS text and email subject lines still describe the document — 'Fee receipt for Aarav, April 2026' — so even an expired link's accompanying message tells the parent what they once received. If a school wants to scrub the original message from a parent's WhatsApp history, that requires a manual delete-for-me request to the parent. The message-side hardening is a separate roadmap item.

Belongs to

1 module

Frequently asked

8 questions
Does the 30-day window apply to all documents, or only to fee receipts?

All four document classes that Inkwelly delivers as PDF attachments use the same 30-day default: fee receipts, payment-link invoices, marksheets and admit cards. The default is the same whether the parent receives the file on WhatsApp, Email, SMS or via the parent app — the underlying link is the same secure 30-day download URL.

What happens if the parent loses the WhatsApp message after 30 days?

The school office can re-send the receipt from the receipt detail page with one click. Inkwelly mints a fresh secure link with its own 30-day clock and delivers it on the channels the school selects. The underlying receipt record is unchanged — only the document delivery is regenerated.

Is the receipt PDF stored on a public bucket like Cloudinary or S3?

No. The receipt PDF is regenerated on the spot every time a parent clicks the link, from the current state of the underlying record. The bytes never persist between sends. This means there is no permanent file copy that could leak from a storage breach, and any correction made to the receipt after sending flows through to the next click automatically.

Does this work for ICSE / state board schools too?

Yes — the secure-link wrapper has no dependency on the board. Whether the school is on CBSE, ICSE, ISC, IB, IGCSE, NIOS or any state board (UP Board, Maharashtra Board, Tamil Nadu Matric, Karnataka PUC, Rajasthan Board and others), the same private 30-day download link mechanism is used for every receipt, marksheet and admit card.

Is the document stored in India?

Yes. Every PDF is generated and streamed from Inkwelly's Mumbai infrastructure. No document is ever rendered or stored outside India, and the secure-link helper itself is signed using the school's tenant secret — Inkwelly does not have any shared key with a third-party CDN for the document content.

What if I want to extend the expiry beyond 30 days for a specific parent?

Per-link extension is not supported today, and we have kept it that way deliberately — long-lived receipt links are the exact pattern that leaks. The right workflow is to ask the parent to request a resend, which gives a fresh 30-day window. Custom expiry windows for non-financial documents (certificates, IDs, transfer letters) are on our roadmap, but finance documents will stay at 30 days as the default.

Can I revoke a single secure link before it expires?

Not from the admin UI today — that capability is in the planning queue for finance teams that occasionally need to kill a specific link (a misdirected send, an internal audit query). The current heavy-hammer workflow, available via Inkwelly support, is to rotate the school's link secret, which immediately expires every secure link that school has minted. We do not recommend it for routine cases — most 'wrong send' situations are better handled by letting the link expire on its own clock.

Will Google index a secure receipt link if it is accidentally pasted on a website?

The link itself is an opaque random-looking signature inside a long URL — Google's crawler will follow it once, fetch a 'link expired' response after 30 days (or sooner if signature does not match), and not index the content. We have also configured the document endpoints to refuse crawler user-agents and serve the friendly expired page in their place. In practice, even a fresh link pasted publicly today would not appear in Google search.

You might also like

2 reads

See Inkwelly on your school

30-minute demo. We open your current ERP with you and load your data into Inkwelly on the call. Dated go-live plan by the end of it.

Secure Receipt & Marksheet Links · Inkwelly