Delivery guide

How to send music to a client privately

An unreleased master is the one file a client cannot afford to have leak, and it's the one most engineers still send as a public download link that anyone can forward. "Private" has to mean more than "not posted publicly." Here's how to hand off a master so it reaches only the person you sent it to, only while you want it to, with a way to tell they actually got it.

Updated July 2026~7 min read
Delivery · password-protected Master_v3.wav 24-bit · 48 kHz · 61.4 MB Instrumental.wav 24-bit · 48 kHz · 58.9 MB SET Download Link active · 1 download SHA-256 ✓ Revoke Protected

The mastering is done, the client approved it, and now you have to physically get the files to them. For unreleased music this is the step with the most at stake and the least thought put into it: a pre-release single dropped into a transfer link that anyone with the URL can open, forward, or lose. Sending a master privately isn't complicated, but the default tools quietly work against you. Here's what actually matters and how to do it.

Why WeTransfer and Dropbox aren't built for unreleased music

They move files fast, and they're good at that. But an unreleased master has requirements a generic transfer link doesn't meet:

  • Anyone with the link has the file. No password means a forwarded email, or a URL pasted into a group chat, is a leak.
  • The link expires on its own. Transfer links often die in a week, so the client comes back for the final a month later and it's gone.
  • You can't take it back. Once it's out, there's no way to revoke access if a deal falls through or you sent the wrong version.
  • You can't see if they got it. "I never received it" has no answer, and neither does "which version did you actually download."
  • The filename gives it away. A URL ending in NewSingle_ArtistName_master.wav tells anyone who sees it what the file is and who it's for, before they even open it.

What "private" actually requires

Private delivery is a short checklist. A handoff that hits these is genuinely private; one that misses a few only feels that way:

  • Password protection. The URL by itself shouldn't be access. A bare link is not a private link.
  • Revocable. You can switch the link off the moment a deal changes or a file goes out by mistake.
  • No silent expiry. It stays available because you decided so, not because a timer ran out and stranded the client.
  • Download tracking. You can see the client retrieved the files, so receipt is a fact rather than a claim.
  • No login for the client. Every account you make them create is friction, and friction on a delivery is how files end up re-sent over email instead.
  • Non-guessable links. The URL shouldn't contain the artist or track name, and shouldn't be a number someone can increment to find other people's masters.
  • Checksum-verified files. A recorded SHA-256 checksum means what the client downloads provably matches what you uploaded, with no silent corruption in transit.

How to send a master privately, step by step

1. Password-protect the delivery

Make the password, not the URL, the thing that grants access. You can zip the files with a password, but the zip is still forwardable and the client has to wrangle it. A delivery link that asks for a password before it will even show the files is cleaner: a bare URL leaks nothing, and the protection travels with the link rather than with a specific archive.

2. Decide how the password travels

For most client relationships, sending the password together with the link is fine and simple, because the link is still useless without it and you can revoke the whole thing at any time. When the leak risk is genuinely high, a label pre-release, an embargoed single, send the password through a separate channel from the link, so intercepting one doesn't hand over both.

3. Keep the ability to revoke

This is the most underrated control in the whole process. A link you can switch off means a wrong file, a cancelled deal, or a leak scare is a thirty-second fix instead of a file that's loose forever. An expiring transfer link does the opposite: it disappears on its own schedule, usually at the worst time, and gives you no say in between.

4. Confirm they actually downloaded it

Close the loop. Delivery that tracks downloads turns "did you get it?" into something you can just check. Paired with a recorded approval of the version, you can show both that the client signed off on the master and that they received the exact files, which is the clean end to a job.

A note on watermarking and leak tracing

Password protection controls access. Watermarking is a separate, complementary layer: an inaudible identifier embedded per recipient, so that if a track does leak, you can trace which copy it came from. Labels sometimes require it for pre-release promos. It doesn't stop anyone from playing the file, it deters and traces after the fact, so treat it as a different decision from how you send the master, not a substitute for sending it privately.

Private delivery is not the review link

These are two different things, and running them together is a common mistake. A review link is for feedback and approval: the client streams the master losslessly, leaves notes on the waveform, and signs off, ideally without downloading anything at all. The delivery is the final, protected handoff of the actual files, after it's approved. Use the review link during the back-and-forth (see how to get client sign-off on a master and how to send a master for approval), and send the protected delivery once, at the end.

The short version

Don't send an unreleased master as an open, expiring link. Use a password-protected delivery you can revoke, keep the filename and URL from giving the work away, and confirm the client actually downloaded it. The review happens on a streaming link that needs no download; the files themselves change hands exactly once, protected.

Frequently asked questions

How do I send music to a client privately?

Send it as a password-protected delivery instead of an open download link: the files aren't reachable by URL alone, you can revoke the link at any time, and you can see whether the client downloaded them. Keep the filenames and the URL from naming the artist or track, and for an unreleased master, prefer a link that doesn't silently expire and strand the client later.

Is WeTransfer safe for sending unreleased music?

It moves files, but it isn't built for unreleased music. The link has no password, so anyone it's forwarded to has the file; it expires on its own, so the client can lose access; and you can't revoke it or see whether they downloaded it. For a master that hasn't been released, use password-protected delivery you control instead.

How do I password-protect an audio file to send to someone?

You can zip the file with a password, but the recipient needs that password to open it and the zip is still forwardable. A cleaner option is a delivery link that asks for a password before it will show the files, so the URL alone isn't access and you can revoke the whole thing later. Send the password with the link for normal jobs, or through a separate channel when the leak risk is high.

Should a delivery link for a master expire?

Expiry is a tradeoff. Auto-expiring links strand the client when they come back for the final a month later. A link you control is better: it stays available as long as you want, and you can revoke it deliberately if a deal changes or a wrong file goes out, rather than having it disappear on a timer.

How do I know the client actually downloaded the master?

Use a delivery that tracks downloads, so you can see the files were retrieved rather than relying on "I never got them". Pairing that with a recorded approval of the version means you can show both that the client signed off and that they received the exact files.

Deliver the master, protected

Soneam gives every master a password-protected delivery link you can revoke, with download tracking, no login for the client, opaque URLs that don't leak the artist or track, and a SHA-256 checksum on file. The review and sign-off happen on the same platform, so approval and delivery are one clean handoff.