
A crypto key in the URL would ruin the deniability - their web server logs would contain the decryption keys. The whole point is to run AES in JavaScript in the browser so the key never reaches them.



Linking the key as the fragment identifier component (after a #) would prevent the server from seeing it, but still allow JavaScript to have access to the key.

That way you can link encrypted content with a key, and have the server not know about it.

This scheme has been deployed for at least one secure pastebin.


Interesting. I didn't know the browser keeps that part to itself.



