A short-link API that
tells you what happened.
REST endpoints for links, analytics, A/B variants, webhooks, and audit log. OpenAPI 3.1 spec. API keys with scopes. HMAC-signed payloads. Runs on Cloudflare's edge.
Quick start
Create your first link.
curl -X POST https://api.orphl.ink/links \
-H "Authorization: Bearer olk_<your-api-key>" \
-H "Content-Type: application/json" \
-d '{
"destination_url": "https://example.com/spring-launch",
"title": "Spring launch",
"redirect_mode": "direct",
"utm_source": "newsletter",
"utm_campaign": "spring-launch"
}' Replace <your-api-key> with a real key from your dashboard.
Core endpoints
What you can build.
The full reference covers auth, workspaces, tags, groups, branding, cloaking rules, embeds, and proxy sessions. Below is the path most teams hit first.
| Method | Path | What it does | Docs |
|---|---|---|---|
| POST | /links | Create a short link with optional redirect mode, UTM tags, expiry, password. | Try it |
| GET | /links | List workspace links with filters: search, tag, group, status, health. | Try it |
| GET | /links/{id}/analytics | Time-series clicks plus referrer, country, and device breakdowns. | Try it |
| PUT | /links/{id}/variants | Configure A/B variants — weights sum to 100, per-variant click counters. | Try it |
| POST | /webhooks | Subscribe to link events. HMAC-signed payloads with exponential-backoff retries. | Try it |
| GET | /audit-log | Workspace audit trail with before/after diffs. Retention is plan-configurable. | Try it |
| POST | /links/import | Bulk import via multipart CSV. Max 500 rows. Each row runs through moderation. | Try it |
API keys
Keys are workspace-scoped and prefixed with olk_. We store only the hash; the first eight characters (the key prefix) are kept in plain text so the dashboard can identify which key is which without ever revealing the secret. Pass the key as Authorization: Bearer olk_… on every request.
Scopes are checked per-route — issue read-only keys for analytics consumers, write keys for the importer.
Manage keysWebhooks
Subscribe an endpoint to the events you care about. Payloads are POSTed as JSON with an X-OrphLink-Signature header carrying an HMAC-SHA256 of the body. Verify it on receipt; reject if it doesn't match. Failed deliveries retry up to three times with exponential backoff (30s, 120s, 480s).
- · link.created
- · link.clicked
- · link.expired
- · link.moderation_complete
- · link.threshold_reached
- · link.health_failed
- · link.imported
Read the full reference.
Every route, every schema, every error shape. Live in your browser.