Create, list, retrieve, and update short links via the public API.
Create a short link
POST /public/v1/short-links
Request body
| Field | Type | Required | Description |
|---|---|---|---|
targetUrl | string | Yes | Destination URL |
slug | string | No | Custom slug (requires plan allowance) |
title | string | No | Display title (shown on countdown page) |
description | string | No | Optional description (shown on countdown page) |
profileId | uuid | No | Attach to a profile |
isProfileScoped | boolean | No | Use /@handle/slug URL pattern |
utmSource | string | No | UTM source parameter |
utmMedium | string | No | UTM medium parameter |
utmCampaign | string | No | UTM campaign parameter |
startsAt | ISO datetime | No | Schedule activation (Pro/Business) |
expiresAt | ISO datetime | No | Schedule expiration (Pro/Business) |
countdownPage | boolean | No | Show a live countdown to visitors before startsAt (requires scheduling) |
password | string | No | Visitor password (Pro/Business); stored as bcrypt hash, never returned |
passwordBeforeCountdown | boolean | No | When both password and countdown are enabled, show password first (default true) |
Example
curl -X POST https://api.to.it.com/v1/short-links \
-H "Authorization: Bearer toit_YOUR_KEY" \
-H "Content-Type: application/json" \
-d '{"targetUrl": "https://example.com", "slug": "demo"}'
Scheduled launch with countdown
curl -X POST https://api.to.it.com/v1/short-links \
-H "Authorization: Bearer toit_YOUR_KEY" \
-H "Content-Type: application/json" \
-d '{
"targetUrl": "https://example.com/launch",
"slug": "launch",
"title": "Product launch",
"startsAt": "2026-07-10T12:00:00.000Z",
"countdownPage": true
}'
Update a short link
PATCH /public/v1/short-links/{shortLinkId}
Send at least one field to update. Scheduling fields require a Pro or Business plan.
| Field | Type | Description |
|---|---|---|
targetUrl | string | Destination URL |
title | string | Display title |
description | string | Optional description |
status | ACTIVE / DISABLED | Link status |
startsAt | ISO datetime / null | Schedule activation; pass null to clear |
expiresAt | ISO datetime / null | Schedule expiration; pass null to clear |
countdownPage | boolean | Show countdown page before startsAt |
password | string | Set or replace the visitor password (Pro/Business) |
clearPassword | boolean | Remove password protection from the link |
passwordBeforeCountdown | boolean | When both password and countdown are enabled, show password before countdown |
Example
curl -X PATCH https://api.to.it.com/v1/short-links/SHORT_LINK_ID \
-H "Authorization: Bearer toit_YOUR_KEY" \
-H "Content-Type: application/json" \
-d '{"countdownPage": true, "startsAt": "2026-07-10T12:00:00.000Z"}'
List short links
GET /public/v1/short-links
Optional query parameter: profileId (uuid) to filter by profile.
Get a short link
GET /public/v1/short-links/{shortLinkId}
Returns the short link record and computed shortUrl.
Response fields
Create, list, get, and patch responses include the full short link object. Notable scheduling fields:
| Field | Type | Default | Description |
|---|---|---|---|
startsAt | string | null | When the link becomes active |
expiresAt | string | null | When the link stops redirecting |
countdownPage | boolean | false | Whether visitors see a countdown before startsAt |
hasPassword | boolean | false | Whether the link requires a visitor password |
passwordBeforeCountdown | boolean | true | Password gate order when combined with countdown |
Owner API responses include targetUrl and hasPassword. They never include passwordHash or the plain-text password.
Password-protected links
When password is set on create or patch:
- Visitors must enter the password before the destination URL is revealed.
- The public resolve endpoint does not return
targetUrluntil all gates (password, countdown) are cleared. - After a correct password, the API sets an HttpOnly unlock cookie so visitors are not prompted again during the same visit.
- Use
clearPassword: trueon patch to remove protection.
Requirements:
- Requires Pro or Business (
passwordLinksplan feature). - Password length: 4–128 characters.
- Combine with countdown pages using
passwordBeforeCountdownto control gate order.
Countdown pages
When countdownPage is true and startsAt is in the future:
- Visitors who open the short URL see a live countdown (days, hours, minutes, seconds) instead of a 404.
- When the countdown reaches zero, they are redirected automatically to
targetUrl. - Click analytics are recorded on redirect, not when the countdown page loads.
titleanddescriptionare shown on the countdown page when set.
Requirements and rules:
- Requires Pro or Business (same plan gate as link scheduling).
countdownPage: truerequiresstartsAtto be set.- Clearing
startsAt(null) also clearscountdownPage. - After
startsAthas passed, the link redirects normally even ifcountdownPageremainstrue.
OpenAPI
See the full interactive API reference generated from our OpenAPI spec.