How to create encrypted links via Short.io Browser SDK
The Short.io Browser SDK provides a method to create encrypted short links that protect the original destination URL from being exposed to Short.io's servers. This is useful for sharing sensitive or confidential URLs where end-to-end privacy is required.
Using the method createEncryptedLink (request)
With the createEncryptedLink() method, the original URL is encrypted with AES-GCM on the client side before being sent to the API. The decryption key is placed in the URL fragment (hash) and never sent to our servers.
Example usage:
const link = await client.createEncryptedLink({
  originalURL: 'https://sensitive-content.example.com/private',
  domain: 'your-domain.com'
});
// link.shortURL → https://your-domain.com/abc123#<base64-key>
How it works step by step
The SDK performs the following steps automatically when you call createEncryptedLink():
1. Generates the encrypted payload
   - A random AES-GCM symmetric key and a 12-byte initialization vector (IV/nonce) are generated on the client side.
   - The destination URL is converted to bytes and encrypted using the key and IV.
   - The resulting ciphertext and IV are encoded into a text-safe format (base64url) and combined into a single payload string that acts as the "original URL":
     shortsecure://<ciphertext>?<iv>

   This payload contains only encrypted data; the actual destination is not readable by anyone without the key.
2. Creates the short link
   - The SDK sends a standard "create short link" request to the Short.io API, with the originalURL set to the encrypted payload built in step 1.
   - The API returns a normal short URL (e.g. https://your-domain.com/abc123) that points to the encrypted payload stored on the server.
3. Builds the final shareable link
   - The encryption key is encoded into base64url format.
   - The key is appended to the short URL as a fragment (#): https://your-domain.com/abc123#<base64-key>
   - The server stores only the encrypted payload; the decryption key travels exclusively in the # fragment, which browsers never send to the server.
Decryption on click
When a recipient opens the link:
- The browser loads the short URL and retrieves the encrypted payload from the server.
- The client-side code reads the decryption key from the # fragment.
- The ciphertext and IV are decrypted using the key to recover the original destination URL.
- The user is redirected to the real destination.
Because the decryption key never leaves the client, Short.io has no ability to read the original URL at any point.
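The encrypt and decrypt steps described above can be reproduced with the Web Crypto API. This is an added example, not the SDK's own code: the function names are hypothetical, the 256-bit key length is an assumption (the page does not state a key size), the Short.io API call in step 2 is left out, and the http(s) scheme check before redirecting is an added safeguard.

```javascript
// Added illustration, not Short.io SDK source. Function names are hypothetical;
// the 256-bit key length is an assumption (the page does not state a key size).
const wc = globalThis.crypto ??
  (typeof require === 'function' ? require('node:crypto').webcrypto : undefined);

// base64url helpers (unpadded), as used for ciphertext, IV and key.
const b64u = (buf) => btoa(String.fromCharCode(...new Uint8Array(buf)))
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const unb64u = (s) => Uint8Array.from(
  atob(s.replace(/-/g, '+').replace(/_/g, '/')), (c) => c.charCodeAt(0));

// Steps 1 and 3: encrypt the destination, then return the payload that would
// be sent as originalURL and the key that goes only into the # fragment.
async function encryptDestination(destination) {
  const key = await wc.subtle.generateKey(
    { name: 'AES-GCM', length: 256 }, true, ['encrypt', 'decrypt']);
  const iv = wc.getRandomValues(new Uint8Array(12)); // fresh 12-byte nonce
  const ct = await wc.subtle.encrypt(
    { name: 'AES-GCM', iv }, key, new TextEncoder().encode(destination));
  const rawKey = await wc.subtle.exportKey('raw', key);
  return { payload: `shortsecure://${b64u(ct)}?${b64u(iv)}`, fragment: b64u(rawKey) };
}

// Decryption on click: parse the payload, decrypt with the fragment key, and
// only hand back an http(s) URL (added check before any redirect).
async function decryptDestination(payload, fragment) {
  const m = /^shortsecure:\/\/([\w-]+)\?([\w-]+)$/.exec(payload);
  if (!m) throw new Error('not a shortsecure payload');
  const key = await wc.subtle.importKey(
    'raw', unb64u(fragment), { name: 'AES-GCM' }, false, ['decrypt']);
  // decrypt() rejects if the key is wrong or the ciphertext/IV was altered,
  // because the GCM authentication tag no longer verifies.
  const plain = await wc.subtle.decrypt(
    { name: 'AES-GCM', iv: unb64u(m[2]) }, key, unb64u(m[1]));
  const url = new URL(new TextDecoder().decode(plain));
  if (url.protocol !== 'https:' && url.protocol !== 'http:') {
    throw new Error('refusing non-http(s) destination');
  }
  return url.href;
}
```

Only `payload` would ever be stored server-side; `fragment` is appended to the short URL after `#` and is needed to recover the destination.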