obfus.link

Link Obfuscator creates AES-256-GCM encrypted short URLs with single or double-hop redirect chains. Double hop means the destination never appears in any single referrer log. Time-limited and click-limited self-destructing options. Optional scrypt passphrase gate. Custom aliases, automatic tracking-parameter stripping, and a strict SSRF allowlist make this the best-in-class privacy-first link shortener.


Link Obfuscator

AES-256-GCM encrypted short URLs with double-hop and self-destruct

Only http:// and https:// destinations. Private IPs, loopback, and metadata endpoints are rejected.

How to use

  1. Paste your destination URL. Any http:// or https:// URL up to 4096 characters. Private IPs, localhost, and non-network schemes are rejected by the SSRF allowlist.
  2. Pick redirect mode. Single hop for normal shortening. Double hop creates a two-stage chain so the destination URL never appears in any single hop's referrer log; use this when the destination itself is sensitive.
  3. Set TTL and click budget. Optional. Time-to-live caps the link's lifetime; max clicks caps the number of redirects. Combine them for "valid for 1 hour OR 100 clicks, whichever comes first" semantics.
  4. Optional passphrase + alias. Set a passphrase to gate the redirect (scrypt-hashed server-side, never reaches the destination). Set a custom alias for vanity URLs like obfus.link/x/launch2026.
  5. Toggle tracking strip. Removes utm_*, fbclid, gclid, mc_eid, and other ad-network tracking parameters from the destination before encrypting, which is useful for forwarding clean URLs.
  6. Obfuscate, copy, share. Click Obfuscate. Copy the short URL or scan the QR code. Test the redirect in a new tab to confirm. The link is live the moment the response returns.

MCP / API

Call link_obfuscator directly from any MCP-compatible agent:

// MCP TypeScript SDK
const result = await client.callTool({
  name: "link_obfuscator",
  arguments: {
    "url": "...",
    "mode": "single",
    "encryption": "aes-256-gcm"
  }
});

// curl
curl -X POST https://obfus.link/mcp \
  -H "Authorization: Bearer <SPT>" \
  -H "Content-Type: application/json" \
  -d '{"method":"tools/call","params":{"name":"link_obfuscator","arguments":{"url":"...","mode":"single","encryption":"aes-256-gcm"}}}'

FAQ

What does double-hop actually buy me over single-hop?

In single-hop mode, the destination URL appears in the Referer header on the very first hop — anyone watching network traffic, browser history, or analytics dashboards on the destination side sees where the click originated and where it landed in one tidy log line. Double-hop puts a second obfus.link redirect in between, so the receiver only ever sees obfus.link URLs in their referrer stream. The destination URL stays confidential to anyone who can't see both the encrypted database rows AND the server-side master key.

How is the passphrase stored?

scrypt with a per-link 16-byte random salt, default Node parameters (N=2^14, r=8, p=1). The hash is stored alongside the encrypted URL; the plaintext is never written to disk, never reaches the destination, and is verified at the gate page using a timing-safe equality check. scrypt is the OWASP 2023 recommendation for passphrase hashing — more memory-hard than bcrypt, no external dependency.
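
A minimal Node sketch of the passphrase gate described above, added here as an illustration and not obfus.link's own code. The 32-byte hash length, the hex record layout and the function names are assumptions.

```javascript
const crypto = require("node:crypto");

// Node's scrypt defaults, written out so they can be stored with the record.
const PARAMS = { N: 2 ** 14, r: 8, p: 1 };
const KEYLEN = 32; // assumption: the page does not state the hash length

// Returns what would be stored next to the encrypted URL (hypothetical layout).
function hashPassphrase(passphrase) {
  const salt = crypto.randomBytes(16); // per-link 16-byte random salt
  const hash = crypto.scryptSync(passphrase, salt, KEYLEN, PARAMS);
  return { salt: salt.toString("hex"), hash: hash.toString("hex") };
}

// Gate check: recompute with the stored salt, compare in constant time.
function verifyPassphrase(candidate, record) {
  const expected = Buffer.from(record.hash, "hex");
  // timingSafeEqual throws on unequal lengths, so reject malformed rows first.
  if (expected.length !== KEYLEN) return false;
  const salt = Buffer.from(record.salt, "hex");
  const actual = crypto.scryptSync(String(candidate), salt, KEYLEN, PARAMS);
  return crypto.timingSafeEqual(actual, expected);
}

// Constructed sample passphrase.
const record = hashPassphrase("correct horse battery staple");
console.log(verifyPassphrase("correct horse battery staple", record));
console.log(verifyPassphrase("wrong guess", record));
```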

What happens if I lose the master key?

Every obfuscated link becomes undecryptable. The encryption key for each link is derived from the master key + the short code via HKDF-SHA-256, so without the master key there is no way to recover the destination URL from the database row alone. This is the security property — but it also means the master key is critical operational state. Back it up. In development, an ephemeral key is generated per process if LINK_OBFUSCATOR_KEY is unset.

What schemes and hosts are rejected?

Schemes: only http:// and https://. javascript:, data:, file:, ftp:, gopher:, and others are rejected as SECURITY_VIOLATION. Hosts: RFC1918 private ranges (10/8, 172.16/12, 192.168/16), loopback (127/8, ::1, localhost, 0.0.0.0), link-local (169.254/16 — the AWS/GCP/Azure metadata endpoint), IPv6 unique-local (fc00::/7), .local mDNS, and .internal hostnames. These guards prevent the tool from being abused as an SSRF pivot.
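
The scheme and host rules above, sketched as a Node validator. This is an added example, not the service's implementation: the function name, the INVALID_URL code and the reuse of SECURITY_VIOLATION for blocked hosts are assumptions.

```javascript
const net = require("node:net");

// Ranges listed in the answer above.
const blocked = new net.BlockList();
for (const [addr, bits] of [["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16],
                            ["127.0.0.0", 8], ["169.254.0.0", 16], ["0.0.0.0", 32]]) {
  blocked.addSubnet(addr, bits, "ipv4");
}
blocked.addAddress("::1", "ipv6");
blocked.addSubnet("fc00::", 7, "ipv6");

// INVALID_URL is a hypothetical code; the page names only SECURITY_VIOLATION.
const deny = (reason) => ({ ok: false, reason });

function checkDestination(raw) {
  if (typeof raw !== "string" || raw.length > 4096) return deny("INVALID_URL");
  let url;
  try {
    url = new URL(raw);
  } catch {
    return deny("INVALID_URL");
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return deny("SECURITY_VIOLATION");

  // The WHATWG parser has already canonicalised the host: "2130706433",
  // "0x7f.0.0.1" and "127.1" all arrive as "127.0.0.1". IPv6 keeps its brackets.
  const host = url.hostname.replace(/^\[|\]$/g, "").replace(/\.$/, "");
  const family = net.isIP(host);
  if (family === 4 && blocked.check(host, "ipv4")) return deny("SECURITY_VIOLATION");
  if (family === 6 && blocked.check(host, "ipv6")) return deny("SECURITY_VIOLATION");
  if (host === "localhost" || host.endsWith(".local") || host.endsWith(".internal")) {
    return deny("SECURITY_VIOLATION");
  }
  return { ok: true, url: url.href };
}
```

The check covers the literal host only; a public DNS name that resolves into one of these ranges needs the same test applied to the resolved address.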

How do TTL and maxClicks interact?

Either threshold being crossed expires the link. Set both for "valid for 1 hour OR 100 clicks, whichever comes first" semantics. The redirect handler returns HTTP 410 Gone with a Tech Noir error page when either is exceeded — the same status code is used for both so a recipient cannot distinguish "your link expired" from "someone else used it up." Click counts increment in a single Postgres transaction with a row lock, so a burst of simultaneous clicks cannot race past maxClicks.

What's the cipher choice rationale?

AES-256-GCM with a 96-bit (12-byte) random IV per encryption and a 16-byte auth tag. The per-link encryption key is derived from the master key via HKDF-SHA-256 with the short code as the salt — this means compromising one link's database row does not give you any other link's key. The short code doubles as Additional Authenticated Data (AAD), so swapping short codes between rows breaks the tag verification and decrypt fails. This is the standard NIST SP 800-38D pattern.
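
The key derivation and encryption described in this answer and in the master-key answer, as a Node sketch. It is an added example rather than the service's code: the HKDF info label, the stored layout (IV, tag, ciphertext) and the function names are assumptions.

```javascript
const crypto = require("node:crypto");

// Assumptions (not from the page): the HKDF "info" label and the stored
// layout iv(12) || tag(16) || ciphertext.
const INFO = Buffer.from("link-url-v1");

function deriveLinkKey(masterKey, shortCode) {
  // HKDF-SHA-256 with the short code as salt; 32 bytes for AES-256.
  const okm = crypto.hkdfSync("sha256", masterKey, Buffer.from(shortCode), INFO, 32);
  return Buffer.from(okm);
}

function sealUrl(masterKey, shortCode, url) {
  const iv = crypto.randomBytes(12); // fresh 96-bit IV for every encryption
  const key = deriveLinkKey(masterKey, shortCode);
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(shortCode)); // short code as AAD binds the row to its code
  const ct = Buffer.concat([cipher.update(url, "utf8"), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), ct]); // GCM tag is 16 bytes by default
}

function openUrl(masterKey, shortCode, blob) {
  try {
    const key = deriveLinkKey(masterKey, shortCode);
    const decipher = crypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
    decipher.setAAD(Buffer.from(shortCode));
    decipher.setAuthTag(blob.subarray(12, 28));
    const pt = Buffer.concat([decipher.update(blob.subarray(28)), decipher.final()]);
    return pt.toString("utf8");
  } catch {
    return null; // wrong master key, wrong short code, truncated or modified row
  }
}

// Constructed sample data.
const masterKey = crypto.randomBytes(32);
const row = sealUrl(masterKey, "launch2026", "https://example.com/report?id=7");
console.log(openUrl(masterKey, "launch2026", row)); // the original URL
console.log(openUrl(masterKey, "other-code", row)); // null: row moved to another code
console.log(openUrl(crypto.randomBytes(32), "launch2026", row)); // null: master key lost
```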

Can I use this tool via the MCP API?

Yes. The tool is registered on the obfus.link MCP server at https://obfus.link/mcp. Call it from any MCP-compatible agent with a Shared Payment Token. The MCP tool name matches the snake_case slug shown in the integration snippet.