One-Time Links That Expire After the First Click
Generate a short URL that works for exactly one visit and then disappears. No account, no install — just paste, set max-clicks: 1, and share.
What is a one-time link?
A one-time link is a URL that redirects exactly once. After the first click, it stops working — anyone who tries to follow it later sees an expired-link page instead of the destination. It's the safest way to send a URL where you don't want it forwarded, indexed, or replayed: invite codes, beta access keys, single-use downloads, password reset links, secret hand-offs.
zip1.io makes one-time links a one-line operation: set max-clicks: 1. There's no separate "secret link" feature, no expiring-token plumbing, and no account. The same primitive scales up — set max-clicks: 100 for a beta cohort or max-clicks: 5000 for a campaign — but at 1, it behaves as a strict one-shot.
Make one in five seconds
Web form: paste your URL, click "Advanced Options", set Max clicks to 1, click Shorten.
API (no key required, 10 requests/min per IP):
curl -X POST http://zip1.io/api/create \
-H "Content-Type: application/json" \
-d '{
"url": "https://your-app.com/secret-download/abc123",
"max-clicks": 1
}'
# Response:
# {"short_url": "http://zip1.io/xK9p3z", ...}
That short URL works exactly once. The first request gets a 302 to the destination; every subsequent request gets the expired-link page (HTTP 400). The original destination URL is preserved exactly — query string, fragments, everything.
When to use a one-time link
1. Single-recipient downloads
Hand a contract draft, design comp, or signed file to one person. If the link gets forwarded, the second person sees an expired page instead of your file. The first recipient still gets through cleanly.
2. Beta / invite codes
Mint a short URL per invitee that points at your sign-up page with a pre-filled invite parameter. Set max-clicks: 1 so the invite can't be re-used after the first claim.
{
"url": "https://app.example.com/signup?invite=alice-2026",
"alias": "join-alice",
"max-clicks": 1
}
3. Password reset / one-shot magic links
Already have a token-based reset flow on your own backend? Layer a one-time short URL on top so the link can't be replayed even if the email is forwarded. The destination URL still carries your real reset token; zip1.io just adds the click cap on the public-facing URL.
4. Sensitive sharing in chat / email
Slack, email, and SMS conversations all archive forever. A one-time link means even an old archive entry can't replay the original visit. Combine with the destination's own auth for defence in depth.
5. Capped beta cohorts
Same primitive, larger number. max-clicks: 100 gives the first 100 people who click access, and locks the link automatically once the cohort fills. No coupon-code system to maintain.
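For use case 3 above, the click cap only protects the public short URL; the reset token in the destination URL still needs to be single-use and short-lived on your own backend. The sketch below is an added example, not zip1.io code or code from the original page. The table schema, function names and the `app.example.com/reset` URL are assumptions for illustration.

```python
import hashlib
import secrets
import sqlite3
import time

def open_store():
    """In-memory table standing in for the backend's token store (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE reset_tokens (
        token_hash TEXT PRIMARY KEY, user_id TEXT NOT NULL,
        expires_at REAL NOT NULL, used_at REAL)""")
    return db

def digest(token):
    # Store only a hash, so a leaked table does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()

def issue_token(db, user_id, ttl=900, now=None):
    """Create a random token valid for ttl seconds; returns the raw token once."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO reset_tokens VALUES (?, ?, ?, NULL)",
               (digest(token), user_id, now + ttl))
    db.commit()
    return token

def redeem_token(db, token, now=None):
    """Return the user id on the first valid use, None on replay/expiry/unknown."""
    now = time.time() if now is None else now
    h = digest(token)
    # Single conditional UPDATE: check and consume happen in one statement,
    # so two concurrent requests cannot both succeed.
    cur = db.execute(
        "UPDATE reset_tokens SET used_at = ? "
        "WHERE token_hash = ? AND used_at IS NULL AND expires_at > ?",
        (now, h, now))
    db.commit()
    if cur.rowcount != 1:
        return None
    row = db.execute("SELECT user_id FROM reset_tokens WHERE token_hash = ?", (h,))
    return row.fetchone()[0]

if __name__ == "__main__":
    db = open_store()
    t = issue_token(db, "alice")
    # Hypothetical destination URL that would be passed to the shortener.
    print("https://app.example.com/reset?token=" + t)
    print(redeem_token(db, t), redeem_token(db, t))
```

With this in place, a destination URL that leaks through browser history or a forwarded redirect is as dead after the first redemption as the short link is.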
What about analytics?
Even after the link expires, the stats page at http://zip1.io/stats/<slug> keeps working. You'll see:
- Whether the link was actually clicked, and when
- The country, browser, and OS of the person who claimed it
- The referrer — if they followed the link from somewhere indexable
- Whether the click was a bot (so you know if a crawler burned the cap)
For invite-code workflows in particular, that's enough audit trail to verify the right person opened the link and to spot when a preview-link bot consumed the cap before the human got there. (If preview-bot consumption is a concern, see the FAQ below.)
How zip1.io compares to other "self-destructing link" tools
| Capability | zip1.io | OneTimeSecret | Privatebin | bit.ly |
|---|---|---|---|---|
| Single-use redirect | Yes (max-clicks=1) | For text/secrets only | For pasted text only | No |
| Branded custom slug | Yes | No | No | Account required |
| Cap at N clicks (not just 1) | Any integer | Single-use only | Single-use only | No |
| Click analytics post-expiry | Yes — full history | Read-receipt only | No | Limited free tier |
| API without an account | Yes | Yes | Self-host | No |
| Open source | Yes | Yes | Yes | No |
OneTimeSecret and Privatebin are great for sharing secrets that live entirely on their server. zip1.io is the right tool when the destination is a URL you control — your own download endpoint, your own signup page — and you want a public-facing link that can't be replayed.
FAQ
- What counts as a "click"?
  Any HTTP request to the short URL that isn't already past the cap. That includes preview crawlers (Slack, Discord, iMessage, LinkedIn) — see below.
- What about link-preview bots eating my one-time link?
  If you paste a one-time link into Slack or iMessage, the platform may fetch it once to render a preview, consuming the click. Workarounds: (a) wrap the destination so the preview-fetch goes to a placeholder page that's safe to be eaten, or (b) deliver the link in plain text in a channel that doesn't auto-preview (email subject line, SMS without OG fetching, etc.). zip1.io can't tell preview bots apart from real users at redirect time, but the stats page will tag them as bots after the fact.
- Can I extend a one-time link after it has expired?
  Not currently — links are immutable once created. If a real visitor missed it because a preview bot used the click, mint a new short URL and re-share.
- Is this a substitute for end-to-end encryption?
  No. zip1.io stores the destination URL in plaintext on our server (it has to, to redirect you there). One-time links protect against re-use of the public URL, not against server-side disclosure. For true zero-knowledge secret sharing, use OneTimeSecret, Privatebin, or a similar dedicated tool.
- Do I need an account?
  No. zip1.io has no signup, ever. The API is rate-limited at 10 link creations per minute per IP, with no monthly cap and no paid tier.
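One reading of workaround (a) from the preview-bot question, as an added example that is not zip1.io code or part of the original page: share the URL of a placeholder page you host, and hand out the one-time short URL only in response to a form POST. It assumes preview fetchers issue GET or HEAD and never submit forms; `wrapper_app`, `probe` and the short URL value are constructed names.

```python
# Constructed placeholder: the one-time short URL minted for this recipient.
ONE_TIME_LINK = "http://zip1.io/xK9p3z"

# The short URL is deliberately absent from this HTML, so a crawler that
# parses the page finds nothing to follow.
PAGE = b"""<!doctype html>
<meta name="robots" content="noindex,nofollow">
<title>One-time link</title>
<p>This link opens once. Continue when you are ready.</p>
<form method="post"><button type="submit">Open link</button></form>
"""

def wrapper_app(environ, start_response):
    """WSGI app: GET/HEAD are safe to repeat, only POST reaches the short URL."""
    method = environ.get("REQUEST_METHOD", "GET")
    if method in ("GET", "HEAD"):
        start_response("200 OK", [
            ("Content-Type", "text/html; charset=utf-8"),
            ("Cache-Control", "no-store"),
            ("Referrer-Policy", "no-referrer")])
        return [b"" if method == "HEAD" else PAGE]
    if method == "POST":
        # 303 makes the browser follow up with a GET to the short URL.
        start_response("303 See Other", [("Location", ONE_TIME_LINK),
                                         ("Cache-Control", "no-store")])
        return [b""]
    start_response("405 Method Not Allowed", [("Allow", "GET, HEAD, POST")])
    return [b""]

def probe(method):
    """Call the app in-process; returns (status, headers dict, body bytes)."""
    seen = {}
    def start_response(status, headers):
        seen["status"], seen["headers"] = status, dict(headers)
    body = b"".join(wrapper_app({"REQUEST_METHOD": method}, start_response))
    return seen["status"], seen["headers"], body

if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8000, wrapper_app).serve_forever()
```

The wrapper page itself can be fetched any number of times; the click cap is only spent when a person presses the button and the browser follows the 303.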
Mint a one-time link
Five seconds. No account. The link is gone after the first click.