LinkUnlocker

Developers

Anti bypass system

You share one public LinkUnlocker unlock URL with everyone who hits that checkpoint. The Redirect API token from User settings, Api Keys, is the secret you paste into your checkpoint dashboard. Every other step is plain HTTPS requests to LinkUnlocker.

After someone finishes your unlock page, LinkUnlocker returns a short lived signature t and sends them onward. By default they go to whatever destination your link already has. If you supply hash, they go wherever that ciphertext decrypts instead (AES-256-GCM, tied to your token). Your checkpoint service calls the encryptor to build each hash for the next URL, attaches it to the same unlock link each time. You never need a new LinkUnlocker short URL per visitor.

LuarmorReward checkpoints (Luarmor)

Luarmor documents a short unlock URL plus an API token in the Luarmor reward system guide. Do the same with LinkUnlocker: put your link in the checkpoint field, paste the Redirect API token where they ask for a provider key, and have their backend call encrypt and validate before handing out a key. A valid hash proves the ciphertext matches your publisher token, alongside the usual unlock flow on LinkUnlocker.

1. Credentials

Open User settings from the dashboard (profile area, then the gear icon). Choose Api Keys in the sidebar. LinkUnlocker issues a Redirect API token (64 hex characters) the first time that tab loads. Copy the token into your checkpoint dashboard anywhere a provider API key is requested. Rotate it if it leaks, then update every integration that still used the old secret.

LinkUnlocker dashboard profile row with the settings gear control highlighted
Open settings from your profile row (gear icon).
User settings modal on the Api Keys tab showing API Token, Encrypt URL, and Validate URL with copy actions
Api Keys tab: your api_token, encryptor URL, and hash validation URL.

2. Generate a hash

Point your checkpoint or script at the encryptor with both fields below. JSON POST, form POST, and GET query parameters are all supported. You can also send Authorization: Bearer with the token and omit api_token from the body.

Send to encryptor

destination_url
The HTTPS redirect target for this checkpoint step.
api_token
Your Redirect API token (same value as under User settings → Api Keys).
Encryptor endpoint
https://linkunlocker.com/api/public/url_encryptor
// Example success body{  "type": "created",  "request_time": 1730000000123,  "message": "qB2HfRu5Tc4VgPnY8sLwk6JdMaZx0eUiOoAtNvCzWrE",  "hash": "qB2HfRu5Tc4VgPnY8sLwk6JdMaZx0eUiOoAtNvCzWrE"}

hash and message hold the exact same ciphertext (base64url, no padding). Glue it onto your unlock URL as ?hash=… or &hash=… when you send the visitor forward.

3. Verify a hash

Before your reward backend unlocks anything, call the validator and only proceed when LinkUnlocker confirms the ciphertext is valid for your publisher token.

Validation base URL
https://linkunlocker.com/api/public/hash/validate
Example request
GEThttps://linkunlocker.com/api/public/hash/validate?hash=&api_token=

A successful response is { "valid": true } only when decryption yields an HTTPS URL LinkUnlocker allows.

Add deleteToken=1 if you want the same ciphertext to stop validating once it has succeeded (optional replay safeguard).

async function verifyRedirectHash (hash, apiToken) {  const base = 'https://linkunlocker.com/api/public/hash/validate'  const q = new URLSearchParams({ hash, api_token: apiToken })  const res = await fetch(`${base}?${q}`)  const data = await res.json()  return data.valid === true}

4. Final unlock URL

After tasks complete, the browser gets unlock token t and opens something shaped like:

https://linkunlocker.com/api/unlock/your_slug?t=<unlock_token>[&hash=<encrypted_destination>]
  • Skip hash when you rely on your link's normal monetized or fallback destination.
  • With hash, the server must decrypt with your token.
  • If the visitor landed on your slug URL with ?hash=… already attached, LinkUnlocker keeps it when it builds this redirect automatically.
  • Unlock tokens expire in about 45 seconds.

5. Cryptography

AES 256 GCM. The symmetric key comes from SHA 256 applied to your Redirect API token as UTF 8 hex. On the wire the payload is URL safe Base64 that concatenates nonce, auth tag, and ciphertext in that order.

← Back home