Developer API

Create LOCK.PUB links by API

Pro accounts can create password-protected URL links and secret memo links from scripts, internal tools, automations, or product workflows. API-created links appear in the dashboard with an API badge.

Manage API key Upgrade to Pro

One active key

Each account has one active API key. Rotating a key immediately disables the previous key.

URL and memo links

v1 supports only type=url and type=memo. Files, images, audio, requests, and chat are not in v1.

No key reveal later

The full key is returned only when you create or rotate it. Store it in your secret manager.

Endpoint

POST https://lock.pub/api/v1/links

Send the key in the Authorization header. Query-string API keys are not supported.

curl -X POST https://lock.pub/api/v1/links \
  -H "Authorization: Bearer ll_live_your_api_key" \
  -H "Content-Type: application/json" \
  -d '{
    "type": "url",
    "targetUrl": "https://example.com/private",
    "password": "share-this-separately",
    "memo": "Client contract",
    "redirectLimit": 3
  }'

JavaScript memo example

const response = await fetch("https://lock.pub/api/v1/links", {
  method: "POST",
  headers: {
    Authorization: "Bearer " + process.env.LOCKPUB_API_KEY,
    "Content-Type": "application/json"
  },
  body: JSON.stringify({
    type: "memo",
    secretMemo: "The encrypted memo body",
    password: "share-this-separately",
    memo: "Internal note"
  })
})

const link = await response.json()

Python URL example

import os
import requests

response = requests.post(
    "https://lock.pub/api/v1/links",
    headers={
        "Authorization": f"Bearer {os.environ['LOCKPUB_API_KEY']}",
        "Content-Type": "application/json",
    },
    json={
        "type": "url",
        "targetUrl": "https://example.com/private",
        "password": "share-this-separately",
        "memo": "Client contract",
    },
)

print(response.json()["shortUrl"])

Request fields

Field	Required	Description
type	Yes	Use url or memo.
targetUrl or link	URL only	The destination URL for type=url.
secretMemo	Memo only	The encrypted body for type=memo.
password	Yes	The password recipients must enter. Share it separately.
memo	Yes	A public dashboard label and recipient hint. Do not put secrets here.
customSlug	No	Optional lowercase custom slug, 3-30 characters.
redirectLimit	No	Positive integer access limit.
startTime	No	ISO date/time before which the link cannot open.
expireTime	No	ISO date/time after which the link expires.

Quotas and limits

Plan	API-created links/month	Requests/minute	Burst/10 seconds
Pro	1,000	60	20

Quotas reset on the first day of each month at 00:00 UTC. Only successful link creations count toward monthly API quota. Validation failures, failed authentication, rate-limited requests, and duplicate slugs do not count.

Successful responses include X-Api-Quota-Limit, X-Api-Quota-Remaining, and X-Api-Quota-Reset. Rate-limited responses include Retry-After.

Security checklist

Store API keys in a secret manager or server-side environment variable.
Do not put the API key in browser code, logs, analytics, or URL query strings.
Do not put secrets in the public memo field. Use secretMemo for encrypted memo content.
Rotate the key from Settings if it may have been exposed.
Dashboard and user APIs return only key metadata such as prefix and last-used time, never the full key or key hash.